Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.nebius.com/llms.txt

Use this file to discover all available pages before exploring further.

In this tutorial, you’ll learn to configure SSO in Nebius AI Cloud with Okta. To configure SSO, you need access to two systems:
  • Nebius AI Cloud, where you create and configure a federation.
  • , where you create an application, make it available to the users for whom you configure SSO, and connect the to the federation.
After the federation and are set up, users can sign in to Nebius AI Cloud by using their credentials.

Costs

This tutorial doesn’t include any chargeable resources. The infrastructure you create is free of charge.

Prerequisites

  1. Create an Okta account.
  2. Make sure that your Nebius AI Cloud account is added to the tenant’s group of administrators. To check this, in the web console, go to https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/sidebar/administration.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=e6411dc023fd6972922c0a12a59ccf21 Administration → IAM → Users.
  3. If you prefer not to use the web console, prepare one of the other available Nebius AI Cloud interfaces:
    Install and configure the Nebius AI Cloud CLI.

Steps

Create an application in Okta

  1. Sign in to the Okta admin console.
  2. Create and configure a new application:
    1. Go to ApplicationsApplications and click Create App Integration.
    2. In the window that opens, select SAML 2.0 and click Next.
    3. On the General settings step, enter a name in the App name field. You can optionally upload a logo for your app.
    4. Click Next to proceed to the Configure SAML step and specify the following parameters:
      • Single sign-on URL: https://auth.nebius.com/login/saml2/provider/federation-id
      • Audience URI (SP Entity ID): https://auth.eu.nebius.com/saml2/rp/federation-id
      • Name ID format: Unspecified
      • Application username: Okta username
        federation-id is used temporarily until you create a federation and get its ID. After that, replace federation-id with the actual value.
    5. Click Next to proceed to the Feedback step and select the This is an internal app that we have created checkbox next to App type.
    6. Click Finish to create the application.
  3. Create users, assign users to a group and then assign the group to your application.

Download the IdP metadata file from Okta

  1. Go to your application page in the Okta admin console.
  2. Switch to the Sign On tab and find the SAML Signing Certificates section.
  3. Click ActionsView IdP metadata next to the currently active certificate. If there are no active certificates, click Generate new certificate to create one.
  4. In the browser tab that opens, save the XML file with metadata (for example, by using Command + S on macOS or Ctrl + S on Windows). To download the certificate without metadata, use ActionsDownload certificate.

Create a federation in Nebius AI Cloud

  1. To create a federation:
    1. In the sidebar, go to https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/sidebar/administration.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=e6411dc023fd6972922c0a12a59ccf21 Administration → IAM.
    2. Click Create entity and select Federation.
    3. Enter your federation name and click Upload file.
    4. Select the XML file you saved in the previous step and click Continue.
    5. Enter a name for your certificate in the Certificates section and click Create federation. Copy the ID of the newly created federation.
  2. Update the SAML settings of your application in the Okta admin console:
    1. Open the application page and go to the General tab.
    2. In the SAML Settings section, click Edit and go to the Configure SAML step.
    3. In the fields Single sign-on URL and Audience URI (SP Entity ID), replace the federation-id part of the values with the copied federation ID.

Add a certificate to the federation

If you used the web console to create a federation, you can skip this part and proceed to the next step.
Add the certificate from the metadata file you obtained in the previous step to the federation:
  1. Prepare the federation-cert.json file: 
    {
   "metadata": {
      "parent_id": "<federation_ID>"
   },
   "spec": {
      "description": "certificate for a federation",
      "data": "-----BEGIN CERTIFICATE-----\n<certificate_body>\n-----END CERTIFICATE-----\n"
   }
}
    Specify the federation ID and the certificate body from the downloaded XML file. In this file, the certificate body is stored in the X509Certificate element. Paste it as a single line to federation-cert.json.
  2. Apply the certificate file: 
    nebius iam federation-certificate create --file federation-cert.json

Log in to Nebius AI Cloud

  1. Open the Nebius AI Cloud web console.
  2. Click Get started with SSO.
  3. Enter the federation ID and click Sign in.
  4. In the Contact details window that opens:
    1. Specify your name and email.
    2. Confirm that you agree with the Nebius AI Cloud Terms of Use.
    3. Click Continue.
A successful login means that you have correctly configured the federation and in Nebius AI Cloud and .

Assign administrator rights for the new account

After your first login to the new federation, a new user account is created in the tenant. To complete the setup and grant the new user account access to the platform, add it to a group with admin rights in Nebius AI Cloud:
  1. Log out of your new account in the web console.
  2. Log in to your main Nebius AI Cloud account.
  3. Go to https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/sidebar/administration.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=e6411dc023fd6972922c0a12a59ccf21 Administration → IAM → Users and add the new user to the relevant admin group.