Skip to main content
In this tutorial, you’ll learn to configure SSO in Nebius AI Cloud with Microsoft Entra ID. To configure SSO, you need access to two systems:
  • Nebius AI Cloud, where you create and configure a federation.
  • , where you create an application, make it available to the users for whom you configure SSO, and connect the to the federation.
After the federation and are set up, users can sign in to Nebius AI Cloud by using their credentials.

Costs

This tutorial doesn’t include any chargeable resources. The infrastructure you create is free of charge.

Prerequisites

  1. Create a Microsoft Entra account. You can create it for free.
  2. Make sure that this account has at least the Cloud Application Administrator and User Administrator roles. Otherwise, assign them.
  3. Make sure that your Nebius AI Cloud account is added to the tenant’s group of administrators. To check this, in the web console, go to https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/sidebar/administration.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=e6411dc023fd6972922c0a12a59ccf21 Administration → IAM → Users.
  4. If you prefer not to use the web console, prepare one of the other available Nebius AI Cloud interfaces:
    Install and configure the Nebius AI Cloud CLI.

Steps

Create an application in Microsoft Entra ID

  1. Sign in to the Microsoft Entra admin center.
  2. Create an enterprise application:
    1. In the Browse Microsoft Entra Gallery window, click the Create your own application button.
    2. In the window that opens, specify the application name and select the option Integrate any other application you don’t find in the gallery (Non-gallery).
  3. Create and assign user accounts to the application.
  4. Enable SSO for the application. On the SAML-based Sign-on page, in the Basic SAML Configuration section specify the following parameters:
    • Identifier (Entity ID): .
    • Reply URL (Assertion Consumer Service URL): .
    The two values use different domain names: auth.eu.nebius.com and auth.nebius.com.
    federation-id is used temporarily until you create a federation and get its ID. After that, replace federation-id with the actual value.

Download the application certificate from Microsoft Entra

In the Microsoft Entra admin center, download an autogenerated base64 certificate. Find the certificate in the ManageSingle sign-on section, in the Certificate (Base64) field. For more information, see the Microsoft Entra ID documentation.

Create a federation in Nebius AI Cloud

  1. To create a federation:
    1. In the sidebar, go to https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/sidebar/administration.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=e6411dc023fd6972922c0a12a59ccf21 Administration → IAM.
    2. Click Create entity and select Federation.
    3. Click the Manual mode toggle and enter your federation name.
    4. Specify the following parameters under Identity provider (IdP):
      • SSO URL: Login URL from Microsoft Entra ID.
      • Issuer: Microsoft Entra Identifier.
      To get these values:
      1. Open the application page in the Microsoft Entra admin center.
      2. Go to the ManageSingle sign-on section.
      3. Copy the values of the Login URL and Microsoft Entra Identifier fields.
    5. Enter a name for your certificate.
    6. Upload the certificate file that you obtained in the previous step and click Create federation. Copy the ID of the newly created federation.
  2. Change the SAML settings of the application in the Microsoft Entra admin center:
    1. Open the application page.
    2. Go to the ManageSingle sign-on section.
    3. In the fields Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL), replace the federation-id part of the values with the copied federation ID.

Add a certificate to the federation

If you used the web console to create a federation, you can skip this part and proceed to the next step.
Add the certificate you obtained in the previous step to the federation:
  1. Prepare the federation-cert.json file: 
    {
  "metadata": {
    "parent_id": "<federation_ID>"
  },
  "spec": {
    "description": "certificate for a federation",
    "data": "-----BEGIN CERTIFICATE-----\n<certificate_body>\n-----END CERTIFICATE-----\n"
  }
}
    Specify the certificate body from the downloaded file and the federation ID. In this file, the certificate body is split into several lines. Paste it as a single line in federation-cert.json.
  2. Apply the certificate file: 
    nebius iam federation-certificate create --file federation-cert.json

Log in to Nebius AI Cloud

  1. Open the Nebius AI Cloud web console.
  2. Click Get started with SSO.
  3. Enter the federation ID and click Sign in.
  4. In the Contact details window that opens:
    1. Specify your name and email.
    2. Confirm that you agree with the Nebius AI Cloud Terms of Use.
    3. Click Continue.
A successful login means that you have correctly configured the federation and in Nebius AI Cloud and .

Assign administrator rights for the new account

After your first login to the new federation, a new user account is created in the tenant. To complete the setup and grant the new user account access to the platform, add it to a group with admin rights in Nebius AI Cloud:
  1. Log out of your new account in the web console.
  2. Log in to your main Nebius AI Cloud account.
  3. Go to https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/sidebar/administration.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=e6411dc023fd6972922c0a12a59ccf21 Administration → IAM → Users and add the new user to the relevant admin group.