© 2026 Direct Cursus Technology L.L.C.

Creating a SAML app in Yandex Identity Hub for integration with Passwork

Written by
Yandex Cloud
Updated at June 4, 2026
  • Create an app
    • Save the identity provider settings
  • Set up the integration
    • Set up the SAML app in Passwork
    • Set up the SAML application in Yandex Identity Hub
    • Add users to the Yandex Identity Hub SAML application
  • Make sure your application works correctly

Passwork is a corporate platform designed for secure and reliable storage of secrets (passwords, keys, tokens, etc.), secret management, and automation of employee access to secrets within an organization. Passwork supports SAML authentication for secure SSO for the users of your organization.

For the users of your organization to authenticate to Passwork via SAML SSO, create a SAML app in Yandex Identity Hub and configure it both on the Yandex Identity Hub and Passwork side.

SAML apps can be managed by users with the organization-manager.samlApplications.admin role or higher.

To grant access to Passwork to the users of your organization:

  1. Create a SAML application in Yandex Identity Hub.
  2. Set up Yandex Identity Hub integration with Passwork.
  3. Make sure the application works correctly.

Create an app

Cloud Center UI
  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps.
  3. In the top-right corner, click Create application and in the window that opens:
    1. Select the SAML (Security Assertion Markup Language) single sign-on method.

    2. In the Name field, specify a name for your new app: passwork-app.

    3. Optionally, in the Description field, enter a description for the new app.

    4. Optionally, add labels:

      1. Click Add label.
      2. Add a label in key: value format.
      3. Press Enter.
    5. Click Create application.

Save the identity provider settings

On the info page of your newly created SAML application passwork-app, copy and save the settings required to establish a relying party trust between the IdP and the service provider on the Passwork side.

  1. Under Identity provider (IdP) configuration, copy and save the values of the following fields:

    • Issuer / IdP EntityID
    • Login URL
    • Logout URL
  2. Under Application certificate, click Download certificate to download your SAML app certificate.

You will need the saved values later when configuring the integration on the Passwork side.

Set up the integration

To configure Passwork integration with the SAML app you created in Yandex Identity Hub, complete the setup both on the Passwork and Yandex Identity Hub side.

Set up the SAML app in Passwork

Note

The SAML application can be set up in Passwork either by a user with the administrator role or the account owner.

  1. Sign in to the Passwork account as owner or administrator.

  2. At the top of the screen, click Settings and users, and select SSO settings from the list that opens. In the window that opens:

    • Under General settings, enable these options:

      • Enable SSO.
      • Automatically confirm new users from SSO.
    • Under User Attributes, specify the user attribute names:

      • In the Email attribute field: emailaddress.
      • In the Full name attribute field: fullname.
    • Under Identity Provider → Passwork, specify the values you copied (in passwork-app) and saved earlier:

      • In the Entity ID field, put the value from the Issuer / IdP EntityID field of the passwork-app app.
      • In the Response URL (assertion consumer service URL) field, put the value from the Login URL field.
      • In the Logout URL field, put the value from the Logout URL field.
      • In the Certificate field, paste the contents of the certificate downloaded from the passwork-app app.
  3. Under Passwork → Identity Provider, copy and save the settings required to establish a relying party trust between the IdP and the service provider on the Yandex Identity Hub side:

    • Entity ID
    • Response URL (assertion consumer service URL)
    • Logout URL
  4. Click Save settings to save the SSO parameters.

Set up the SAML application in Yandex Identity Hub

Cloud Center UI
  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps and select the new SAML app passwork-app.
  3. At the top right, click Edit and in the window that opens:
    1. In the SP EntityID field, specify the value copied earlier from the Entity ID field on the Passwork side.
    2. In the ACS URL field, specify the value copied from the Response URL (assertion consumer service URL) field.
    3. In the SP Logout URL field, specify the value copied from the Logout URL field.
    4. Click Save.

Add users to the Yandex Identity Hub SAML application

For the users of your organization to be able to authenticate in Passwork with Yandex Identity Hub's SAML app, you need to explicitly add these users and/or user groups to the app:

Note

Users and groups added to a SAML application can be managed by a user with the organization-manager.samlApplications.userAdmin role or higher.

Cloud Center UI
  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps and select the required app.
  3. Navigate to the Users and groups tab.
  4. Click Add users.
  5. In the window that opens, select users or user groups.
  6. Click Add.

Make sure your application works correctly

To make sure both your SAML app and Passwork integration work correctly, sign in to Passwork as one of the users you added to the app. Follow these steps:

  1. In your browser, navigate to your Passwork instance URL, e.g., https://my-domain.passwork-cloud.ru.

  2. If already logged in to Passwork, sign out of your account.

  3. On the Passwork authentication page, click Log in via SSO.

  4. On the Yandex Cloud authentication page, enter the user's email address and password. The user, or a group they belong to, must be added to the application.

    If authenticating as a Yandex account user, sign in to Yandex ID using your preferred method.

  5. Set a master password for the new user you add to Passwork.

  6. Make sure you have authenticated in Passwork. As a result, the new user will appear in your Passwork instance settings, and you will be able to configure their permissions to view and manage secrets.
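If the sign-in above fails, the usual cause is a value mismatch between the two sides of the trust. The following is an added example, not part of the Yandex Cloud or Passwork documentation: it decodes a base64 SAMLResponse (assuming the HTTP-POST binding, captured from the browser's form post to the ACS URL) and compares it with the values configured in this tutorial. The URLs in `EXPECTED` and the sample response are constructed placeholders, and the helper names are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_saml_response(b64_response, expected):
    """List mismatches between a captured SAMLResponse and the configured values.
    Diagnostic only: the XML signature is NOT verified (Passwork does that)."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None
    if text("saml:Issuer") != expected["idp_entity_id"]:
        problems.append("Issuer differs from Issuer / IdP EntityID")
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination differs from ACS URL")
    if text(".//saml:Audience") != expected["sp_entity_id"]:
        problems.append("Audience differs from SP EntityID")
    # Attribute names must match what was entered under User Attributes.
    names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    for attr in expected["attributes"]:
        if attr not in names:
            problems.append(f"missing attribute: {attr}")
    return problems

def build_sample(cfg, attrs):
    """Constructed, unsigned sample response so the check runs offline."""
    attr_xml = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
                       f'</saml:AttributeValue></saml:Attribute>'
                       for n, v in attrs.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" '
           f'xmlns:saml="{NS["saml"]}" Destination="{cfg["acs_url"]}">'
           f'<saml:Issuer>{cfg["idp_entity_id"]}</saml:Issuer><saml:Assertion>'
           f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>'
           f'{cfg["sp_entity_id"]}</saml:Audience></saml:AudienceRestriction>'
           f'</saml:Conditions><saml:AttributeStatement>{attr_xml}'
           f'</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

# Placeholder values (assumptions); substitute the ones saved during setup.
EXPECTED = {"idp_entity_id": "https://idp.example.test/saml/app",
            "acs_url": "https://passwork.example.test/acs",
            "sp_entity_id": "https://passwork.example.test/sp",
            "attributes": ["emailaddress", "fullname"]}

if __name__ == "__main__":
    sample = build_sample(EXPECTED, {"emailaddress": "a@example.test"})
    print(check_saml_response(sample, EXPECTED))
```

An empty list means the response agrees with the configured Entity IDs, ACS URL, and attribute names; any remaining sign-in failure then points at the certificate or at user assignment.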
