# Configuration of single sign-on in JumpCloud

export const provider_1 = "JumpCloud"

export const entity_1 = "application"

export const entity_0 = "application"

export const provider_0 = "JumpCloud"

In this tutorial, you'll learn to configure SSO in Nebius AI Cloud with [JumpCloud](https://jumpcloud.com).

To configure SSO, you need access to two systems:

* Nebius AI Cloud, where you create and configure a federation.
* JumpCloud, where you create an application, make it available to the users for whom you configure SSO, and connect the application to the federation.

After the federation and application are set up, users can sign in to Nebius AI Cloud by using their JumpCloud credentials.

## Costs

This tutorial doesn't include any chargeable resources. The infrastructure you create is free of charge.

## Prerequisites

1. [Create a JumpCloud account](https://console.jumpcloud.com/signup).
2. Make sure that this account has at least the [Administrator](https://jumpcloud.com/support/manage-admin-accounts) role.
3. Make sure that your Nebius AI Cloud account is [added](/iam/authorization/groups/members) to the tenant's group of administrators. To check this, in the [web console](https://console.nebius.com), go to **Administration** → **IAM** → **Users**.
4. If you prefer not to use the [web console](https://console.nebius.com), prepare one of the other available Nebius AI Cloud interfaces:

   <Tabs>
     <Tab title="CLI">
       [Install](/cli/install) and [configure](/cli/configure) the Nebius AI Cloud CLI.
     </Tab>

     <Tab title="Terraform">
       [Install and configure](/terraform-provider/quickstart) the Nebius AI Cloud provider for Terraform.
     </Tab>
   </Tabs>

## Steps

### Create an application in JumpCloud

1. Sign in to the [JumpCloud admin portal](https://console.jumpcloud.com/login).

   <Note>
     If your data is stored in the EU, you have a different login URL: [https://console.eu.jumpcloud.com/login](https://console.eu.jumpcloud.com/login)
   </Note>

2. [Create and configure a custom SSO application](https://jumpcloud.com/support/sso-using-custom-saml-application-connectors#to-configure-jumpcloud):

   1. Go to **Access** → **Applications** and click **Add New Application**.
   2. In the window that opens, select **Custom Application**, then select **Manage Single Sign-On (SSO)** with **Configure SSO with SAML**.
   3. Enter a name for your application in the **Display Label** field. You can optionally add a description for your application and upload a logo or select a different color indicator.
   4. On the **SSO** tab of your application, specify the following required parameters:

      * **IdP Entity ID**: Click **Copy Metadata URL** and paste the value in this field.

      * **SP Entity ID**: `https://auth.eu.nebius.com/saml2/rp/federation-id`

      * **ACS URLs**: `https://auth.nebius.com/login/saml2/provider/federation-id`

        <Note>
          `federation-id` is used temporarily until you [create a federation](#create-a-federation-in-nebius-ai-cloud) and get its ID. After that, replace `federation-id` with the actual value.
        </Note>

      * **SAMLSubject NameID**: `email`

      * **SAMLSubject NameID Format**: `urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified`

      * **Signature Algorithm**: `RSA-SHA256`

      * **Sign**: `Response`

      Click **Save** to apply the changes.

3. [Create users](https://jumpcloud.com/support/add-users-to-admin-portal), then [add users to a user group](https://jumpcloud.com/support/get-started-user-groups#creating-user-groups).

### Download the application certificate from JumpCloud

1. Go to your application settings in the JumpCloud admin portal.
2. Click **Actions** → **Download Certificate** to download and save the certificate.

### Create a federation in Nebius AI Cloud

1. To create a federation:

   <Tabs>
     <Tab title="Web console">
       1. In the sidebar, go to **Administration** → **IAM**.

       2. Click **Create entity** and select **Federation**.

       3. Click the **Manual mode** toggle and enter your federation name.

       4. Specify the following parameters under **Identity provider (IdP)**:

          * **SSO URL**: Go to the **SSO** tab of your JumpCloud application settings and copy and paste the value from the **IdP URL** field.
          * **Issuer**: In the same tab in JumpCloud, click **Copy Metadata URL** and paste the value in this field.

       5. Enter a name for your certificate.

       6. Upload the certificate file that you obtained in the [previous step](#download-the-application-certificate-from-jumpcloud) and click **Create federation**.

          Copy the ID of the newly created federation.
     </Tab>

     <Tab title="CLI">
       1. Run the following command:

          ```bash
          nebius iam federation create \
            --parent-id <tenant_ID> \
            --name <federation_name> \
            --user-account-auto-creation=true \
            --saml-settings-sso-url <Login_URL> \
            --saml-settings-idp-issuer <Identity_Provider_Identifier>
          ```

          The command contains the following parameters:

          * `--parent-id`: [Tenant ID](/iam/get-tenants#cli).

          * `--name`: The federation name.

          * `--user-account-auto-creation`: When the user signs in to Nebius AI Cloud via SSO, their account is automatically created in the tenant with the configured federation.

          * `--saml-settings-sso-url`: Login URL from JumpCloud.

          * `--saml-settings-idp-issuer`: JumpCloud identifier.

            To get values for `--saml-settings-sso-url` and `--saml-settings-idp-issuer`:

            1. Open the application settings page in the JumpCloud admin portal.
            2. Go to the **SSO** tab and copy the values of the **IdP URL** and **IdP Entity ID** fields.

       2. Copy and save the federation ID. It is returned in the `metadata.id` field of the command output.
     </Tab>

     <Tab title="Terraform">
       1. Create the following configuration file:

          ```hcl
          resource "nebius_iam_v1_federation" "<federation_name>" {
            name                       = "<federation_name>"
            parent_id                  = "<tenant_ID>"
            user_account_auto_creation = true
            saml_settings = {
              sso_url    = "<login_URL>"
              idp_issuer = "<JumpCloud_identifier>"
            }
          }

          output "federation_id" {
            description = "ID of the created federation"
            value = nebius_iam_v1_federation.<federation_name>.id
          }
          ```

          The file contains a resource with federation settings and an output that returns the federation ID. The resource contains the following parameters:

          * `name`: The federation name.

          * `parent_id`: [Tenant ID](/iam/get-tenants).

          * `user_account_auto_creation`: When the user signs in to Nebius AI Cloud via SSO, their account is automatically created in the tenant with the configured federation.

          * `saml_settings.sso_url`: Login URL from JumpCloud.

          * `saml_settings.idp_issuer`: JumpCloud identifier.

            To get values for `saml_settings.sso_url` and `saml_settings.idp_issuer`:

            1. Open the application settings page in the JumpCloud admin portal.
            2. Go to the **SSO** tab and copy the values of the **IdP URL** and **IdP Entity ID** fields.

       2. Check that the configuration is correct:
          ```bash
          terraform validate
          ```

       3. Apply the changes:
          ```bash
          terraform apply
          ```

       4. Copy and save the federation ID. It is returned in the `terraform apply` output:

          ```text
          Outputs:

          federation_id = "federation-e00*******"
          ```
     </Tab>
   </Tabs>

2. Update the SSO settings of your application in the JumpCloud admin portal:

   1. Open the application settings page and go to the **SSO** tab.
   2. In the fields **SP Entity ID** and **ACS URLs**, replace the `federation-id` part of the values with the copied federation ID.

### Add a certificate to the federation

<Note>
  If you used the [web console](https://console.nebius.com) to create a federation, you can skip this part and proceed to the [next step](#log-in-to-nebius-ai-cloud).
</Note>

Add the certificate you obtained in the [previous step](#download-the-application-certificate-from-jumpcloud) to the federation:

<Tabs>
  <Tab title="CLI">
    1. Prepare the `federation-cert.json` file:

       ```json
       {
         "metadata": {
           "parent_id": "<federation_ID>"
         },
         "spec": {
           "description": "certificate for a federation",
           "data": "-----BEGIN CERTIFICATE-----\n<certificate_body>\n-----END CERTIFICATE-----\n"
         }
       }
       ```

       Specify the certificate body from the downloaded file and the federation ID.

       The downloaded file splits the certificate body across several lines. Paste it as a single line in `federation-cert.json`.
    2. Apply the certificate file:

       ```bash
       nebius iam federation-certificate create --file federation-cert.json
       ```
  </Tab>

  <Tab title="Terraform">
    1. Prepare the certificate file in the same directory where you [store](#create-a-federation-in-nebius-ai-cloud) the `nebius_iam_v1_federation` resource:
       ```hcl
       resource "nebius_iam_v1_federation_certificate" "certificate-for-<federation_name>" {
         parent_id   = "<federation_ID>"
         name        = "certificate"
         data        = <<EOT
       -----BEGIN CERTIFICATE-----
       <certificate_body>
       -----END CERTIFICATE-----
       EOT
         description = "certificate for a federation"
         depends_on = [
           nebius_iam_v1_federation.<federation_name>
         ]
       }
       ```
       Specify the following:
       * Federation name
       * Federation ID
       * Certificate body from the downloaded file
    2. Check that the configuration is correct:
       ```bash
       terraform validate
       ```
    3. Apply the changes:
       ```bash
       terraform apply
       ```
  </Tab>
</Tabs>
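
The CLI step above asks for the certificate body as a single line inside `federation-cert.json`. The following Python script is an added example, not Nebius or JumpCloud code: it checks that the downloaded file holds exactly one certificate and no private key, joins the body, and returns the JSON document together with a SHA-256 fingerprint you can keep for your records. The names `build_federation_cert` and `constructed_pem` are hypothetical, and the sample PEM is constructed, not a real certificate.

```python
import base64
import hashlib
import json
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def build_federation_cert(pem_text, federation_id):
    """Return (document for federation-cert.json, SHA-256 of the DER bytes)."""
    if "PRIVATE KEY" in pem_text:
        raise ValueError("file contains a private key; upload the certificate only")
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    # Join the wrapped base64 lines into the single line the CLI step asks for.
    body = "".join(blocks[0].split())
    der = base64.b64decode(body, validate=True)  # raises ValueError on bad base64
    # A DER-encoded certificate always starts with an ASN.1 SEQUENCE tag (0x30).
    if not der.startswith(b"\x30"):
        raise ValueError("decoded body is not a DER certificate")
    doc = {
        "metadata": {"parent_id": federation_id},
        "spec": {
            "description": "certificate for a federation",
            "data": "-----BEGIN CERTIFICATE-----\n" + body
                    + "\n-----END CERTIFICATE-----\n",
        },
    }
    return doc, hashlib.sha256(der).hexdigest()


def constructed_pem():
    """Constructed stand-in, not a real certificate: DER-like bytes, PEM-wrapped."""
    b64 = base64.b64encode(b"\x30\x82\x01\x00" + bytes(range(256))).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # For a real run, read the file downloaded from JumpCloud instead.
    doc, fingerprint = build_federation_cert(constructed_pem(), "<federation_ID>")
    json.dump(doc, sys.stdout, indent=2)
    print("\nSHA-256 (DER):", fingerprint, file=sys.stderr)
```

`json.dump` writes the line breaks around the body as `\n` escapes, which is the form shown in the `federation-cert.json` template above.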

### Log in to Nebius AI Cloud

1. Open the [Nebius AI Cloud web console](https://console.nebius.com).
2. Click **Get started with SSO**.
3. Enter the federation ID and click **Sign in**.
4. In the **Contact details** window that opens:

   1. Specify your name and email.
   2. Confirm that you agree with the [Nebius AI Cloud Terms of Use](/legal/terms-of-use).
   3. Click **Continue**.

A successful login means that you have correctly configured the federation in Nebius AI Cloud and the application in JumpCloud.
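
If the login fails instead, a captured SAML response (the base64 `SAMLResponse` form field, decoded to XML) can be compared with the values entered on the **SSO** tab. The following Python lint is an added example, not Nebius or JumpCloud code. It assumes the response carries the configured values verbatim, uses the hypothetical names `lint_response` and `constructed_response`, and runs on a constructed sample; it does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified"

def lint_response(xml_text, acs_url, sp_entity_id, idp_entity_id):
    """List mismatches between a decoded SAML response and the SSO-tab values.
    Configuration lint only: it never verifies the signature."""
    root = ET.fromstring(xml_text)  # run on your own captured response only
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination != ACS URL")
    if root.findtext("a:Issuer", "", NS).strip() != idp_entity_id:
        problems.append("Issuer != IdP Entity ID")
    # "Sign: Response" puts ds:Signature directly under the Response element.
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        problems.append("Response is not signed")
    elif method.get("Algorithm") != RSA_SHA256:
        problems.append("Signature Algorithm != RSA-SHA256")
    name_id = root.find("a:Assertion/a:Subject/a:NameID", NS)
    if name_id is None or "@" not in (name_id.text or ""):
        problems.append("NameID is not an email address")
    elif name_id.get("Format") != NAMEID_FORMAT:
        problems.append("NameID Format differs")
    audience = root.findtext(
        "a:Assertion/a:Conditions/a:AudienceRestriction/a:Audience", "", NS)
    if audience.strip() != sp_entity_id:
        problems.append("Audience != SP Entity ID")
    return problems

def constructed_response(acs, sp, idp, sign_response=True):
    """Constructed sample with an empty signature value, not a real capture."""
    sig = (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
           f'<ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo>'
           '<ds:SignatureValue/></ds:Signature>')
    return (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" Destination="{acs}">'
            f'<a:Issuer>{idp}</a:Issuer>{sig if sign_response else ""}'
            f'<a:Assertion><a:Issuer>{idp}</a:Issuer>'
            f'{"" if sign_response else sig}'
            f'<a:Subject><a:NameID Format="{NAMEID_FORMAT}">user@example.com'
            '</a:NameID></a:Subject><a:Conditions><a:AudienceRestriction>'
            f'<a:Audience>{sp}</a:Audience></a:AudienceRestriction></a:Conditions>'
            '</a:Assertion></p:Response>')
```

An empty list means the response matches the settings. A `Destination != ACS URL` entity usually points to the temporary `federation-id` placeholder still being present in the JumpCloud application.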

### Assign administrator rights for the new account

After your first login to the new federation, a new user account is created in the tenant.

To complete the setup and grant the new user account access to the platform, add it to a group with admin rights in Nebius AI Cloud:

1. Log out of your new account in the [web console](https://console.nebius.com).
2. Log in to your main Nebius AI Cloud account.
3. Go to **Administration** → **IAM** → **Users** and [add](../authorization/groups/members) the new user to the relevant admin group.
