
# Creating a SAML app in Yandex Identity Hub for integration with the management console of Yandex Browser for organizations

[Yandex Browser for organizations](https://browser.yandex.ru/corp/) is an enterprise-grade browser based on the latest standard browser version and enhanced with dedicated business features and strict security controls. Centralized browser administration is available via the [management console](https://browser.yandex.ru/corp/builds). The management console supports SAML authentication to provide secure SSO for your organization's users.

For the users of your [organization](../../concepts/organization.md) to be able to authenticate to the management console of Yandex Browser for organizations via [SAML](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) SSO, create a [SAML app](../../concepts/applications.md#saml) in Yandex Identity Hub and configure it both in Yandex Identity Hub and Yandex Browser for organizations.

SAML apps can be managed by users with the `organization-manager.samlApplications.admin` [role](../../security/index.md#organization-manager-samlApplications-admin) or higher.

To give the users of your organization access to the management console of Yandex Browser for organizations:

1. [Create an app](#create-app).
1. [Set up the integration](#setup-integration).
1. [Make sure the application works correctly](#validate).

## Create an app {#create-app}

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

    1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
    1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps**.
    1. In the top-right corner, click ![Circles3Plus](../../../_assets/console-icons/circles-3-plus.svg) **Create application** and in the window that opens:
        1. Select the **SAML (Security Assertion Markup Language)** single sign-on method.
        1. In the **Name** field, specify a name for your new app: `browser-cloud`.
        1. Optionally, in the **Description** field, enter a description for the new app.
        1. Optionally, add [labels](../../../resource-manager/concepts/labels.md):
            1. Click **Add label**.
            1. Add a label in `key: value` format.
            1. Press **Enter**.
        1. Click **Create application**.

{% endlist %}

## Set up the integration {#setup-integration}

To configure the integration between Yandex Browser for organizations and the SAML app you created in Yandex Identity Hub, complete the setup both in Yandex Identity Hub and Yandex Browser for organizations.

### Set up the SAML application in Yandex Identity Hub {#setup-idp}

#### Set up service provider endpoints {#sp-endpoints}

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

  1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
  1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps**, and then select the SAML app.
  1. At the top right, click ![pencil](../../../_assets/console-icons/pencil.svg) **Edit** and in the window that opens:
      1. In the **SP EntityID** field, specify `browser.yandex.ru`.
      1. In the **ACS URL** field, enter an address formatted as `https://<console_domain>/corp/api/sso/saml/callback`, e.g., `https://browser.yandex.ru/corp/api/sso/saml/callback`.
      1. In the **Signature mode** field, select `Response`.
      1. Click **Save**.

{% endlist %}

#### Configure user attributes {#user-attributes}

{% note warning %}

For integration with the management console of Yandex Browser for organizations, you need to configure the `firstName` and `lastName` attributes.

{% endnote %}

Set user attributes for integration with Yandex Browser for organizations:

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

    1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
    1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps** and select the desired app.
    1. Navigate to the **Attributes** tab.
    1. Edit user attributes:

        1. Replace the `givenname` attribute with `firstName`.
        1. Replace the `surname` attribute with `lastName`.
        1. The `fullname` and `emailaddress` attributes are not required, so you can remove them.

{% endlist %}

For more information about configuring attributes, see [Configure user and group attributes](../../operations/applications/saml-create.md#setup-attributes).

#### Collect data for setting up Yandex Browser for organizations {#collect-idp-data}

To set up SSO in Yandex Browser for organizations, you need the following data from your SAML app:

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

    1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
    1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps**, and then select the SAML app.
    1. In the **Overview** tab, under **Identity provider (IdP) configuration**, in the **Login URL** field, copy the entry point URL (Login URL).
    1. Under **Service provider (SP) configuration**, in the **SP EntityID** field, copy the unique service provider ID.
    1. Under **Application certificate**, click **Download certificate** and save the token signing certificate in X.509 format to your device.

{% endlist %}

You will need this data to set up SSO in Yandex Browser for organizations.

### Set up SAML authentication in Yandex Browser for organizations {#setup-sp}

{% note info %}

To set up SAML authentication in Yandex Browser for organizations, the user must have organization administrator permissions.

{% endnote %}

To set up SAML authentication in Yandex Browser for organizations:

1. Log in to the Yandex Browser for organizations [management console](https://browser.yandex.ru/corp/builds).
1. Go to **SSO** settings.
1. Specify the following:
    * **Domain**: [Domain](../../concepts/domains.md) in Yandex Identity Hub.
    * **SP Entity ID**: Unique service provider ID obtained in the previous step.
    * **Single sign-on service URL**: Login URL obtained in the previous step.
    * **Signing certificate**: Provide the previously saved **token signing certificate** in X.509 format.
1. Save the settings.
1. Click **Download certificate**.
1. Optionally, configure signature verification:
   1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
   1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps**, and then select the SAML app.
   1. Click ![pencil](../../../_assets/console-icons/pencil.svg) **Edit**.
   1. Enable **Only accept signed requests** and click **Add certificate**.
   1. In the window that opens, attach the certificate file you downloaded in the Yandex Browser management console.
   1. Click **Add**.
1. In the Yandex Browser for organizations management console, enable **SSO/SAML authentication**.
1. Wait until the domain is confirmed. To check the status, go to **SSO** settings.

### Add users {#add-users}

For your organization's users to be able to authenticate in the Yandex Browser for organizations management console with Yandex Identity Hub's SAML app, you need to explicitly add these users and/or [user groups](../../concepts/groups.md) to your SAML application. You also need to add the relevant users as administrators in the Yandex Browser for organizations management console.

{% note info %}

Users and groups added to a SAML application can be managed by a user with the `organization-manager.samlApplications.userAdmin` [role](../../security/index.md#organization-manager-samlApplications-userAdmin) or higher.

{% endnote %}

Add users to the application:

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

    1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
    1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps** and select the required app.
    1. Navigate to the **Users and groups** tab.
    1. Click ![person-plus](../../../_assets/console-icons/person-plus.svg) **Add users**.
    1. In the window that opens, select the required user or user group.
    1. Click **Add**.

{% endlist %}

Add administrators:

1. Log in to the Yandex Browser for organizations [management console](https://browser.yandex.ru/corp/builds).
1. Go to the **Administrators** settings section.
1. Click **Add**.
1. Specify the email address of a user added to the app.
1. Repeat the previous steps for all users who need access to the console.

## Make sure your application works correctly {#validate}

To make sure both your SAML app and its integration with the Yandex Browser for organizations management console work correctly, authenticate as one of the administrators you added to the app. Follow these steps:

1. In your browser, go to the Yandex Browser for organizations management console login page.
1. If you were previously logged in, log out.
1. On the authentication page, click **Log in via SSO**.
1. On the Yandex Cloud authentication page, enter the user's email address and password. The user, or a group they belong to, must be added to the application. The user must also be a management console administrator.
1. Make sure you have successfully authenticated in the Yandex Browser management console.
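
If the login fails, it helps to compare a captured `SAMLResponse` form value with the settings from this tutorial. The script below is an added example, not part of the Yandex documentation or tooling. It assumes the default console domain `browser.yandex.ru`, that the attribute `Name` carries exactly the name set on the **Attributes** tab, and it uses a constructed sample response with a stub signature element.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Values configured in this tutorial (default console domain assumed).
SP_ENTITY_ID = "browser.yandex.ru"
ACS_URL = "https://browser.yandex.ru/corp/api/sso/saml/callback"
REQUIRED_ATTRS = {"firstName", "lastName"}


def check_saml_response(b64_response: str) -> list[str]:
    """Structural check only; the XML signature is NOT verified cryptographically."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination is {root.get('Destination')!r}, expected ACS URL")
    # Signature mode `Response`: ds:Signature is a direct child of samlp:Response.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response element is not signed")
    audiences = {(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)}
    if SP_ENTITY_ID not in audiences:
        problems.append(f"Audience {sorted(audiences)} lacks SP EntityID")
    names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    for missing in sorted(REQUIRED_ATTRS - names):
        problems.append(f"missing attribute {missing}")
    return problems


def sample_response(attrs, signed=True):
    """Build a constructed, minimal SAMLResponse for testing the checker."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    attr_xml = "".join(f'<saml:Attribute Name="{n}"/>' for n in attrs)
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'Destination="{ACS_URL}">{sig}<saml:Assertion><saml:Conditions>'
        f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(check_saml_response(sample_response(["givenname", "surname"])))
```

An empty list means the response matches the tutorial's settings. Treat captured responses as sensitive, since they contain user identity data.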