
# Creating a SAML app in Yandex Identity Hub for integration with OpenVPN Access Server

For the users of your [organization](../../concepts/organization.md) to be able to authenticate to OpenVPN Access Server via [SAML](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) SSO, create a [SAML app](../../concepts/applications.md#saml) in Yandex Identity Hub and configure it both in Yandex Identity Hub and OpenVPN Access Server.

[OpenVPN Access Server](https://yandex.cloud/en/marketplace/products/yc/openvpn-access-server) is built on and compatible with the OpenVPN [open-source version](https://github.com/OpenVPN). It provides clients for Windows, Mac, Android, and iOS. You can also use its web UI to manage connections.

SAML apps can be managed by users with the `organization-manager.samlApplications.admin` [role](../../security/index.md#organization-manager-samlApplications-admin) or higher.

To give access to OpenVPN Access Server to the users of your organization:

1. [Get OpenVPN Access Server ready](#prepare-ovpn).
1. [Create an app in Yandex Identity Hub](#create-app).
1. [Set up the integration](#setup-integration).
1. [Make sure the application works correctly](#validate).

## Get OpenVPN Access Server ready {#prepare-ovpn}

You can use an OpenVPN Access Server installation of your own, a SaaS version, or create a VM with OpenVPN Access Server in Yandex Cloud.

{% cut "Creating a VM with OpenVPN Access Server in Yandex Cloud" %}

{% list tabs group=instructions %}

- Management console {#console}

   1. In the [management console](https://console.yandex.cloud), select the [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) where you want to create your VM.
   1. Navigate to **Compute Cloud**.
   1. In the left-hand panel, select ![image](../../../_assets/console-icons/server.svg) **Virtual machines**.
   1. Click **Create virtual machine**.
   1. Under **Boot disk image**, specify `OpenVPN Access Server` in the **Product search** field and select the [OpenVPN Access Server](https://yandex.cloud/en/marketplace/products/yc/openvpn-access-server) image.
   1. Under **Location**, select the [availability zone](../../../overview/concepts/geo-scope.md).
   1. Under **Access**, select **SSH key** and specify the VM access credentials:

      * In the **Login** field, enter the username: `yc-user`.
      * In the **SSH key** field, select the SSH key saved in your [organization user](../../concepts/membership.md) profile.
        
        If there are no SSH keys in your profile or you want to add a new key:
        
        1. Click **Add key**.
        1. Enter a name for the SSH key.
        1. Select one of the following:
        
            * `Enter manually`: Paste the contents of the public SSH key. You need to [create](../../../compute/operations/vm-connect/ssh.md#creating-ssh-keys) an SSH key pair on your own.
            * `Load from file`: Upload the public part of the SSH key. You need to create an SSH key pair on your own.
            * `Generate key`: Automatically create an SSH key pair.
            
              When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the `/home/<user_name>/.ssh` directory. In Windows, unpack the archive to the `C:\Users\<user_name>\.ssh` directory. You do not need to additionally enter the public key in the management console.
        
        1. Click **Add**.
        
        The system will add the SSH key to your organization user profile. If the organization has [disabled](../../operations/os-login-access.md) the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.

   1. Under **General information**, specify the VM name: `vpn-server`.
   1. Click **Create VM**.
   1. This will open a window with the licensing model: BYOL (Bring Your Own License).
   1. Click **Create**.

{% endlist %}

### Get the administrator password {#get-admin-password}

The `openvpn` user with administrator privileges is created on the OpenVPN Access Server in advance. Its password is generated automatically when you create the [VM](../../../compute/concepts/vm.md).

Get the password from the [serial port output](../../../compute/operations/vm-info/get-serial-port-output.md) or the serial console. The password appears in the following line:

```text
To log in, please use the `openvpn` account with the <password> password.
```

Where `<password>` is the `openvpn` user password.

Log in to the admin panel using the `openvpn` username and the obtained password.

If you do not see the password after [launching the VPN server](#create-vpn-server) for the first time, re-create the VM running [OpenVPN Access Server](https://yandex.cloud/en/marketplace/products/yc/openvpn-access-server). The password is not displayed again after a reboot.

{% endcut %}

## Create an app in Yandex Identity Hub {#create-app}

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

   1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
   1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps**.
   1. In the top-right corner, click ![Circles3Plus](../../../_assets/console-icons/circles-3-plus.svg) **Create application** and in the window that opens:
      1. Select the **SAML (Security Assertion Markup Language)** single sign-on method.
      1. In the **Name** field, specify a name for your new app: `ovpn-app`.

      1. Optionally, in the **Description** field, enter a description for the new app.
      1. Optionally, add [labels](../../../resource-manager/concepts/labels.md):

         1. Click **Add label**.
         1. Add a label in `key: value` format.
         1. Press **Enter**.
      1. Click **Create application**.
   1. Save the **Metadata URL** value; you will need it at the next step.

{% endlist %}

## Set up the integration {#setup-integration}

### Configure authentication on the OpenVPN Access Server side {#setup-sp}

{% note info %}

By default, the server has a self-signed certificate. If you need to replace this certificate, follow the steps [here](https://openvpn.net/vpn-server-resources/installing-a-valid-ssl-web-certificate-in-access-server/).

{% endnote %}

Add SAML authentication on the OpenVPN server:

1. In your browser, open the OpenVPN Access Server admin interface. Its default address is `https://<server_address>:943/admin`.
1. Enter the OpenVPN Access Server admin username and password.
1. Click **Agree**. This will open the OpenVPN Admin Web UI home page.
1. Expand the **Authentication** tab and open **SAML**.
1. Set the **Enable SAML authentication** checkbox to **Yes**.
1. Expand the **Configure Identity Provider (IdP) Automatically via Metadata** section.
1. In the **IdP Metadata URL** field, enter the metadata file address you copied earlier.
1. Click **Get**.
1. Click **Save settings**.
1. Copy the `SP Identity` and `SP ACS` values on this page.
   ```text
   These URLs depend on the hostname setting. Your current setting is '<server_address>'.
      SP Identity: https://<server_address>/saml/metadata
      SP ACS: https://<server_address>/saml/acs
   ```
1. Expand the **Authentication** tab and open **Settings**.
1. Under **Default Authentication System**, select **SAML**.
1. Click **Save settings**.
1. Click **Update running server**.

### Set up the SAML application in Yandex Identity Hub {#setup-idp}

#### Set up service provider endpoints {#sp-endpoints}

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

  1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
  1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps** and then, the SAML app.
  1. At the top right, click ![pencil](../../../_assets/console-icons/pencil.svg) **Edit** and in the window that opens:
      1. In the **SP EntityID** field, paste the `SP Identity` address you copied earlier.
      1. In the **ACS URL** field, paste the `SP ACS` address you copied earlier.
      1. Click **Save**.

{% endlist %}
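A common cause of a failed SAML login is a mismatch between the `SP Identity` and `SP ACS` values that OpenVPN Access Server publishes and the `SP EntityID` and `ACS URL` values entered in Yandex Identity Hub (for example, pasting the admin URL with port `943`). The following script, an added example that is not part of this documentation or of either product, parses the SP metadata document that OpenVPN Access Server serves at `https://<server_address>/saml/metadata` and compares it with the values you configured; the embedded metadata and the `vpn.example.test` hostname are constructed samples.

```python
"""Check that the SP endpoints configured in the IdP match what the SP publishes."""
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace (standard, not product-specific).
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample of the SP metadata OpenVPN Access Server publishes at
# https://<server_address>/saml/metadata; the hostname is a placeholder.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://vpn.example.test/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vpn.example.test/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the SP Identity (entityID) and the list of SP ACS locations."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    acs = [
        e.get("Location")
        for e in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    ]
    return {"entity_id": root.get("entityID"), "acs": acs}


def check_sp_config(configured_entity_id: str, configured_acs: str, sp_xml: str) -> list:
    """Compare the values entered in Identity Hub with what the SP actually publishes.

    Returns a list of human-readable problems; an empty list means the
    configuration is consistent.
    """
    sp = parse_sp_metadata(sp_xml)
    problems = []
    if configured_entity_id != sp["entity_id"]:
        problems.append(f"SP EntityID mismatch: {configured_entity_id!r} != {sp['entity_id']!r}")
    if configured_acs not in sp["acs"]:
        problems.append(f"ACS URL {configured_acs!r} not among published ACS {sp['acs']}")
    # Assertions carry the user's identity; never let them travel over plain HTTP.
    for url in [sp["entity_id"], *sp["acs"]]:
        if not url.startswith("https://"):
            problems.append(f"endpoint is not HTTPS: {url!r}")
    return problems
```

In a real check, replace `SP_METADATA` with the document fetched from your server's `/saml/metadata` path and pass the exact strings you pasted into the **SP EntityID** and **ACS URL** fields.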

### Add a user {#add-user}

For the users of your organization to be able to authenticate in OpenVPN Access Server with Yandex Identity Hub's SAML app, you need to explicitly add these users and/or [user groups](../../concepts/groups.md) to the SAML application.

{% note info %}

Users and groups added to a SAML application can be managed by a user with the `organization-manager.samlApplications.userAdmin` [role](../../security/index.md#organization-manager-samlApplications-userAdmin) or higher.

{% endnote %}

1. Add users to the application:

   {% list tabs group=instructions %}

   - Cloud Center UI {#cloud-center}

      1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
      1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps** and select the required app.
      1. Navigate to the **Users and groups** tab.
      1. Click ![person-plus](../../../_assets/console-icons/person-plus.svg) **Add users**.
      1. In the window that opens, select the required user or user group.
      1. Click **Add**.

   {% endlist %}

## Make sure your application works correctly {#validate}

To make sure your SAML app and OpenVPN Access Server integration work correctly, authenticate to OpenVPN Access Server as one of the users you added to the app. Follow these steps:

1. In your browser, go to the OpenVPN Access Server client interface. Its default address is `https://<server_address>:943/`.
1. On the authentication page, click **Sign In With SAML**.
1. On the Yandex Cloud authentication page, enter the user email address and password. The user or group they belong to must be added to the application.
1. Make sure you have successfully authenticated to OpenVPN Access Server.