Authentication using Google Workspace
With an identity federation, you can use Google Workspace
Authentication setup includes the following steps:
- Creating and setting up a SAML application in Google Workspace.
- Creating and setting up a federation in Cloud Organization, including adding the IdP certificate.
- Setting up Single Sign-On (SSO) and mapping user attributes.
- Adding users to your organization.
- Testing authentication.
Getting started
To follow the steps in this section, you need a Google Workspace subscription and a verified domain in which to set up your SAML application.
Creating and setting up a SAML application in Google Workspace
Create a SAML application and download a certificate
A SAML application in Google Workspace acts as the identity provider (IdP). Create a SAML application and download its signing certificate:

1. Open the Google Workspace Admin Console.
2. In the left-hand panel, select Mobile and web applications.
3. Click Add → Add a custom SAML app.
4. Enter the name of the app, select a logo, and click Continue.
5. In the Google IdP information step, the IdP data (SSO URL, Entity ID and certificate) is shown. You will need this data when setting up the federation in Cloud Organization, so download the certificate now.

Alert
Do not close the Google Workspace page on which you are creating the app: you will return to it to fill in the Service provider information step with the federation ID you obtain in the following steps.
Creating and setting up a federation in Cloud Organization
Create a federation

Management console

1. Go to Cloud Organization.
2. In the left-hand panel, select Federations.
3. Click Create federation.
4. Give your federation a name. It must be unique within the folder.
5. Add a description, if required.
6. In the Cookie lifetime field, specify how long a session lasts before the browser asks the user to re-authenticate.
7. In the IdP Issuer field, enter the link from the Entity ID field on the Google Workspace Google IdP information page. It has the following format:
   https://accounts.google.com/o/saml2?idpid=<SAML app ID>
8. In the Link to the IdP login page field, enter the link from the SSO URL field on the same page. It has the following format:
   https://accounts.google.com/o/saml2/idp?idpid=<SAML app ID>
   Only http and https links are accepted; Google's endpoints are always https.
9. Enable Automatically create users to add authenticated users to your organization automatically. If you do not enable this option, you will need to add federated users manually.
   A federated user is created automatically only when they log in to the cloud for the first time. If you delete a user from a federation, you can only add them back manually.
CLI

If you don't have the Nebius AI command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

1. See the description of the create federation command:

   ```bash
   ncp organization-manager federation saml create --help
   ```

2. Create a federation:

   ```bash
   ncp organization-manager federation saml create --name my-federation \
     --organization-id <organization ID> \
     --auto-create-account-on-login \
     --cookie-max-age 12h \
     --issuer "https://accounts.google.com/o/saml2?idpid=<SAML application ID>" \
     --sso-binding POST \
     --sso-url "https://accounts.google.com/o/saml2/idp?idpid=<SAML application ID>" \
     --force-authn
   ```

   Where:
   - name: Federation name. It must be unique within the folder.
   - organization-id: Your organization ID.
   - auto-create-account-on-login: Enables automatic creation of a cloud user the first time someone authenticates on the IdP server. This makes onboarding easier; however, users created this way have no roles and cannot do anything with cloud resources until you grant them permissions.
     If this option is disabled, users who have not been added to the organization cannot log in to the management console even if they authenticate successfully with your IdP. In this case, you control the list of users allowed to use Nebius AI resources.
   - cookie-max-age: Time that must elapse before the browser asks the user to re-authenticate.
   - issuer: IdP identifier expected in SAML responses. Use the link from the Entity ID field on the Google Workspace Google IdP information page. It has the following format:
     https://accounts.google.com/o/saml2?idpid=<SAML app ID>
   - sso-url: URL of the page the browser redirects the user to for authentication. Use the link from the SSO URL field on the same page. It has the following format:
     https://accounts.google.com/o/saml2/idp?idpid=<SAML app ID>
     Only http and https links are accepted; Google's endpoints are always https.
   - sso-binding: Single Sign-On binding type. Most identity providers, including Google Workspace, support the POST binding.
   - force-authn: Once a session expires in Nebius AI, the IdP is asked to re-authenticate the user (ForceAuthn in the SAML request) instead of silently reusing its own existing session.
API

1. Create a file with the request body, e.g., body.json:

   ```json
   {
     "name": "my-federation",
     "organizationId": "<organization ID>",
     "autoCreateAccountOnLogin": true,
     "cookieMaxAge": "43200s",
     "issuer": "https://accounts.google.com/o/saml2?idpid=<SAML application ID>",
     "ssoUrl": "https://accounts.google.com/o/saml2/idp?idpid=<SAML application ID>",
     "ssoBinding": "POST",
     "securitySettings": {
       "forceAuthn": true
     }
   }
   ```

   Where:
   - name: Federation name. It must be unique within the folder.
   - organizationId: Organization ID.
   - autoCreateAccountOnLogin: Enables automatic creation of a cloud user the first time someone authenticates on the IdP server. This makes onboarding easier; however, users created this way have no roles and cannot do anything with cloud resources until you grant them permissions. If this option is disabled, users who have not been added to the organization cannot log in to the management console even if they authenticate successfully with your IdP. In this case, you control the list of users allowed to use Nebius AI resources.
   - cookieMaxAge: Time that must elapse before the browser asks the user to re-authenticate, in seconds (43200s is 12 hours).
   - issuer: IdP identifier expected in SAML responses. Use the link from the Entity ID field on the Google Workspace Google IdP information page. It has the following format:
     https://accounts.google.com/o/saml2?idpid=<SAML app ID>
   - ssoUrl: URL of the page the browser redirects the user to for authentication. Use the link from the SSO URL field on the same page. It has the following format:
     https://accounts.google.com/o/saml2/idp?idpid=<SAML app ID>
     Only http and https links are accepted; Google's endpoints are always https.
   - ssoBinding: Single Sign-On binding type. Most identity providers, including Google Workspace, support the POST binding.
   - forceAuthn: Once a session expires in Nebius AI, the IdP is asked to re-authenticate the user (ForceAuthn in the SAML request) instead of silently reusing its own existing session.
-
Add certificates

While authenticating, the Cloud Organization service must be able to verify the signature on the SAML responses the IdP server sends, and it uses the IdP's signing certificate to do so. Download the certificate from the open Google Workspace Google IdP information page and add it to the created federation:

Management console

1. In the left-hand panel, select Federations.
2. Click the name of the federation to add a certificate to.
3. At the bottom of the page, click Add certificate.
4. Enter the certificate name and description.
5. Choose how to add the certificate:
   - To add a certificate as a file, click Choose a file and specify the path to it.
   - To paste the contents of a copied certificate, select the Text method and paste the contents.
6. Click Add.

CLI

If you don't have the Nebius AI command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

1. View the description of the add certificate command:

   ```bash
   ncp organization-manager federation saml certificate create --help
   ```

2. Add a federation certificate by specifying the certificate file path:

   ```bash
   ncp organization-manager federation saml certificate create --federation-id <federation_ID> \
     --name "my-certificate" \
     --certificate-file certificate.pem
   ```

Tip
To ensure that authentication is not interrupted when the certificate expires, add multiple certificates to the federation, i.e., both the current one and the ones to be used after it. If a signature does not verify with one certificate, Nebius AI tries the other certificates. Because every attached certificate is trusted for signature verification, remove certificates that are no longer in use.
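The federation parameters above (issuer, SSO URL, binding, cookie lifetime, ForceAuthn) and the certificate step are easy to get subtly wrong, and a mismatch only shows up as a failed login later. The Python below is an added preflight check, not code from the original page or from Nebius AI: it validates a spec shaped like the API body before you create the federation, and builds that body from the Google SAML app's idpid so the issuer and SSO URL cannot disagree. The `certificates` key (how many IdP certificates you intend to attach), the `C01abcd` idpid and the organization ID in the usage are constructed assumptions for this example.

```python
"""Preflight checks for a Nebius AI federation that points at Google Workspace.

Added example; not code from the original page or from Nebius AI. Field names
mirror the API body above (issuer, ssoUrl, ssoBinding, cookieMaxAge,
securitySettings.forceAuthn). The 'certificates' key is an assumption made for
this check (number of IdP certificates you intend to add); it is not an API field.
"""
import re
from urllib.parse import parse_qs, urlparse

GOOGLE_HOST = "accounts.google.com"
ISSUER_PATH = "/o/saml2"        # Entity ID shown on the Google IdP information page
SSO_PATH = "/o/saml2/idp"       # SSO URL shown on the same page
DURATION_RE = re.compile(r"^(\d+)([smhd])$")
SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """Convert a CLI-style duration ('12h', '43200s') to seconds; None if malformed."""
    m = DURATION_RE.match(str(value).strip())
    return int(m.group(1)) * SECONDS[m.group(2)] if m else None


def google_idp_id(url, expected_path):
    """Return the idpid from a Google SAML URL, or None unless the URL is the
    https endpoint on accounts.google.com with the expected path and exactly
    one non-empty idpid query value."""
    p = urlparse(url)
    if p.scheme != "https" or p.netloc != GOOGLE_HOST or p.path != expected_path:
        return None
    ids = parse_qs(p.query).get("idpid", [])
    return ids[0] if len(ids) == 1 and ids[0] else None


def check_federation_spec(spec):
    """Return a list of findings; an empty list means the spec is consistent."""
    findings = []
    issuer_id = google_idp_id(spec.get("issuer", ""), ISSUER_PATH)
    sso_id = google_idp_id(spec.get("ssoUrl", ""), SSO_PATH)
    if issuer_id is None:
        findings.append("issuer must be https://accounts.google.com/o/saml2?idpid=<id>")
    if sso_id is None:
        findings.append("ssoUrl must be https://accounts.google.com/o/saml2/idp?idpid=<id>")
    if issuer_id and sso_id and issuer_id != sso_id:
        # The Issuer in responses from this SSO URL would not match the federation's issuer.
        findings.append("issuer and ssoUrl carry different idpid values")
    if spec.get("ssoBinding") != "POST":
        findings.append("ssoBinding should be POST for Google Workspace")
    if not parse_duration(spec.get("cookieMaxAge", "")):
        findings.append("cookieMaxAge is not a positive duration")
    if not spec.get("securitySettings", {}).get("forceAuthn"):
        findings.append("forceAuthn is off: an expired Nebius session is renewed "
                        "from the IdP session without re-authentication")
    if spec.get("certificates", 0) < 1:
        findings.append("no IdP signing certificate: SAML response signatures cannot be verified")
    return findings


def federation_body(name, org_id, idp_id, cookie_max_age="12h", auto_create=True):
    """Build the API request body from the Google SAML app's idpid, so the
    issuer and SSO URL are derived from one value and cannot drift apart."""
    return {
        "name": name,
        "organizationId": org_id,
        "autoCreateAccountOnLogin": auto_create,
        "cookieMaxAge": f"{parse_duration(cookie_max_age)}s",  # the API takes seconds
        "issuer": f"https://{GOOGLE_HOST}{ISSUER_PATH}?idpid={idp_id}",
        "ssoUrl": f"https://{GOOGLE_HOST}{SSO_PATH}?idpid={idp_id}",
        "ssoBinding": "POST",
        "securitySettings": {"forceAuthn": True},
    }


if __name__ == "__main__":
    import json
    # Constructed values: the idpid and organization ID are placeholders.
    body = federation_body("my-federation", "<organization ID>", "C01abcd")
    print(json.dumps(body, indent=2))
    print("findings:", check_federation_spec(dict(body, certificates=1)))
```

Run it before `ncp organization-manager federation saml create` or the API call: an empty findings list means the two Google URLs belong to the same SAML app, use https, the binding is POST, the cookie lifetime parses, ForceAuthn is on and at least one signing certificate is lined up. The `idpid` consistency check is the one that catches the most common copy-paste mistake, pairing the Entity ID of one SAML app with the SSO URL of another.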
Setting up Single Sign-On (SSO)
Specify the redirect URL

Once you have created the federation, complete the creation of the SAML application in Google Workspace:

1. Go back to the SAML app creation page's Google IdP information step and click Continue.
2. In the Service provider information step, specify information about Nebius AI, which acts as the service provider:
   - In the ACS URL and Entity ID fields, enter the URL to redirect users to after successful authentication:
     https://console.nebius.ai/federations/<federation_ID>
     How to get a federation ID:
     1. Go to Cloud Organization.
     2. In the left-hand panel, select Federations.
     3. Copy the ID of the federation you are configuring access for.
   - Enable Signed Response. With this option, Google signs the whole SAML response rather than only the assertion inside it.
3. Click Continue.

Tip
For a user to be able to contact Nebius AI technical support from the management console, in the Mapping attributes step, click Add new mappings and set up transmission of these attributes:
- Primary email.
- First name.
- Last name.
User attributes supported by Cloud Organization services are listed below.

4. To complete the creation of the app, click Ready.
Add users

1. On the app page, under User access, click Disabled for everyone.
2. On the page that opens, select who can authenticate with this identity federation:
   - To enable access for all users, select ON for everyone.
   - To enable access for an individual organizational unit, select the unit in the list on the left and configure the service status for it. Child units inherit access settings from their parent units by default.
3. Click Save.

Turning the app on for everyone lets every user in your Google Workspace domain authenticate to the federation; combined with Automatically create users, each of them becomes a member of your organization on first login. Scope access to an organizational unit where you can.
Mapping user attributes
User data | Comment | Application attribute
---|---|---
Unique user ID | Required attribute. Using an email address is recommended. | Name ID field in service provider settings
Last name | Displayed in Nebius AI services. Value length limit: 64 characters. | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
First name | Displayed in Nebius AI services. Value length limit: 64 characters. | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Full name | Displayed in Nebius AI services. Example: John Smith. Value length limit: 64 characters. | Attribute unavailable
Email | Used to send notifications from Nebius AI services. Example: smith@example.com. Value length limit: 256 characters. | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Phone | Used to send notifications from Nebius AI services. Value length limit: 64 characters. | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Profile image | Displayed in Nebius AI services. Value length limit: 204800 characters. | Attribute unavailable

Warning
A profile image (thumbnailPhoto) value that exceeds the length limit is ignored entirely. If the value of any other attribute exceeds its limit, the part beyond the limit is truncated.
Attribute mapping example:
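To make the mapping table and the warning concrete, the Python below is an added example, not code from the original page or from Nebius AI's service. It parses a SAML response, checks the envelope fields the settings on this page pin down (Destination and Audience equal the https://console.nebius.ai/federations/<ID> URL used as both ACS URL and Entity ID, the Issuer equals the federation's IdP Issuer, a Signature element is present because Signed Response is enabled), then extracts the NameID and the claim-URI attributes with the documented length rules. XML-signature verification is out of scope here, so the sample response is constructed and its ds:Signature is a placeholder; the federation ID `fed-123`, the idpid `C01abcd` and the user data are assumptions.

```python
"""Extract the federated user from a Google Workspace SAML response.

Added example; not code from the original page or from Nebius AI. Checks the
response envelope against the federation settings (Destination/Audience = ACS
URL and Entity ID, Issuer = IdP Issuer, Signature present), then maps the claim
URIs from the attribute table onto user fields with the documented limits.
XML-signature verification is out of scope; the sample below is constructed and
its ds:Signature is a placeholder. For untrusted input, parse with defusedxml
instead of the stdlib parser used here.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# claim URI -> (user field, length limit), from the mapping table
ATTRIBUTES = {
    CLAIMS + "surname": ("last_name", 64),
    CLAIMS + "givenname": ("first_name", 64),
    CLAIMS + "emailaddress": ("email", 256),
    CLAIMS + "mobilephone": ("phone", 64),
    "thumbnailPhoto": ("profile_image", 204800),
}
DROP_IF_TOO_LONG = {"thumbnailPhoto"}  # ignored outright, never truncated
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class SamlResponseError(ValueError):
    pass


def extract_user(response_xml, expected_issuer, acs_url):
    """Validate the response envelope and return {'name_id': ..., <mapped fields>}."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlResponseError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlResponseError("IdP did not report success")
    if root.get("Destination") != acs_url:
        raise SamlResponseError("Destination does not match the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlResponseError("no Assertion in response")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        raise SamlResponseError(f"unexpected Issuer {issuer!r}")
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        raise SamlResponseError("response carries no signature")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS).strip()
    if audience != acs_url:
        raise SamlResponseError("Audience does not match the Entity ID")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise SamlResponseError("empty NameID")  # the value add-user-accounts needs
    user = {"name_id": name_id}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if name not in ATTRIBUTES:
            continue  # unmapped attribute, ignore
        field, limit = ATTRIBUTES[name]
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        if len(value) > limit:
            if name in DROP_IF_TOO_LONG:
                continue
            value = value[:limit]
        user[field] = value
    return user


# Constructed sample response for federation fed-123 and SAML app C01abcd (placeholders).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="https://console.nebius.ai/federations/fed-123">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=C01abcd</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=C01abcd</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://console.nebius.ai/federations/fed-123</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Calling `extract_user(SAMPLE_RESPONSE, "https://accounts.google.com/o/saml2?idpid=C01abcd", "https://console.nebius.ai/federations/fed-123")` returns the NameID plus first name, last name and email; the same response with a different expected issuer or ACS URL raises `SamlResponseError`, which is the behaviour you want when a response for another SAML app or another federation is replayed at this one. The `name_id` value is exactly what you pass to `add-user-accounts` when Automatically create users is off.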
Add users to your organization

If you did not enable the Automatically create users option when creating the federation, you have to add federated users to your organization manually.

To do this, you need the users' name IDs: the value the IdP server sends in the NameID element of the SAML response that confirms successful authentication. With the Name ID field set up as recommended above, this is the user's email address.

If the Automatically create users option is enabled, the federation adds a user only when they log in to the cloud for the first time. After you delete a federated user from a federation, you can only add them again manually.

To add users to an organization, you must be in its admins group.

Management console

1. Log in to an account that belongs to an organization administrator or owner.
2. Go to Cloud Organization.
3. In the left-hand panel, select Users.
4. In the top-right corner, click
5. Select the identity federation to add users from.
6. List the name IDs of the users, separating them with line breaks.
7. Click Add. This gives the users access to the organization.

CLI

If you don't have the Nebius AI command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

1. View the description of the add user command:

   ```bash
   ncp organization-manager federation saml add-user-accounts --help
   ```

2. Add users by listing their name IDs separated by commas:

   ```bash
   ncp organization-manager federation saml add-user-accounts --id <federation_ID> \
     --name-ids=alice@example.com,bob@example.com,charlie@example.com
   ```

   Where:
   - id: Federation ID.
   - name-ids: User name IDs.

API

To add identity federation users to the cloud:

1. Create a file with the request body, e.g., body.json, containing the array of name IDs of the users you want to add:

   ```json
   {
     "nameIds": [
       "alice@example.com",
       "bob@example.com",
       "charlie@example.com"
     ]
   }
   ```

2. Send the request, specifying the federation ID in the path:

   ```bash
   curl -X POST \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer <IAM token>" \
     -d '@body.json' \
     https://organization-manager.api.ai.nebius.cloud/organization-manager/v1/saml/federations/<federation ID>:addUserAccounts
   ```
Authentication

When you finish configuring the federation, test that everything works:

1. Open your browser in guest or private browsing mode.
2. Follow the URL to log in to the management console:
   https://console.nebius.ai/federations/<federation_ID>
   How to get a federation ID:
   1. Go to Cloud Organization.
   2. In the left-hand panel, select Federations.
   3. Copy the ID of the federation you are configuring access for.
   The browser forwards you to the Google authentication page.
3. Enter your credentials and click Sign in.

On successful authentication, the IdP server redirects you back to the https://console.nebius.ai/federations/<federation_ID> URL that you specified in the Google Workspace settings, and then to the management console.
What's next
- Add new users to groups to grant them permissions.