Configure Azure Active Directory (English interface)

To set up single sign-on (SSO) to Yandex 360 services using Azure Active Directory, you need to first create and configure a SAML application.

Step 1. Create and configure a SAML application

  1. Log in to the Azure Active Directory Admin Center.

  2. In the Azure Active Directory section in the left panel, go to the Enterprise applications tab.

  3. Create a SAML application:

    1. Click New application.

    2. On the Browse Azure AD Gallery tab, click Create your own application.

    3. On the right side of the window that opens, enter the name of the application, for example, yandexsso.

    4. Select Integrate any other application you don't find in the gallery (Non-gallery).

    5. Click Create.

    The application will appear in the All applications list on the Enterprise applications tab.

  4. Select your application from the list.

    If you don't want to specify users who can use single sign-on (SSO), set the Assign Required parameter to No on the Properties tab. To save the settings, click Save at the top of the tab.

    To specify individual users who can use single sign-on (SSO), set the Assign Required parameter to Yes on the Properties tab. Then go to the Users and groups tab, click Add user or group, and add users.

  5. Go to the Single sign-on tab and select SAML.

  6. In the Set up Single Sign-On with SAML window, click Edit in the Basic SAML Configuration section and set the following parameters:

    1. Identifier (Entity ID): https://yandex.ru/ (with a slash at the end).

    2. Reply URL (Assertion Consumer Service URL): https://passport.yandex.ru/auth/sso/commit.

    3. Sign on URL (optional): https://passport.yandex.ru/auth/sso/commit.

    4. If your employees use the services not only in Russian, add the URLs with language-specific domains in the Reply URL (Assertion Consumer Service URL) and Sign on URL fields. For example:

      https://passport.yandex.com/auth/sso/commit (for English)

      https://passport.yandex.kz/auth/sso/commit (for Kazakh)

      https://passport.yandex.uz/auth/sso/commit (for Uzbek)

      https://passport.yandex.com.tr/auth/sso/commit (for Turkish)

      Full list:

      https://passport.yandex.com/auth/sso/commit

      https://passport.yandex.az/auth/sso/commit

      https://passport.yandex.by/auth/sso/commit

      https://passport.yandex.co.il/auth/sso/commit

      https://passport.yandex.com.am/auth/sso/commit

      https://passport.yandex.com.ge/auth/sso/commit

      https://passport.yandex.com.tr/auth/sso/commit

      https://passport.yandex.ee/auth/sso/commit

      https://passport.yandex.eu/auth/sso/commit

      https://passport.yandex.fi/auth/sso/commit

      https://passport.yandex.fr/auth/sso/commit

      https://passport.yandex.kg/auth/sso/commit

      https://passport.yandex.kz/auth/sso/commit

      https://passport.yandex.lt/auth/sso/commit

      https://passport.yandex.lv/auth/sso/commit

      https://passport.yandex.md/auth/sso/commit

      https://passport.yandex.pl/auth/sso/commit

      https://passport.yandex.ru/auth/sso/commit

      https://passport.yandex.tj/auth/sso/commit

      https://passport.yandex.tm/auth/sso/commit

      https://passport.yandex.ua/auth/sso/commit

      https://passport.yandex.uz/auth/sso/commit

    5. Click Save.

Step 2. Configure user attribute mapping

  1. Go to Enterprise applications → All applications → your application → SAML-based Sign-on to synchronize user attributes in Azure Active Directory and Yandex 360.

  2. Under Attributes & Claims, select Unique User Identifier (Name ID).

  3. In order for the user's first and last name to be displayed correctly in Yandex 360, enter user.mail in the Source attribute field of the Required claim settings group and click Save.

  4. In the Additional claims settings group, change or delete and recreate the following parameters:

    Claim name           Value
    User.EmailAddress    user.mail
    User.Firstname       user.givenname
    User.Surname         user.surname

    Example of these attributes in a SAML response:

    <Attribute Name="User.EmailAddress">
       <AttributeValue>email@test.com</AttributeValue>
    </Attribute>
    <Attribute Name="User.Surname">
       <AttributeValue>Surname</AttributeValue>
    </Attribute>
    <Attribute Name="User.Firstname">
       <AttributeValue>Firstname</AttributeValue>
    </Attribute>
    

Step 3. Save the certificate

  1. Go to Enterprise applications → All applications → your application → SAML-based Sign-on.

  2. In the SAML Signing Certificate section, click Download next to the Certificate (Base64) parameter. Save the file to your hard drive.
    You can open the saved .cer file in any text editor.

Step 4. Collect the data to be sent to Yandex 360

To continue the setup process in Yandex 360, you will need the certificate you downloaded at Step 3 and the values of the following configuration parameters:

  • Login URL

  • Azure AD Identifier

To save the parameter values:

  1. Go to Enterprise applications → All applications → your application → SAML-based Sign-on and go to the Set up section for your application.

  2. Copy and save the values of the Login URL and Azure AD Identifier fields.

After that, proceed to setting up Yandex 360 for Business.

Troubleshooting

If incorrect values were specified during the identity provider setup and you try to log in with SSO, you'll see a message that reads "Login failed" along with the error code:

email.no_in_response

Specify the attribute names in the format User.Firstname, User.Surname, User.EmailAddress. If you use a different format, such as Firstname, you will not be able to log in.

request_your_admin

The error occurs if the user directory administrator of your organization has restricted access to Yandex 360 for the account. For details, contact your organization's technical support team.

samlresponse.invalid

This error occurs if you entered an invalid login page URL, identity provider publisher, or verification certificate. Check the SSO settings in Yandex 360 for Business.

unsupportable_domain

Make sure that the domain in the User.EmailAddress mail attribute in the SAML response is the same as your primary domain or one of the alias domains of your Yandex 360 organization. If they don't match, you will get an error message.
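
To check the claim mapping before users hit these errors, the following added example (not part of the original Yandex or Microsoft documentation) decodes the base64 SAMLResponse form field posted to the Reply URL and reports which of the error codes above the claims would be expected to produce. The function names, the sample messages and the mapping of claim problems to error codes are assumptions based on the Troubleshooting text; the script reads claims only and does not verify the response signature.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("User.EmailAddress", "User.Firstname", "User.Surname")

def read_attributes(saml_response_b64):
    """Decode a base64 SAMLResponse form value and return {claim name: value}."""
    xml_text = base64.b64decode(saml_response_b64).decode("utf-8")
    # The standard-library parser does not block entity expansion, and a SAML
    # message never needs a DTD, so refuse one before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD found in SAML response")
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs

def predict_errors(attrs, org_domains):
    """Map claim problems to the error codes from the Troubleshooting section (assumed mapping)."""
    errors = []
    # Claim names are compared exactly: "Firstname" is not "User.Firstname".
    if any(not attrs.get(name) for name in REQUIRED):
        errors.append("email.no_in_response")
    email = attrs.get("User.EmailAddress", "")
    domain = email.rpartition("@")[2].lower()
    if email and domain not in {d.lower() for d in org_domains}:
        errors.append("unsupportable_domain")
    return errors

def build_sample(claims):
    """Constructed, unsigned sample response for the demo; not a captured message."""
    items = "".join(
        f'<saml:Attribute Name="{name}">'
        f'<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'
        for name, value in claims.items())
    xml_text = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
                f'<saml:AttributeStatement>{items}</saml:AttributeStatement>'
                '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    good = build_sample({"User.EmailAddress": "email@test.com",
                         "User.Firstname": "Firstname", "User.Surname": "Surname"})
    bad = build_sample({"User.EmailAddress": "email@other.example", "Firstname": "Firstname"})
    print("good:", predict_errors(read_attributes(good), ["test.com"]))
    print("bad: ", predict_errors(read_attributes(bad), ["test.com"]))
```

Pass the primary domain and all alias domains of the Yandex 360 organization as org_domains.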