Yandex.Cloud Two-factor authentication
Overview
This article shows how to set up two-factor authentication for Yandex.Cloud.
Yandex.Cloud supports federated SAML authentication (Single Sign-On). It allows you to configure Yandex.Cloud access for your existing user base and set up multifactor authentication with centralized access management via Multifactor.
Manually created Yandex.Cloud accounts will continue to work for administrative purposes.
Multifactor does not request and store your users' passwords. Accounts and first-factor authentication methods are managed and verified locally with your Identity Provider (IDP) of choice.
List of supported IDPs:
- Active Directory
- GSuite (Google)
- Yandex
The list is being extended.
How it works
- Yandex.Cloud and Multifactor establish mutual trust by exchanging public certificates and configuring the Single Sign-On and Single Logout addresses.
- On an authentication request, Yandex.Cloud forwards the user to the Multifactor page.
- Multifactor redirects the user to the IdP's authentication page (GSuite, Active Directory, Yandex).
- After the first factor is confirmed, Multifactor requests the second factor and returns a signed response to Yandex.Cloud.
Multifactor configuration
- Log into your account and create a new "Site" -> "Yandex.Cloud".
- Title: arbitrary.
- Address: cloud address.
- Identity Provider:
  - GSuite for Google accounts;
  - Yandex for Yandex accounts;
  - Active Directory for Microsoft domain accounts.
- Portal address:
  - If you selected the Active Directory provider, enter the address (internal or external) of the self-service portal.
- Save the settings.
- Download the Multifactor metadata file; you will need it for the next steps.
Configure Yandex.Cloud
- Select the cloud, browse to the "Federation" section and create a new federation:
  - Name: Multifactor
  - IdP Issuer: copy from the Multifactor settings
  - Single Sign-On method: POST
  - IdP login link: copy from the Multifactor settings
  - Automatically create users:
    - If enabled, users are created in the cloud automatically with the resource-manager.clouds.member role. The list of users can be limited in the Multifactor group settings.
    - If not enabled, accounts must be added manually in the "Users and roles" -> "Add federated users" section.
  - Leave the other settings at their defaults.
- Browse to the federation you just created, click "Add certificate" and provide the Multifactor certificate.
- Copy the Federation ID, go back to your Multifactor account and enter the ID in your resource settings.
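The IdP Issuer, the POST login link and the signing certificate you copy into the federation form all come from the Multifactor metadata file downloaded earlier. The script below is an added example (not Multifactor's or Yandex.Cloud's code) that reads a SAML 2.0 IdP metadata document and pulls out exactly those values, checks that an HTTP-POST Single Sign-On endpoint exists (the method the federation uses), and prints the SHA-256 fingerprint of the signing certificate so you can compare it with the one you added to the federation. The metadata document embedded in it is constructed for the example and its certificate is a placeholder, not a real key; the namespaces and element names are the standard SAML 2.0 ones.

```python
"""Extract the federation settings carried by a SAML 2.0 IdP metadata file.

Added example, not Multifactor's or Yandex.Cloud's own code. It assumes the downloaded
Multifactor metadata is a standard SAML 2.0 EntityDescriptor; the SAMPLE_METADATA below
is constructed and its X509Certificate is a placeholder, not a real certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML-DSig namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: the shape of an IdP metadata export, with a placeholder certificate.
# The Redirect SSO entry is listed first on purpose: the parser must pick the POST one.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        TUlJQ2R1bW15Y2VydGJ5dGVz
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 fingerprint (colon-separated upper-case hex) of a base64-encoded DER certificate."""
    der = base64.b64decode("".join(b64_der.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the IdP Issuer, HTTP-POST login/logout URLs and the signing certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def location_for(service: str, binding: str):
        # Several endpoints may share a name; only the one with the wanted binding counts.
        for el in idp.findall(f"md:{service}", NS):
            if el.get("Binding") == binding:
                return el.get("Location")
        return None

    # A KeyDescriptor without use= is valid for both signing and encryption.
    certs = [
        kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
    ]
    certs = [c for c in certs if c and c.strip()]

    return {
        "issuer": root.get("entityID"),                      # -> IdP Issuer field
        "sso_post_url": location_for("SingleSignOnService", POST_BINDING),   # -> IdP login link
        "slo_url": location_for("SingleLogoutService", POST_BINDING),
        "signing_cert_b64": "".join(certs[0].split()) if certs else None,   # -> Add certificate
        "signing_cert_sha256": cert_fingerprint(certs[0]) if certs else None,
    }


def federation_problems(info: dict) -> list:
    """Anything that would stop you from filling in the federation form correctly."""
    problems = []
    if not info["issuer"]:
        problems.append("no entityID: the IdP Issuer field cannot be filled")
    if not info["sso_post_url"]:
        problems.append("no HTTP-POST SingleSignOnService: the federation uses the POST method")
    if not info["signing_cert_b64"]:
        problems.append("no signing certificate: signed responses cannot be verified")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    for key, value in info.items():
        print(f"{key}: {value}")
    print("problems:", federation_problems(info) or "none")
```

Run it against the real metadata file instead of SAMPLE_METADATA (for example `parse_idp_metadata(open("metadata.xml").read())`) and copy the printed issuer and login URL into the federation form; the fingerprint lets you confirm that the certificate attached to the federation is the one the metadata advertises, which is what makes the signed responses in the last step of the flow verifiable.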
Try it out
Link for federated access: https://console.cloud.yandex.ru/federations/<Federation ID>