
# Creating a SAML app in Yandex Identity Hub for integration with Passwork

Passwork is a corporate platform designed for secure and reliable storage of secrets (passwords, keys, tokens, etc.), secret management, and automation of employee access to secrets within an organization. Passwork supports SAML authentication for secure SSO for the users of your organization.

For the users of your [organization](../../concepts/organization.md) to authenticate to Passwork via [SAML](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) SSO, create a [SAML app](../../concepts/applications.md#saml) in Yandex Identity Hub and configure it on both the Yandex Identity Hub and Passwork sides.

SAML apps can be managed by users with the `organization-manager.samlApplications.admin` [role](../../security/index.md#organization-manager-samlApplications-admin) or higher.

To grant access to Passwork to the users of your organization:

1. [Create a SAML application in Yandex Identity Hub](#create-app).
1. [Set up Yandex Identity Hub integration with Passwork](#setup-integration).
1. [Make sure the application works correctly](#validate).

## Create an app {#create-app}

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

    1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
    1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps**.
    1. In the top-right corner, click ![Circles3Plus](../../../_assets/console-icons/circles-3-plus.svg) **Create application** and in the window that opens:
        1. Select the **SAML (Security Assertion Markup Language)** single sign-on method.
        1. In the **Name** field, specify a name for your new app: `passwork-app`.
        1. Optionally, in the **Description** field, enter a description for the new app.
        1. Optionally, add [labels](../../../resource-manager/concepts/labels.md):

            1. Click **Add label**.
            1. Add a label in `key: value` format.
            1. Press **Enter**.
        1. Click **Create application**.

{% endlist %}

### Save the identity provider settings {#save-idp-settings}

On the info page of your newly created SAML application `passwork-app`, copy and save the settings required to establish a relying party trust between the IdP and the service provider on the Passwork side.

1. Under **Identity provider (IdP) configuration**, copy and save the values of the following fields:

    * **Issuer / IdP EntityID**
    * **Login URL**
    * **Logout URL**
1. Under **Application certificate**, click **Download certificate** to download your SAML app certificate.

You will need the saved values later when configuring the integration on the Passwork side.

## Set up the integration {#setup-integration}

To configure Passwork integration with the SAML app you created in Yandex Identity Hub, complete the setup on both the Passwork and Yandex Identity Hub sides.

### Set up the SAML app in Passwork {#setup-sp}

{% note info %}

The SAML application can be set up in Passwork either by a user with the administrator role or by the account owner.

{% endnote %}

1. Sign in to the Passwork account as owner or administrator.
1. At the top of the screen, click **Settings and users**, and select **SSO settings** from the list that opens. In the window that opens:

    * Under **General settings**, enable these options:

        * **Enable SSO**.
        * **Automatically confirm new users from SSO**.
    * Under **User Attributes**, specify the user [attribute](../../concepts/applications.md#saml-attributes) names:

        * In the **Email attribute** field: `emailaddress`.
        * In the **Full name attribute** field: `fullname`.
    * Under **Identity Provider → Passwork**, specify the values you copied and saved earlier from the `passwork-app` app:

        * In the **Entity ID** field, put the value from the **Issuer / IdP EntityID** field of the `passwork-app` app.
        * In the **Response URL (assertion consumer service URL)** field, put the value from the **Login URL** field.
        * In the **Logout URL** field, put the value from the **Logout URL** field.
        * In the **Certificate** field, paste the contents of the certificate downloaded from the `passwork-app` app.
1. Under **Passwork → Identity Provider**, copy and save the settings required to establish a relying party trust between the IdP and the service provider on the Yandex Identity Hub side:

    * **Entity ID**
    * **Response URL (assertion consumer service URL)**
    * **Logout URL**
1. Click **Save settings** to save the SSO parameters.

### Set up the SAML application in Yandex Identity Hub {#setup-idp}

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

    1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
    1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps** and select the new SAML app `passwork-app`.
    1. At the top right, click ![pencil](../../../_assets/console-icons/pencil.svg) **Edit** and in the window that opens:
        1. In the **SP EntityID** field, specify the value copied earlier from the **Entity ID** field on the Passwork side.
        1. In the **ACS URL** field, specify the value copied from the **Response URL (assertion consumer service URL)** field.
        1. In the **SP Logout URL** field, specify the value copied from the **Logout URL** field.
        1. Click **Save**.

{% endlist %}
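As an added example (not code from the Yandex Cloud or Passwork documentation), the following Python shows what the values exchanged in the two setup sections above actually bind: a SAML Response must name the IdP EntityID as its Issuer, be addressed to the ACS URL, restrict its audience to the SP EntityID, and carry the `emailaddress` and `fullname` attributes Passwork reads. The entity IDs, URLs and the response itself are constructed placeholders, and XML signature verification against the downloaded app certificate, which the real service provider performs, is out of scope here.

```python
# Added example (not from the Yandex Cloud or Passwork docs): checks the trust bindings the copied settings establish.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical placeholders for the values copied between the two consoles.
IDP_ENTITY_ID = "https://idp.example.test/saml/passwork-app"  # Issuer / IdP EntityID
SP_ENTITY_ID = "https://my-domain.example.test/saml/metadata"  # Passwork Entity ID
ACS_URL = "https://my-domain.example.test/saml/acs"  # Response URL (ACS URL)

# Constructed, unsigned sample; a real response is signed with the app certificate.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{ACS_URL}" ID="_r1" Version="2.0">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="emailaddress"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="fullname"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, idp_entity_id, sp_entity_id, acs_url, now=None):
    """Return the user attributes Passwork reads, or raise ValueError on a binding mismatch."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:  # response must target the configured ACS URL
        raise ValueError("Destination does not match the ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise ValueError("Issuer does not match the IdP EntityID")
    assertion = root.find("saml:Assertion", NS)
    conditions = assertion.find("saml:Conditions", NS)
    audience = conditions.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp_entity_id:  # assertion must be meant for this SP EntityID
        raise ValueError("Audience does not match the SP EntityID")
    expiry = datetime.fromisoformat(conditions.get("NotOnOrAfter").replace("Z", "+00:00"))
    if now >= expiry:
        raise ValueError("assertion has expired")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    # The attribute names configured under User Attributes in Passwork
    return {"email": attrs["emailaddress"], "full_name": attrs["fullname"]}
```

A mismatch in any of the three copied values makes the check fail, which is the same reason a mistyped Entity ID or ACS URL in either console breaks the SSO login.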

### Add users to the Yandex Identity Hub SAML application {#add-users}

For the users of your organization to be able to authenticate in Passwork with Yandex Identity Hub's SAML app, you need to explicitly add these users and/or [user groups](../../concepts/groups.md) to the app:

{% note info %}

Users and groups added to a SAML application can be managed by a user with the `organization-manager.samlApplications.userAdmin` [role](../../security/index.md#organization-manager-samlApplications-userAdmin) or higher.

{% endnote %}

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

    1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
    1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps** and select the required app.
    1. Navigate to the **Users and groups** tab.
    1. Click ![person-plus](../../../_assets/console-icons/person-plus.svg) **Add users**.
    1. In the window that opens, select users or user groups.
    1. Click **Add**.

{% endlist %}

## Make sure your application works correctly {#validate}

To make sure your SAML app and the Passwork integration both work correctly, sign in to Passwork as one of the users you added to the app. Follow these steps:

1. In your browser, navigate to your Passwork instance URL, e.g., `https://my-domain.passwork-cloud.ru`.
1. If already logged in to Passwork, sign out of your account.
1. On the Passwork authentication page, click **Log in via SSO**.
1. On the Yandex Cloud authentication page, enter the email address and password of a user who was added to the application, either directly or as a member of an added group.

    If authenticating as a [Yandex account](../../../iam/concepts/users/accounts.md#passport) user, sign in to Yandex ID using your preferred method.
1. Set a master password for the new user being added to Passwork.
1. Make sure you have authenticated in Passwork. As a result, the new user will appear in your Passwork instance settings, and you will be able to configure their permissions to view and manage secrets.