Creating a SAML app in Yandex Identity Hub for integration with Selectel

Selectel is a cloud infrastructure and data center provider offering dedicated servers, cloud platforms, and data storage services. Selectel supports SAML authentication to provide secure SSO for your organization's users.

To authenticate your organization's users in Selectel via SAML SSO, create a SAML app in Identity Hub and configure it appropriately both in Identity Hub and Selectel.

SAML apps can be managed by users with the organization-manager.samlApplications.admin role or higher.

For the users of your organization to be able to access Selectel:

1. Create an app.
2. Set up the integration.
3. Make sure the application works correctly.

Create an appCreate an app

Set up the integrationSet up the integration

To configure Selectel integration with the SAML app you created in Identity Hub, complete the configuration both on the Selectel side and in Identity Hub.

Set up the SAML app in SelectelSet up the SAML app in Selectel

To set up SAML authentication in Selectel, create and configure an identity federation. To do this:

1. Log in to your Selectel account and select Account in the top panel.
2. In the left-hand panel, under Access management, select Federations.
3. Click Add federation.

After that, configure a link between Selectel and Identity Hub:

1. Log in to Yandex Identity Hub.
2. In the left-hand panel, select Apps and then, the SAML app.
3. In the Overview tab, under Identity provider (IdP) configuration, copy the Issuer / IdP EntityID and Login URL field values.
4. On the Overview tab, under Application certificate, click Download certificate and save the file to your device.
5. Go back to Selectel, then in the Create federation menu:
   1. In the Name field, enter a name for the federation.
   2. Optionally, in the Description field, specify the federation description.
   3. Paste the copied values to the IdP Issuer and IdP login page link fields.
   4. Under Session lifetime, specify how long an authentication session will last until the user needs to reauthenticate, or leave the default value (24 hours).
   5. Optionally, to sign authentication requests, check the Sign authentication requests box.
   6. Optionally, to force users to authenticate after their Selectel session expires, check the Forced IdP authentication box.
   7. Click Create federation.
   8. In the Certificate name field, enter a name for the certificate.
   9. Use any text editor to open the certificate file you saved earlier, copy its contents, and paste it into the Certificate field.
   10. Click Add and then click Complete adding federation.
   11. On the new federation page, copy the ID field value.

Set up the SAML application in Yandex Identity HubSet up the SAML application in Yandex Identity Hub

Set up service provider endpointsSet up service provider endpoints

Configure digital signature verification (optional)Configure digital signature verification (optional)

If you checked the Sign authentication requests box when setting up your federation, configure digital signature verification:

1. Download a Selectel certificate.
2. In the top-right corner of your SAML app, click Edit and in the window that opens, enable Only accept signed requests:
3. Click Adding a certificate.
4. Choose how to add a certificate:
   • To add a certificate as a file, click Attach file and specify the path to it.
   • To paste the contents of a copied certificate, select the Text method and paste the contents.
5. Click Add and then click Save.

Add usersAdd users

For your organization's users to be able to authenticate in Selectel with Identity Hub's SAML app, you need to explicitly add these users and/or user groups to your SAML application. Also, explicitly add users to Selectel.

Add users to the SAML applicationAdd users to the SAML application

Add users to SelectelAdd users to Selectel

Before adding a user to Selectel, copy their ID from Identity Hub:

1. Log in to Yandex Identity Hub.
2. In the left-hand panel, select Users. Find the user your want to add to Selectel in the list.
3. Copy the Username column value.

Then add the user to your Selectel account:

1. Go back to Selectel, then select Account in the top panel:
2. Go to Users.
3. In the top-right corner, click Add user.
4. Under User data:
   1. In the Login method field, select Federation (<federation_name>).
   2. Under External ID, enter the ID you copied.
   3. In the Email field, enter the user email address to receive instructions for completing the authentication.
   4. Optionally, provide a user description.
5. Under Access settings, configure the user permission. To do this:
   1. Select the access scope: Account or Projects. For the Projects access scope, select the projects in the Project field.
   2. Assign a role to the user. To assign the member role or higher to the user, your account balance must be at least ₽100.
   3. Optionally, click Add permission to add another permission.
6. Optionally, in the Group field, assign a group to the user.
7. Optionally, in the Notifications field, select notification categories to send to the user email address.
8. Click Add user.

Make sure your application works correctlyMake sure your application works correctly

To make sure both your SAML app and Selectel integration work correctly, authenticate to Selectel as one of the users you added to the application. To do this:

1. Open the email notifying of granted access to a Selectel account. The email contains the federation ID and an SSO authentication link.
2. Click the link in the email to open the authentication page.
3. Enter the Federation ID.
4. Click Log in.
5. On the Yandex Cloud authentication page, enter your email address and user password. The user or group they belong to must be added to the application.
6. After successful authentication in Identity Hub, you will be redirected to the Selectel login page. Enter your full name in the Full name field.
7. Click Log in.
8. Make sure you have successfully authenticated in Selectel.