Configure Multifactor

To set up single sign-on (SSO) for Yandex 360 services via Multifactor, you need to first configure the MultiFactor SelfService Portal and create a SAML application.

Your users must be created in advance with the YandexADSCIM utility (the NameID must be the user's UPN, including the domain).

Step 1. Create and configure a SAML application

  1. Log in to your Multifactor administrator account.

  2. Create a SAML application:

    1. On the left panel, select Resources and click Add resource → SAML application.

    2. In the Name field, specify any name for the application. For example, yandex360.

    3. Leave the Address field blank.

    4. In the Identity Provider field, select Active Directory.

    5. In the Portal address field, enter the address (external or internal) of your configured MultiFactor SelfService Portal.

    6. Enable the Register new users option.

    7. Click Save. The SAML application settings page opens.

  3. Configure the SAML application settings:

    1. Create an XML file with the name sp_metadata.xml and add the following code to it:

      <?xml version="1.0"?>
      <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                           entityID="https://yandex.ru/">
          <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
              <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                           Location="https://passport.yandex.ru/auth/sso/commit" index="1" />
          </md:SPSSODescriptor>
      </md:EntityDescriptor>

    2. Specify the parameters and save the file:

      • entityID: https://yandex.ru/ (with a slash at the end).
      • Location: https://passport.yandex.ru/auth/sso/commit.

    3. On the SAML application settings page, in the Service Provider section, click Upload Metadata and upload the sp_metadata.xml file you've just created.

Step 2. Collect the data to be sent to Yandex 360

  1. On the SAML application settings page, in the Multifactor Metadata section, click Open Link.

  2. The XML file will open. You'll need the following information for SSO:

    • Login page URL — The entry point address. You can find this value in the Location field, SingleSignOnService line.

    • Identity provider publisher — Domain's Entity ID. The value is specified in the entityID field.

    • Verification certificate — The X.509 certificate used to sign tokens. The value is specified in the X509Certificate field.

After that, proceed to setting up Yandex 360 for Business.

Troubleshooting

If incorrect values were specified during the identity provider setup and you try to log in with SSO, you'll see a message that reads "Login failed" along with the error code:

email.no_in_response

Specify the attribute names in the format User.Firstname, User.Surname, User.EmailAddress. If you use a different format, such as Firstname, you will not be able to log in.

request_your_admin

The error occurs if the user directory administrator of your organization has restricted access to Yandex 360 for the account. For details, contact your organization's technical support team.

samlresponse.invalid

This error occurs if you entered an invalid login page URL, identity provider publisher, or verification certificate. Check the SSO settings in Yandex 360 for Business.

unsupportable_domain

Make sure that the domain in the User.EmailAddress mail attribute in the SAML response is the same as your primary domain or one of the alias domains of your Yandex 360 organization. If they don't match, you will get an error message.
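As an added example (not part of the Yandex 360 or Multifactor documentation), the following Python script applies the two checks behind the email.no_in_response and unsupportable_domain codes to a SAML response captured from your own identity provider; the response builder, the user names and the domains in it are constructed test data.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Attribute names Yandex 360 expects in the SAML response (see the error codes above).
REQUIRED_ATTRS = ("User.Firstname", "User.Surname", "User.EmailAddress")


def check_saml_response(xml_text, org_domains):
    """Return the Yandex 360 error codes this response would trigger ([] means both checks pass)."""
    root = ET.fromstring(xml_text)  # run only on responses captured from your own IdP
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    errors = []
    # email.no_in_response: names must be exactly User.Firstname / User.Surname / User.EmailAddress
    if any(name not in attrs for name in REQUIRED_ATTRS):
        errors.append("email.no_in_response")
    # unsupportable_domain: mail domain must be the primary domain or one of the alias domains
    email = attrs.get("User.EmailAddress", "")
    if "@" in email and email.rsplit("@", 1)[1].lower() not in {d.lower() for d in org_domains}:
        errors.append("unsupportable_domain")
    return errors


def build_response(attrs):
    """Build a minimal constructed (unsigned) SAML Response carrying the given attributes."""
    body = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attrs.items()
    )
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_c1" Version="2.0">'
        f'<saml:Assertion ID="_a1" Version="2.0"><saml:AttributeStatement>{body}</saml:AttributeStatement>'
        "</saml:Assertion></samlp:Response>"
    )


ORG_DOMAINS = ["example.com", "mail.example.com"]  # placeholder primary domain and alias domain
GOOD = build_response({"User.Firstname": "Ivan", "User.Surname": "Petrov",
                       "User.EmailAddress": "ivan@example.com"})
WRONG_NAMES = build_response({"Firstname": "Ivan", "Surname": "Petrov", "EmailAddress": "ivan@example.com"})
FOREIGN_DOMAIN = build_response({"User.Firstname": "Ivan", "User.Surname": "Petrov",
                                 "User.EmailAddress": "ivan@other.example"})

if __name__ == "__main__":
    for label, resp in (("good", GOOD), ("wrong names", WRONG_NAMES), ("foreign domain", FOREIGN_DOMAIN)):
        print(f"{label}: {check_saml_response(resp, ORG_DOMAINS) or 'OK'}")
```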

UPN (User Principal Name) is the username that consists of the account name, the @ symbol, and the organization's domain. UPN is used to authenticate a user in Microsoft services, such as Active Directory and Azure AD, and may not match the email address.