Configure Azure Active Directory (English interface)

Step 1. Create and configure a SAML application

  1. Log in to the Azure Active Directory Admin Center.
  2. In the Azure Active Directory section in the left panel, go to the Enterprise applications tab.
  3. Create a SAML application:
    1. Click New application.
    2. On the Browse Azure AD Gallery tab, click Create your own application.
    3. On the right side of the window that opens, enter the name of the application, for example yandexsso.
    4. Select Integrate any other application you don't find in the gallery (Non-gallery).
    5. Click Create.

    The application will appear in the All applications list on the Enterprise applications tab.

  4. Select your application from the list.

    If you don't want to restrict which users can use single sign-on (SSO), set the Assign Required parameter on the Properties tab to No. To save the settings, click Save at the top of the tab.

    To allow only specific users to use single sign-on (SSO), set the Assign Required parameter on the Properties tab to Yes. Then go to the Users and groups tab, click Add user or group, and add the users.

  5. Go to the Single sign-on tab and select SAML.
  6. In the Set up Single Sign-On with SAML window, click Edit in the Basic SAML Configuration section and set the following parameters:
    1. Identifier (Entity ID): https://yandex.ru/ (with a slash at the end).
    2. Reply URL (Assertion Consumer Service URL): https://passport.yandex.ru/auth/sso/commit.
    3. Sign on URL (optional): https://passport.yandex.ru/auth/sso/commit.
    4. If your employees use the services not only in Russian, add the URLs with language-specific domains in the Reply URL (Assertion Consumer Service URL) and Sign on URL fields. For example:
      • https://passport.yandex.com/auth/sso/commit (for English)
      • https://passport.yandex.kz/auth/sso/commit (for Kazakh)
      • https://passport.yandex.uz/auth/sso/commit (for Uzbek)
      • https://passport.yandex.com.tr/auth/sso/commit (for Turkish)
      Full list
      • https://passport.yandex.az/auth/sso/commit
      • https://passport.yandex.by/auth/sso/commit
      • https://passport.yandex.co.il/auth/sso/commit
      • https://passport.yandex.com/auth/sso/commit
      • https://passport.yandex.com.am/auth/sso/commit
      • https://passport.yandex.com.ge/auth/sso/commit
      • https://passport.yandex.com.tr/auth/sso/commit
      • https://passport.yandex.ee/auth/sso/commit
      • https://passport.yandex.eu/auth/sso/commit
      • https://passport.yandex.fi/auth/sso/commit
      • https://passport.yandex.fr/auth/sso/commit
      • https://passport.yandex.kg/auth/sso/commit
      • https://passport.yandex.kz/auth/sso/commit
      • https://passport.yandex.lt/auth/sso/commit
      • https://passport.yandex.lv/auth/sso/commit
      • https://passport.yandex.md/auth/sso/commit
      • https://passport.yandex.pl/auth/sso/commit
      • https://passport.yandex.ru/auth/sso/commit
      • https://passport.yandex.tj/auth/sso/commit
      • https://passport.yandex.tm/auth/sso/commit
      • https://passport.yandex.ua/auth/sso/commit
      • https://passport.yandex.uz/auth/sso/commit
    5. Click Save.

Step 2. Configure user attribute mapping

  1. Go to Enterprise applications → All applications → <your application> → SAML-based Sign-on to map Azure Active Directory user attributes to the user attributes Yandex 360 expects.
  2. In the Attributes & Claims section, select Unique User Identifier (Name ID).
  3. In order for the user's first and last name to be displayed correctly in Yandex 360, enter user.mail in the Source attribute field of the Required claim settings group and click Save.
  4. In the Additional claims settings group, edit the following claims (or delete them and recreate them) so that each claim name is mapped to the source attribute shown:

    Claim name          Value
    User.EmailAddress   user.mail
    User.Firstname      user.givenname
    User.Surname        user.surname

    Example of the resulting attributes in the SAML response:

    <Attribute Name="User.EmailAddress">
        <AttributeValue>email@test.com</AttributeValue>
    </Attribute>
    <Attribute Name="User.Surname">
        <AttributeValue>Surname</AttributeValue>
    </Attribute>
    <Attribute Name="User.Firstname">
        <AttributeValue>Firstname</AttributeValue>
    </Attribute>

Step 3. Save the certificate

  1. Go to Enterprise applications → All applications → <your application> → SAML-based Sign-on.
  2. In the SAML Signing Certificate section, click Download next to the Certificate (Base64) parameter. Save the file to your hard drive.

    You can open the saved .cer file in any text editor.

Step 4. Collect the data to be sent to Yandex 360

To continue the setup process in Yandex 360, you will need the certificate you downloaded at Step 3 and the values of the following configuration parameters:

  • Login URL
  • Azure AD Identifier

To save the parameter values:

  1. Open Enterprise applications → All applications → <your application> → SAML-based Sign-on, and then go to Set up <application name>.
  2. Copy and save the values of the Login URL and Azure AD Identifier fields.

After that, proceed to setting up Yandex 360 for Business.

Troubleshooting

If the attribute values are configured incorrectly, an attempt to log in via SSO shows the "Login failed" message together with one of the following error codes:

email.no_in_response

Specify the attribute names in the format User.Firstname, User.Surname, User.EmailAddress. If you use a different format, such as Firstname, you will not be able to log in.

samlresponse.invalid

This error occurs if the login page URL, identity provider identifier (the Azure AD Identifier from Step 4), or verification certificate entered in Yandex 360 for Business is wrong. Check the SSO settings in Yandex 360 for Business.

unsupportable_domain

Make sure that the domain in the User.EmailAddress mail attribute in the SAML response is the same as your primary domain or one of the alias domains. If they don't match, you will get an error message.
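A pre-flight check that catches the two misconfigurations described in Step 2 and in this troubleshooting section before users hit them: claim names that are not in the User.EmailAddress / User.Firstname / User.Surname format, and an e-mail domain that is neither the primary domain nor an alias. This is an added example, not Yandex or Microsoft code; the two SAML responses embedded in it are constructed and trimmed to the Subject and AttributeStatement elements (no signature or Conditions, which Yandex Passport validates on its side), and the allowed-domain list is an assumption you replace with your own primary domain and aliases.

```python
"""Check the attribute statement of a SAML response against what Yandex 360
expects.  Added example, not part of the original page or of any vendor SDK."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names Yandex 360 requires (Step 2 of the page).
REQUIRED_CLAIMS = ("User.EmailAddress", "User.Firstname", "User.Surname")

# Constructed sample: the attribute statement Azure AD emits once the claims
# from Step 2 are renamed.  Signature and Conditions are omitted on purpose.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="User.EmailAddress"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.Firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.Surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample with both mistakes the page warns about: the first-name
# claim was left as "Firstname" and the mailbox is on a domain that is not
# registered in Yandex 360.
BAD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject><saml:NameID>jdoe@contoso.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="User.EmailAddress"><saml:AttributeValue>jdoe@contoso.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.Surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attributes(xml_text):
    """Return ({claim name: [values]}, NameID text or None) from a response."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    return attrs, (name_id.text.strip() if name_id is not None and name_id.text else None)


def check_response(xml_text, allowed_domains):
    """Return a list of (code, message) findings; an empty list means the
    response passes.  Codes reuse the page's error codes where the page ties
    a cause to one; "nameid.missing" is a label chosen here for the check on
    the Unique User Identifier that Step 2 maps to user.mail."""
    attrs, name_id = extract_attributes(xml_text)
    findings = []
    if name_id is None:
        findings.append(("nameid.missing", "Subject/NameID is absent; map it to user.mail"))
    for claim in REQUIRED_CLAIMS:
        if claim in attrs:
            continue
        # The page's example of the wrong format is the name without the
        # "User." prefix, so point at it explicitly when it is present.
        short = claim.split(".", 1)[1]
        hint = f" (found '{short}'; the name must be '{claim}')" if short in attrs else ""
        findings.append(("email.no_in_response", f"claim {claim} is missing{hint}"))
    email_values = attrs.get("User.EmailAddress", [])
    if email_values:
        domain = email_values[0].rpartition("@")[2].lower()
        if domain not in {d.lower() for d in allowed_domains}:
            findings.append(("unsupportable_domain",
                             f"domain '{domain}' is neither the primary domain nor an alias"))
    return findings


if __name__ == "__main__":
    # Assumed domain list: replace with your primary domain and its aliases.
    allowed = ["example.com"]
    for label, xml in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_response(xml, allowed) or "OK")
```

Feed it a decoded SAMLResponse captured from a test account's browser session (the Base64 form-post body decoded to XML) and compare the findings with the error code shown on the "Login failed" page; the domain list must contain exactly the primary domain and aliases configured in Yandex 360, since the comparison is an exact match, not a suffix match.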