Configure Active Directory (English interface)
To set up single sign-on (SSO) to Yandex 360 services using Active Directory, you need to first configure the server.
Step 1. Create a trust relationship with the relying party

1. Log in to your AD FS server and open Server Manager.
2. Open the management console by clicking Tools → AD FS Management.
3. In the list of actions, select Add Relying Party Trust.
4. Select Claims aware and click Start.
5. To set up the relationship automatically, at the Select Data Source step, select Import data about the relying party published online or on a local network and enter the following URL: https://passport.yandex.ru/auth/sso/metadata. Click Next.

How to set up the relationship manually

1. Under Select Data Source, select Enter data about the relying party manually. Then click Next.
2. Specify any relationship name, for example, "Yandex 360". Click Next.
3. Skip the Configure Certificate step by clicking Next.
4. Select Enable support for the SAML 2.0 WebSSO protocol and specify the Service URL: https://passport.yandex.ru/auth/sso/commit. Click Next.
5. Add the identifier https://yandex.ru/ (with a slash at the end) by pasting it into the field and clicking Add. Then click Next.
6. Skip Choose Access Control Policy.
7. Check the data. Make sure the SHA-256 hash algorithm is selected on the Advanced tab. If everything's okay, click Next → Close.

If you used automatic setup, go straight to Step 3. If you set up the relationship manually, follow Step 2.
Step 2. Add endpoints for language-specific domains

Alert: Skip this step if you used automatic setup in Part 5 of Step 1.

If your employees use Yandex 360 services not only on the Russian domain, add the URLs with language-specific domains as endpoints:

1. In the management console, click Trust Relationships → Relying Party Trusts.
2. Open the settings of the relationship created in Step 1 by double-clicking it.
3. Go to the Endpoints tab.
4. Add endpoints. To add an endpoint for a language-specific domain, click Add SAML, select POST under Binding, and specify the URL:
   - https://passport.yandex.com/auth/sso/commit (for English)
   - https://passport.yandex.kz/auth/sso/commit (for Kazakh)
   - https://passport.yandex.uz/auth/sso/commit (for Uzbek)
   - https://passport.yandex.com.tr/auth/sso/commit (for Turkish)

   Full list:
   - https://passport.yandex.az/auth/sso/commit
   - https://passport.yandex.by/auth/sso/commit
   - https://passport.yandex.co.il/auth/sso/commit
   - https://passport.yandex.com/auth/sso/commit
   - https://passport.yandex.com.am/auth/sso/commit
   - https://passport.yandex.com.ge/auth/sso/commit
   - https://passport.yandex.com.tr/auth/sso/commit
   - https://passport.yandex.ee/auth/sso/commit
   - https://passport.yandex.eu/auth/sso/commit
   - https://passport.yandex.fi/auth/sso/commit
   - https://passport.yandex.fr/auth/sso/commit
   - https://passport.yandex.kg/auth/sso/commit
   - https://passport.yandex.kz/auth/sso/commit
   - https://passport.yandex.lt/auth/sso/commit
   - https://passport.yandex.lv/auth/sso/commit
   - https://passport.yandex.md/auth/sso/commit
   - https://passport.yandex.pl/auth/sso/commit
   - https://passport.yandex.ru/auth/sso/commit
   - https://passport.yandex.tj/auth/sso/commit
   - https://passport.yandex.tm/auth/sso/commit
   - https://passport.yandex.uz/auth/sso/commit
5. Then click OK.
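The same trust created from PowerShell instead of the wizard, covering both the automatic path of Step 1 and the manual path with the Step 2 endpoints, as an added example that is not part of the original article. It assumes the ADFS module on an AD FS 2016 or later server and the built-in "Permit everyone" access control policy (the wizard default when the policy step is skipped); the domain list is the one from Step 2.

```powershell
# Added example, not from the Yandex 360 article. Assumes AD FS 2016+ and the ADFS module.
Import-Module ADFS

$TrustName   = 'Yandex 360'
$MetadataUrl = 'https://passport.yandex.ru/auth/sso/metadata'
$Identifier  = 'https://yandex.ru/'   # trailing slash is required (Step 1, manual item 5)
$Sha256      = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
# Language-specific domains from the Step 2 list, plus the primary .ru domain.
$Domains = 'ru','com','az','by','co.il','com.am','com.ge','com.tr','ee','eu',
           'fi','fr','kg','kz','lt','lv','md','pl','tj','tm','uz'

function New-YandexTrust {
    param([switch]$Manual)
    if (-not $Manual) {
        # Automatic setup: the metadata document supplies identifier, endpoints and
        # certificate, so Step 2 is not needed afterwards.
        Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataUrl $MetadataUrl `
            -SignatureAlgorithm $Sha256 -AccessControlPolicyName 'Permit everyone'
        return
    }
    # Manual setup: one POST assertion-consumer endpoint per domain (Step 2).
    $i = 0
    $endpoints = foreach ($d in $Domains) {
        New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
            -Uri "https://passport.yandex.$d/auth/sso/commit" -Index ($i++)
    }
    Add-AdfsRelyingPartyTrust -Name $TrustName -Identifier $Identifier `
        -SamlEndpoint $endpoints -SignatureAlgorithm $Sha256 `
        -AccessControlPolicyName 'Permit everyone'
}

# Check what the Advanced tab asks for (SHA-256) and that no domain is missing.
function Test-YandexTrust {
    $t = Get-AdfsRelyingPartyTrust -Name $TrustName
    if (-not $t) { throw "Trust '$TrustName' not found" }
    if ($t.SignatureAlgorithm -ne $Sha256) {
        throw "Hash algorithm is $($t.SignatureAlgorithm); expected SHA-256"
    }
    $have    = @($t.SamlEndpoints | Where-Object Protocol -eq 'SAMLAssertionConsumer').Location.AbsoluteUri
    $missing = $Domains | Where-Object { "https://passport.yandex.$_/auth/sso/commit" -notin $have }
    if ($missing) { throw "No POST endpoint for: $($missing -join ', ')" }
    'OK'
}

New-YandexTrust -Manual
Test-YandexTrust
```

Run Test-YandexTrust after a wizard-based setup as well; it reports a trust still on SHA-1 or a forgotten language-specific endpoint before users hit samlresponse.invalid.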
Step 3. Configure Claims Mapping

To set up claims mapping, you need to specify an attribute. It will be used to identify the user in Yandex ID. Once you select an attribute, you won't be able to change it.

- Specify the UPN attribute if usernames for logging in won't change.
- Specify objectSID, objectGUID, or another attribute if there are planned changes to the domain or business processes that may result in changes to user UPNs.

How to specify an attribute:

If you use the UPN attribute:

1. In the Trust Relationships block, right-click on the relationship created in Step 1 and select Edit Claim Issuance Policy.
2. Click Add Rule.
3. Under Claim rule template, select Transform an Incoming Claim and click Next.
4. Come up with a name for the rule, such as "NameID", and enter it in the Claim rule name field. In the Outgoing claim type field, select Name ID. Click Finish.
5. Create another rule by clicking Add Rule again. Select the Send LDAP Attributes as Claims template and click Next.
6. Come up with a name for the rule, such as "LDAPATTR". Fill in the rest of the fields with the LDAP attribute mapping (the original article shows it as an image), using the outgoing claim types from the note below. Then click Finish.

If you use objectSID, objectGUID, or another attribute:

1. In the Trust Relationships block, right-click on the relationship created in Step 1 and select Edit Claim Issuance Policy.
2. Click Add Rule. Select the Send LDAP Attributes as Claims template and click Next.
3. Come up with a name for the rule, such as "LDAPATTR". Fill in the remaining fields as specified below. Next to the "Name ID" type, specify an attribute: "objectGUID", "objectSID", or another attribute. Then click Finish.

In both cases, attribute names are case- and format-sensitive. Make sure to specify the outgoing claim types exactly as listed here: User.Firstname, User.Surname, User.EmailAddress. Otherwise, there may be authorization errors, such as email.no_in_response.
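The two Step 3 variants written out as AD FS claim-rule language and applied with Set-AdfsRelyingPartyTrust, as an added example that is not taken from the article. Assumptions: the incoming claim in the UPN variant is the standard AD FS UPN claim type; the LDAP attributes behind User.Firstname, User.Surname and User.EmailAddress are givenName, sn and mail (the article shows that mapping only in an image); objectGUID stands in for whichever immutable attribute you choose.

```powershell
# Added example, not from the Yandex 360 article. Assumes the ADFS module and the
# givenName/sn/mail attribute mapping described in the lead-in.
Import-Module ADFS
$TrustName = 'Yandex 360'
$NameId  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$Upn     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$WinAcct = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# Variant A (UPNs will not change): rule "NameID" transforms the incoming UPN claim
# into Name ID; rule "LDAPATTR" issues the three profile claims from Active Directory.
$RulesUpn = @"
@RuleTemplate = "MapClaims"
@RuleName = "NameID"
c:[Type == "$Upn"]
 => issue(Type = "$NameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleTemplate = "LdapClaims"
@RuleName = "LDAPATTR"
c:[Type == "$WinAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("User.Firstname", "User.Surname", "User.EmailAddress"), query = ";givenName,sn,mail;{0}", param = c.Value);
"@

# Variant B (UPNs may change): Name ID comes from an immutable attribute, here
# objectGUID, issued by the same LDAP rule so a renamed user keeps their Yandex ID.
$RulesGuid = @"
@RuleTemplate = "LdapClaims"
@RuleName = "LDAPATTR"
c:[Type == "$WinAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$NameId", "User.Firstname", "User.Surname", "User.EmailAddress"), query = ";objectGUID,givenName,sn,mail;{0}", param = c.Value);
"@

function Set-YandexClaimRules {
    param([ValidateSet('UPN','objectGUID')][string]$IdentityAttribute = 'UPN')
    # The identity attribute cannot be changed once chosen (Step 3), so refuse to
    # overwrite an existing Name ID rule instead of silently remapping every user.
    $current = (Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceTransformRules
    if ($current -and $current.Contains($NameId)) {
        throw "Trust '$TrustName' already issues Name ID; the identity attribute is fixed"
    }
    $rules = if ($IdentityAttribute -eq 'UPN') { $RulesUpn } else { $RulesGuid }
    Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $rules
}

Set-YandexClaimRules -IdentityAttribute 'UPN'
```

The outgoing claim types in the `types` lists are the exact strings Yandex expects; a rule that emits `Firstname` instead of `User.Firstname` is what produces the email.no_in_response error described under Troubleshooting.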
Step 4. Collect the data to be sent to Yandex 360

Login page URL
- Entry point address. Usually, it is https://domain/adfs/ls. In the management console, open Endpoints and make sure that the value of the Proxy Enabled parameter is set to Yes for /adfs/ls/. This parameter is responsible for activating the authentication page in AD FS that should be accessible from the outside (the address looks like this: https://domain_ADFS/adfs/ls/idpinitiatedsignon.aspx).

Identity provider publisher
- Domain entity ID. Usually, it is http://domain/adfs/services/trust. To get it, go to the Action tab in the management console and select Edit Federation Service Properties. The identifier is specified in the Federation Service identifier field.

Verification certificate
- Base64-encoded X.509 token-signing certificate. To get it:
  1. In the management console, open Certificates.
  2. Double-click your Token-signing certificate.
  3. Go to the Details tab and click Copy to File.
  4. Select Base-64 encoded X.509 (.CER) as the type of certificate and click Next.
  5. Save the file to your hard drive.

  If you have two active token-signing certificates and you are not sure which certificate is currently being used, repeat the same actions for the second certificate.
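A script that reads the three Step 4 values from the AD FS configuration and exports every token-signing certificate as Base64 X.509, which handles the two-certificate case from the last paragraph. It is an added example, not from the article, and assumes the ADFS PowerShell module on the federation server and the standard /adfs/ls/ passive endpoint path.

```powershell
# Added example, not from the Yandex 360 article. Assumes the ADFS module on the server.
Import-Module ADFS

function Get-YandexSsoSettings {
    param([string]$OutDir = "$env:USERPROFILE\Desktop")
    $props = Get-AdfsProperties

    # Login page URL: the passive endpoint must be proxy enabled to be reachable from outside.
    $ls = Get-AdfsEndpoint -AddressPath '/adfs/ls/'
    if (-not $ls.Proxy) {
        throw "/adfs/ls/ is not proxy enabled; run: Set-AdfsEndpoint -TargetAddressPath '/adfs/ls/' -Proxy `$true"
    }
    $loginUrl = "https://$($props.HostName)/adfs/ls"

    # Identity provider publisher: the Federation Service identifier (entity ID).
    $issuer = [string]$props.Identifier

    # Verification certificate(s): export every token-signing certificate and flag the
    # primary one, so a pending rollover certificate is not overlooked.
    $certs = foreach ($c in Get-AdfsCertificate -CertificateType Token-Signing) {
        $x509 = $c.Certificate
        $pem  = "-----BEGIN CERTIFICATE-----`r`n" +
                [Convert]::ToBase64String($x509.Export('Cert'), 'InsertLineBreaks') +
                "`r`n-----END CERTIFICATE-----"
        $path = Join-Path $OutDir ("adfs-token-signing-{0}.cer" -f $x509.Thumbprint)
        Set-Content -Path $path -Value $pem -Encoding Ascii
        [pscustomobject]@{
            Thumbprint = $x509.Thumbprint
            IsPrimary  = $c.IsPrimary
            NotAfter   = $x509.NotAfter
            File       = $path
        }
    }

    [pscustomobject]@{
        LoginPageUrl       = $loginUrl
        IdentityProviderId = $issuer
        Certificates       = $certs
    }
}

Get-YandexSsoSettings | Format-List
```

Upload the certificate marked IsPrimary to Yandex 360; keep the other file so you can switch it in before the NotAfter date of the primary one.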
Step 5. Set up employee synchronization via SCIM
By default, new employees appear in Yandex 360 after they log in to the service for the first time, and former employees can only be deleted manually. If you want to automatically sync the list of employees from AD FS with Yandex 360 for Business, enable SCIM synchronization.
Troubleshooting

If you enter invalid attribute values, when trying to log in via SSO you will see the "Login failed" message and one of the following error codes:

- email.no_in_response: Specify the attribute names in the format User.Firstname, User.Surname, User.EmailAddress. If you use a different format, such as Firstname, you will not be able to log in.
- request_your_admin: The error occurs if the admin of your organization's user directory (for example, Active Directory or Keycloak) has restricted access to Yandex 360 for the account. For details, contact your organization's technical support team.
- samlresponse.invalid: This error occurs if you entered an invalid login page URL, identity provider publisher, or verification certificate. Check the SSO settings in Yandex 360 for Business.
- unsupportable_domain: Make sure that the domain in the User.EmailAddress mail attribute in the SAML response is the same as your primary domain or one of the alias domains of your Yandex 360 organization.
AD FS (Active Directory Federation Services): a Microsoft technology that provides single sign-on access to various systems and applications. See Microsoft's Overview of Active Directory Federation Services.