How to connect an identity provider

If you already have an identity provider set up, you can connect it to Yandex 360. To do this, configure identity federation on the provider side and then set up Yandex 360 for Business.

Requirements for organizations

To set up single sign-on (SSO), make sure that your organization:

  • Is using the Optimal or Advanced service plan. If you switch to the Basic plan, single sign-on (SSO) will be disabled.

  • Has a linked domain (only one).

  • Has no employee accounts created on the company's domain. Domain accounts have addresses like login@example.com, where example.com is your company's domain. Such accounts are added manually by your organization's administrators in Users → Employees.

If you have several companies in Yandex 360 for Business, single sign-on (SSO) is simultaneously enabled for all companies.

Disabling single sign-on (SSO) works the same way. If you switch to the Basic plan in one of your companies, single sign-on (SSO) will be disabled for all your companies.

Step 1. Configure identity federation

Your identity federation must be configured before it can interact with Yandex 360.

See the instructions on how to do this for different identity providers:

If you have another identity provider, check out its documentation. You can also use our instructions as an example. When configuring your identity provider, be sure to specify the following parameters:

  • Service URL: https://passport.yandex.ru/auth/sso/commit.

  • ID: https://yandex.ru/ (with a slash at the end).

  • If your employees use Yandex services in languages other than Russian, also add the URLs on the other language-specific domains as POST endpoints. For example:

    • https://passport.yandex.com/auth/sso/commit (for English)

    • https://passport.yandex.kz/auth/sso/commit (for Kazakh)

    • https://passport.yandex.uz/auth/sso/commit (for Uzbek)

    • https://passport.yandex.com.tr/auth/sso/commit (for Turkish)

    Full list:

    • https://passport.yandex.az/auth/sso/commit

    • https://passport.yandex.by/auth/sso/commit

    • https://passport.yandex.co.il/auth/sso/commit

    • https://passport.yandex.com/auth/sso/commit

    • https://passport.yandex.com.am/auth/sso/commit

    • https://passport.yandex.com.ge/auth/sso/commit

    • https://passport.yandex.com.tr/auth/sso/commit

    • https://passport.yandex.ee/auth/sso/commit

    • https://passport.yandex.eu/auth/sso/commit

    • https://passport.yandex.fi/auth/sso/commit

    • https://passport.yandex.fr/auth/sso/commit

    • https://passport.yandex.kg/auth/sso/commit

    • https://passport.yandex.kz/auth/sso/commit

    • https://passport.yandex.lt/auth/sso/commit

    • https://passport.yandex.lv/auth/sso/commit

    • https://passport.yandex.md/auth/sso/commit

    • https://passport.yandex.pl/auth/sso/commit

    • https://passport.yandex.ru/auth/sso/commit

    • https://passport.yandex.tj/auth/sso/commit

    • https://passport.yandex.tm/auth/sso/commit

    • https://passport.yandex.uz/auth/sso/commit

Get the login page URL, your identity provider ID, and the X.509 verification certificate. You'll need them in the next step.

Step 2. Set up Yandex 360 for Business

  1. Open Yandex 360 for Business.

  2. Go to General settings → Single sign-on (SSO).

  3. Click Set up.

  4. Fill in the fields with the required parameters:

    • Login page URL: SAML 2.0 endpoint URL.

    • Identity provider publisher: IdP subject ID.

    • Verification certificate: Certificate issued by your identity provider.

      If the current certificate expires soon, you can add a second one to replace it. To do so, click Add second certificate for updating.

  5. For AD FS: To update the list of employees in Yandex 360 automatically, set up synchronization and specify your application ID in the SCIM Synchronization section.

  6. Save your changes.

  7. Select Enable auto-save.

Step 3. Check authentication

  1. Open your browser in guest or incognito mode.

  2. Go to passport.yandex.com/auth, enter the account from the identity provider, and click Log in. If everything is configured correctly, you will be redirected to the login page that you specified in Step 2.

Debugging and troubleshooting

If incorrect values were specified during the identity provider setup and you try to log in with SSO, you'll see a message that reads "Login failed" along with the error code:

email.no_in_response

Specify the attribute names in the format User.Firstname, User.Surname, User.EmailAddress. If you use a different format, such as Firstname, you will not be able to log in.

request_your_admin

The error occurs if the user directory administrator of your organization has restricted access to Yandex 360 for the account. For details, contact your organization's technical support team.

samlresponse.invalid

This error occurs if you entered an invalid login page URL, identity provider publisher, or verification certificate. Check the SSO settings in Yandex 360 for Business.

unsupportable_domain

Make sure that the domain in the User.EmailAddress mail attribute in the SAML response is the same as your primary domain or one of the alias domains of your Yandex 360 organization.
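As an added pre-flight check (example code, not part of Yandex 360 or any identity provider), the script below inspects a SAML response the way the Step 1 parameters and the error codes above describe: the Destination must be one of the commit endpoints, the Audience must be https://yandex.ru/ with the trailing slash, the attributes must use the User.* names, and the mail domain must belong to the organization. The sample response is constructed for illustration, and the mapping to error codes reflects only what this page states, not Yandex's actual validation logic.

```python
"""Pre-flight check of a SAML response against the Yandex 360 requirements above."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values taken from the setup instructions: SP ID (trailing slash!) and commit endpoints.
EXPECTED_AUDIENCE = "https://yandex.ru/"
COMMIT_ENDPOINTS = {f"https://passport.yandex.{tld}/auth/sso/commit"
                    for tld in ("ru", "com", "kz", "uz", "com.tr")}
REQUIRED_ATTRS = ("User.Firstname", "User.Surname", "User.EmailAddress")

def check_response(xml_text, org_domains):
    """Return likely Yandex 360 error codes for this response (empty list = looks OK)."""
    root = ET.fromstring(xml_text)
    problems = []
    # Destination must be one of the language-specific commit endpoints.
    if root.get("Destination") not in COMMIT_ENDPOINTS:
        problems.append("samlresponse.invalid: unexpected Destination")
    # Audience must equal the ID configured at the IdP, including the trailing slash.
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != EXPECTED_AUDIENCE:
        problems.append("samlresponse.invalid: Audience is not https://yandex.ru/")
    # Attribute names must use the exact User.* spelling; "Firstname" alone is not enough.
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if name not in attrs:
            problems.append(f"email.no_in_response: missing attribute {name}")
    # The mail domain must be the primary domain or one of the alias domains.
    email = attrs.get("User.EmailAddress")
    if email:
        domain = email.rpartition("@")[2].lower()
        if domain not in {d.lower() for d in org_domains}:
            problems.append(f"unsupportable_domain: {domain} is not an organization domain")
    return problems

# Constructed sample (not a real IdP capture): one attribute misnamed, mail domain foreign.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://passport.yandex.ru/auth/sso/commit">
  <saml:Assertion><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://yandex.ru/</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
    <saml:Attribute Name="Firstname"><saml:AttributeValue>Ann</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.Surname"><saml:AttributeValue>Lee</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.EmailAddress"><saml:AttributeValue>ann@other.example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, ["example.com"]))
```

Paste the decoded SAMLResponse from the SAML-tracer SAML tab in place of the sample and pass your primary domain and aliases to see which of the error codes above the response would likely trigger.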

SAML-tracer for troubleshooting

SAML-tracer is a browser extension that traces SAML events and helps you find and fix errors in the single sign-on (SSO) configuration. You can export the trace to a JSON file.

Installing and launching

Install the extension by following the link:

To launch SAML-tracer, click the SAML-tracer icon in the browser's extension panel or press Alt + Shift + s.

Tracing SAML events

  1. Open your browser in guest or incognito mode and launch SAML-tracer. If there's no icon or the SAML-tracer window doesn't open, enable Allow Incognito mode in the extension settings.
  2. Go to passport.yandex.com/auth, enter the account from the identity provider, and click Log in. In the SAML-tracer window, you'll see GET and POST entries; the ones carrying SAML events are highlighted in orange and marked with a SAML label.
  3. To check the attributes and their values, select an entry with a SAML event and go to the SAML tab on the preview panel.

Exporting report to a file

  1. Select an entry with the desired SAML event.
  2. Click Export in the SAML-tracer toolbar.
  3. To hide confidential information, select Mask values.
  4. Click Export. The JSON file will be downloaded to your computer.

SSO restrictions

After you enable single sign-on (SSO), you won't be able to import employees and move departments.

If you've also connected the ADSCIM utility, management of mail aliases via the Yandex 360 for Business interface will be disabled.

Identity provider

An identity provider is a service that stores and manages user credentials, such as Active Directory or Keycloak.

With identity federation, you can set up user authentication using the Single Sign-On (SSO) technology. With this approach, the identity provider (IdP), such as Active Directory or Keycloak, is responsible for authenticating users, while the service provider (SP), such as a service or app, manages access to resources.