A federation can be configured for Nebius Token Factory to allow your organization’s users to log in using a SAML 2.0 compatible single sign-on (SSO) provider. SSO is configured in two systems:
  • Nebius Token Factory, where you create and configure a federation.
  • Identity Provider, where you create an application and connect it to the federation.
After the federation and application are set up, users can sign in to Nebius Token Factory. The following four steps guide you through the process.

1. Create an application in the Identity Provider

Go to Admin Console → Applications → Application and choose “Create App Integration”. Choose the “SAML 2.0” sign-in method and set the following parameters on the next screen:
Continue and tick the option “This is an internal app that we have created” on the next screen.
Note: federation-id is used temporarily until you create a federation and get its ID. After that, replace federation-id with the actual ID.

2. Create a federation in Nebius Token Factory

  1. Install the Nebius CLI tool (an installation script works for macOS and Linux):
    curl -sSL https://storage.eu-north1.nebius.cloud/cli/install.sh | bash
    
  2. Create a configuration profile:
    nebius profile create \
      --profile <profile name of your choice> \
      --endpoint api.nebius.cloud \
      --federation-endpoint auth.tokenfactory.nebius.com \
      --parent-id <organization ID>
    
    An organization ID starts with aitenant- and can be found on the organization settings page.
  3. Run the following command:
    nebius iam federation create \
      --parent-id <organization ID> \
      --name <federation name> \
      --user-account-auto-creation=true \
      --active=true \
      --saml-settings-sso-url <login URL> \
      --saml-settings-idp-issuer <Identity Provider Issuer URI>
    
  4. Copy and save the federation ID. It is returned in the metadata.id field of the command output.

3. Change the SAML settings of the application

  1. Replace federation-id with an actual federation ID in the Okta application configuration.
  2. Navigate to the application configuration page on the Admin Console.
  3. Scroll down to the “SAML Settings” section and replace federation-id with the created federation ID in the following fields:
    • Single Sign On URL: https://auth.tokenfactory.nebius.com/login/saml2/provider/<your-federation-id>
    • Recipient URL: https://auth.tokenfactory.nebius.com/login/saml2/provider/<your-federation-id>
    • Destination URL: https://auth.tokenfactory.nebius.com/login/saml2/provider/<your-federation-id>
    • Audience Restriction: https://auth.tokenfactory.nebius.com/saml2/rp/<your-federation-id>

4. Add a signing certificate to the federation

Download a certificate from the Identity Provider.
  1. Navigate to the application configuration page on the Admin Console.
  2. Switch to the “Sign On” tab and scroll down to the “SAML Signing Certificates” section.
  3. Push “Generate new certificate”, then choose “Actions → Download certificate” on the line with the freshly created active certificate.
Then, add the certificate to the federation:
  1. Prepare the federation-cert.json file:
    {
      "metadata": {
        "parent_id": "<federation_ID>"
      },
      "spec": {
        "description": "certificate for a federation",
        "data": "-----BEGIN CERTIFICATE-----\n<certificate_body>\n-----END CERTIFICATE-----\n"
      }
    }
    
    Specify the federation ID and the certificate body from the downloaded file. In the downloaded file, the certificate body is split across several lines; paste it into federation-cert.json as a single line, using \n in place of each line break as shown above.
  2. Apply the certificate file:
    nebius iam federation-certificate create --file federation-cert.json
    
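Turning the downloaded PEM file into federation-cert.json by hand is error-prone (stray line breaks, or a private key or metadata XML pasted in place of the certificate). The following added Python helper, not part of the Nebius documentation or CLI, validates the PEM, prints a SHA-256 fingerprint to compare with the value the Identity Provider displays for the certificate, and writes the JSON in the form the step above describes; SAMPLE_PEM is a constructed placeholder rather than a real certificate, and `<your-federation-id>` is a placeholder for your federation ID.

```python
import base64
import hashlib
import json
import re

# First PEM certificate block; whitespace inside the base64 body is tolerated.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----")

# Constructed stand-in for the downloaded file: a minimal DER SEQUENCE, not a
# real X.509 certificate, so the example runs offline.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

def parse_pem_certificate(pem_text: str) -> bytes:
    """Return the DER bytes, or raise ValueError if this is not a PEM certificate."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    # Every X.509 certificate is a DER SEQUENCE (0x30); this rejects a pasted key or XML.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER certificate")
    return der

def is_valid_pem_certificate(pem_text: str) -> bool:
    try:
        parse_pem_certificate(pem_text)
        return True
    except ValueError:  # binascii.Error from bad base64 is a ValueError subclass
        return False

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint to compare with what the IdP displays."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))

def build_federation_cert(pem_text: str, federation_id: str) -> dict:
    """Document for `nebius iam federation-certificate create --file federation-cert.json`."""
    b64 = base64.b64encode(parse_pem_certificate(pem_text)).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    # Newlines stay in the string; json.dump escapes them, so the certificate
    # ends up on a single line in the file as the procedure requires.
    data = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return {"metadata": {"parent_id": federation_id},
            "spec": {"description": "certificate for a federation", "data": data}}

if __name__ == "__main__":
    print("SHA-256 fingerprint:", sha256_fingerprint(parse_pem_certificate(SAMPLE_PEM)))
    with open("federation-cert.json", "w", encoding="ascii") as fh:
        json.dump(build_federation_cert(SAMPLE_PEM, "<your-federation-id>"), fh, indent=2)
```

Run it with the real downloaded file in place of SAMPLE_PEM and check the printed fingerprint against the Identity Provider before applying the generated file.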

Log in to Nebius Token Factory using the configured SSO

  1. Open the Nebius Token Factory web console.
  2. Click the Get started with SSO button.
  3. Enter the federation ID and click the Sign in button.
A successful login means that you have correctly configured the federation and SSO.

Assigning new users to groups

SSO users are not members of any Access group on first login. An organization administrator should add them to an Access group to grant the required permissions on the platform.