How to connect an identity provider

If you already have an identity provider set up, you can connect it to Yandex 360. To do this, configure identity federation on the provider side first, then set up Yandex 360 for Business.

Requirements for organizations

Single sign-on (SSO) is available with the Optimal and Extended plans. If you switch to the Basic plan, SSO will be disabled.

To set up single sign-on (SSO), make sure that your organization:

  • Uses a plan where SSO is available.

  • Has a domain connected.

  • Has no employee accounts created on the company's domain. Domain accounts have addresses like login@example.com, where @example.com is the name of your company (domain). These accounts are added manually by your organization's administrators in Users → Employees.

Step 1. Configure identity federation

Before your identity federation can interact with Yandex 360, you need to configure it.

See the instructions on how to do this for different identity providers:

Make sure that your identity provider is compatible with the directory service you are using. Check the compatibility table.

Directory service: compatible identity providers

  • Microsoft Active Directory: Microsoft AD FS, Keycloak, Avanpost FAM, Multifactor
  • Samba DC: Keycloak, Avanpost FAM, Multifactor
  • Red ADM: Keycloak, Avanpost FAM, Multifactor
  • ALD Pro: Keycloak, Avanpost FAM, Multifactor
  • FreeIPA: Keycloak, Avanpost FAM, Multifactor

If you have another identity provider, check out its documentation. You can also use our instructions as an example. When configuring your identity provider, be sure to specify the following parameters:

  • Service URL: https://passport.yandex.ru/auth/sso/commit.

  • Identifier: https://yandex.ru/ (must include a trailing slash).

  • If your employees use services not only in Russian, add the URLs with other language-specific domains as POST endpoints. In particular:

    • https://passport.yandex.com/auth/sso/commit (for English)

    • https://passport.yandex.kz/auth/sso/commit (for Kazakh)

    • https://passport.yandex.uz/auth/sso/commit (for Uzbek)

    • https://passport.yandex.com.tr/auth/sso/commit (for Turkish)

    Full list of language-specific POST endpoints:
    • https://passport.yandex.com/auth/sso/commit

    • https://passport.yandex.az/auth/sso/commit

    • https://passport.yandex.by/auth/sso/commit

    • https://passport.yandex.co.il/auth/sso/commit

    • https://passport.yandex.com.am/auth/sso/commit

    • https://passport.yandex.com.ge/auth/sso/commit

    • https://passport.yandex.com.tr/auth/sso/commit

    • https://passport.yandex.ee/auth/sso/commit

    • https://passport.yandex.eu/auth/sso/commit

    • https://passport.yandex.fi/auth/sso/commit

    • https://passport.yandex.fr/auth/sso/commit

    • https://passport.yandex.kg/auth/sso/commit

    • https://passport.yandex.kz/auth/sso/commit

    • https://passport.yandex.lt/auth/sso/commit

    • https://passport.yandex.lv/auth/sso/commit

    • https://passport.yandex.md/auth/sso/commit

    • https://passport.yandex.pl/auth/sso/commit

    • https://passport.yandex.ru/auth/sso/commit

    • https://passport.yandex.tj/auth/sso/commit

    • https://passport.yandex.tm/auth/sso/commit

    • https://passport.yandex.uz/auth/sso/commit

Get the login page URL, your identity provider ID, and the X.509 verification certificate. You'll need them in the next step.
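The Service URL, Identifier and language-specific POST endpoints above are the values an identity provider needs to know about Yandex 360 as a service provider. The script below is an added example, not Yandex's own code or tooling: it writes those values into a standard SAML 2.0 SP metadata file, which identity providers such as AD FS and Keycloak can import instead of having every endpoint typed in by hand (that import capability, the output file name and the endpoint ordering are assumptions of the example; the entity ID and the /auth/sso/commit URLs are the values given on this page).

```python
"""Build SAML 2.0 SP metadata for Yandex 360 from the parameters in Step 1.

Added example for this page, not Yandex's own code or tooling. It assumes the
identity provider can import an SP metadata file; if yours cannot, copy the
same values in by hand. The entity ID and the /auth/sso/commit endpoints are
the values given on the page; the output file name and the endpoint ordering
are this example's choices.
"""
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SP_ENTITY_ID = "https://yandex.ru/"  # the Identifier; the trailing slash is mandatory
ACS_PATH = "/auth/sso/commit"

# Default (Russian) endpoint first, then the full list from the page.
PASSPORT_DOMAINS = [
    "passport.yandex.ru",
    "passport.yandex.com", "passport.yandex.az", "passport.yandex.by",
    "passport.yandex.co.il", "passport.yandex.com.am", "passport.yandex.com.ge",
    "passport.yandex.com.tr", "passport.yandex.ee", "passport.yandex.eu",
    "passport.yandex.fi", "passport.yandex.fr", "passport.yandex.kg",
    "passport.yandex.kz", "passport.yandex.lt", "passport.yandex.lv",
    "passport.yandex.md", "passport.yandex.pl", "passport.yandex.tj",
    "passport.yandex.tm", "passport.yandex.uz",
]


def acs_urls():
    """One Assertion Consumer Service URL per language-specific domain."""
    return [f"https://{d}{ACS_PATH}" for d in PASSPORT_DOMAINS]


def build_sp_metadata():
    """Return the EntityDescriptor XML as a string."""
    ET.register_namespace("md", NS_MD)
    root = ET.Element(f"{{{NS_MD}}}EntityDescriptor", {"entityID": SP_ENTITY_ID})
    sp = ET.SubElement(
        root,
        f"{{{NS_MD}}}SPSSODescriptor",
        {"protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"},
    )
    for index, url in enumerate(acs_urls()):
        attrs = {"Binding": BINDING_POST, "Location": url, "index": str(index)}
        if index == 0:
            attrs["isDefault"] = "true"  # passport.yandex.ru is the default endpoint
        ET.SubElement(sp, f"{{{NS_MD}}}AssertionConsumerService", attrs)
    return ET.tostring(root, encoding="unicode")


def acs_locations(xml_text):
    """Read the ACS Locations back out of metadata (used to verify the output)."""
    root = ET.fromstring(xml_text)
    return [e.get("Location") for e in root.iter(f"{{{NS_MD}}}AssertionConsumerService")]


if __name__ == "__main__":
    metadata = build_sp_metadata()
    with open("yandex360-sp-metadata.xml", "w", encoding="utf-8") as fh:
        fh.write(metadata)
    print(f"wrote {len(acs_locations(metadata))} ACS endpoints to yandex360-sp-metadata.xml")
```

After importing the file, compare the relying party's identifier and endpoint list in the identity provider's console against the values on this page; a missing trailing slash on the identifier or a missing language-specific endpoint is exactly the kind of mismatch that shows up later as a samlresponse.invalid error.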

Step 2. Set up Yandex 360 for Business

  1. Open Yandex 360 for Business.

  2. Go to General settings → Single sign-on (SSO).

  3. Click Set up.

  4. Fill in the fields with the required parameters:

    • Login page URL: the identity provider's SAML 2.0 endpoint URL.

    • Identity provider publisher: IdP subject ID.

    • Verification certificate: Certificate issued by your identity provider.

      If the current certificate expires soon, you can add a second one to replace it. To do so, click Add second certificate for updating.

  5. For syncing accounts from LDAP directories: to update the list of employees in Yandex 360 automatically, set up syncing and specify your application ID in the SCIM synchronization section.

  6. Save changes.

  7. Click Enable.

Step 3. Check authentication

  1. Open your browser in guest or incognito mode.

  2. Go to passport.yandex.com/auth, enter the username of the account from the identity provider, and click Log in. If everything is configured correctly, you will be redirected to the login page that you specified in Step 2.

Debugging and troubleshooting

If incorrect values were specified during the identity provider setup and you try to log in with SSO, you'll see a message that reads "Login failed" along with the error code:

email.no_in_response

The SAML response did not contain the email attribute under the expected name. Specify the attribute names in the format User.Firstname, User.Surname, User.EmailAddress. If you use a different format, such as Firstname, you will not be able to log in.

request_your_admin

The error occurs if the user directory administrator of your organization has restricted access to Yandex 360 for the account. For details, contact your organization's technical support team.

samlresponse.invalid

This error occurs if you entered an invalid login page URL, identity provider publisher, or verification certificate. It may also occur within 14 days before the verification certificate expires or after its expiration. Check the SSO settings in Yandex 360 for Business.

unsupportable_domain

Make sure that the domain in the User.EmailAddress attribute of the SAML response is the same as the primary domain or one of the alias domains of your Yandex 360 organization.
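The three configuration errors above (wrong attribute names, a mismatched login page URL or identifier, and an email domain that is not one of the organization's domains) can all be read off the SAML response itself. The script below is an added example, not Yandex's own tooling: it takes the decoded SAML Response XML (as shown on SAML-tracer's SAML tab) and reports which of the page's error codes each finding most likely corresponds to. The mapping of findings to error codes is this example's reading of the page, and the sample response and the organization domains are constructed.

```python
"""Check a decoded SAML Response against the rules from the troubleshooting
section.

Added example for this page, not Yandex's own tooling. The input is the SAML
Response XML as shown on SAML-tracer's SAML tab (decoded, not base64). Mapping
each finding to one of the page's error codes is this example's reading of
the page; the sample response and the organisation domains are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REQUIRED_ATTRS = ("User.Firstname", "User.Surname", "User.EmailAddress")
EXPECTED_AUDIENCE = "https://yandex.ru/"  # the Identifier, trailing slash included


def check_saml_response(xml_text, org_domains):
    """Return a list of (error_code, detail) findings; an empty list means OK."""
    findings = []
    root = ET.fromstring(xml_text)

    # 1. Destination must be one of the passport.yandex.* POST endpoints.
    dest = urlparse(root.get("Destination", ""))
    if not (dest.scheme == "https"
            and (dest.hostname or "").startswith("passport.yandex.")
            and dest.path == "/auth/sso/commit"):
        findings.append(("samlresponse.invalid",
                         f"unexpected Destination {root.get('Destination')!r}"))

    # 2. The Audience must equal the SP identifier exactly.
    audiences = [a.text for a in root.iterfind(".//saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        findings.append(("samlresponse.invalid",
                         f"Audience {audiences} is not {EXPECTED_AUDIENCE!r}"))

    # 3. Attribute names must use the User.<Field> format.
    attrs = {
        a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
        for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
    }
    missing = [name for name in REQUIRED_ATTRS if name not in attrs]
    if missing:
        findings.append(("email.no_in_response",
                         f"missing {missing}; present: {sorted(attrs)}"))

    # 4. The email domain must be the primary domain or an alias of the organisation.
    allowed = {d.lower() for d in org_domains}
    for email in attrs.get("User.EmailAddress", []):
        domain = email.rpartition("@")[2].lower()
        if domain not in allowed:
            findings.append(("unsupportable_domain",
                             f"{email!r} is not on an organisation domain"))
    return findings


def sample_response(attr_prefix="User.", email="ivan@example.com"):
    """Constructed SAML Response, trimmed to the parts the checks read (unsigned)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="https://passport.yandex.ru/auth/sso/commit">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>https://yandex.ru/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{attr_prefix}Firstname"><saml:AttributeValue>Ivan</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{attr_prefix}Surname"><saml:AttributeValue>Petrov</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{attr_prefix}EmailAddress"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    org = ["example.com", "alias.example.com"]  # constructed organisation domains
    for label, xml in [("good", sample_response()),
                       ("bare attribute names", sample_response(attr_prefix="")),
                       ("foreign domain", sample_response(email="ivan@other.org"))]:
        print(label, "->", check_saml_response(xml, org) or "no findings")
```

The checker deliberately does not verify the signature: that is the job of the verification certificate configured in Step 2, and a response that passes these four checks but still fails with samlresponse.invalid points at the certificate (including the 14-day pre-expiry window) rather than at attribute mapping.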

SAML-tracer for troubleshooting

SAML-tracer is a browser extension that traces SAML events and helps to find and fix errors in single sign-on (SSO) configuration. You can export the tracking report in a JSON file.

Installing and launching

Install the extension by following the link:

To launch SAML-tracer, click the SAML-tracer icon in the browser's extension panel or press Alt + Shift + S.

Tracing SAML events

  1. Open your browser in guest or incognito mode and launch SAML-tracer. If there's no icon or the SAML-tracer window doesn't open, enable Allow Incognito mode in the extension settings.
  2. Go to passport.yandex.com/auth, enter the username of the account from the identity provider, and click Log in. In the SAML-tracer window, you'll see GET and POST entries; those that carry SAML events are highlighted in orange and marked with a SAML label.
  3. To check the attributes and their values, select an entry with a SAML event and go to the SAML tab on the preview panel.

Exporting report to a file

  1. Select an entry with the desired SAML event.
  2. Click Export in the SAML-tracer toolbar.
  3. To hide confidential information, select Mask values.
  4. Click Export. The JSON file will be downloaded to your computer.

SSO restrictions

After you enable single sign-on (SSO), you won't be able to import employees and move departments.

If you've also connected the ADSCIM utility, management of mail aliases via the Yandex 360 for Business interface will be disabled.

If you have several companies in Yandex 360 for Business, single sign-on (SSO) is simultaneously enabled for all companies.

For the single sign-on (SSO) to work correctly, use one token for all organizations.

Disabling single sign-on (SSO) works the same way. If you switch to the Basic plan in one of your companies, single sign-on (SSO) will be disabled for all your companies.

Glossary

Identity provider: a service that stores and manages user credentials, such as Active Directory or Keycloak.

Identity federation: with federation of credentials, you can set up user authentication using the Single Sign-On (SSO) technology. With this approach, the identity provider (IdP), such as Active Directory or Keycloak, is responsible for authenticating users, while the service provider (SP), such as a service or app, manages access to resources.