© 2026 Direct Cursus Technology L.L.C.

Creating a SAML app in Yandex Identity Hub for integration with OpenVPN Access Server

Written by
Yandex Cloud
Updated at January 13, 2026
  • Get OpenVPN Access Server ready
    • Get the administrator password
  • Create an app in Identity Hub
  • Set up the integration
    • Configure authentication on the OpenVPN Access Server side
    • Set up the SAML application in Yandex Identity Hub
    • Add a user
  • Make sure your application works correctly

Note

This feature is at the Preview stage.

For your organization's users to be able to authenticate in OpenVPN Access Server via SAML SSO, create a SAML app in Identity Hub and configure it on the Identity Hub side and OpenVPN Access Server side.

OpenVPN Access Server is built on and compatible with the OpenVPN open-source version. It provides clients for Windows, Mac, Android, and iOS. You can also use its web UI to manage connections.

SAML apps can be managed by users with the organization-manager.samlApplications.admin role or higher.

To grant access to OpenVPN Access Server to the users of your organization:

  1. Get OpenVPN Access Server ready.
  2. Create an app in Identity Hub.
  3. Set up the integration.
  4. Make sure the application works correctly.

Get OpenVPN Access Server ready

You can use your own OpenVPN Access Server installation or the SaaS version, or create a VM with OpenVPN Access Server in Yandex Cloud.

Creating a VM with OpenVPN Access Server in Yandex Cloud
Management console
  1. In the management console, select the folder where you want to create your VM.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, specify OpenVPN Access Server in the Product search field and select the OpenVPN Access Server image.

  6. Under Location, select the availability zone.

  7. Under Access, select SSH key and specify the VM access credentials:

    • In the Login field, enter the username: yc-user.
    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no SSH keys in your profile or you want to add a new key:

      1. Click Add key.

      2. Enter a name for the SSH key.

      3. Select one of the following:

        • Enter manually: Paste the contents of the public SSH key. You need to create an SSH key pair on your own.

        • Load from file: Upload the public part of the SSH key. You need to create an SSH key pair on your own.

        • Generate key: Automatically create an SSH key pair.

          When you add a new SSH key, an archive containing the key pair is created and downloaded. On Linux or macOS, unpack the archive to the /home/<user_name>/.ssh directory. On Windows, unpack the archive to the C:\Users\<user_name>\.ssh directory. You do not need to additionally enter the public key in the management console.

      4. Click Add.

      The system will add the SSH key to your organization user profile. If the organization has disabled the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.

  8. Under General information, specify the VM name: vpn-server.

  9. Click Create VM.

  10. This will open a window with the licensing model: BYOL (Bring Your Own License).

  11. Click Create.

Get the administrator password

The openvpn user with administrator privileges was created on the OpenVPN server in advance. The password is generated automatically when you create a VM.

Get the password from the serial port output or the serial console. The password appears in the following line:

To log in, please use the `openvpn` account with the <password> password.

Where <password> is the openvpn user password.

Log in to the admin panel using the openvpn username and the obtained password.

If you do not get the password after launching the VPN server for the first time, you need to re-create the VM running OpenVPN Access Server. The password is not displayed again on reboot.

Create an app in Identity Hub

Cloud Center UI
  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps.
  3. In the top-right corner, click Create application and in the window that opens:
    1. Select the SAML (Security Assertion Markup Language) single sign-on method.

    2. In the Name field, specify a name for your new app: ovpn-app.

    3. Optionally, in the Description field, enter a description for the new app.

    4. Optionally, add labels:

      1. Click Add label.
      2. Enter a label in key: value format.
      3. Press Enter.
    5. Click Create application.

  4. Save the Metadata URL value for the next step.

Set up the integration

Configure authentication on the OpenVPN Access Server side

Note

By default, the server has a self-signed certificate. If you need to replace this certificate, follow the steps here.

Add SAML authentication on the OpenVPN server:

  1. In your browser, open the OpenVPN Access Server admin interface. Its default address is https://<server_address>:943/admin.
  2. Enter the OpenVPN Access Server admin username and password.
  3. Click Agree. This will open the OpenVPN Admin Web UI home page.
  4. Expand the Authentication tab and open SAML.
  5. Set the Enable SAML authentication checkbox to Yes.
  6. Expand the Configure Identity Provider (IdP) Automatically via Metadata section.
  7. In the IdP Metadata URL field, enter the metadata file address you copied earlier.
  8. Click Get.
  9. Click Save settings.
  10. Copy the SP Identity and SP ACS values on this page.
    These URLs depend on the hostname setting your current setting of '<server_address>'.
       SP Identity: https://<server_address>/saml/metadata
       SP ACS: https://<server_address>/saml/acs
    
  11. Expand the Authentication tab and open Settings.
  12. Under Default Authentication System, select SAML.
  13. Click Save settings.
  14. Click Update running server.

Set up the SAML application in Yandex Identity Hub

Set up service provider endpoints

Cloud Center UI
  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps, then select the SAML app.
  3. At the top right, click Edit and in the window that opens:
    1. In the SP EntityID field, paste the SP Identity address you copied earlier.
    2. In the ACS URL field, paste the SP ACS address you copied earlier.
    3. Click Save.
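
A pre-flight check for the values exchanged in the steps above, as an added example that is not part of the original tutorial or of any Yandex Cloud or OpenVPN code. The function name preflight, the example.com host names and the sample metadata are constructed assumptions; the code parses standard SAML 2.0 IdP metadata and compares the SP EntityID and ACS URL with the forms shown on the OpenVPN SAML page.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: host names and certificate bytes are placeholders.
SAMPLE_CERT = base64.b64encode(b"constructed placeholder certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.com/saml/placeholder">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example.com/saml/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def preflight(metadata_xml, sp_entity_id, acs_url, server_address):
    """Return (summary, findings); no findings means the values are consistent."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("refusing metadata that carries a DTD or entities")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not IdP metadata")
    findings = []
    sso = [e.get("Location", "") for e in idp.findall("md:SingleSignOnService", NS)]
    findings += [f"IdP SSO endpoint is not HTTPS: {u}" for u in sso
                 if urlsplit(u).scheme != "https"]
    # SHA-256 of each signing certificate's DER bytes, to compare with the IdP side.
    prints = [hashlib.sha256(base64.b64decode("".join((c.text or "").split()))).hexdigest()
              for k in idp.findall("md:KeyDescriptor", NS)
              if k.get("use", "signing") == "signing"  # no "use" means both purposes
              for c in k.iterfind(".//ds:X509Certificate", NS)]
    if not prints:
        findings.append("metadata has no signing certificate")
    # The page gives both SP URLs as derived from the server's hostname setting.
    for label, got, path in (("SP EntityID", sp_entity_id, "/saml/metadata"),
                             ("ACS URL", acs_url, "/saml/acs")):
        want = f"https://{server_address}{path}"
        if got.strip() != want:
            findings.append(f"{label} is {got!r}, expected {want!r}")
    summary = {"entity_id": root.get("entityID"), "sso": sso, "sha256": prints}
    return summary, findings
```

Pass it the XML downloaded from the Metadata URL together with the SP Identity and SP ACS values copied from OpenVPN Access Server; any finding points at a value to correct before users attempt to sign in.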

Add a user

For the users of your organization to be able to authenticate in OpenVPN Access Server with Identity Hub's SAML app, you need to explicitly add these users and/or user groups to the SAML application.

Note

Users and groups added to a SAML application can be managed by a user with the organization-manager.samlApplications.userAdmin role or higher.

  1. Add users to the application:

    Cloud Center UI
    1. Log in to Yandex Identity Hub.
    2. In the left-hand panel, select Apps and select the required app.
    3. Navigate to the Users and groups tab.
    4. Click Add users.
    5. In the window that opens, select the required user or user group.
    6. Click Add.

Make sure your application works correctly

To make sure your SAML app and OpenVPN Access Server integration work correctly, authenticate to OpenVPN Access Server as one of the users you added to the app. Proceed as follows:

  1. In your browser, go to the OpenVPN Access Server client interface. Its default address is https://<server_address>:943/.
  2. On the authentication page, click Sign In With SAML.
  3. On the Yandex Cloud authentication page, enter the user email address and password. The user, or a group they belong to, must be added to the application.
  4. Make sure you have successfully authenticated to OpenVPN Access Server.
