Managing domains in a user pool
Note
This feature is at the Preview stage.
A domain allows you to authenticate through the Login Discovery system. When authenticating, a user with your domain will be redirected to your user pool.
Associating a domain
- Log in to Yandex Identity Hub using an administrator or organization owner account.
- In the left-hand panel, click User pools and select the user pool.
- In the top-right corner, click Add domain.
- Enter the domain name.
- Click Add.
To use the domain to add new users, have it verified.
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
-
See the description of the CLI command to associate a domain with a user pool:
yc organization-manager idp userpool domain add --help -
Run this command:
yc organization-manager idp userpool domain add <pool_ID> <domain>Result:
done (1s) domain: example. com status: NEED_TO_VALIDATE status_code: organization/domain-diagnostics#need-to-validate created_at: "2025-10-09T06:40:18.704791371Z" validated_at: "1970-01-01T00:00:00Z" challenges: - created_at: "2025-10-09T06:40:18.704791371Z" updated_at: "2025-10-09T06:40:18.704791371Z" type: DNS_TXT status: PENDING dns_challenge: name: _yandexcloud-challenge. example. com type: TXT value: TlHc5HKJDeQIgPqaoiiSXxgy3CWFD+MLMJJP********Save the
valueas you will need it to validate the domain.
Use the Userpool.AddDomain REST API method for the Userpool resource or the UserpoolService/AddDomain gRPC API call.
Verifying a domain
You can use only verified domains to add users.
- Log in to Yandex Identity Hub using an administrator or organization owner account.
- In the left-hand panel, click User pools and select the user pool.
- Select the domain you need to verify.
- In the section that opens, you will see the details you will need to pass the domain rights check.
- After completing the verification, click Confirm.
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
-
Confirm that the domain belongs to you:
-
Go to the DNS records management section on your domain's DNS provider's website:
-
Add a TXT record with the following parameters:
- Host or Subdomain:
_yandexcloud-challenge. - Text or Value: The
valuefield value you got after associating the domain.
- Host or Subdomain:
-
Wait for the DNS records to update. The update may take up to 72 hours.
-
-
See the description of the CLI command for validating your domain in a user pool:
yc organization-manager idp userpool domain validate --help -
Run this command:
yc organization-manager idp userpool domain validate <pool_ID> <domain> \ --name <domain>For example, validate
my-domain.ruinmy-federation:yc organization-manager federation saml validate-domain my-federation \ --domain my-domain.ru
Use the Userpool.ValidateDomain REST API method for the Userpool resource or the UserpoolService/ValidateDomain gRPC API call.
Getting a list of domains
- Log in to Yandex Identity Hub using an administrator or organization owner account.
- In the left-hand panel, click User pools.
- Select the pool from the user pool list.
- Under Domains, you will see a list of all available domains.
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
Use the Userpool.ListDomains REST API method for the Userpool resource or the UserpoolService/ListDomains gRPC API call.
Viewing information about a domain
- Log in to Yandex Identity Hub using an administrator or organization owner account.
- In the left-hand panel, click User pools.
- Select the required pool from the user pool list.
- Under Domains, click the domain name.
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
Use the Userpool.GetDomain REST API method for the Userpool resource or the UserpoolService/GetDomain gRPC API call.
Deleting a domain
You cannot delete the default domain or a domain with associated users.
- Log in to Yandex Identity Hub using an administrator or organization owner account.
- In the left-hand panel, click User pools and select the user pool.
- Under Domains, click next to the domain and select Delete.
- In the window that opens, confirm deleting the domain.
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
-
See the description of the CLI command for deleting a domain from a user pool:
yc organization-manager idp userpool domain delete --help -
Run this command:
yc organization-manager idp userpool domain delete <pool_ID> <domain>
Use the Userpool.DeleteDomain REST API method for the Userpool resource or the UserpoolService/DeleteDomain gRPC API call.