SAML-compatible identity federations
Nebius AI supports SAML 2.0
This approach is called identity federation: all information about usernames and passwords is stored by a trusted identity provider (IdP), while a service provider (SP), such as Nebius AI, sends users to the IdP's server for authentication.
If your company has a user and access management system (for example, Active Directory or Google Workspace), you can use it to authorize employees in Cloud Organization. In this case, you don't need to create a new Google account for every company employee. They can get access to Nebius AI services using their corporate accounts.
Configuring federations in Cloud Organization
Using identity federations, you can configure Single Sign-On (SSO) and use corporate accounts to authorize in Cloud Organization. In this case, your corporate account management system acts as the identity provider (IdP).
In Cloud Organization, you can create an identity federation with any credential management service (identity provider) that supports SAML 2.0.
Information about user logins and passwords is stored by the identity provider. When a user logs in to Cloud Organization, they're directed to the identity provider (IdP) server for authentication. If authentication is successful, the user gets access to Nebius AI services.
Since authentication takes place on the IdP server's side, you can configure stronger user verification there, such as two-factor authentication or USB tokens.
You can set up identity federations for different identity providers:
- Active Directory.
- Google Workspace.
- Azure Active Directory.
- Keycloak.
- Other SAML-compatible identity providers.
Authenticating in a federation
To log in to the management console, federated users must follow the link with the federation ID:
https://console.nebius.ai/federations/<federation_ID>
1. The user opens the console login link in the browser.
2. If this is the first time the user authenticates, the console redirects them to the IdP server for authentication.
   If the user was already authenticated, this information is saved in a browser cookie. If the cookie is still valid, the management console authenticates the user immediately and redirects them to the home page. The cookie lifetime is specified when the federation is created.
   If the cookie has expired, the console forwards the user to the IdP server for re-authentication.
   You can also require re-authentication in the federation settings. When this option is enabled, the IdP re-authenticates the user when the session expires in Nebius AI.
3. The IdP server shows the authentication page to the user. For example, it prompts them to enter their username and password.
4. The user enters the data required for authentication on the IdP server.
5. If authentication is successful, the IdP server sends the user's browser back to the management console login page.
6. The management console asks IAM whether this user is added to the cloud. If the user is added, the management console authenticates the user and redirects them to the home page.
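As an added example (not Nebius AI code), the following Python models the service-provider side of the flow above: the cookie check of step 2, the SAML 2.0 AuthnRequest the console would send to the IdP with ForceAuthn set when re-authentication is required, and the IAM membership check of step 6. The IdP endpoint, issuer and AssertionConsumerService URL values are assumptions; validating the signature on the IdP's response is not shown.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
from xml.etree import ElementTree as ET
import uuid

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


@dataclass
class Federation:
    federation_id: str          # <federation_ID> from the console login link
    idp_sso_url: str            # IdP single sign-on endpoint (assumed value)
    cookie_lifetime: timedelta  # set when the federation is created
    require_reauth: bool        # the "require re-authentication" option


@dataclass
class ConsoleCookie:
    issued_at: datetime         # when the console last authenticated the user


def needs_idp_redirect(fed: Federation, cookie: Optional[ConsoleCookie], now: datetime) -> bool:
    """Step 2: no cookie or an expired cookie sends the user to the IdP; a valid one does not."""
    if cookie is None:
        return True
    return now >= cookie.issued_at + fed.cookie_lifetime


def build_authn_request(fed: Federation, now: datetime) -> str:
    """SP-initiated AuthnRequest. ForceAuthn="true" asks the IdP to re-authenticate
    the user even if it still holds its own live session for them."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    sp_url = f"https://console.nebius.ai/federations/{fed.federation_id}"  # assumed ACS/issuer
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": fed.idp_sso_url,
        "AssertionConsumerServiceURL": sp_url,
        "ForceAuthn": "true" if fed.require_reauth else "false",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_url
    return ET.tostring(req, encoding="unicode")


def user_in_cloud(name_id: str, iam_members: set) -> bool:
    """Step 6: the console asks IAM whether the federated user has been added to the cloud."""
    return name_id in iam_members
```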
Note
In the identity federation, the user interacts both with the IdP and the Nebius AI management console. This does not require network access between the IdP and Nebius AI.