Creating a SAML app in Yandex Identity Hub for integration with VK Cloud
For your organization's users to be able to authenticate in VK Cloud via SAML SSO, create a SAML app in Yandex Identity Hub and configure it both on the Yandex Cloud and VK Cloud side.
SAML apps can be managed by users with the organization-manager.samlApplications.admin role or higher.
To give your organization's users access to VK Cloud:
- Create an app.
- Set up the integration.
- Add users and configure permissions.
- Make sure the application works correctly.
Create an app
- Log in to Yandex Identity Hub.
- In the left-hand panel, select Apps.
- In the top-right corner, click Create application and in the window that opens:
  - Select the SAML (Security Assertion Markup Language) single sign-on method.
  - In the Name field, specify a name for your new app: vkcloud-saml.
  - Optionally, in the Description field, enter a description for the new app.
  - Optionally, add labels:
    - Click Add label.
    - Enter a label in key: value format.
    - Press Enter.
  - Click Create application.
Set up the integration
To integrate VK Cloud with the SAML app you created in Yandex Identity Hub, complete the setup both on the VK Cloud and Yandex Identity Hub side.
Configuring an identity federation on the VK Cloud side
Note
Only a project owner can create an identity federation in VK Cloud.
- Get the metadata for the new app:
  - Log in to Yandex Identity Hub.
  - In the left-hand panel, select Apps and then the SAML app.
  - On the Overview tab, under Identity provider (IdP) configuration, click Download metadata file.
    The downloaded XML file contains the required metadata and a certificate used for SAML response signature verification.
- Create an identity federation in VK Cloud using Yandex Identity Hub metadata:
  - Go to your VK Cloud account.
  - Open the Identity federation section and navigate to the Federations tab.
  - Click Create.
  - Click Upload IdP metadata and upload the XML metadata file you downloaded from Yandex Identity Hub.
  - Click Upload.
- In the new federation's info, copy and save the federation ID. You will need it to set up a SAML application in Yandex Identity Hub and to manage federated user sign-ins.
Set up the SAML application in Yandex Identity Hub
Set up service provider endpoints
- Log in to Yandex Identity Hub.
- In the left-hand panel, select Apps and then the SAML app.
- At the top right, click Edit and in the window that opens:
  - In the SP EntityID field, specify the address https://msk.cloud.vk.com/federation-service/v1/federation/saml/<federation_ID>/metadata, where <federation_ID> is the federation ID you copied when creating the federation in VK Cloud.
  - In the ACS URL field, enter this address: https://msk.cloud.vk.com/federation-service/v1/federation/saml/<federation_ID>/acs.
  - Click Save.
Configure user attributes
Warning
For the federation to function correctly in VK Cloud, SAML attribute names must have URI prefixes: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ for user attributes and http://schemas.xmlsoap.org/claims/ for the group attribute.
Without these prefixes (or if the attribute name differs in case, e.g., Group), attribute mapping in VK Cloud may fail.
Set user attributes for integration with VK Cloud:
- Log in to Yandex Identity Hub.
- In the left-hand panel, select Apps and select the desired app.
- Navigate to the Attributes tab.
- Make sure the attributes are configured as follows:

  Attribute | Value
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | SubjectClaims.email
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SubjectClaims.firstName
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | SubjectClaims.lastName

- If you plan to use group mapping, add an attribute for group transfer:
  - Click Attribute name.
  - In the Attribute name field, specify http://schemas.xmlsoap.org/claims/Group.
  - In the Value field, specify SubjectClaims.groups.
  - Click Save.
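When a federated sign-in fails with an attribute-mapping error, the fastest diagnosis is to look at the attribute names the IdP actually sent and compare them with the names in the table above, exactly and case-sensitively. The following is an added example (not code from the Yandex Cloud docs or from VK Cloud) that reads the AttributeStatement of a SAML assertion, maps the expected names to the email, first-name, last-name and group claims, and reports the two failure modes the warning above describes: a missing URI prefix and a case mismatch. Group values are lowercased for comparison because the group-mapping step in VK Cloud takes IdP group names in lowercase. Both assertions are constructed, unsigned samples; a real integration must verify the assertion signature against the IdP certificate before trusting any attribute.

```python
"""Check that a SAML assertion carries the attribute names VK Cloud expects.

Added example, not part of the Yandex Cloud docs or VK Cloud tooling. The
assertions below are constructed and unsigned; this check is for diagnosing
attribute mapping, not a substitute for signature verification.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

USER_PREFIX = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
GROUP_PREFIX = "http://schemas.xmlsoap.org/claims/"

# Attribute names from the page, mapped to the claim each one carries.
EXPECTED = {
    USER_PREFIX + "emailaddress": "email",
    USER_PREFIX + "name": "first_name",
    USER_PREFIX + "surname": "last_name",
    GROUP_PREFIX + "Group": "groups",  # optional, only for group mapping
}
REQUIRED = ("email", "first_name", "last_name")


def check_assertion_attributes(assertion_xml: str) -> dict:
    """Map attribute names to claims; list prefix/case problems and missing claims."""
    root = ET.fromstring(assertion_xml)
    claims, problems, ignored = {}, [], []
    stmt = root.find(".//saml:AttributeStatement", NS)
    if stmt is None:
        return {"claims": claims, "problems": ["no AttributeStatement"], "ignored": ignored}
    by_lower = {k.lower(): k for k in EXPECTED}
    bare_names = {k.rsplit("/", 1)[-1].lower() for k in EXPECTED}
    for attr in stmt.findall("saml:Attribute", NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        if name in EXPECTED:
            claim = EXPECTED[name]
            if claim == "groups":
                # VK Cloud group mapping uses lowercase IdP group names (see the
                # page), so normalise here to match what will be configured there.
                claims[claim] = sorted({v.lower() for v in values if v})
            else:
                claims[claim] = values[0] if values else ""
        elif name.lower() in by_lower:
            problems.append(f"case mismatch: got {name!r}, expected {by_lower[name.lower()]!r}")
        elif name.lower() in bare_names:
            problems.append(f"missing URI prefix on attribute {name!r}")
        else:
            ignored.append(name)  # extra attributes are harmless, just not mapped
    for claim in REQUIRED:
        if not claims.get(claim):
            problems.append(f"required claim {claim!r} missing or empty")
    return {"claims": claims, "problems": problems, "ignored": ignored}


# Constructed assertion matching the attribute table on the page.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>user@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Cloud-Admins</saml:AttributeValue>
      <saml:AttributeValue>developers</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed assertion with the mistakes the warning on the page describes.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c2" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="emailaddress">
      <saml:AttributeValue>user@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Name">
      <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>developers</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, xml in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        result = check_assertion_attributes(xml)
        print(label, "claims:", result["claims"])
        for p in result["problems"]:
            print(label, "problem:", p)
```

To use it on a real sign-in, paste the decoded assertion captured from the browser (for example with a SAML tracing extension) in place of the constructed samples; the problems list then points directly at the attribute whose name needs correcting on the Attributes tab.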
Add users and configure permissions
For the users of your organization to be able to authenticate in VK Cloud via a SAML application in Yandex Identity Hub, add them to the application and configure access permissions in VK Cloud.
Note
Users and groups added to a SAML application can be managed by a user with the organization-manager.samlApplications.userAdmin role or higher.
Add users to the Yandex Identity Hub SAML application
- Log in to Yandex Identity Hub.
- In the left-hand panel, select Apps and select the required app.
- Navigate to the Users and groups tab.
- Click Add users.
- In the window that opens, select the users.
- Click Add.
Configure group and role mapping in VK Cloud
To define federated users' access permissions in VK Cloud, configure mappings between IdP groups and VK Cloud roles.
- Go to your VK Cloud account.
- Open the Identity federation section and navigate to the Groups tab.
- Select the project you want to configure the federation for.
- Click Add (or Add group if groups already exist).
- Specify the IdP group name in lowercase and select the scope of permissions (Domain or Project), then proceed to assign roles.
- Click Add.
Make sure your application works correctly
To make sure your SAML app and its integration with VK Cloud work correctly, sign in to VK Cloud as one of the users you added to the app.
Proceed as follows:
- In your browser, open the federated user sign-in URL: https://cloud.vk.com/v1/federation/saml/<federation_ID>/signin, where <federation_ID> is the federation ID you copied when creating the federation in VK Cloud.
- Authenticate in Yandex Cloud under a user account from your organization.
- Make sure you have signed in to VK Cloud following authentication.