
# Configuration of single sign-on in Okta

export const provider_1 = "Okta"

export const entity_1 = "application"

export const entity_0 = "application"

export const provider_0 = "Okta"

In this tutorial, you'll learn to configure SSO in Nebius AI Cloud with [Okta](https://www.okta.com/).

To configure SSO, you need access to two systems:

* Nebius AI Cloud, where you create and configure a federation.
* {provider_1}, where you create an application, make it available to the users for whom you configure SSO, and connect the {entity_1} to the federation.

After the federation and {entity_1} are set up, users can sign in to Nebius AI Cloud by using their {provider_1} credentials.

## Costs

This tutorial doesn't include any chargeable resources. The infrastructure you create is free of charge.

## Prerequisites

1. [Create an Okta account](https://www.okta.com/free-trial/).
2. Make sure that your Nebius AI Cloud account is [added](/iam/authorization/groups/members) to the tenant's group of administrators. To check this, in the [web console](https://console.nebius.com), go to <Icon icon="https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/sidebar/administration.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=e6411dc023fd6972922c0a12a59ccf21" width="16" height="16" data-path="_assets/sidebar/administration.svg" /> **Administration** → **IAM** → **Users**.
3. If you prefer not to use the [web console](https://console.nebius.com), prepare one of the other available Nebius AI Cloud interfaces:

   <Tabs>
     <Tab title="CLI">
       [Install](/cli/install) and [configure](/cli/configure) the Nebius AI Cloud CLI.
     </Tab>

     <Tab title="Terraform">
       [Install and configure](/terraform-provider/quickstart) the Nebius AI Cloud provider for Terraform.
     </Tab>
   </Tabs>

## Steps

### Create an application in Okta

1. Sign in to the Okta admin console.

2. [Create and configure a new application](https://help.okta.com/oie/en-us/content/topics/apps/apps_app_integration_wizard_saml.htm):

   1. Go to **Applications** → **Applications** and click **Create App Integration**.

   2. In the window that opens, select **SAML 2.0** and click **Next**.

   3. On the **General settings** step, enter a name in the **App name** field. You can optionally upload a logo for your app.

   4. Click **Next** to proceed to the **Configure SAML** step and specify the following parameters:

      * **Single sign-on URL**: `https://auth.nebius.com/login/saml2/provider/federation-id`
      * **Audience URI (SP Entity ID)**: `https://auth.eu.nebius.com/saml2/rp/federation-id`
      * **Name ID format**: `Unspecified`
      * **Application username**: `Okta username`

        <Note>
          `federation-id` is used temporarily until you [create a federation](#create-a-federation-in-nebius-ai-cloud) and get its ID. After that, replace `federation-id` with the actual value.
        </Note>

   5. Click **Next** to proceed to the **Feedback** step and select the **This is an internal app that we have created** checkbox next to **App type**.

   6. Click **Finish** to create the application.

3. [Create users](https://help.okta.com/oie/en-us/content/topics/users-groups-profiles/usgp-add-users.htm), [assign users to a group](https://help.okta.com/oie/en-us/content/topics/users-groups-profiles/usgp-assign-group-people.htm) and then [assign the group to your application](https://help.okta.com/oie/en-us/content/topics/users-groups-profiles/usgp-assign-app-group.htm).

### Download the IdP metadata file from Okta

1. Go to your application page in the Okta admin console.

2. Switch to the **Sign On** tab and find the **SAML Signing Certificates** section.

3. Click **Actions** → **View IdP metadata** next to the currently active certificate.

   If there are no active certificates, click **Generate new certificate** to create one.

4. In the browser tab that opens, save the XML file with metadata (for example, by using **Command** + **S** on macOS or **Ctrl** + **S** on Windows).

   To download the certificate without metadata, use **Actions** → **Download certificate**.

### Create a federation in Nebius AI Cloud

1. To create a federation:

   <Tabs>
     <Tab title="Web console">
       1. In the sidebar, go to <Icon icon="https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/sidebar/administration.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=e6411dc023fd6972922c0a12a59ccf21" width="16" height="16" data-path="_assets/sidebar/administration.svg" /> **Administration** → **IAM**.

       2. Click **Create entity** and select **Federation**.

       3. Enter your federation name and click **Upload file**.

       4. Select the XML file you saved in the [previous step](#download-the-idp-metadata-file-from-okta) and click **Continue**.

       5. Enter a name for your certificate in the **Certificates** section and click **Create federation**.

          Copy the ID of the newly created federation.
     </Tab>

     <Tab title="CLI">
       1. Run the following command:

          ```bash theme={null}
          nebius iam federation create \
            --parent-id <tenant_ID> \
            --name <federation_name> \
            --user-account-auto-creation=true \
            --saml-settings-sso-url <Login_URL> \
            --saml-settings-idp-issuer <Identity_Provider_Identifier>
          ```

          The command contains the following parameters:

          * `--parent-id`: The ID of the tenant where you are going to create a federation.

            To get the tenant ID, go to the [web console](https://console.nebius.com) and expand the top-left list of tenants. Next to the tenant’s name, click <Icon icon="https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/button-vellipsis.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=e80b8e57c43bfd117679262e6a1334ad" width="12" height="24" data-path="_assets/button-vellipsis.svg" /> → **Copy tenant ID**.

          * `--name`: The federation name.

          * `--user-account-auto-creation`: When a user signs in to Nebius AI Cloud via SSO for the first time, their account is created automatically in the tenant that owns the federation. Anyone who can complete the Okta login for this application therefore gets an account, so limit access on the Okta side by assigning the application only to the group of users who should have it.

          * `--saml-settings-sso-url`: Okta login URL.

          * `--saml-settings-idp-issuer`: Okta identifier.

            To get values for `--saml-settings-sso-url` and `--saml-settings-idp-issuer`:

            1. Open the XML file with metadata that you saved in the [previous step](#download-the-idp-metadata-file-from-okta).

            2. In the `EntityDescriptor` element, find the `entityID` attribute and use its value for `--saml-settings-idp-issuer`.

            3. In one of the `SingleSignOnService` elements, find the `Location` attribute and use its value for `--saml-settings-sso-url`. Okta lists one element for the `HTTP-POST` binding and one for `HTTP-Redirect`, both with the same URL, so either one works.

       2. Copy and save the federation ID. It is returned in the `metadata.id` field of the command output.
     </Tab>

     <Tab title="Terraform">
       1. Create the following configuration file:

          ```hcl theme={null}
          resource "nebius_iam_v1_federation" "<federation_name>" {
            name                       = "<federation_name>"
            parent_id                  = "<tenant_ID>"
            user_account_auto_creation = true
            saml_settings = {
              sso_url    = "<login_URL>"
              idp_issuer = "<Okta_identifier>"
            }
          }

          output "federation_id" {
            description = "ID of the created federation"
            value = nebius_iam_v1_federation.<federation_name>.id
          }
          ```

          The file contains a resource with federation settings and an output that returns the federation ID. The resource contains the following parameters:

          * `name`: The federation name.

          * `parent_id`: The ID of the tenant where you are going to create a federation.

            To get the tenant ID, go to the [web console](https://console.nebius.com) and expand the top-left list of tenants. Next to the tenant’s name, click <Icon icon="https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/button-vellipsis.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=e80b8e57c43bfd117679262e6a1334ad" width="12" height="24" data-path="_assets/button-vellipsis.svg" /> → **Copy tenant ID**.

          * `user_account_auto_creation`: When a user signs in to Nebius AI Cloud via SSO for the first time, their account is created automatically in the tenant that owns the federation. Anyone who can complete the Okta login for this application therefore gets an account, so limit access on the Okta side by assigning the application only to the group of users who should have it.

          * `saml_settings.sso_url`: Okta login URL.

          * `saml_settings.idp_issuer`: Okta identifier.

            To get values for `saml_settings.sso_url` and `saml_settings.idp_issuer`:

            1. Open the XML file with metadata that you saved in the [previous step](#download-the-idp-metadata-file-from-okta).

            2. In the `EntityDescriptor` element, find the `entityID` attribute and use its value for `saml_settings.idp_issuer`.

            3. In one of the `SingleSignOnService` elements, find the `Location` attribute and use its value for `saml_settings.sso_url`. Okta lists one element for the `HTTP-POST` binding and one for `HTTP-Redirect`, both with the same URL, so either one works.

       2. Check that the configuration is correct:
          ```bash theme={null}
          terraform validate
          ```

       3. Apply the changes:
          ```bash theme={null}
          terraform apply
          ```

       4. Copy and save the federation ID. It is returned in the `terraform apply` output:

          ```text theme={null}
          Outputs:

          federation_id = "federation-e00*******"
          ```
     </Tab>
   </Tabs>

2. Update the SAML settings of your application in the Okta admin console:

   1. Open the application page and go to the **General** tab.
   2. In the **SAML Settings** section, click **Edit** and go to the **Configure SAML** step.
   3. In the fields **Single sign-on URL** and **Audience URI (SP Entity ID)**, replace the `federation-id` part of the values with the copied federation ID.

### Add a certificate to the federation

<Note>
  If you used the [web console](https://console.nebius.com) to create a federation, you can skip this part and proceed to the [next step](#log-in-to-nebius-ai-cloud).
</Note>

Add the certificate from the metadata file you obtained in the [previous step](#download-the-idp-metadata-file-from-okta) to the federation:

<Tabs>
  <Tab title="CLI">
    1. Prepare the `federation-cert.json` file:

       ```json theme={null}
       {
          "metadata": {
             "parent_id": "<federation_ID>"
          },
          "spec": {
             "description": "certificate for a federation",
             "data": "-----BEGIN CERTIFICATE-----\n<certificate_body>\n-----END CERTIFICATE-----\n"
          }
       }
       ```

       Specify the federation ID and the certificate body from the downloaded XML file.

       In that file, the certificate body is the base64 text of the `X509Certificate` element. Paste it into `federation-cert.json` as a single line, removing any line breaks and spaces the XML contains, and keep the `BEGIN`/`END` markers and the `\n` separators exactly as shown above.

    2. Apply the certificate file:

       ```bash theme={null}
       nebius iam federation-certificate create --file federation-cert.json
       ```
  </Tab>

  <Tab title="Terraform">
    1. Prepare the certificate file in the same directory where you [store](#create-a-federation-in-nebius-ai-cloud) the `nebius_iam_v1_federation` resource:

       ```hcl theme={null}
       resource "nebius_iam_v1_federation_certificate" "certificate-for-<federation_name>" {
          parent_id   = "<federation_ID>"
          name        = "certificate"
          data        = <<EOT
       -----BEGIN CERTIFICATE-----
       <certificate_body>
       -----END CERTIFICATE-----
       EOT
          description = "certificate for a federation"
          depends_on = [
             nebius_iam_v1_federation.<federation_name>
          ]
       }
       ```

       Specify the following:

       * Federation name
       * Federation ID
       * Certificate body from the downloaded XML file

         In that file, the certificate body is the base64 text of the `X509Certificate` element; copy it without the surrounding whitespace.

       Because the federation resource lives in the same configuration, you can also set `parent_id = nebius_iam_v1_federation.<federation_name>.id` instead of pasting the literal ID; Terraform then derives the ordering from the reference and the `depends_on` block becomes unnecessary.

    2. Check that the configuration is correct:
       ```bash theme={null}
       terraform validate
       ```

    3. Apply the changes:
       ```bash theme={null}
       terraform apply
       ```
  </Tab>
</Tabs>
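The CLI and Terraform steps above take three values from the same metadata file: the `entityID` for the issuer, a `SingleSignOnService` location for the login URL, and the `X509Certificate` body for `federation-cert.json` or the Terraform heredoc. Picking them out by hand is where stray whitespace and copy errors creep in. The script below is an added example, not code from Nebius or Okta: it parses an Okta-style IdP metadata document with Python's standard library, extracts the three values, normalises the certificate body to a single line, checks that it decodes to DER, and emits both the `nebius iam federation create` flag values and the `federation-cert.json` document. The tenant, app ID and certificate in `SAMPLE_METADATA` are constructed for the example; feed `parse_okta_metadata` the XML you saved instead.

```python
"""Pull federation settings out of an Okta IdP metadata file.

Added example for this tutorial, not code from Nebius or Okta. It assumes the
standard SAML 2.0 metadata layout that Okta's "View IdP metadata" action
produces; SAMPLE_METADATA below is constructed, and the tenant, app and
certificate in it are fictitious.
"""
import base64
import json
import ssl
# The metadata comes from your own Okta tenant; for XML you do not control, parse with defusedxml instead.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def parse_okta_metadata(xml_text: str) -> dict:
    """Return the entityID, the SSO URL per binding and the signing certificate bodies."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {el.get("Binding"): el.get("Location") for el in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # skip encryption-only keys
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            if cert.text:
                # Okta may wrap the base64 over several lines; the JSON file wants one line.
                certs.append("".join(cert.text.split()))
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": entity_id, "sso": sso, "signing_certs": certs}


def sso_url(meta: dict) -> str:
    """Login URL for --saml-settings-sso-url; Okta lists the same URL for both bindings."""
    for binding in (POST, REDIRECT):
        if binding in meta["sso"]:
            return meta["sso"][binding]
    raise ValueError("no HTTP-POST or HTTP-Redirect SingleSignOnService element")


def federation_create_flags(meta: dict) -> list:
    """The two SAML flags of `nebius iam federation create`, ready to splice into the command."""
    return ["--saml-settings-sso-url", sso_url(meta), "--saml-settings-idp-issuer", meta["entity_id"]]


def to_pem(b64_body: str) -> str:
    """Wrap a single-line base64 body in PEM markers, in the layout federation-cert.json expects."""
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64_body
    der = ssl.PEM_cert_to_DER_cert(pem)  # rejects bad markers or invalid base64 with ValueError
    if der[:1] != b"\x30":  # every X.509 certificate is an ASN.1 SEQUENCE
        raise ValueError("certificate body does not decode to a DER certificate")
    return pem


def federation_cert_doc(federation_id: str, b64_body: str) -> dict:
    """Content of federation-cert.json for `nebius iam federation-certificate create --file`."""
    return {"metadata": {"parent_id": federation_id},
            "spec": {"description": "certificate for a federation", "data": to_pem(b64_body)}}


# Constructed sample: a fake DER blob stands in for the real certificate and is
# deliberately split over two lines to exercise the whitespace normalisation.
FAKE_DER = bytes([0x30, 0x81, 0x7D]) + bytes(range(125))
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exk0example">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>%s
          %s</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="%s" Location="https://example.okta.com/app/example_app_1/exk0example/sso/saml"/>
    <md:SingleSignOnService Binding="%s" Location="https://example.okta.com/app/example_app_1/exk0example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""" % (FAKE_B64[:64], FAKE_B64[64:], POST, REDIRECT)

if __name__ == "__main__":
    meta = parse_okta_metadata(SAMPLE_METADATA)
    print("nebius iam federation create ... " + " ".join(federation_create_flags(meta)))
    print(json.dumps(federation_cert_doc("federation-e00example", meta["signing_certs"][0]), indent=2))
```

Replace `SAMPLE_METADATA` with the contents of the file you saved from Okta (for example `open("metadata.xml").read()`), write the JSON document to `federation-cert.json` and pass it to `nebius iam federation-certificate create --file`; the string `to_pem` returns is also exactly what goes into the `data` heredoc of the Terraform resource. If the `to_pem` check fails, the body you copied is not a certificate, which is the usual symptom of pasting from the wrong element or of a truncated copy.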

### Log in to Nebius AI Cloud

1. Open the [Nebius AI Cloud web console](https://console.nebius.com).
2. Click **Get started with SSO**.
3. Enter the federation ID and click **Sign in**.
4. In the **Contact details** window that opens:

   1. Specify your name and email.
   2. Confirm that you agree with the [Nebius AI Cloud Terms of Use](/legal/terms-of-use).
   3. Click **Continue**.

A successful login means that you have correctly configured the federation and {entity_0} in Nebius AI Cloud and {provider_0}.

### Assign administrator rights for the new account

After your first login to the new federation, a new user account is created in the tenant.

To complete the setup and grant the new user account access to the platform, add it to a group with admin rights in Nebius AI Cloud. Only accounts that administer the tenant belong in that group; put other federated users in groups that carry just the roles they need.

1. Log out of your new account in the [web console](https://console.nebius.com).
2. Log in to your main Nebius AI Cloud account.
3. Go to <Icon icon="https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/sidebar/administration.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=e6411dc023fd6972922c0a12a59ccf21" width="16" height="16" data-path="_assets/sidebar/administration.svg" /> **Administration** → **IAM** → **Users** and [add](/iam/authorization/groups/members) the new user to the relevant admin group.
