# Authenticating as a federated user

You can use a [federated account](../../../iam/concepts/users/accounts.md#saml-federation) to work with Yandex Cloud if your company has an [identity federation](../../../iam/concepts/federations.md) set up. In this case, no personal [Yandex account](../../../iam/concepts/users/accounts.md#passport) is required.

{% note info %}

To authenticate on a server with no GUI, install a browser on the server and [set up X11 forwarding](https://docs.ssh.com/manuals/client-user/53/tunnel-x11.html). With X11 forwarding, you can use the server's browser over SSH. For SSH clients running on Linux, this feature is available by default. For Windows clients, you can use [Xming](https://sourceforge.net/projects/xming/).

See also [Example of authenticating to a Linux VM without GUI](#linux-vm-auth).

If you cannot install a browser, use a [service account](../../../iam/concepts/users/service-accounts.md) instead of a federated account.

{% endnote %}

If you do not have the Yandex Cloud CLI yet, [install it](../install-cli.md).


To authenticate using a [SAML-compatible identity federation](../../../organization/concepts/add-federation.md):

1. Get your federation ID from your administrator.
1. Launch the profile creation wizard:

   ```bash
   yc init --federation-id=<federation_ID>
   ```



1. Select the profile you want to set up authentication for or create a new one.

   ```text
   Welcome! This command will take you through the configuration process.
   Pick desired action:
   [1] Re-initialize this profile 'default' with new settings
   [2] Create a new profile
   ```

1. The CLI prompts you to continue authentication in the browser. Press **Enter** to continue.

   ```text
   You are going to be authenticated via federation-id 'aje1f0hsgds3a********'.
   Your federation authentication web site will be opened.
   After your successful authentication, you will be redirected to 'https://console.yandex.cloud'.

   Press 'enter' to continue...
   ```

   On successful authentication, an [IAM token](../../../iam/concepts/authorization/iam-token.md) will be saved in the profile. This IAM token will be used to authenticate each operation until the end of the token's [lifetime](../../../iam/concepts/authorization/iam-token.md) (not more than 12 hours). After that, the CLI will once again prompt you to authenticate in the browser.
   
   To extend the period during which you do not have to authenticate in the browser, use [refresh tokens](../../../iam/concepts/authorization/refresh-token.md), which allow the CLI to reissue IAM tokens without opening the browser. To do this, enable refresh tokens [at the organization level](../../../iam/concepts/authorization/refresh-token.md#token-enabling) and [initialize DPoP protection](../../../iam/concepts/authorization/refresh-token.md#enabling-dpop) in the CLI.

1. Go back to the command line interface to finish creating the profile.

1. Select one of the [clouds](../../../resource-manager/concepts/resources-hierarchy.md#cloud) from the list of those you have access to:

   ```text
   Please select cloud to use:
    [1] cloud1 (id = aoe2bmdcvata********)
    [2] cloud2 (id = dcvatao4faoe********)
   Please enter your numeric choice: 2
   ```

   If there is only one cloud available, it will be selected automatically.

1. Select the default [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder):

   ```text
   Please choose a folder to use:
    [1] folder1 (id = cvatao4faoe2********)
    [2] folder2 (id = tao4faoe2cva********)
    [3] Create a new folder
   Please enter your numeric choice: 1
   ```

1. To select the default [availability zone](../../../overview/concepts/geo-scope.md) for [Compute Cloud](../../../compute/index.md), type `Y`. To skip the setup, type `n`.

   ```text
   Do you want to configure a default Yandex Compute Cloud availability zone? [Y/n] Y
   ```

   If you typed `Y`, select the availability zone:

   ```text
   Which zone do you want to use as a profile default?
    [1] ru-central1-a
    [2] ru-central1-b
    [3] ru-central1-d
    [4] Do not set default zone
   Please enter your numeric choice: 2
   ```



1. View your CLI profile settings:

   ```bash
   yc config list
   ```

   Result:

   ```text
   federation-id: aje1f0hs6oja********
   subject-id: ajea53egl28l********
   cloud-id: b1g159pa15cd********
   folder-id: b1g8o9jbt58********
   compute-default-zone: ru-central1-b
   ```

## Example of authenticating to a Linux VM without GUI {#linux-vm-auth}

To authenticate to a Linux VM, follow these steps:

1. [Connect](../../../compute/operations/vm-connect/ssh.md) to the VM over SSH.
1. [Install the CLI](../install-cli.md).

1. On your VM, create a file named `/usr/local/bin/xdg-open` with the following contents:

    ```bash
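    #!/bin/sh
    # Print the URL the CLI asks to open instead of launching a browser.
    # Quoting keeps the shell from glob-expanding the '?' in the URL.
    echo "$*" > /dev/tty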
    ```

1. Assign permissions to execute the file:

    ```bash
    sudo chmod +x /usr/local/bin/xdg-open
    ```

1. Run this CLI command to create a profile:

    ```bash
    yc init --federation-id=<federation_ID>
    ```

1. Select the profile you want to set up authentication for or create a new one:

   ```text
   Welcome! This command will take you through the configuration process.
   Pick desired action:
   [1] Re-initialize this profile 'default' with new settings
   [2] Create a new profile
   ```

1. The CLI prompts you to continue authentication in the browser. Press **Enter** to continue:

   ```text
   You are going to be authenticated via federation-id 'aje1f0hsgds3a********'.
   Your federation authentication web site will be opened.
   After your successful authentication, you will be redirected to 'https://console.yandex.cloud'.

   Press 'enter' to continue...
   ```

1. Once you press **Enter**, you will get a URL that looks like this:

    ```text
    https://auth.yandex.cloud/oauth/authorize?client_id=yc.oauth.public-sdk&code_challenge=y22kspX4VrKLmdg9hGr_Bwgte_a3RXtw1En********&code_challenge_method=S256&redirect_uri=http%3A%2F%2F127.0.0.1%3A42121%2Fauth%2Fcallback&response_type=code&scope=openid&state=aExf0z********&yc_federation_hint=federation-id
    ```

    Save this URL. You will need it for browser authentication. You will also need the port number, which follows the `127.0.0.1` IP address in the `redirect_uri` query parameter. In our example, it is `42121`.

1. On your local computer, open a new terminal window and run the command to set up an SSH tunnel, specifying the port obtained in the previous step, username, and VM IP address:

    ```bash
    ssh -L <port>:127.0.0.1:<port> <username>@<VM_IP_address>
    ```

1. Use your local computer's browser to open the authentication URL you got earlier.

1. Upon successful authentication, the pending CLI command within the VM SSH session will display the next profile configuration step.
1. Complete the CLI configuration.
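
The port extraction and tunnel steps above can be scripted so that the URL is checked before you open it. This is an added example, not part of the Yandex Cloud CLI: the function names are hypothetical, the sample URL is constructed in the shape of the one shown above, and `user@203.0.113.10` is a placeholder SSH destination.

```bash
#!/bin/sh
# Added example: hypothetical helper names; checks the URL printed by the
# xdg-open stub and derives the SSH tunnel command from its callback port.

# Print the still percent-encoded value of query parameter $2 in URL $1.
query_param() {
    printf '%s\n' "${1#*[?]}" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print the callback port, or fail if the URL does not have the shape
# shown above (auth.yandex.cloud, S256 challenge, 127.0.0.1 callback).
callback_port() {
    case $1 in
        'https://auth.yandex.cloud/oauth/authorize?'*) ;;
        *) echo "unexpected authorization endpoint" >&2; return 1 ;;
    esac
    [ "$(query_param "$1" code_challenge_method)" = "S256" ] || {
        echo "code_challenge_method is not S256" >&2; return 1; }
    # Decode only ':' and '/', the characters escaped in the expected value.
    redirect=$(query_param "$1" redirect_uri |
        sed -e 's/%3[Aa]/:/g' -e 's/%2[Ff]/\//g')
    case $redirect in
        http://127.0.0.1:*/*) ;;
        *) echo "redirect_uri is not a 127.0.0.1 callback" >&2; return 1 ;;
    esac
    port=${redirect#http://127.0.0.1:}
    port=${port%%/*}
    case $port in
        ''|*[!0-9]*) echo "callback port is not numeric" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "callback port out of range" >&2; return 1; }
    printf '%s\n' "$port"
}

# Print the tunnel command for URL $1 and SSH destination $2 (user@host).
tunnel_command() {
    port=$(callback_port "$1") || return 1
    printf 'ssh -L %s:127.0.0.1:%s %s\n' "$port" "$port" "$2"
}

# Constructed sample: same shape as the URL above, secret values replaced.
SAMPLE_URL='https://auth.yandex.cloud/oauth/authorize?client_id=yc.oauth.public-sdk&code_challenge=CONSTRUCTED_CHALLENGE&code_challenge_method=S256&redirect_uri=http%3A%2F%2F127.0.0.1%3A42121%2Fauth%2Fcallback&response_type=code&scope=openid&state=CONSTRUCTED_STATE&yc_federation_hint=federation-id'
tunnel_command "$SAMPLE_URL" 'user@203.0.113.10'
```

A URL that fails any of these checks (different host, non-loopback `redirect_uri`, non-numeric port) produces an error on stderr and no tunnel command.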