Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Creating an OIDC application in Yandex Identity Hub for integration with MWS

Written by
Updated at March 24, 2026

MTS Web Services (MWS) is an ecosystem of services and platform solutions for building and managing IT infrastructure. MWS supports OpenID Connect (OIDC) authentication to provide secure SSO for your organization's users.

To authenticate your organization's users to MWS with OpenID Connect SSO, create an OIDC app in Identity Hub and configure it appropriately both in Identity Hub and MWS.

OIDC apps can be managed by users with the organization-manager.oauthApplications.admin role or higher.

For your organization's users to be able to access MWS:

  1. Create an account in MWS.
  2. Create an app.
  3. Set up the integration.
  4. Make sure the application works correctly.

Create an account in MWS

If you do not have an MWS account, create one:

  1. On the MWS console login page, click Log in via MTS ID.
  2. Create a MTS ID account:
    • Enter your phone number. The number will be linked to the account and cannot be replaced later.
    • Enter the confirmation code from the text message.
  3. Create an MWS account:
    • Enter the email that will be linked to your MWS account.
    • Click Next.
    • Confirm your registration by clicking the Confirm email link in the message.
    • Accept the terms of the user agreement and click Log in to console.
  4. In the menu on the left, navigate to Organization, then About organization.
  5. Save your MWS organization ID, e.g., organization-test; you will need it to configure the integration.

Create an app

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps.
  3. In the top-right corner, click Create application and in the window that opens:
    1. Select the OIDC (OpenID Connect) single sign-on method.
    2. In the Name field, specify a name for your new app: mws-oidc-app.
    3. In the Folder field, select the folder where you want to create an OAuth client for your app.
    4. Optionally, in the Description field, enter a description for the new app.
    5. Optionally, add labels:
      1. Click Add label.
      2. Enter a label in key: value format.
      3. Press Enter.
    6. Click Create application.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. See the description of the CLI command for creating an OIDC app:

    yc organization-manager idp application oauth application create --help

  2. Create an OAuth client:

    yc iam oauth-client create \
  --name mws-oauth-client \
  --scopes openid,email,profile

    Where:

    • --name: OAuth client name.
    • --scopes: User attributes available to MWS. The specified attributes are:
      • openid: User ID. Required attribute.
      • email: User email address.
      • profile: Additional user details, such as first name, last name, and avatar.

    Result:

    id: ajeqqip130i1********
name: mws-oauth-client
folder_id: b1g500m2195v********
status: ACTIVE

    Save the id field value: you will need it to create and configure your app.

  3. Create a secret for your OAuth client:

    yc iam oauth-client-secret create \
  --oauth-client-id <OAuth_client_ID>

    Result:

    oauth_client_secret:
  id: ajeq9jfrmc5t********
  oauth_client_id: ajeqqip130i1********
  masked_secret: yccs__939233b8ac****
  created_at: "2025-10-21T10:14:17.861652377Z"
secret_value: yccs__939233b8ac********

    Save the value of the secret_value field: you will need it to configure MWS.

  4. Create an OIDC app:

    yc organization-manager idp application oauth application create \
  --organization-id <organization_ID> \
  --name mws-oidc-app \
  --description "OIDC application for integration with MWS" \
  --client-id <OAuth_client_ID> \
  --authorized-scopes openid,email,profile \
  --group-distribution-type none

    Where:

    • --organization-id: ID of the organization you want to create your OIDC app in. This is a required parameter.
    • --name: OIDC app name. This is a required parameter.
    • --description: OIDC app description. This is an optional parameter.
    • --client-id: OAuth client ID you got in Step 2. This is a required parameter.
    • --authorized-scopes: Specify the same attributes as when creating the OAuth client.
    • --group-distribution-type: Set to none as user groups are not provided to MWS.

    Result:

    id: ek0o663g4rs2********
name: mws-oidc-app
organization_id: bpf2c65rqcl8********
group_claims_settings:
  group_distribution_type: NONE
client_grant:
  client_id: ajeqqip130i1********
  authorized_scopes:
    - openid
    - email
    - profile
status: ACTIVE
created_at: "2025-10-21T10:51:28.790866Z"
updated_at: "2025-10-21T12:37:19.274522Z"

Set up the integration

To configure MWS integration with the OIDC app you created in Identity Hub, complete the configuration both on the MWS side and in Identity Hub.

Get the application’s credentials

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps and then, the OIDC app.
  3. On the Overview tab, under Identity provider (IdP) configuration, expand the Additional attributes section and copy the ClientID value you need to set on the MWS side.

  4. Under App secrets, click Add secret, and in the window that opens:

    1. Optionally, add a description for the new secret.
    2. Click Create.

    The window will display the generated application secret. Save this value.

    Warning

    If you refresh or close the application information page, you will not be able to view the secret again.

    If you closed or refreshed the page before saving the secret, click Add secret to create a new one.

    To delete a secret, in the list of secrets on the OIDC app page, click in the secret row and select Delete.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. Get information about your new OIDC application:

    yc organization-manager idp application oauth application get <app_ID>

    Where <app_ID> is your OIDC app ID you got when creating the app.

    This will return the application information, including the following:

    id: ek0o663g4rs2********
name: mws-oidc-app
organization_id: bpf2c65rqcl8********
client_grant:
  client_id: ajeqqip130i1********
  authorized_scopes:
    - openid
    - email
    - profile

    Save the client_id value: you will need to configure your MWS.

  2. Use the OAuth client secret that you saved when creating the app in the previous step. If you have not saved the secret, create a new one:

    yc iam oauth-client-secret create \
  --oauth-client-id <OAuth_client_ID>

    Save the secret_value from the command output: this is the client secret that you will need to configure your MWS.

Set up the application in MWS

To set up OIDC authentication in MWS, create and configure an identity federation, and then set up an OIDC client on the MWS side.

Set up your federation

  1. Log in to your organization's console.
  2. In the left-hand panel, select Federations.
  3. Click Create.
  4. Set up your federation:

    1. Give your federation a name. Save the organization ID, e.g., organization-test; you will need it to configure the integration.

    2. Optionally, select the roles that will be assigned to users authorized through the federation.

      Note

      For more details on configuring roles for federated users, see the MWS guide.

    3. Specify the session lifetime after which the user will need to re-authenticate.

    4. Optionally, provide a description for the federation.

  5. Click Create.

Configure the OIDC client

  1. After creating the federation, click Add IdP.
  2. Optionally, enter a description for the provider.
  3. Click Next.
  4. In the Issuer field, enter https://auth.yandex.cloud, then click Upload. The configuration will be populated automatically.
  5. In the Client ID field, enter the value previously copied from the ClientID field.
  6. In the Client Secret field, enter the previously generated application secret.
  7. Under Data retrieval method, select Token Endpoint and UserInfo Endpoint, then click Next.
  8. Next to the mws.subject attribute, in the IdP field, enter preferred_username and click Next.
  9. Check the configuration and click Create.
  10. After completing the setup, select the added IdP again in the Federations section, then save the provider ID, e.g., -testprov; you will need it to configure the integration.

Configure the redirect URI

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps and then, the OIDC app.
  3. At the top right, click Edit and in the window that opens:

    1. In the Redirect URI field, specify the authentication endpoint for your MWS federation in this format:

      https://auth.mws.ru/api/iam/v1/organizations/<organization_ID>/userFederations/<created_federation_id>/providers/<provider_id>/login-callback

      Here is an example:

      https://auth.mws.ru/api/iam/v1/organizations/organization-test/userFederations/federation-test/providers/-testprov/login-callback

    2. Click Save.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

Update your OAuth client by providing the redirect URI:

yc iam oauth-client update \
  --id <OAuth_client_ID> \
  --redirect-uris "https://auth.mws.ru/api/iam/v1/organizations/<organization_ID>/userFederations/<created_federation_id>/providers/<provider_id>/login-callback"

Where:

  • <OAuth_client_ID>: OAuth client ID you got when you created it.

  • --redirect-uris: The authentication endpoint for your MWS federation. Here is an example:

    https://auth.mws.ru/api/iam/v1/organizations/organization-test/userFederations/federation-test/providers/-testprov/login-callback

Result:

id: ajeiu3otac08********
name: mws-oidc-app
redirect_uris:
  - https://auth.mws.ru/api/iam/v1/organizations/organization-test/userFederations/federation-test/providers/-testprov/login-callback
scopes:
  - openid
  - email
  - profile
folder_id: b1gkd6dks6i1********
status: ACTIVE

Add a user

For your organization's users to be able to authenticate in MWS with Identity Hub's OIDC app, you need to explicitly add these users and/or user groups to the OIDC application.

Note

Users and groups added to an OIDC application can be managed by a user with the organization-manager.oidcApplications.userAdmin role or higher.

Add a user to the application:

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps and select the required app.
  3. Navigate to the Users and groups tab.
  4. Click Add users.
  5. In the window that opens, select the required user or user group.
  6. Click Add.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. Get the user ID or user group ID.

  2. To add a user or user group to the app:

    1. See the description of the CLI command for adding users to an app:

      yc organization-manager idp application oauth application add-assignments --help

    2. Run this command:

      yc organization-manager idp application oauth application add-assignments \
  --id <app_ID> \
  --subject-id <user_or_group_ID>

      Where:

      • --id: OIDC app ID.
      • --subject-id: User or user group ID.

      Result:

      assignment_deltas:
  - action: ADD
    assignment:
      subject_id: ajetvnq2mil8********

Make sure your application works correctly

To make sure both your OIDC app and MWS integration work correctly, authenticate to MWS as one of the users you added to the app.

Proceed as follows:

  1. In your browser, navigate to your organization's console.
  2. In the left-hand panel, select Federations.
  3. Select the IdP you added earlier.
  4. On the provider's page, copy the Sign In URL from the Main section. This is the link for logging into the MWS console as a federated user.
  5. Log out of your MWS profile.
  6. Paste the link you copied into your browser address bar and follow it.
  7. On the Yandex Cloud authentication page, enter the user email and password. The user or group they belong to must be added to the application.
  8. Read and accept the terms of use, then click Next.
  9. Make sure you have successfully authenticated to MWS.
Previous
OpenVPN Access Server
Next
SAML