[Yandex Cloud documentation](../../../index.md) > [Yandex Identity Hub](../../index.md) > [Tutorials](../index.md) > [Setting up single sign-on (SSO) for apps](index.md) > MWS

# Creating an OIDC application in Yandex Identity Hub for integration with MWS


[MTS Web Services (MWS)](https://mws.ru/) is an ecosystem of services and platform solutions for building and managing IT infrastructure. MWS supports [OpenID Connect](https://en.wikipedia.org/wiki/OpenID#OpenID_Connect_(OIDC)) (OIDC) authentication to provide secure SSO for your organization's users.

For your [organization's](../../concepts/organization.md) users to be able to authenticate to Jenkins via OpenID Connect SSO, create an [OIDC app](../../concepts/applications.md#oidc) in Yandex Identity Hub and configure it both in Yandex Identity Hub and Jenkins.

OIDC apps can be managed by users with the `organization-manager.oauthApplications.admin` [role](../../security/index.md#organization-manager-oauthApplications-admin) or higher.

To give access to MWS to the users of your organization:

1. [Create an account in MWS](#mws-account).
1. [Create an app](#create-app).
1. [Set up the integration](#setup-integration).
1. [Make sure the application works correctly](#validate).

## Create an account in MWS {#mws-account}

If you do not have an MWS account, create one:

1. On the [MWS console login page](https://console.mws.ru/), click **Log in via MTS ID**.
1. Create a MTS ID account:
    * Enter your phone number. The number will be linked to the account and cannot be replaced later.
    * Enter the confirmation code from the text message.
1. Create an MWS account:
    * Enter the email that will be linked to your MWS account.
    * Click **Next**.
    * Confirm your registration by clicking the **Confirm email** link in the message.
    * Accept the terms of the user agreement and click **Log in to console**.
1. In the menu on the left, navigate to **Organization**, then **About organization**.
1. Save your MWS organization ID, e.g., `organization-test`; you will need it to configure the integration.

## Create an app {#create-app}

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

    1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
    1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps**.
    1. In the top-right corner, click ![Circles3Plus](../../../_assets/console-icons/circles-3-plus.svg) **Create application** and in the window that opens:
        1. Select the **OIDC (OpenID Connect)** single sign-on method.
        1. In the **Name** field, specify a name for your new app: `mws-oidc-app`.
        1. In the **Folder** field, select the folder where you want to create an OAuth client for your app.
        1. Optionally, in the **Description** field, enter a description for the new app.
        1. Optionally, add [labels](../../../resource-manager/concepts/labels.md):
            1. Click **Add label**.
            1. Add a label in `key: value` format.
            1. Press **Enter**.
        1. Click **Create application**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the CLI command for creating an OIDC app:

     ```bash
     yc organization-manager idp application oauth application create --help
     ```

  1. Create an OAuth client:

     ```bash
     yc iam oauth-client create \
       --name mws-oauth-client \
       --scopes openid,email,profile
     ```

     Where:

     * `--name`: OAuth client name.
     * `--scopes`: User attributes available to MWS. The specified attributes are:
       * `openid`: User ID. Required attribute.
       * `email`: User email address.
       * `profile`: Additional user details, such as first name, last name, and avatar.

     Result:

     ```text
     id: ajeqqip130i1********
     name: mws-oauth-client
     folder_id: b1g500m2195v********
     status: ACTIVE
     ```

     Save the `id` field value for when you need to create and configure your app.

  1. Create a secret for your OAuth client:

     ```bash
     yc iam oauth-client-secret create \
       --oauth-client-id <OAuth_client_ID>
     ```

     Result:

     ```text
     oauth_client_secret:
       id: ajeq9jfrmc5t********
       oauth_client_id: ajeqqip130i1********
       masked_secret: yccs__939233b8ac****
       created_at: "2025-10-21T10:14:17.861652377Z"
     secret_value: yccs__939233b8ac********
     ```

     Save the value of the `secret_value` field: you will need it to configure MWS.
  
  1. Create an OIDC app:

     ```bash
     yc organization-manager idp application oauth application create \
       --organization-id <organization_ID> \
       --name mws-oidc-app \
       --description "OIDC application for integration with MWS" \
       --client-id <OAuth_client_ID> \
       --authorized-scopes openid,email,profile \
       --group-distribution-type none
     ```

     Where:

     * `--organization-id`: [ID of the organization](../../operations/organization-get-id.md) you want to create your OIDC app in. This is a required setting.
     * `--name`: OIDC app name. This is a required setting.
     * `--description`: OIDC app description. This is an optional setting.
     * `--client-id`: OAuth client ID you got in Step 2. This is a required setting.
     * `--authorized-scopes`: Specify the same attributes as when creating the OAuth client.
     * `--group-distribution-type`: Set to `none` as user groups are not provided to MWS.

     Result:

     ```text
     id: ek0o663g4rs2********
     name: mws-oidc-app
     organization_id: bpf2c65rqcl8********
     group_claims_settings:
       group_distribution_type: NONE
     client_grant:
       client_id: ajeqqip130i1********
       authorized_scopes:
         - openid
         - email
         - profile
     status: ACTIVE
     created_at: "2025-10-21T10:51:28.790866Z"
     updated_at: "2025-10-21T12:37:19.274522Z"
     ```

{% endlist %}

## Set up the integration {#setup-integration}

To configure MWS integration with the OIDC app you created in Yandex Identity Hub, complete the configuration both on the MWS side and in Yandex Identity Hub.

### Get the application’s credentials {#get-credentials}

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

  1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
  1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps** and select the OIDC app.
  1. On the **Overview** tab, under **Identity provider (IdP) configuration**, expand the **Additional attributes** section and copy the **ClientID** value you need to set on the MWS side.
  1. Under **App secrets**, click **Add secret**, and in the window that opens:
     
     1. Optionally, add a description for the new secret.
     1. Click **Create**.
     
     The window will display the generated [application secret](../../concepts/applications.md#oidc-secret). Save this value.
     
     {% note warning %}
     
     If you refresh or close the application information page, you will not be able to view the secret again.
     
     {% endnote %}
     
     If you closed or refreshed the page before saving the secret, click **Add secret** to create a new one.
     
     To delete a secret, in the list of secrets on the OIDC app page, click ![ellipsis](../../../_assets/console-icons/ellipsis.svg) in the secret row and select ![trash-bin](../../../_assets/console-icons/trash-bin.svg) **Delete**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. Get the new OIDC app info:

     ```bash
     yc organization-manager idp application oauth application get <app_ID>
     ```

     Where `<app_ID>` is your OIDC app ID you got when creating the app.

     This will return the application information, including the following:

     ```text
     id: ek0o663g4rs2********
     name: mws-oidc-app
     organization_id: bpf2c65rqcl8********
     client_grant:
       client_id: ajeqqip130i1********
       authorized_scopes:
         - openid
         - email
         - profile
     ```

     Save the `client_id` value: you will need to configure your MWS.

  1. Use the OAuth client secret that you saved when creating the app in the previous step. If you have not saved the secret, create a new one:

     ```bash
     yc iam oauth-client-secret create \
       --oauth-client-id <OAuth_client_ID>
     ```

     Save the `secret_value` from the command output: this is the client secret that you will need to configure your MWS.

{% endlist %}

### Set up the application in MWS {#setup-sp}

To set up OIDC authentication in MWS, create and configure an [identity federation](https://mws.ru/docs/cloud-platform/org-rm/general/federation-overview.html), and then set up an OIDC client on the MWS side.

#### Set up your federation {#setup-federation}

1. Log in to [your organization's console](https://org.mws.ru).
1. In the left-hand panel, select **Federations**.
1. Click **Create**.
1. Set up your federation:
    1. Give your federation a name. Save the organization ID, e.g., `organization-test`; you will need it to configure the integration.
    1. Optionally, select the roles that will be assigned to users authorized through the federation.

        {% note info %}

        For more details on configuring roles for federated users, see the [MWS guide](https://mws.ru/docs/cloud-platform/org-rm/general/federation-roles.html).

        {% endnote %}

    1. Specify the session lifetime after which the user will need to re-authenticate.
    1. Optionally, provide a description for the federation.
1. Click **Create**.

#### Configure the OIDC client {#setup-provider}

1. After creating the federation, click **Add IdP**.
1. Optionally, enter a description for the provider.
1. Click **Next**.
1. In the **Issuer** field, enter `https://auth.yandex.cloud`, then click **Upload**. The configuration will be populated automatically.
1. In the **Client ID** field, enter the value previously copied from the **ClientID** field.
1. In the **Client Secret** field, enter the previously generated application secret.
1. Under **Data retrieval method**, select **Token Endpoint and UserInfo Endpoint**, then click **Next**.
1. Next to the `mws.subject` attribute, in the **IdP** field, enter `preferred_username` and click **Next**.
1. Check the configuration and click **Create**.
1. After completing the setup, select the added IdP again in the **Federations** section, then save the provider ID, e.g., `-testprov`; you will need it to configure the integration.

### Configure the redirect URI {#setup-redirect}

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

  1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
  1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps** and select the OIDC app.
  1. At the top right, click ![pencil](../../../_assets/console-icons/pencil.svg) **Edit** and in the window that opens:
      1. In the **Redirect URI** field, specify the authentication endpoint for your MWS federation in this format:

          ```text
          https://auth.mws.ru/api/iam/v1/organizations/<organization_ID>/userFederations/<created_federation_id>/providers/<provider_id>/login-callback
          ```

          Here is an example: 

          ```text
          https://auth.mws.ru/api/iam/v1/organizations/organization-test/userFederations/federation-test/providers/-testprov/login-callback
          ```

      1. Click **Save**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  Update your OAuth client by providing the redirect URI:

  ```bash
  yc iam oauth-client update \
    --id <OAuth_client_ID> \
    --redirect-uris "https://auth.mws.ru/api/iam/v1/organizations/<organization_ID>/userFederations/<created_federation_id>/providers/<provider_id>/login-callback"
  ```

  Where:
  
  * `<OAuth_client_ID>`: OAuth client ID you got when you created it.
  * `--redirect-uris`: The authentication endpoint for your MWS federation. Here is an example: 

     ```text
     https://auth.mws.ru/api/iam/v1/organizations/organization-test/userFederations/federation-test/providers/-testprov/login-callback
     ```

  Result:

  ```text
  id: ajeiu3otac08********
  name: mws-oidc-app
  redirect_uris:
    - https://auth.mws.ru/api/iam/v1/organizations/organization-test/userFederations/federation-test/providers/-testprov/login-callback
  scopes:
    - openid
    - email
    - profile
  folder_id: b1gkd6dks6i1********
  status: ACTIVE
  ```

{% endlist %}

### Add a user {#add-user}

For your organization's users to be able to authenticate in MWS with Yandex Identity Hub's OIDC app, you need to explicitly add these users and/or [user groups](../../concepts/groups.md) to the OIDC application.

{% note info %}

Users and groups added to an OIDC application can be managed by a user with the `organization-manager.oidcApplications.userAdmin` [role](../../security/index.md#organization-manager-oidcApplications-userAdmin) or higher.

{% endnote %}

Add a user to the application:

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

    1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
    1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps** and select the required app.
    1. Navigate to the **Users and groups** tab.
    1. Click ![person-plus](../../../_assets/console-icons/person-plus.svg) **Add users**.
    1. In the window that opens, select the required user or user group.
    1. Click **Add**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. Get the [user ID](../../operations/users-get.md) or [user group ID](../../operations/group-get-id.md).

  1. To add a user or user group to the app:
   
     1. See the description of the CLI command for adding users to an app:
   
        ```bash
        yc organization-manager idp application oauth application add-assignments --help
        ```
   
     1. Run this command:
   
        ```bash
        yc organization-manager idp application oauth application add-assignments \
          --id <app_ID> \
          --subject-id <user_or_group_ID>
        ```
   
        Where:
   
        * `--id`: OIDC app ID.
        * `--subject-id`: User or user group ID.
   
        Result:
   
        ```text
        assignment_deltas:
          - action: ADD
            assignment:
              subject_id: ajetvnq2mil8********
        ```

{% endlist %}

{% note tip %}

If you want to fine-tune user authentication in your applications, including authentication only from specific IP addresses, use [authentication policies](*authentication_policies).

{% endnote %}

[*authentication_policies]: Authentication policies are a Yandex Identity Hub tool that allows you to flexibly configure access to applications by denying or allowing authentication for specific users in specific applications and/or from specific IP addresses. For more information, see [Authentication policies in Yandex Identity Hub](../../concepts/authentication-policy.md).

## Make sure your application works correctly {#validate}

To make sure both your OIDC app and MWS integration work correctly, authenticate to MWS as one of the users you added to the app.

Proceed as follows:

1. In your browser, navigate to [your organization's console](https://org.mws.ru).
1. In the left-hand panel, select **Federations**.
1. Select the IdP you added earlier.
1. On the provider's page, copy the **Sign In URL** from the **Main** section. This is the link for logging into the MWS console as a federated user.
1. Log out of your MWS profile.
1. Paste the link you copied into your browser address bar and follow it.
1. On the Yandex Cloud authentication page, enter the user email and password. The user or group they belong to must be added to the application.
1. Read and accept the terms of use, then click **Next**.
1. Make sure you have successfully authenticated to MWS.