Skip to main content
In this tutorial, you’ll learn to configure SSO in Nebius AI Cloud with JumpCloud. To configure SSO, you need access to two systems:
  • Nebius AI Cloud, where you create and configure a federation.
  • , where you create an application, make it available to the users for whom you configure SSO, and connect the to the federation.
After the federation and are set up, users can sign in to Nebius AI Cloud by using their credentials.

Costs

This tutorial doesn’t include any chargeable resources. The infrastructure you create is free of charge.

Prerequisites

  1. Create a JumpCloud account.
  2. Make sure that this account has at least the Administrator role.
  3. Make sure that your Nebius AI Cloud account is added to the tenant’s group of administrators. To check this, in the web console, go to https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/sidebar/administration.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=e6411dc023fd6972922c0a12a59ccf21 Administration → IAM → Users.
  4. If you prefer not to use the web console, prepare one of the other available Nebius AI Cloud interfaces:
    Install and configure the Nebius AI Cloud CLI.

Steps

Create an application in JumpCloud

  1. Sign in to the JumpCloud admin portal.
    If your data is stored in the EU, you have a different login URL: https://console.eu.jumpcloud.com/login
  2. Create and configure a custom SSO application:
    1. In the admin portal, go to AccessApplications and click https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/plus.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=7c9efc69d65fc58db0eb73702fd81aa1 Add New Application.
    2. In the window that opens, select Custom Application, then select Manage Single Sign-On (SSO) with Configure SSO with SAML.
    3. Enter a name for your application in the Display Label field. You can optionally add a description for your application and upload a logo or select a different color indicator.
    4. On the SSO tab of your application, specify the following required parameters:
      • IdP Entity ID: Click Copy Metadata URL and paste the value in this field.
      • SP Entity ID: https://auth.eu.nebius.com/saml2/rp/federation-id
      • ACS URLs: https://auth.nebius.com/login/saml2/provider/federation-id
        federation-id is used temporarily until you create a federation and get its ID. After that, replace federation-id with the actual value.
      • SAMLSubject NameID: email
      • SAMLSubject NameID Format: urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified
      • Signature Algorithm: RSA-SHA256
      • Sign: Response
      Click Save to apply the changes.
  3. Create users, then add users to a user group.

Download the application certificate from JumpCloud

  1. Go to your application settings in the JumpCloud admin portal.
  2. Click ActionsDownload Certificate to download and save the certificate.

Create a federation in Nebius AI Cloud

  1. To create a federation:
    1. In the sidebar, go to https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/sidebar/administration.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=e6411dc023fd6972922c0a12a59ccf21 Administration → IAM.
    2. Click Create entity and select Federation.
    3. Click the Manual mode toggle and enter your federation name.
    4. Specify the following parameters under Identity provider (IdP):
      • SSO URL: Go to the SSO tab of your JumpCloud application settings and copy and paste the value from the IdP URL field.
      • Issuer: In the same tab in JumpCloud, click Copy Metadata URL and paste the value in this field.
    5. Enter a name for your certificate.
    6. Upload the certificate file that you obtained in the previous step and click Create federation. Copy the ID of the newly created federation.
  2. Update the SSO settings of your application in the JumpCloud admin portal:
    1. Open the application settings page and go to the SSO tab.
    2. In the fields SP Entity ID and ACS URLs, replace the federation-id part of the values with the copied federation ID.

Add a certificate to the federation

If you used the web console to create a federation, you can skip this part and proceed to the next step.
Add the certificate you obtained in the previous step to the federation:
  1. Prepare the federation-cert.json file: 
    {
  "metadata": {
    "parent_id": "<federation_ID>"
  },
  "spec": {
    "description": "certificate for a federation",
    "data": "-----BEGIN CERTIFICATE-----\n<certificate_body>\n-----END CERTIFICATE-----\n"
  }
}
    Specify the certificate body from the downloaded file and the federation ID. In this file, the certificate body is split into several lines. Paste it as a single line in federation-cert.json.
  2. Apply the certificate file: 
    nebius iam federation-certificate create --file federation-cert.json

Log in to Nebius AI Cloud

  1. Open the Nebius AI Cloud web console.
  2. Click Get started with SSO.
  3. Enter the federation ID and click Sign in.
  4. In the Contact details window that opens:
    1. Specify your name and email.
    2. Confirm that you agree with the Nebius AI Cloud Terms of Use.
    3. Click Continue.
A successful login means that you have correctly configured the federation and in Nebius AI Cloud and .

Assign administrator rights for the new account

After your first login to the new federation, a new user account is created in the tenant. To complete the setup and grant the new user account access to the platform, add it to a group with admin rights in Nebius AI Cloud:
  1. Log out of your new account in the web console.
  2. Log in to your main Nebius AI Cloud account.
  3. Go to https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/sidebar/administration.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=e6411dc023fd6972922c0a12a59ccf21 Administration → IAM → Users and add the new user to the relevant admin group.