Configure Avanpost FAM
To set up single sign-on (SSO) to Yandex 360 services using Avanpost FAM, you need to first create and configure a SAML application.
Step 1. Create and configure a SAML application
- Log in to Avanpost.
- Open the Avanpost FAM web interface.
- Create a SAML application: go to Приложения (Applications) and click Добавить приложение (Add application).
- Set the Основные настройки (Basic settings) of the application:
  - Наименование (Name): set a name for the application, such as "Yandex360".
  - Тип (Type): select SAML.
  - Make sure that the option Показывать приложение пользователям (Show application to users) is enabled.
  - Click Next.
- Set the Настройки интеграции (Integration settings):
  - In the Issuer field, enter https://yandex.ru/ (with a slash at the end).
  - In the ACS field, enter the Service URL: https://passport.yandex.ru/auth/sso/commit
  - Leave the fields Базовый URL (Base URL) and Logout empty.
  - Set NameID Format: select Постоянный (Permanent) from the list.
  - In the Значение NameID (NameID value) field, select the ID you'll use as the NameID for SAML SSO: Имя пользователя (Username) or Адрес электронной почты (Email address).
  - Click Next.
- Configure the Настройки аутентификации (Authentication settings):
  - For the new authentication process, set the username and password verification: enable the Password method in the provided list of factors.
  - Leave the remaining methods disabled.
  - Click Next.
- Activate the application:
  - Select the option Сделать приложение активным (Make the application active).
  - Click Save.
Step 2. Configure user attribute mapping
- In the Приложения (Applications) section of the Avanpost FAM web interface, select the SAML application you created in Step 1.
- In the window that opens, go to the Attributes tab.
- Click the add button and add three attributes one by one:
  - User.EmailAddress: email address.
  - User.Surname: last name.
  - User.Firstname: first name.
- Configure the synchronization of Avanpost FAM and Yandex 360 attributes: open each attribute and change the value source parameters. See the table below for the SAML Attribute Name values supported in Yandex 360 for Business.

SAML Attribute Name   Value
User.EmailAddress     user.email
User.Firstname        user.family_name
User.Surname          user.given_name

The resulting attribute mapping will look like this:
Step 3. Gather data to transmit to Yandex 360 for Business
You can get the main parameters for configuring SSO using a link of the following format:
http://<avanpost hostname/IP>/.well-known/samlidp.xml
where <avanpost hostname/IP> is the hostname or IP address for accessing the service.
For SSO, you'll need the following information:
- Login page URL: the entry point address. The value is specified in the Location field.
- Identity provider publisher: the domain's Entity ID. The value is specified in the entityID field.
- Verification certificate: the X.509 certificate used to sign tokens. The value is specified in the X509Certificate field.
Troubleshooting
If incorrect values were specified during the identity provider setup and you try to log in with SSO, you'll see a message that reads "Login failed" along with one of the following error codes:
- email.no_in_response: Specify the attribute names in the format User.Firstname, User.Surname, User.EmailAddress. If you use a different format, such as Firstname, you will not be able to log in.
- request_your_admin: The error occurs if the user directory administrator of your organization has restricted access to Yandex 360 for the account. For details, contact your organization's technical support team.
- samlresponse.invalid: This error occurs if you entered an invalid login page URL, identity provider publisher, or verification certificate. Check the SSO settings in Yandex 360 for Business.
- unsupportable_domain: Make sure that the domain in the User.EmailAddress mail attribute in the SAML response is the same as your primary domain or one of the alias domains of your Yandex 360 organization. If they don't match, you will get an error message.