In this tutorial, you’ll learn to configure SSO in Nebius AI Cloud with Microsoft Entra ID. To configure SSO, you need access to two systems:
  • Nebius AI Cloud, where you create and configure a federation.
  • Microsoft Entra ID, where you create an application, make it available to the users for whom you configure SSO, and connect the application to the federation.
After the federation and application are set up, users can sign in to Nebius AI Cloud by using their Microsoft Entra ID credentials.

Costs

This tutorial doesn’t include any chargeable resources. The infrastructure you create is free of charge.

Prerequisites

  1. Create a Microsoft Entra account. You can create it for free.
  2. Make sure that this account has at least the Cloud Application Administrator and User Administrator roles. Otherwise, assign them.
  3. Make sure that your Nebius AI Cloud account is added to the tenant’s group of administrators. To check this, in the web console, go to Administration → IAM → Users.
  4. Prepare one of the Nebius AI Cloud interfaces, depending on which one you are going to use:
    • Install and configure the Nebius AI Cloud CLI.

Steps

Create an application in Microsoft Entra ID

  1. Sign in to the Microsoft Entra admin center.
  2. Create an enterprise application:
    1. In the Browse Microsoft Entra Gallery window, click the Create your own application button.
    2. In the window that opens, specify the application name and select the option Integrate any other application you don’t find in the gallery (Non-gallery).
  3. Create and assign user accounts to the application.
  4. Enable SSO for the application. On the SAML-based Sign-on page, in the Basic SAML Configuration section specify the following parameters:
    • Identifier (Entity ID): .
    • Reply URL (Assertion Consumer Service URL): .
    The two values use different domain names: auth.eu.nebius.com and auth.nebius.com.
    federation-id is used temporarily until you create a federation and get its ID. After that, replace federation-id with the actual value.

Create a federation in Nebius AI Cloud

  1. To create a federation:
    1. Run the following command:
      nebius iam federation create \
        --parent-id <tenant_ID> \
        --name <federation_name> \
        --user-account-auto-creation=true \
        --saml-settings-sso-url <Login_URL> \
        --saml-settings-idp-issuer <Identity_Provider_Identifier>
      
      The command contains the following parameters:
      • --parent-id: The ID of the tenant where you are going to create a federation. To get the tenant ID, go to the web console and expand the list of projects in the top-left corner. Next to the tenant’s name, click the vertical ellipsis button → Copy tenant ID.
      • --name: The federation name.
      • --user-account-auto-creation: When the user signs in to Nebius AI Cloud via SSO, their account is automatically created in the tenant with the configured federation.
      • --saml-settings-sso-url: Login URL from Microsoft Entra ID.
      • --saml-settings-idp-issuer: Microsoft Entra Identifier.
      To get values for --saml-settings-sso-url and --saml-settings-idp-issuer:
        1. Open the application page in the Microsoft Entra admin center.
        2. Go to the Manage → Single sign-on section.
        3. Copy the values of the Login URL and Microsoft Entra Identifier fields.
    2. Copy and save the federation ID. It is returned in the metadata.id field of the command output.
  2. Change the SAML settings of the application in the Microsoft Entra admin center:
    1. Open the application page.
    2. Go to the Manage → Single sign-on section.
    3. In the fields Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL), replace the federation-id part of the values with the copied federation ID.

Add a certificate to the federation

  1. In the Microsoft Entra admin center, download an autogenerated base64 certificate. It is available on the application page, in the Manage → Single sign-on section, in the Certificate (Base64) field. For more information, see the Microsoft Entra ID documentation.
  2. Add the certificate to the federation:
    1. Prepare the federation-cert.json file:
      {
      "metadata": {
         "parent_id": "<federation_ID>"
      },
      "spec": {
         "description": "certificate for a federation",
         "data": "-----BEGIN CERTIFICATE-----\n<certificate_body>\n-----END CERTIFICATE-----\n"
      }
      }
      
      Specify the certificate body from the downloaded file and the federation ID. In this file, the certificate body is split into several lines. Paste it as a single line to federation-cert.json.
    2. Apply the certificate file:
      nebius iam federation-certificate create --file federation-cert.json
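
The single-line conversion described above can be scripted instead of done by hand. The following is an added example, not part of the Nebius documentation: the function names, the allowed federation ID characters and the sample certificate lines are assumptions, and the sample is constructed filler rather than a real certificate.

```bash
# Added example (not Nebius code). Function names and the sample data are assumptions.

# Write a constructed, non-functional "certificate" with CRLF line endings to $1.
write_constructed_sample() {
  printf '%s\r\n' '-----BEGIN CERTIFICATE-----' \
    'Q09OU1RSVUNURURTQU1QTEUx' 'Q09OU1RSVUNURURTQU1QTEUy' \
    '-----END CERTIFICATE-----' > "$1"
}

# Usage: make_federation_cert_json <pem_file> <federation_ID> > federation-cert.json
make_federation_cert_json() {
  pem_file=$1
  federation_id=$2
  [ -r "$pem_file" ] || { echo "cannot read $pem_file" >&2; return 1; }

  # Assumption: the federation ID needs no JSON escaping (letters, digits, - and _).
  case $federation_id in
    ''|*[!A-Za-z0-9_-]*) echo "unexpected federation ID" >&2; return 1 ;;
  esac

  # A public certificate is all the federation needs; refuse key material.
  if grep -q 'PRIVATE KEY' "$pem_file"; then
    echo "file contains a private key" >&2; return 1
  fi
  count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem_file" || true)
  [ "$count" -eq 1 ] || { echo "expected one certificate, found $count" >&2; return 1; }

  # Take the lines between the PEM markers and join them into a single line,
  # dropping CR, LF, spaces and tabs.
  body=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$pem_file" \
    | grep -v -- '-----' | tr -d '\r\n \t')
  case $body in
    ''|*[!A-Za-z0-9+/=]*) echo "certificate body is not Base64" >&2; return 1 ;;
  esac

  # \\n in the format prints the two characters \n that JSON needs; \n is a real newline.
  printf '{\n  "metadata": {\n    "parent_id": "%s"\n  },\n' "$federation_id"
  printf '  "spec": {\n    "description": "certificate for a federation",\n'
  printf '    "data": "-----BEGIN CERTIFICATE-----\\n%s\\n-----END CERTIFICATE-----\\n"\n' "$body"
  printf '  }\n}\n'
}
```

Redirect the function's output to federation-cert.json, then apply it with the nebius iam federation-certificate create command shown above.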
      

Log in to Nebius AI Cloud

  1. Open the Nebius AI Cloud web console.
  2. Click the Get started with SSO button.
  3. Enter the federation ID and click the Sign in button.
  4. In the Contact details window that opens:
    1. Specify your name and email.
    2. Confirm that you agree with the Nebius AI Cloud Terms of Use.
    3. Click the Continue button.
A successful login means that you have correctly configured the federation and application in Nebius AI Cloud and Microsoft Entra ID.

Assign administrator rights for the new account

After your first login to the new federation, a new user account is created in the tenant. To complete the setup and grant the new user account access to the platform, add it to a group with admin rights in Nebius AI Cloud:
  1. Log out of your new account in the web console.
  2. Log in to your main Nebius AI Cloud account.
  3. Go to Administration → IAM → Users and add the new user to the relevant admin group.