© 2026 Direct Cursus Technology L.L.C.

Creating an OIDC application in Yandex Identity Hub for integration with Cloud.ru

Written by
Yandex Cloud
Updated at March 24, 2026
  • Create an app
  • Set up the integration
    • Configure your OIDC application in Yandex Identity Hub
    • Set up the OIDC app in Cloud.ru
    • Configure the redirect URI in Yandex Identity Hub
    • Add users
  • Make sure your application works correctly

Cloud.ru is a Russian provider of cloud services, spanning IaaS, PaaS, AI/ML tools, and solutions for public, private, and hybrid cloud deployments, including support for infrastructure migration and operation. Cloud.ru supports OpenID Connect (OIDC) authentication to provide secure SSO for your organization's users.

To authenticate your organization's users to Cloud.ru with OpenID Connect SSO, create an OIDC app in Identity Hub and configure it appropriately both in Identity Hub and Cloud.ru.

OIDC apps can be managed by users with the organization-manager.oauthApplications.admin role or higher.

For the users of your organization to be able to access Cloud.ru:

  1. Create an app.
  2. Set up the integration.
  3. Make sure the application works correctly.

Create an app

Cloud Center UI

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps.
  3. In the top-right corner, click Create application and in the window that opens:
    1. Select the OIDC (OpenID Connect) single sign-on method.

    2. In the Name field, specify a name for your new app: cloud-ru-oidc-app.

    3. In the Folder field, select the folder where you want to create an OAuth client for your app.

    4. Optionally, in the Description field, enter a description for the new app.

    5. Optionally, add labels:

      1. Click Add label.
      2. Enter a label in key: value format.
      3. Press Enter.
    6. Click Create application.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. See the description of the CLI command for creating an OIDC app:

    yc organization-manager idp application oauth application create --help
    
  2. Create an OAuth client:

    yc iam oauth-client create \
      --name cloud-ru-oauth-client \
      --scopes openid,email,profile
    

    Where:

    • --name: OAuth client name.
    • --scopes: User attributes available to Cloud.ru. The specified attributes are:
      • openid: User ID. Required attribute.
      • email: User email address.
      • profile: Additional user details, such as first name, last name, and avatar.

    Result:

    id: ajeqqip130i1********
    name: cloud-ru-oauth-client
    folder_id: b1g500m2195v********
    status: ACTIVE
    

    Save the id field value: you will need it to create and configure your app.

  3. Create a secret for your OAuth client:

    yc iam oauth-client-secret create \
      --oauth-client-id <OAuth_client_ID>
    

    Result:

    oauth_client_secret:
      id: ajeq9jfrmc5t********
      oauth_client_id: ajeqqip130i1********
      masked_secret: yccs__939233b8ac****
      created_at: "2025-10-21T10:14:17.861652377Z"
    secret_value: yccs__939233b8ac********
    

    Save the secret_value field value: you will need it to configure Cloud.ru.

  4. Create an OIDC app:

    yc organization-manager idp application oauth application create \
      --organization-id <organization_ID> \
      --name cloud-ru-oidc-app \
      --description "OIDC application for integration with Cloud.ru" \
      --client-id <OAuth_client_ID> \
      --authorized-scopes openid,email,profile \
      --group-distribution-type none
    

    Where:

    • --organization-id: ID of the organization you want to create your OIDC app in. This is a required parameter.
    • --name: OIDC app name. This is a required parameter.
    • --description: OIDC app description. This is an optional parameter.
    • --client-id: OAuth client ID you got in Step 2. This is a required parameter.
    • --authorized-scopes: Specify the same attributes as when creating the OAuth client.
    • --group-distribution-type: Set to none as user groups are not provided to Cloud.ru.

    Result:

    id: ek0o663g4rs2********
    name: cloud-ru-oidc-app
    organization_id: bpf2c65rqcl8********
    group_claims_settings:
      group_distribution_type: NONE
    client_grant:
      client_id: ajeqqip130i1********
      authorized_scopes:
        - openid
        - email
        - profile
    status: ACTIVE
    created_at: "2025-10-21T10:51:28.790866Z"
    updated_at: "2025-10-21T12:37:19.274522Z"
    

Set up the integration

To configure Cloud.ru integration with the OIDC app you created in Yandex Identity Hub, complete the setup both in Cloud.ru and Yandex Identity Hub.

Configure your OIDC application in Yandex Identity Hub

Get the application's credentials

Cloud Center UI

  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Apps, then select the OIDC app.

  3. On the Overview tab, under Identity provider (IdP) configuration, expand the Additional attributes section and copy the parameter values you need to specify in Cloud.ru:

    • ClientID: Unique application ID.
    • OpenID Configuration: URL with the configuration of all parameters required to set up the integration.
    • Authorization endpoint: URL to which the service provider will redirect the user for authentication.
    • Token endpoint: URL to which the external application sends a request to obtain an ID token and access token.
    • Userinfo endpoint: URL the external application can use to obtain user attributes.
  4. Under App secrets, click Add secret, and in the window that opens:

    1. Optionally, add a description for the new secret.
    2. Click Create.

    The window will display the generated application secret. Save this value.

    Warning

    If you refresh or close the application information page, you will not be able to view the secret again.

    If you closed or refreshed the page before saving the secret, click Add secret to create a new one.

    To delete a secret, in the list of secrets on the OIDC app page, click in the secret row and select Delete.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. Get information about your new OIDC application:

    yc organization-manager idp application oauth application get <app_ID>
    

    Where <app_ID> is your OIDC app ID you got when creating the app.

    This will return the application information, including the following:

    id: ek0o663g4rs2********
    name: cloud-ru-oidc-app
    organization_id: bpf2c65rqcl8********
    client_grant:
      client_id: ajeqqip130i1********
      authorized_scopes:
        - openid
        - email
        - profile
    

    Save the client_id value: you will need it to configure Cloud.ru.

  2. Get the OpenID Connect Discovery configuration URL:

    yc organization-manager idp application oauth application get <app_ID> \
      --format json | jq -r '.client_grant.issuer_uri'
    

    The result will look as follows:

    https://auth.yandex.cloud/oauth/<OAuth_client_ID>
    

    Save this URL: this is the OpenID Connect Discovery URL you will need to configure Cloud.ru.

  3. Use the OAuth client secret that you saved when creating the app in the previous step. If you have not saved the secret, create a new one:

    yc iam oauth-client-secret create \
      --oauth-client-id <OAuth_client_ID>
    

    Save the secret_value from the command output: this is the client secret you will need to configure Cloud.ru.

Set up the OIDC app in Cloud.ru

  1. Log in to the Cloud.ru console.

  2. Navigate to the Federations tab in the Administration section.

  3. Click Create federation and select the OpenID protocol type.

  4. Enter the federation name and description.

  5. Set the session duration.

    Note

    The maximum lifetime of an SSO session can be set to a value from 30 minutes to 7 days. If there is no activity, the session is automatically terminated and re-authentication is required.

  6. Fill in the fields using the values of OIDC application settings in Yandex Identity Hub:

    1. Auth URL: Authorization endpoint field value.
    2. Userinfo URL: Userinfo endpoint field value.
    3. Token URL: Token endpoint field value.
    4. Logout URL: end_session_endpoint value from OpenID Configuration.
    5. Client ID: ClientID field value.
    6. Client Secret: App secrets section value.
    7. JWKS URI: jwks_uri value from OpenID Configuration.
  7. Click Create.

  8. In the list of federations, find the new federation and copy its ID. Save this ID as you will need it later.
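
The Logout URL and JWKS URI in step 6 come from the OpenID Configuration document rather than from the Overview tab. The Python sketch below is an added example, not part of the Yandex Cloud or Cloud.ru documentation: it maps a discovery document to the Cloud.ru form fields and rejects a document whose issuer does not match, whose endpoints are not HTTPS, or which does not offer the scopes granted to the app. The host, client ID, and endpoint paths in the sample are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Cloud.ru form field (from the tutorial) -> OIDC Discovery metadata key.
FIELD_MAP = {
    "Auth URL": "authorization_endpoint",
    "Userinfo URL": "userinfo_endpoint",
    "Token URL": "token_endpoint",
    "Logout URL": "end_session_endpoint",
    "JWKS URI": "jwks_uri",
}
REQUIRED_SCOPES = {"openid", "email", "profile"}  # scopes granted to the app

# Constructed sample: host, client ID and paths are placeholders, not real
# Yandex Identity Hub values. Use the document your own issuer serves.
ISSUER = "https://idp.example.test/oauth/EXAMPLE_CLIENT_ID"
SAMPLE = json.loads("""
{
  "issuer": "https://idp.example.test/oauth/EXAMPLE_CLIENT_ID",
  "authorization_endpoint": "https://idp.example.test/oauth/authorize",
  "token_endpoint": "https://idp.example.test/oauth/token",
  "userinfo_endpoint": "https://idp.example.test/oauth/userinfo",
  "end_session_endpoint": "https://idp.example.test/oauth/logout",
  "jwks_uri": "https://idp.example.test/oauth/jwks/keys",
  "scopes_supported": ["openid", "email", "profile"]
}
""")


def federation_fields(discovery, expected_issuer):
    """Return {Cloud.ru field: URL}; raise ValueError on a bad document."""
    # Discovery requires the issuer in the document to match the one requested.
    if discovery.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {discovery.get('issuer')!r}")
    # scopes_supported is optional; check it only when the IdP publishes it.
    missing = REQUIRED_SCOPES - set(discovery.get("scopes_supported", REQUIRED_SCOPES))
    if missing:
        raise ValueError(f"scopes not offered: {sorted(missing)}")
    fields = {}
    for label, key in FIELD_MAP.items():
        url = discovery.get(key)
        parts = urlsplit(url or "")
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"{key} missing or not an https URL: {url!r}")
        fields[label] = url
    return fields


if __name__ == "__main__":
    for label, url in federation_fields(SAMPLE, ISSUER).items():
        print(f"{label}: {url}")
```
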

Configure the redirect URI in Yandex Identity Hub

Cloud Center UI

  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Apps, then select the OIDC app.

  3. At the top right, click Edit and in the window that opens:

    1. In the Redirect URI field, specify the authentication endpoint for your Cloud.ru instance formatted as follows:

      https://id.cloud.ru/auth/system/idp/<Cloud.ru_federation_ID>/callback
      

      For example: https://id.cloud.ru/auth/system/idp/5ca1bc33-7e8a-711a-b29a-a8a121eda1cd/callback.

    2. Click Save.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. Update your OAuth client by providing the redirect URI:

    yc iam oauth-client update \
      --id <OAuth_client_ID> \
      --redirect-uris "https://id.cloud.ru/auth/system/idp/<Cloud.ru_federation_ID>/callback"
    

    Where:

    • <OAuth_client_ID>: OAuth client ID you got when you created it.
    • --redirect-uris: Authentication endpoint for your Cloud.ru instance. For example: https://id.cloud.ru/auth/system/idp/5ca1bc33-7e8a-711a-b29a-a8a121eda1cd/callback.

    Result:

    id: ajeiu3otac08********
    name: cloud-ru-oauth-client
    redirect_uris:
      - https://id.cloud.ru/auth/system/idp/5ca1bc33-7e8a-711a-b29a-a8a121eda1cd/callback
    scopes:
      - openid
      - email
      - profile
    folder_id: b1gkd6dks6i1********
    status: ACTIVE
    

Add users

To enable your organization's users to authenticate to Cloud.ru using the Yandex Identity Hub OIDC application, you must explicitly add their accounts both to the application and to the Cloud.ru federation.

Note

Users and groups added to an OIDC application can be managed by a user with the organization-manager.oidcApplications.userAdmin role or higher.

Add users to the Yandex Identity Hub OIDC application

Cloud Center UI

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps and select the required app.
  3. Navigate to the Users and groups tab.
  4. Click Add users.
  5. In the window that opens, select the required user.
  6. Click Add.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. Get the user ID.

  2. To add a user to the application:

    1. See the description of the CLI command for adding users to an app:

      yc organization-manager idp application oauth application add-assignments --help
      
    2. Run this command:

      yc organization-manager idp application oauth application add-assignments \
        --id <app_ID> \
        --subject-id <user_ID>
      

      Where:

      • --id: OIDC app ID.
      • --subject-id: User ID.

      Result:

      assignment_deltas:
        - action: ADD
          assignment:
            subject_id: ajetvnq2mil8********
      

Alert

Make sure the user's email attribute is specified and matches their account email address in the Cloud.ru federation.

Add users to the Cloud.ru federation

  1. Log in to the Cloud.ru console.
  2. Open the Users section and go to the Federated users tab.
  3. In the top-right corner, click Add federation user.
  4. Select the federation you want to add the user to.
  5. Specify the user's email address.
  6. Grant the user access permissions for projects and platforms.
  7. Click Add.

Make sure your application works correctly

To make sure both your OIDC app and its integration with Cloud.ru work correctly, authenticate to Cloud.ru as one of the users you added to the app.

Proceed as follows:

  1. In your browser, open the Cloud.ru console login page.
  2. If you were logged in, log out.
  3. On the login screen, click SSO.
  4. In the dialog that appears, enter the ID of the federation you created and click Log in.
  5. On the Yandex Cloud authentication page, enter the email address and user password.
  6. Make sure you have successfully authenticated to Cloud.ru.
