Discuss with expertTry it for free
© 2026 Direct Cursus Technology L.L.C.

Creating an OIDC application in Yandex Identity Hub for integration with Harbor

Written by
Updated at May 19, 2026

Harbor is an open-source registry of container development artifacts: container images, Helm charts, and other data types. Harbor supports authentication via OpenID Connect (OIDC), allowing you to use an external identity provider for user single sign-on.

For the users of your organization to sign in to Harbor using OpenID Connect, create an OIDC application in Yandex Identity Hub and set up the integration both in Yandex Identity Hub and Harbor.

OIDC apps can be managed by users with the organization-manager.oauthApplications.admin role or higher.

To grant access to Harbor to organization users:

  1. Create an app.
  2. Set up the integration.
  3. Make sure the application works correctly.

Create an app

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select  Apps.
  3. In the top-right corner, click Create application and in the window that opens:

    1. Select the OIDC (OpenID Connect) single sign-on method.

    2. In the Name field, specify a name for your new app: harbor-oidc-app.

    3. In the Folder field, select the folder where you want to create an OAuth client for your app.

    4. Optionally, in the Description field, enter a description for the new app.

    5. Optionally, add labels:

      1. Click Add label.
      2. Add a label in key: value format.
      3. Press Enter.

    6. Click Create application.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the CLI command for creating an OIDC app:

    yc organization-manager idp application oauth application create --help

  2. Create an OAuth client:

    yc iam oauth-client create \
  --name harbor-oauth-client \
  --scopes openid,email,profile,groups

    Where:

    • --name: OAuth client name.
    • --scopes: User attributes available to Harbor. The specified attributes are:
      • openid: User ID. Required attribute.
      • email: User email address.
      • profile: Additional user details, such as first name, last name, and avatar.
      • groups: User groups in the organization.

    Result:

    id: ajeqqip130i1********
name: harbor-oauth-client
folder_id: b1g500m2195v********
status: ACTIVE

    Save the id field value for when you need to create and configure your app.

  3. Create a secret for your OAuth client:

    yc iam oauth-client-secret create \
  --oauth-client-id <OAuth_client_ID>

    Result:

    oauth_client_secret:
  id: ajeq9jfrmc5t********
  oauth_client_id: ajeqqip130i1********
  masked_secret: yccs__939233b8ac****
  created_at: "2025-10-21T10:14:17.861652377Z"
secret_value: yccs__939233b8ac********

    Save the secret_value field value for when you need to configure Harbor.

  4. Create an OIDC app:

    yc organization-manager idp application oauth application create \
  --organization-id <organization_ID> \
  --name harbor-oidc-app \
  --description "OIDC application for integration with Harbor" \
  --client-id <OAuth_client_ID> \
  --authorized-scopes openid,email,profile,groups \
  --group-distribution-type assigned-groups

    Where:

    • --organization-id: ID of the organization you want to create your OIDC app in. This is a required setting.
    • --name: OIDC app name. This is a required setting.
    • --description: OIDC app description. This is an optional setting.
    • --client-id: OAuth client ID you got in Step 2. This is a required setting.
    • --authorized-scopes: Specify the same attributes as when creating the OAuth client.
    • --group-distribution-type: Specify assigned-groups to provide to Harbor only the groups added to the application.

    Result:

    id: ek0o663g4rs2********
name: harbor-oidc-app
organization_id: bpf2c65rqcl8********
group_claims_settings:
  group_distribution_type: ASSIGNED_GROUPS
client_grant:
  client_id: ajeqqip130i1********
  authorized_scopes:
    - openid
    - email
    - profile
    - groups
status: ACTIVE
created_at: "2025-10-21T10:51:28.790866Z"
updated_at: "2025-10-21T12:37:19.274522Z"

Set up the integration

To set up Harbor integration with the OIDC app you created in Yandex Identity Hub, follow the steps both in Yandex Identity Hub and Harbor.

Check that the Harbor URL (portal and registry) is accessible via HTTPS with a trusted certificate: this is required for correct OIDC redirects.

Configure your OIDC application in Yandex Identity Hub

Get the application’s credentials

  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Apps and then, the OIDC app.

  3. On the Overview tab, under Identity provider (IdP) configuration, expand the Additional attributes section and copy the parameter values you need to set in Harbor:

    • ClientID: Unique application ID.
    • OpenID Configuration: URL with the configuration of all parameters required to set up the integration.

  4. Under App secrets, click Add secret, and in the window that opens:

    1. Optionally, add a description for the new secret.
    2. Click Create.

    The window will display the generated application secret. Save this value.

    Warning

    If you refresh or close the application information page, you will not be able to view the secret again.

    If you closed or refreshed the page before saving the secret, click Add secret to create a new one.

    To delete a secret, in the list of secrets on the OIDC app page, click in the secret row and select Delete.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. Get information about your new OIDC application:

    yc organization-manager idp application oauth application get <app_ID>

    Where <app_ID> is your OIDC app ID you got when creating the app.

    This will return the application information, including the following:

    id: ek0o663g4rs2********
name: harbor-oidc-app
organization_id: bpf2c65rqcl8********
client_grant:
  client_id: ajeqqip130i1********
  authorized_scopes:
    - openid
    - email
    - profile
    - groups

    Save the client_id value: this is the client ID you need to configure Harbor.

  2. Get the OpenID Connect Discovery configuration URL:

    yc organization-manager idp application oauth application get <app_ID> \
  --format json | jq -r '.client_grant.issuer_uri'

    The result will look as follows:

    https://auth.yandex.cloud/oauth/<OAuth_client_ID>

    Save this URL to test OpenID Connect Discovery for availability. In the OIDC Provider Endpoint field in Harbor, specify the provider's base address: https://auth.yandex.cloud (without the /.well-known/openid-configuration suffix).

  3. Use the OAuth client secret that you saved when creating the app in the previous step. If you have not saved the secret, create a new one:

    yc iam oauth-client-secret create \
  --oauth-client-id <OAuth_client_ID>

    Save the secret_value from the command output: this is the client secret you need to configure Harbor.

Configure the redirect URI

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps and then, the OIDC app.
  3. At the top right, click Edit and in the window that opens:

    1. In the Redirect URI field, specify the endpoint in the following format:

      https://<Harbor_domain>/c/oidc/callback

    2. In the Scopes field, check the groups (user's groups in the organization) attribute and select Assigned groups only.

    3. Click Save.

Update your OAuth client by providing the redirect URI:

yc iam oauth-client update \
  --id <OAuth_client_ID> \
  --redirect-uris "https://<Harbor_domain>/c/oidc/callback"

Where:

  • <OAuth_client_ID>: OAuth client ID you got when you created it.
  • --redirect-uris: Harbor callback endpoint, e.g., https://reg.example.com/c/oidc/callback.

Result:

id: ajeiu3otac08********
name: harbor-oauth-client
redirect_uris:
  - https://reg.example.com/c/oidc/callback
scopes:
  - openid
  - email
  - profile
  - groups
folder_id: b1gkd6dks6i1********
status: ACTIVE

Set up Harbor

On the Harbor side, you should act under the system administrator account.

Install Harbor

  1. If you do not have the Harbor registry yet, install it on your VM: install Docker Engine version 20.10.10 or higher and the docker compose plugin in advance. To learn how to install Docker on Ubuntu, see this official Docker guide.

  2. Connect to the VM via SSH, navigate to the unpacked Harbor installer directory, and make sure that Docker and docker compose are available:

    docker --version
docker compose version

  3. Create a configuration file from a template:

    cp harbor.yml.tmpl harbor.yml

  4. Open harbor.yml and set the required parameters:

    • hostname: VM FQDN for access to Harbor. We recommend to use a domain name for OIDC.
    • harbor_admin_password: Harbor administrator password.
    • database.password: Harbor local database password.
    • https section parameters (port, certificate, private_key): Specify the paths to the certificate and key for access to Harbor via TLS.

    For more information on the file parameters, see this Harbor guide: Configure the Harbor YML File.

  5. Configure external TLS for Harbor:

    Specify the path to the certificate in harbor.yml. Detailed guide: Configure HTTPS Access to Harbor.

  6. Optionally, enable internal TLS between Harbor components via the internal_tls section in harbor.yml.

    This step is recommended for production installations with increased internal traffic protection requirements. For more information, see the following: Configure Internal TLS communication between Harbor Component.

  7. Run Harbor installation from the installer directory:

    sudo ./install.sh

    For more information, see the following: Run the Installer Script.

  8. Log in to the Harbor web interface using an administrator account.

Set up authentication

Note

To switch Harbor to OIDC mode, there must be no user accounts in the Harbor database other than the built-in administrator account (this rule remains in effect after the first administrator sign-in: it is enough to have no other local users). For more information, see this Harbor OIDC guide.

Before configuring OIDC, make sure the web interface is accessible via HTTPS. This is a mandatory condition: Harbor uses a callback URL of this format: https://<Harbor_domain>/c/oidc/callback.

  1. Open the Administration section and go to Configuration.

  2. Open the Authentication tab.

  3. In the Auth Mode field, select OIDC.

  4. Fill in the OIDC provider fields:

    • OIDC Provider Name: Any login button name, e.g., Yandex Identity Hub.
    • OIDC Provider Endpoint: OIDC provider's base address: https://auth.yandex.cloud. If you copy the value from the OpenID Configuration field, remove the /.well-known/openid-configuration suffix from it.
    • OIDC Client ID: ClientID value.
    • OIDC Client Secret: Previously saved OAuth client secret.
    • OIDC Scope: Specify separated by commas, openid,profile,email,groups.
    • Verify Certificate: Leave enabled if the identity provider certificate is trusted for Harbor.

  5. If you plan to transfer groups from Yandex Identity Hub to Harbor:

    • Under Group Claim Name, specify groups.
    • If necessary, set OIDC Admin Group and OIDC Group Filter as per this Harbor guide.

  6. Optionally, enable Automatic onboarding if you do not want to specify your Harbor username manually the first time you log in. In the Username Claim field, enter the ID token claim you want to use as a login (preferred_username is recommended; you can also use email. Align the selected value with the attributes returned by Yandex Identity Hub).

  7. Make sure the Redirect URI value at the bottom of the page matches the one you specified in the OIDC application in Yandex Identity Hub (https://<Harbor_domain>/c/oidc/callback).

  8. Click Test OIDC Server and make sure the test runs without errors.

  9. Click Save.

For more information on OIDC mode fields and limitations, see this official Harbor guide.

Add a user

For the organization users to sign in to Harbor through the Yandex Identity Hub OIDC app, explicitly add the users and/or user groups to the app.

Note

Users and groups added to an OIDC application can be managed by a user with the organization-manager.oidcApplications.userAdmin role or higher.

Add a user to the application:

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps and select the required app.
  3. Navigate to the Users and groups tab.
  4. Click Add users.
  5. In the window that opens, select the required user or user group.
  6. Click Add.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. Get the user ID or user group ID.

  2. To add a user or user group to the app:

    1. See the description of the CLI command for adding users to an app:

      yc organization-manager idp application oauth application add-assignments --help

    2. Run this command:

      yc organization-manager idp application oauth application add-assignments \
  --id <app_ID> \
  --subject-id <user_or_group_ID>

      Where:

      • --id: OIDC app ID.
      • --subject-id: User or user group ID.

      Result:

      assignment_deltas:
  - action: ADD
    assignment:
      subject_id: ajetvnq2mil8********

Make sure your application works correctly

To test the OIDC app and its integration with Harbor, sign in to Harbor as the user you added to the app.

Follow these steps:

  1. In your browser, navigate to your Harbor instance address, e.g., https://<Harbor_domain>.
  2. If already signed in, sign out of your account.
  3. On the login page, click the OIDC login button (the text matches the value of the OIDC Provider Name field in Harbor).
  4. On the Yandex Cloud authentication page, enter the user's email and password. The user or group they belong to must be added to the application.
  5. Make sure you have successfully signed in to Harbor.
  6. Optionally, open the Harbor user's profile to check the user's group memberships, if group transfer has been configured.
Previous
Setting up SAML SSO in VK Cloud
Next
Setting up SAML SSO in Sentry