# Creating an OIDC application in Yandex Identity Hub for integration with 1C:Enterprise


[1C:Enterprise](https://scloud.ru/1s-predpriyatie/) is a development platform for 1C accounting and business automation applications. The platform supports [OpenID Connect](https://en.wikipedia.org/wiki/OpenID#OpenID_Connect_(OIDC)) (OIDC) authentication to provide secure SSO for your organization's users.

To authenticate your [organization's](../../concepts/organization.md) users to 1C:Enterprise with OpenID Connect SSO, create an [OIDC app](../../concepts/applications.md#oidc) in Yandex Identity Hub and configure it appropriately both in Yandex Identity Hub and 1C:Enterprise.

OIDC apps can be managed by users with the `organization-manager.oauthApplications.admin` [role](../../security/index.md#organization-manager-oauthApplications-admin) or higher.

To give your organization's users access to 1C:Enterprise:

1. [Create an app](#create-app).
1. [Set up the integration](#setup-integration).
1. [Make sure the application works correctly](#validate).


## Getting started {#before-you-begin}

To complete this tutorial, you may need a valid [1C:ITS agreement](https://its.1c.ru/db/aboutitsnew) to access the extended documentation.


## Create an app {#create-app}

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

    1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
    1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps**.
    1. In the top-right corner, click ![Circles3Plus](../../../_assets/console-icons/circles-3-plus.svg) **Create application** and in the window that opens:
        1. Select the **OIDC (OpenID Connect)** single sign-on method.
        1. In the **Name** field, specify `enterprise-1c-oidc-app`.
        1. In the **Folder** field, select the folder where you want to create an OAuth client for your app.
        1. Click **Create application**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the CLI command for creating an OIDC app:

     ```bash
     yc organization-manager idp application oauth application create --help
     ```

  1. Create an OAuth client:

     ```bash
     yc iam oauth-client create \
       --name enterprise-1c-oauth-client \
       --scopes openid,email,profile
     ```

     Where:

     * `--name`: OAuth client name.
     * `--scopes`: User attributes available to 1C:Enterprise. The specified attributes are:
       * `openid`: User ID. Required attribute.
       * `email`: User email address.
       * `profile`: Additional user details, such as first name, last name, and avatar.

     Result:

     ```text
     id: ajeqqip130i1********
     name: enterprise-1c-oauth-client
     folder_id: b1g500m2195v********
     status: ACTIVE
     ```

     Save the `id` field value: you will need it to create and configure your app.

  1. Create a secret for your OAuth client:

     ```bash
     yc iam oauth-client-secret create \
       --oauth-client-id <OAuth_client_ID>
     ```

     Result:

     ```text
     oauth_client_secret:
       id: ajeq9jfrmc5t********
       oauth_client_id: ajeqqip130i1********
       masked_secret: yccs__939233b8ac****
       created_at: "2025-10-21T10:14:17.861652377Z"
     secret_value: yccs__939233b8ac********
     ```

     Save the `secret_value` field value: you will need it to configure 1C:Enterprise.
  
  1. Create an OIDC app:

     ```bash
     yc organization-manager idp application oauth application create \
       --organization-id <organization_ID> \
       --name enterprise-1c-oidc-app \
       --description "OIDC application for integration with 1C:Enterprise" \
       --client-id <OAuth_client_ID> \
       --authorized-scopes openid,email,profile \
       --group-distribution-type none
     ```

     Where:

     * `--organization-id`: [ID of the organization](../../operations/organization-get-id.md) you want to create your OIDC app in. This is a required setting.
     * `--name`: OIDC app name. This is a required setting.
     * `--description`: OIDC app description. This is an optional setting.
     * `--client-id`: OAuth client ID you got in Step 2. This is a required setting.
     * `--authorized-scopes`: Specify the same attributes as when creating the OAuth client.
     * `--group-distribution-type`: Set to `none` as user groups are not provided to 1C:Enterprise.

     Result:

     ```text
     id: ek0o663g4rs2********
     name: enterprise-1c-oidc-app
     organization_id: bpf2c65rqcl8********
     group_claims_settings:
       group_distribution_type: NONE
     client_grant:
       client_id: ajeqqip130i1********
       authorized_scopes:
         - openid
         - email
         - profile
     status: ACTIVE
     created_at: "2025-10-21T10:51:28.790866Z"
     updated_at: "2025-10-21T12:37:19.274522Z"
     ```

{% endlist %}


## Set up the integration {#setup-integration}

Set up the 1C:Enterprise integration with the OIDC app you created in Yandex Identity Hub.


### Configure your OIDC application in Yandex Identity Hub {#setup-idp}

#### Get the application’s credentials {#get-credentials}

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

  1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
  1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps**, then select the OIDC app.
  1. On the **Overview** tab, under **Identity provider (IdP) configuration**, expand the **Additional attributes** section and copy the parameter values you need to specify in 1C:Enterprise:

        * `ClientID`: Unique application ID.
        * `OpenID Configuration`: URL with the configuration of all parameters required to set up the integration.

  1. Under **App secrets**, click **Add secret**, and in the window that opens:
     
     1. Optionally, add a description for the new secret.
     1. Click **Create**.
     
     The window will display the generated [application secret](../../concepts/applications.md#oidc-secret). Save this value.
     
     {% note warning %}
     
     If you refresh or close the application information page, you will not be able to view the secret again.
     
     {% endnote %}
     
     If you closed or refreshed the page before saving the secret, click **Add secret** to create a new one.
     
     To delete a secret, in the list of secrets on the OIDC app page, click ![ellipsis](../../../_assets/console-icons/ellipsis.svg) in the secret row and select ![trash-bin](../../../_assets/console-icons/trash-bin.svg) **Delete**.

- CLI {#cli}

  1. Get information about your new OIDC application:

     ```bash
     yc organization-manager idp application oauth application get <app_ID>
     ```

     Where `<app_ID>` is the OIDC app ID you got when creating the app.

     This will return the application information, including the following:

     ```text
     id: ek0o663g4rs2********
     name: enterprise-1c-oidc-app
     organization_id: bpf2c65rqcl8********
     client_grant:
       client_id: ajeqqip130i1********
       authorized_scopes:
         - openid
         - email
         - profile
     ```

     Save the `client_id` value: this is the OIDC app ID you will need to configure 1C:Enterprise.

  1. Get the OpenID Connect Discovery configuration URL:

     ```bash
     yc organization-manager idp application oauth application get <app_ID> \
       --format json | jq -r '.client_grant.issuer_uri'
     ```

     The result will look as follows:

     ```text
     https://auth.yandex.cloud/oauth/<OAuth_client_ID>
     ```

     Save this URL: this is the OpenID Connect Discovery URL you will need to configure 1C:Enterprise.

  1. Use the OAuth client secret that you saved when creating the app in the previous step. If you have not saved the secret, create a new one:

     ```bash
     yc iam oauth-client-secret create \
       --oauth-client-id <OAuth_client_ID>
     ```

     Save the `secret_value` from the command output: this is the app secret you will need to configure 1C:Enterprise.

{% endlist %}


#### Configure the redirect URI {#setup-redirect}

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

  1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
  1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps**, then select the OIDC app.
  1. At the top right, click ![pencil](../../../_assets/console-icons/pencil.svg) **Edit** and in the window that opens:
      1. In the **Redirect URI** field, specify the 1C infobase URL for OIDC app response processing, formatted as follows:

         ```text
         <1C_infobase_publication_domain>/<application_name>/authform.html
         ```

         For example: `https://your.company.ru/your-app/authform.html`.

      1. Click **Save**.

- CLI {#cli}

  1. Update your OAuth client by providing the redirect URI:

     ```bash
     yc iam oauth-client update \
       --id <OAuth_client_ID> \
       --redirect-uris "<1C_infobase_publication_domain>/<application_name>/authform.html"
     ```

     Where:
     
     * `<OAuth_client_ID>`: OAuth client ID you got when creating it.
     * `--redirect-uris`: 1C infobase URL for OIDC app response processing. For example: `https://your.company.ru/your-app/authform.html`.

     Result:

     ```text
     id: ajeiu3otac08********
     name: enterprise-1c-oauth-client
     redirect_uris:
       - https://your.company.ru/your-app/authform.html
     scopes:
       - openid
       - email
       - profile
     folder_id: b1gkd6dks6i1********
     status: ACTIVE
     ```

{% endlist %}


### Configure your OIDC application in 1C:Enterprise {#setup-sp}

To configure OpenID Connect authentication in 1C:Enterprise, set up the infobase publication configuration, restart [Apache HTTP Server](https://httpd.apache.org/), and enable OIDC authentication.

The location of the configuration file depends on your specific 1C:Enterprise setup. For example, it may be located at this path: `/var/www/<app_name>/default.vrd`.

1. Open the configuration file and add the `openidconnect` section within `point`:

    ```xml
    <?xml version="1.0" encoding="UTF-8"?>
    <point xmlns="http://v8.1c.ru/8.2/virtual-resource-system"
    ...
        <openidconnect>
            <providers>
                <![CDATA[[
                    {
                        "name": "identity-hub",
                        "title": "Identity Hub",
                        "discovery": "https://auth.yandex.cloud/.well-known/openid-configuration",
                        "authenticationClaimName": "preferred_username",
                        "authenticationUserPropertyName": "email",
                        "clientconfig": {
                            "authority": "https://auth.yandex.cloud",
                            "client_id": "<app_ID>",
                            "client_secret": "<app_secret>",
                            "redirect_uri": "https://<1C_infobase_publication_domain>/<application_name>/authform.html",
                            "response_type": "code",
                            "scope": "openid email profile",
                            "filterProtocolClaims": true,
                            "loadUserInfo": false
                        }
                    }
                ]]]>
            </providers>
            <allowStandardAuthentication>true</allowStandardAuthentication>
        </openidconnect>
    ...
    </point>
    ```

    Where:

    * `authenticationUserPropertyName`: User attribute for authentication. In this example, it is `email`, the email address.
    * `client_id`: Unique OIDC app ID you got [earlier](#get-credentials) (`ClientID` in the Cloud Center UI, `client_id` in the CLI output).
    * `client_secret`: Generated OIDC app secret you got [earlier](#get-credentials).
    * `redirect_uri`: 1C infobase URL for OIDC app response processing.

1. Restart the Apache HTTP Server:

    ```bash
    systemctl restart apache2
    ```

1. Go to 1C Configurator and enable **OpenID Connect authentication** for each user who needs it. Make sure each user's profile has the attribute specified in the `authenticationUserPropertyName` configuration parameter filled in.
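
The check below is an added example, not part of the original tutorial or of any 1C or Yandex Cloud tooling: it lints the `openidconnect` section of a `default.vrd` before Apache is restarted and compares `redirect_uri` with the URIs registered on the OAuth client. The `lint_vrd` function, the constructed sample file, and the rule that redirect URIs must match exactly are assumptions made for illustration.

```python
import json
import stat
import xml.etree.ElementTree as ET

NS = {"v8": "http://v8.1c.ru/8.2/virtual-resource-system"}

def lint_vrd(xml_text, registered_uris, file_mode=0o640):
    """Return findings for the <openidconnect> section of a default.vrd."""
    providers = ET.fromstring(xml_text).find("v8:openidconnect/v8:providers", NS)
    if providers is None or not (providers.text or "").strip():
        return ["no <openidconnect><providers> section"]
    findings = []
    for p in json.loads(providers.text):  # the CDATA body is a JSON array
        name, cfg = p.get("name", "?"), p.get("clientconfig", {})
        uri = cfg.get("redirect_uri", "")
        if not uri.startswith("https://") or not uri.endswith("/authform.html"):
            findings.append(f"{name}: redirect_uri must be https://.../authform.html")
        elif uri not in registered_uris:  # assumed: IdP matches URIs exactly
            findings.append(f"{name}: redirect_uri not registered on the OAuth client")
        if cfg.get("response_type") != "code":
            findings.append(f"{name}: response_type is not 'code'")
        if "openid" not in cfg.get("scope", "").split():
            findings.append(f"{name}: scope lacks 'openid'")
        for key in ("client_id", "client_secret"):
            value = cfg.get(key, "")
            if not value or value.startswith("<"):
                findings.append(f"{name}: {key} is empty or still a placeholder")
    if file_mode & stat.S_IROTH:
        findings.append("file is world-readable and contains client_secret")
    return findings

# Constructed sample: path case differs from the registered URI, secret not filled in.
SAMPLE_VRD = """<point xmlns="http://v8.1c.ru/8.2/virtual-resource-system">
  <openidconnect>
    <providers><![CDATA[[{
      "name": "identity-hub", "clientconfig": {
        "client_id": "example-client-id",
        "client_secret": "<app_secret>",
        "redirect_uri": "https://your.company.ru/Your-App/authform.html",
        "response_type": "code",
        "scope": "openid email profile"
      }
    }]]]></providers>
  </openidconnect>
</point>"""
REGISTERED = ["https://your.company.ru/your-app/authform.html"]

if __name__ == "__main__":
    print("\n".join(lint_vrd(SAMPLE_VRD, REGISTERED, file_mode=0o644)))
```

For a real file, pass the `redirect_uris` list from the `yc iam oauth-client update` output as `registered_uris` and the mode returned by `os.stat()` as `file_mode`.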


## Make sure your application works correctly {#validate}

To make sure both your OIDC app and the 1C:Enterprise integration work correctly, authenticate to 1C:Enterprise as one of the users for whom you have enabled OIDC authentication.

Proceed as follows:

1. In your browser, navigate to the address of your 1C:Enterprise instance, e.g., `https://your.company.ru`.
1. If you are logged in to 1C:Enterprise, log out.
1. On the 1C:Enterprise authentication page, click **Log in**.
1. On the Yandex Cloud authentication page, enter the user's email address and password.
1. Make sure you are authenticated in 1C:Enterprise.