© 2025 Direct Cursus Technology L.L.C.
In this article:

  • Update the app's basic settings
  • Update the service provider configuration
  • Update a digital signature verification key certificate
  • Update user and group attributes
  • Update the list of app users and groups

Updating a SAML app in Yandex Identity Hub

Written by
Yandex Cloud
Updated at August 12, 2025

Note

This feature is at the Preview stage.

SAML apps can be managed by users with the organization-manager.samlApplications.admin role or higher.

Update the app's basic settings

To update the SAML app's basic settings:

Cloud Center UI
  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Apps, then select the SAML app.

  3. On the top right, click Edit and in the window that opens:

    1. Change the app's name in the Name field. The name must be unique within the organization and follow the naming requirements:

      • It must be from 1 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.
    2. Change the app's description in the Description field.

    3. Add new labels by clicking Add label in the Labels field. Click to delete an existing label.

    4. Click Save.

Update the service provider configuration

To update the service provider configuration in a SAML app:

Cloud Center UI
  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps, then select the SAML app.
  3. On the top right, click Edit and in the window that opens:

    1. In the SP EntityID field, enter the unique service provider ID.

      The value must be the same on the service provider's and Identity Hub side.

    2. In the ACS URL field, specify the URL Identity Hub will send the SAML response to.

      If your service provider uses ACS indexes instead of ACS URLs, in addition to ACS URLs, you can specify the index value you got on the service provider's side.

      Optionally, use the Add URL button to specify multiple ACS URLs/indexes.

      Note

      If you have specified an index for one of the URLs in the ACS URL field settings, you must also specify indexes for all the other URLs.

    3. In the Signature mode field, select the SAML response elements that will be digitally signed:

      • Assertions: Only provided attributes will be signed. This is the default value.
      • Response: The full SAML response will be signed.
      • Assertions and Response: The full SAML response and, separately, the provided attributes will be signed.

      Warning

      The signing mode configured for the SAML app on the Identity Hub side must be the same as the signing mode on the service provider's side.

    4. Click Save.
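
To confirm that the Signature mode selected above matches what the service provider actually receives, you can check where `ds:Signature` elements sit in a captured SAML response. The following is an added example, not Yandex Cloud code: the sample responses are constructed, and the check reports signature placement only, not cryptographic validity.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signed_elements(response_xml):
    """Return the Signature mode label matching where ds:Signature appears."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    # Only a ds:Signature that is a direct child signs that element:
    # a signature nested inside an Assertion does not cover the Response.
    response_signed = root.find("ds:Signature", NS) is not None
    assertions = root.findall("saml:Assertion", NS)
    assertions_signed = bool(assertions) and all(
        a.find("ds:Signature", NS) is not None for a in assertions
    )
    if response_signed and assertions_signed:
        return "Assertions and Response"
    if response_signed:
        return "Response"
    if assertions_signed:
        return "Assertions"
    return "unsigned"


def check_mode(response_xml, expected_mode):
    """Compare the observed placement with the mode the SP is configured for."""
    found = signed_elements(response_xml)
    return found == expected_mode, found


def sample_response(sign_response, sign_assertion):
    """Build a constructed response with empty placeholder signatures."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            + (sig if sign_response else "")
            + "<saml:Assertion>" + (sig if sign_assertion else "")
            + "<saml:Subject/></saml:Assertion></samlp:Response>")


if __name__ == "__main__":
    # Identity Hub default is Assertions; this SP expects a signed Response.
    print(check_mode(sample_response(False, True), "Response"))
```
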

Update a digital signature verification key certificate

The digital signature verification key certificate for the SAML app is automatically issued when the app is created for a five-year validity period.

You can issue any number of new digital signature verification key certificates for the SAML app at any time. To do this:

Cloud Center UI
  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Apps, then select the SAML app.

  3. Under Application certificate, click Certificate management on the Overview tab and in the window that opens:

    1. Click Generate new certificate. This will create a new certificate which will appear in the list.

    2. To activate the new certificate, enable Active next to it.

      Warning

      In a SAML app, only one certificate can be active. Activating a new certificate automatically deactivates the current one. After you activate the new certificate, do not forget to upload it to the app's integration settings on the service provider’s side.

    3. To download the new certificate, click next to it and select Download.

    4. To delete the certificate, click next to it and select Delete, then confirm the deletion. You can only delete inactive certificates.

    5. Click Close.

Update user and group attributes

To update the attributes Identity Hub will transmit to the service provider:

Cloud Center UI
  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Apps and select the required app.

  3. Navigate to the Attributes tab.

  4. To add a user group attribute, in the top-right corner of the page, click Add group attribute and do the following in the window that opens:

    1. In the Attribute name field, set a name for the user group attribute. The attribute name must be unique within your application.

    2. In the Transmitted groups field, select one of these values:

      • All groups: In a SAML response, this field will include all groups the user belongs to.

        The maximum number of groups this field can include is 1,000. If the user belongs to more groups, only the first thousand of them will be communicated to the service provider.

      • Assigned groups only: In a SAML response, this field will include only those groups that are explicitly specified on the Users and groups tab of your SAML app.

    3. Click Add.

  5. To add more user group attributes, in the top-right corner of the page, click Add attribute and do the following in the window that opens:

    1. In the Attribute name field, set an attribute name unique within your app.

    2. In the Value field, select one of these values:

      • SubjectClaims.sub: User ID. The field value is the same as the one displayed in the ID field in the organization's user list in the Cloud Center's Identity Hub interface, e.g., aje0fapf84ofj57q1r0b.
      • SubjectClaims.preferred_username: Unique login for the user. The field value is the same as the one displayed in the Username field in the organization's user list in the Cloud Center's Identity Hub interface, e.g., ivanov@example-federation.ru.
      • SubjectClaims.name: User’s full name. The field value is the same as the one displayed in the User field in the organization's user list in the Cloud Center's Identity Hub interface, e.g., Ivan Ivanov.
      • SubjectClaims.given_name: Name. The field value is the same as the one displayed in the Name field under Personal info on the user info page in the Cloud Center's Identity Hub interface, e.g., Ivan.
      • SubjectClaims.family_name: Last name. The field value is the same as the one displayed in the Surname field under Personal info on the user info page in the Cloud Center's Identity Hub interface, e.g., Ivanov.
      • SubjectClaims.email: Email address. The field value is the same as the one displayed in the Email field on the user info page in the Cloud Center's Identity Hub interface, e.g., ivanov@example-company.ru.
      • SubjectClaims.phone_number: Phone number. The field value is the same as the one displayed in the Phone field under Personal info on the user info page in the Cloud Center's Identity Hub interface, e.g., +74951234567.

      Note

      You can add any of these attribute values more than once under different names.

    3. Click Add.

  6. To modify an existing attribute, click its row and do the following in the window that opens:

    1. Edit the attribute name and/or value.

      You cannot change the name of the NameID attribute in which the user ID is provided. You can change the ID format for this attribute, unless the attribute's format is explicitly specified in the service provider's SAML request. When the format changes, the attribute value changes automatically. Possible attribute formats and values:

      • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: User ID is provided in email address format in the SubjectClaims.preferred_username attribute. This is the default format.

        The uniqueness and invariability of the provided ID are not guaranteed: one organization may have two users with the same preferred_username ID. For example, a federated and a local user can have the same value for this attribute.

        If the federated user's preferred_username ID is not in email format, the provided ID will be automatically suffixed with @<identity_federation_ID> to bring it to that format.

      • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent: User ID is provided in the SubjectClaims.sub attribute in the organization's user ID format. In this case, the provided value is guaranteed to be unique and invariable.

      Warning

      If the service provider's SAML request explicitly indicates the expected user's NameID value format, then the SAML response will present the value in the format specified in the SAML request. In this case, the format value specified in the Identity Hub settings will be ignored.

    2. Click Update.

  7. To delete an existing user or group attribute, click in its row and select Delete, then confirm the deletion.

    Note

    You can delete any attributes except the required NameID attribute.

Make sure the attributes you added are also added to the SAML app's integration settings and can be processed correctly on the service provider's side.
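
Because NameID in the default emailAddress format is not guaranteed to be unique, a service provider should key local accounts on the SubjectClaims.sub value instead. The following is an added example, not Yandex Cloud code: it assumes the assertion has already passed signature validation and that an attribute with the hypothetical name `user_id` was added with the value SubjectClaims.sub; the sample assertions are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def stable_user_key(assertion_xml, sub_attribute="user_id"):
    """Return an identifier that is safe to key a local account on.

    sub_attribute is an assumed attribute name, configured on the
    Attributes tab with the value SubjectClaims.sub.
    """
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion has no NameID")
    if node.get("Format") == PERSISTENT:
        return node.text.strip()  # SubjectClaims.sub: unique and invariable
    # emailAddress carries preferred_username, which two users can share,
    # so fall back to the attribute mapped to SubjectClaims.sub.
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == sub_attribute:
            value = attr.findtext("saml:AttributeValue", "", NS).strip()
            if value:
                return value
    raise LookupError("no unique identifier: NameID is not persistent "
                      "and the SubjectClaims.sub attribute is missing")


def sample_assertion(fmt, name_id, sub=None):
    """Build a constructed, unsigned assertion for the demonstration."""
    attrs = ""
    if sub is not None:
        attrs = ('<saml:AttributeStatement><saml:Attribute Name="user_id">'
                 f"<saml:AttributeValue>{sub}</saml:AttributeValue>"
                 "</saml:Attribute></saml:AttributeStatement>")
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            f'<saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID>'
            f"</saml:Subject>{attrs}</saml:Assertion>")


if __name__ == "__main__":
    login = "ivanov@example-federation.ru"
    # Two users sharing one login still resolve to different keys.
    print(stable_user_key(sample_assertion(EMAIL, login, "aje0fapf84ofj57q1r0b")))
    print(stable_user_key(sample_assertion(EMAIL, login, "constructed-second-id")))
```
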

Update the list of app users and groups

To update the list of your organization's users permitted to authenticate in the external app through the SAML app:

Cloud Center UI
  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Apps and select the required app.

  3. Navigate to the Users and groups tab.

  4. To add a user or user group to a SAML app:

    1. Click Add users.
    2. In the window that opens, select the required user or user group.
    3. Click Add.
  5. To delete a user or user group from a SAML app:

    1. In the list of users and groups, click and select Delete next to the user or user group.
    2. Confirm the deletion.

See also

  • Creating a SAML application in Yandex Identity Hub
  • Deactivating and deleting a SAML application in Yandex Identity Hub
  • Adding a user
  • SAML applications
  • Managing user groups
