Setting up Yandex Identity Hub

To set up single sign-on (SSO) to Yandex 360 services using Avanpost FAM, you need to first create and configure a SAML application.

Step 1. Create and configure a SAML application

  1. Log in to Yandex Identity Hub.

  2. Open the organization account.

  3. On the left panel, select Applications.

  4. In the upper-right corner, click Create application.

  5. Set the main application settings:

    1. Select SAML as the single sign-on (SSO) method and enter your custom application name in the Name field, for example, "yandex360".

    2. Click Create application.

  6. Set the integration settings:

    1. Click Edit in the upper-right corner.

    2. In the SP EntityID field, enter https://yandex.ru/, and in the ACS URL field, enter the service URL: https://passport.yandex.ru/auth/sso/commit.

    3. Click Save.

Step 2. Configure user attribute mapping

  1. On the SAML application settings page, go to the Attributes tab.

  2. In the Attribute column, edit the fields: click the desired row, enter the new attribute name, and click the Update button:

    1. Instead of the attribute emailaddress, specify User.EmailAddress.

    2. Instead of the attribute givenname, specify User.Firstname.

    3. Instead of the attribute surname, specify User.Surname.

You won't need the attribute fullname, so it can be deleted.

Step 3. Add users to the SAML application

For users to be able to authenticate via a SAML application:

  1. On the SAML application settings page, go to the tab Users and groups.

  2. Add a user or a group of users:

    1. Click Add users and select users in the window that opens.

    2. Click Add.

To delete users from the SAML application, click the icon, select Delete, and confirm the deletion.

Step 4. Gather data to transmit to Yandex 360 for Business

On the SAML application settings page, go to the Overview tab.

To configure SSO in Yandex 360, you'll need the following data:

  • Identity provider publisher in the field Issuer/IdP EntityID.

  • URL of the entry point in the field Login URL.

  • Signature certificate for X.509 tokens — you'll need to download it.

After that, proceed to setting up Yandex 360 for Business.

Solving issues with syncing

If incorrect values were specified during the identity provider setup and you try to log in with SSO, you'll see a message that reads "Login failed" along with one of the following error codes:

email.no_in_response

Specify the attribute names in the format User.Firstname, User.Surname, User.EmailAddress. If you use a different format, such as Firstname, you will not be able to log in.

request_your_admin

The error occurs if the user directory administrator of your organization has restricted access to Yandex 360 for the account. For details, contact your organization's technical support team.

samlresponse.invalid

The error occurs if the entry point URL, identity provider publisher, or token signature certificate is specified incorrectly. It may also occur within 14 days before the verification certificate expires or after its expiration. Check the SSO settings in Yandex 360 for Business.

unsupportable_domain

Make sure that the domain in the User.EmailAddress mail attribute in the SAML response is the same as your primary domain or one of the alias domains of your Yandex 360 organization.
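
The attribute and domain checks described above can be run against a captured SAMLResponse before users hit the login error. The script below is an added example, not Yandex or Avanpost code: it assumes a base64-encoded response from the HTTP-POST binding, the sample response and example.com domain are constructed, and the "attribute_missing" label is local to the script. It is a diagnostic only and does not verify the response signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("User.EmailAddress", "User.Firstname", "User.Surname")

def read_attributes(saml_response_b64):
    """Decode a base64 SAMLResponse and return {attribute name: first value}."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs

def precheck(saml_response_b64, org_domains):
    """Return (code, detail) pairs for problems named in the troubleshooting list."""
    attrs = read_attributes(saml_response_b64)
    problems = []
    email = attrs.get("User.EmailAddress", "")
    if not email:
        # Wrong attribute name (e.g. emailaddress) looks the same as a missing one.
        problems.append(("email.no_in_response", "got: " + ", ".join(sorted(attrs))))
    else:
        domain = email.rpartition("@")[2].lower()
        if domain not in {d.lower() for d in org_domains}:
            problems.append(("unsupportable_domain", domain))
    for name in REQUIRED[1:]:
        if not attrs.get(name):
            problems.append(("attribute_missing", name))  # local label, not a Yandex code
    return problems

def build_sample(attrs):
    """Constructed, unsigned sample response for the demo (not a real IdP capture)."""
    items = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attrs.items())
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           f'<saml:AttributeStatement>{items}</saml:AttributeStatement>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    bad = build_sample({"emailaddress": "anna@example.com", "Firstname": "Anna", "User.Surname": "Ivanova"})
    for code, detail in precheck(bad, ["example.com"]):
        print(code, "-", detail)
```

Pass your organization's primary domain and all alias domains as org_domains; an empty result means the attribute names and e-mail domain match what this page requires.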