How to connect an identity provider
If you already have an identity provider deployed and configured, you can connect it to Yandex 360. To do this, you first configure identity federation on the identity provider side and then set up Yandex 360 for Business.
Requirements for organizations
To set up single sign-on (SSO), make sure that your organization:
- Is using the Optimal or Advanced service plan. If you switch to the Basic plan, single sign-on (SSO) will be disabled.
- Has a linked domain (only one).
- Has no employee accounts created on the company's domain. Domain accounts have addresses like login@example.com, where example.com is the name of your company (domain). These accounts are added manually by your organization's administrators in Users → Employees.
If you have several companies in Yandex 360 for Business, single sign-on (SSO) is simultaneously enabled for all companies.
Disabling single sign-on (SSO) works the same way. If you switch to the Basic plan in one of your companies, single sign-on (SSO) will be disabled for all your companies.
Step 1. Configure identity federation
In order for your identity federation to be able to interact with Yandex 360, you need to configure it.
See the instructions on how to do this for different identity providers:
If you have another identity provider, check out its documentation. You can also use our instructions as an example. When configuring your identity provider, be sure to specify the following parameters:
- Service URL: https://passport.yandex.ru/auth/sso/commit.
- ID: https://yandex.ru/ (with a slash at the end).
- If your employees use services not only in Russian, add the URLs with other language-specific domains as POST endpoints. For example:
  - https://passport.yandex.com/auth/sso/commit (for English)
  - https://passport.yandex.kz/auth/sso/commit (for Kazakh)
  - https://passport.yandex.uz/auth/sso/commit (for Uzbek)
  - https://passport.yandex.com.tr/auth/sso/commit (for Turkish)
Full list:
- https://passport.yandex.az/auth/sso/commit
- https://passport.yandex.by/auth/sso/commit
- https://passport.yandex.co.il/auth/sso/commit
- https://passport.yandex.com/auth/sso/commit
- https://passport.yandex.com.am/auth/sso/commit
- https://passport.yandex.com.ge/auth/sso/commit
- https://passport.yandex.com.tr/auth/sso/commit
- https://passport.yandex.ee/auth/sso/commit
- https://passport.yandex.eu/auth/sso/commit
- https://passport.yandex.fi/auth/sso/commit
- https://passport.yandex.fr/auth/sso/commit
- https://passport.yandex.kg/auth/sso/commit
- https://passport.yandex.kz/auth/sso/commit
- https://passport.yandex.lt/auth/sso/commit
- https://passport.yandex.lv/auth/sso/commit
- https://passport.yandex.md/auth/sso/commit
- https://passport.yandex.pl/auth/sso/commit
- https://passport.yandex.ru/auth/sso/commit
- https://passport.yandex.tj/auth/sso/commit
- https://passport.yandex.tm/auth/sso/commit
- https://passport.yandex.uz/auth/sso/commit

- Get the login page URL, your identity provider ID, and the X.509 verification certificate. You'll need them in the next step.
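Many identity providers (AD FS and Keycloak among them) can import the service provider's settings from a standard SAML 2.0 SP metadata file instead of having the Service URL, ID and POST endpoints typed in by hand. Yandex does not publish such a file, so the script below builds one from the values listed in this step. This is an added example, not Yandex code; it assumes your identity provider accepts standard SP metadata, and the list of domains is a subset you should extend from the full list above.

```python
# Added example (not Yandex's code): build SAML 2.0 SP metadata describing the
# Yandex 360 endpoints from Step 1, for identity providers that can import
# SP metadata. Assumption: your IdP accepts standard SP metadata.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# The ID from Step 1; the trailing slash is part of the value and must match exactly.
ENTITY_ID = "https://yandex.ru/"

# Language-specific domains taken from the page. Extend from the full list as
# needed; the first entry becomes the default ACS endpoint.
TLDS = ["ru", "com", "kz", "uz", "com.tr"]


def acs_url(tld: str) -> str:
    """Service URL (the "commit" endpoint) for one passport.yandex domain."""
    return f"https://passport.yandex.{tld}/auth/sso/commit"


def build_sp_metadata(entity_id: str = ENTITY_ID, tlds=TLDS) -> str:
    """Return SP metadata XML with one HTTP-POST AssertionConsumerService per domain."""
    if not entity_id.endswith("/"):
        # The page is explicit that the ID ends with a slash; catch a typo early
        # rather than discovering it as a failed login in Step 3.
        raise ValueError("entity ID must end with a slash")
    ET.register_namespace("md", MD)
    root = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor",
                       {"protocolSupportEnumeration": SAMLP})
    for index, tld in enumerate(tlds):
        attrs = {"Binding": POST_BINDING, "Location": acs_url(tld), "index": str(index)}
        if index == 0:
            attrs["isDefault"] = "true"
        ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", attrs)
    return ET.tostring(root, encoding="unicode")


def acs_locations(metadata_xml: str) -> list[str]:
    """Read back the ACS Location values, e.g. to compare with what the IdP shows after import."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location") for e in root.iter(f"{{{MD}}}AssertionConsumerService")]


if __name__ == "__main__":
    print(build_sp_metadata())
```

After importing the file, compare the endpoint list your identity provider displays with `acs_locations()` so that no language-specific domain was silently dropped; a missing endpoint shows up later as a failed login only for users of that domain.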
Step 2. Set up Yandex 360 for Business
- Open Yandex 360 for Business.
- Go to General settings → Single sign-on (SSO).
- Click Set up.
- Fill in the fields with the required parameters:
  - Login page URL: SAML 2.0 endpoint URL.
  - Identity provider publisher: IdP subject ID.
  - Verification certificate: Certificate issued by your identity provider. If the current certificate expires soon, you can add a second one to replace it. To do so, click Add second certificate for updating.
- For AD FS: To update the list of employees in Yandex 360 automatically, set up synchronization and specify your application ID in the SCIM Synchronization section.
- Save your changes.
- Select Enable auto-save.
Step 3. Check authentication
- Open your browser in guest or incognito mode.
- Go to passport.yandex.com/auth, enter the account from the identity provider, and click Log in. If everything is configured correctly, you will be redirected to the login page that you specified in Step 2.
Debugging and troubleshooting
If incorrect values were specified during the identity provider setup and you try to log in with SSO, you'll see a message that reads "Login failed" along with the error code:
- email.no_in_response - Specify the attribute names in the format User.Firstname, User.Surname, User.EmailAddress. If you use a different format, such as Firstname, you will not be able to log in.
- request_your_admin - The error occurs if the user directory administrator of your organization has restricted access to Yandex 360 for the account. For details, contact your organization's technical support team.
- samlresponse.invalid - This error occurs if you entered an invalid login page URL, identity provider publisher, or verification certificate. Check the SSO settings in Yandex 360 for Business.
- unsupportable_domain - Make sure that the domain in the User.EmailAddress mail attribute in the SAML response is the same as your primary domain or one of the alias domains of your Yandex 360 organization.
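Two of the error codes above, email.no_in_response and unsupportable_domain, describe properties of the SAML response that can be checked offline before anyone logs in: the attribute names must be exactly User.Firstname, User.Surname and User.EmailAddress, and the e-mail domain must be the organization's primary domain or one of its aliases. The script below runs those two checks over a SAML response (for example one copied from the SAML tab of SAML-tracer, described further down). It is an added example, not Yandex code; the sample responses and organization domains are constructed, and the mapping from a failed check to an error code follows the descriptions on this page rather than Yandex's own validation logic.

```python
# Added example (not Yandex's code): pre-flight check of a SAML response against
# the attribute-name and e-mail-domain rules described by the error codes
# email.no_in_response and unsupportable_domain. Sample data is constructed.
import xml.etree.ElementTree as ET  # for responses from untrusted sources, prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REQUIRED_ATTRS = ("User.Firstname", "User.Surname", "User.EmailAddress")


def collect_attributes(response_xml: str) -> dict[str, list[str]]:
    """Map every Attribute Name in the assertion to its list of values."""
    root = ET.fromstring(response_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            (v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)
        ]
    return attrs


def check_response(response_xml: str, org_domains) -> list[tuple[str, str]]:
    """Return (error_code, detail) pairs; an empty list means both checks passed."""
    attrs = collect_attributes(response_xml)
    missing = [name for name in REQUIRED_ATTRS if name not in attrs]
    if missing:
        # Wrong or absent names, e.g. "Firstname" instead of "User.Firstname"
        return [("email.no_in_response", "missing attributes: " + ", ".join(missing))]
    emails = [e for e in attrs["User.EmailAddress"] if e]
    if not emails:
        return [("email.no_in_response", "User.EmailAddress has no value")]
    allowed = {d.lower() for d in org_domains}
    domain = emails[0].rpartition("@")[2].lower()
    if domain not in allowed:
        return [("unsupportable_domain", f"{domain!r} is not a domain of the organization")]
    return []


def sample_response(first: str, last: str, mail: str, email: str) -> str:
    """Constructed, unsigned SAML response with three attributes (test input only)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="{first}"><saml:AttributeValue>Ivan</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{last}"><saml:AttributeValue>Petrov</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{mail}"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Constructed primary domain and one alias domain of the organization
ORG_DOMAINS = ["example.com", "example-alias.com"]

if __name__ == "__main__":
    cases = {
        "ok": sample_response("User.Firstname", "User.Surname", "User.EmailAddress", "ivan@example.com"),
        "bad_names": sample_response("Firstname", "Surname", "EmailAddress", "ivan@example.com"),
        "bad_domain": sample_response("User.Firstname", "User.Surname", "User.EmailAddress", "ivan@other.org"),
    }
    for label, xml in cases.items():
        print(label, check_response(xml, ORG_DOMAINS) or "passed")
```

The check deliberately does not verify the signature: samlresponse.invalid covers the login page URL, publisher and certificate, which only Yandex's side can confirm against the values entered in Step 2. What this script catches is the configuration error that survives a valid signature, a correctly signed assertion carrying the wrong attribute names or an address outside the organization's domains.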
SAML-tracer for troubleshooting
SAML-tracer is a browser extension that traces SAML events and helps to find and fix errors in single sign-on (SSO) configuration. You can export the tracking report to a JSON file.
Installing and launching
- Install the extension by following the link:
  - SAML-tracer for Yandex Browser, Google Chrome, and Microsoft Edge.
  - SAML-tracer for Mozilla Firefox.
- To launch SAML-tracer, click the SAML-tracer icon in the browser's extension panel or press Alt+Shift+S.
Tracing SAML events
- Open your browser in guest or incognito mode and launch SAML-tracer. If there's no SAML-tracer icon or the SAML-tracer window doesn't open, enable Allow Incognito mode in the extension settings.
- Go to passport.yandex.com/auth, enter the account from the identity provider, and click Log in. In the SAML-tracer window, you'll see GET and POST entries, with SAML events highlighted in orange and marked with a label.
- To check the attributes and their values, select an entry with a SAML event and go to the SAML tab on the preview panel.
Exporting report to a file
- Select an entry with the desired SAML event.
- Click Export in the SAML-tracer toolbar.
- To hide confidential information, select Mask values.
- Click Export. The JSON file will be downloaded to your computer.
SSO restrictions
After you enable single sign-on (SSO), you won't be able to import employees and move departments.
If you've also connected the ADSCIM utility, management of mail aliases via the Yandex 360 for Business interface will be disabled.
Identity provider: a service that stores and manages user credentials, such as Active Directory or Keycloak.
Identity federation: with federation of credentials, you can set up user authentication using the Single Sign-On (SSO) technology. With this approach, the identity provider (IdP), such as Active Directory or Keycloak, is responsible for authenticating users, while the service provider (SP), such as a service or app, manages access to resources.