Configure Keycloak version 18

1. Log in to the Keycloak admin account.
2. Open the management console by clicking Administration Console.
3. Create a SAML application:

   1. In the panel on the left, select Clients and click Create.
   2. In the Client ID field, enter https://yandex.ru/ (with a slash at the end).
   3. In the Client Protocol field, enter saml.
   4. In the Client SAML Endpoint field, enter Service URL: https://passport.yandex.ru/auth/sso/commit. Click Save.
4. On the Settings tab, set up the parameters of the SAML application:

   1. In the Name field, specify the name of the application (for example, yandex360).
   2. Disable the Client Signature Required option if it is enabled.
   3. Leave options that are filled in by default (Enabled, Include AuthnStatement, Sign Documents, and so on) unchanged.
   4. In the Name ID Format field, select "email". In order for the selected format to be used regardless of the Yandex 360 settings, enable the Force Name ID format option.

      Note.

      The NameID value is used to identify the user in Yandex ID and cannot be changed. If you change your UPN, set one of the immutable user attributes as NameID in your LDAP directory.

      If you need a customizable NameID, set it by default in the user attribute mapping settings: in the Mappers menu, create a new User Attribute Mapper For NameID.
   5. In the Valid Redirect URIs, Base URL, and Master SAML Processing URL fields, enter Service URL: https://passport.yandex.ru/auth/sso/commit. Click Save.
   6. If your employees use Yandex 360 services not only on the Russian domain, add the URLs with language-specific domains as endpoints to the Valid Redirect URIs field.

      

      Endpoints for language-specific domains:

      • https://passport.yandex.com/auth/sso/commit (for English)
      • https://passport.yandex.kz/auth/sso/commit (for Kazakh)
      • https://passport.yandex.uz/auth/sso/commit (for Uzbek)
      • https://passport.yandex.com.tr/auth/sso/commit (for Turkish)

      Full list

      • https://passport.yandex.com/auth/sso/commit
      • https://passport.yandex.az/auth/sso/commit
      • https://passport.yandex.by/auth/sso/commit
      • https://passport.yandex.co.il/auth/sso/commit
      • https://passport.yandex.com/auth/sso/commit
      • https://passport.yandex.com.am/auth/sso/commit
      • https://passport.yandex.com.ge/auth/sso/commit
      • https://passport.yandex.com.tr/auth/sso/commit
      • https://passport.yandex.ee/auth/sso/commit
      • https://passport.yandex.eu/auth/sso/commit
      • https://passport.yandex.fi/auth/sso/commit
      • https://passport.yandex.fr/auth/sso/commit
      • https://passport.yandex.kg/auth/sso/commit
      • https://passport.yandex.kz/auth/sso/commit
      • https://passport.yandex.lt/auth/sso/commit
      • https://passport.yandex.lv/auth/sso/commit
      • https://passport.yandex.md/auth/sso/commit
      • https://passport.yandex.pl/auth/sso/commit
      • https://passport.yandex.ru/auth/sso/commit
      • https://passport.yandex.tj/auth/sso/commit
      • https://passport.yandex.tm/auth/sso/commit
      • https://passport.yandex.uz/auth/sso/commit

1. On the Scope tab, disable the Full Scope Allowed option.
2. Go to the Mappers tab and click Add Builtin.
3. Check the attributes in the list and click Add selected:

   • X500 email: Email address.
   • X500 surname: Last name.
   • X500 givenName: First name.

   

4. Set up syncing of Keycloak and Yandex 360 attributes by opening each attribute and changing the value of SAML Attribute Name. The SAML Attribute Name values that are supported in Yandex 360 are listed below.

   SAML Attribute Name	Value
   User.EmailAddress	X500 email
   User.Firstname	X500 givenName
   User.Surname	X500 surname

   SAML Attribute Name	Value
   User.EmailAddress	X500 email
   User.Firstname	X500 givenName
   User.Surname	X500 surname

   The resulting attribute mapping will look like this:

   

   

   

The SAML response should look like this:

<Attribute Name="User.EmailAddress">
    <AttributeValue>email@test.com</AttributeValue>
</Attribute>
<Attribute Name="User.Surname">
    <AttributeValue>Surname</AttributeValue>
</Attribute>
<Attribute Name="User.Firstname">
    <AttributeValue>Firstname</AttributeValue>
</Attribute>

Login page URL

Entry point address.

To get it:

1. In the management console on the left panel, select Realm Settings and click SAML 2.0 Identity Provider Metadata.

   

2. Copy the value of the Location field.

   

Identity provider publisher

Domain entity ID.

You can get one the same way as the login page URL. It is located in the entityID field.

Verification certificate

X.509 token-signing certificate.

You can get one the same way as the login page URL. It is located in the X509Certificate field.

You can also copy the certificate from the Keys tab:

1. Go to line RS256.
2. Copy the contents of the Certificate field.

If you have two active token-signing certificates and you are not sure which certificate is currently being used, repeat the same actions for the second certificate.

After that, proceed to setting up Yandex 360 for Business.

If you enter invalid attribute values, when trying to log in via SSO you will see the "Login failed" message and one of the following error codes:

email.no_in_response

Specify the attribute names in the format User.Firstname, User.Surname, User.EmailAddress. If you use a different format, such as Firstname, you will not be able to log in.

samlresponse.invalid

This error occurs if you entered an invalid login page URL, identity provider publisher, or verification certificate. Check the SSO settings in Yandex 360 for Business.

unsupportable_domain

Make sure that the domain in the User.EmailAddress mail attribute in the SAML response is the same as your primary domain or one of the alias domains. If they don't match, you will get an error message.