How to enable single sign-on (SSO)
If you have an identity provider connected and configured, you can connect it to Yandex 360. To do this, you need to configure identity federation and then set up Yandex 360 for Business.
Requirements for organizations
To set up single sign-on (SSO), make sure that your organization:
- Has a linked domain (only one).
- Has no employee accounts created on the company's domain. Domain accounts have addresses like [email protected], where @example.com is the name of your company (domain). These accounts are added manually by the company's admin on the Employees tab.
If you have several companies in Yandex 360 for Business, single sign-on (SSO) is simultaneously enabled for all companies.
Disabling single sign-on (SSO) works the same way. If you switch to the Basic plan in one of your companies, single sign-on (SSO) will be disabled for all your companies.
Step 1. Configure identity federation
For your identity federation to be able to interact with Yandex 360, you need to configure it.
See the instructions on how to do this for different identity providers:
If you have another identity provider, check out its documentation. You can also use our instructions as an example. When configuring your identity provider, be sure to specify the following parameters:
- Service URL: https://passport.yandex.ru/auth/sso/commit.
- ID: https://yandex.ru/ (with a slash at the end).
If your employees use services not only in Russian, add the URLs with other language-specific domains as POST endpoints. For example:
- https://passport.yandex.com/auth/sso/commit (for English)
- https://passport.yandex.kz/auth/sso/commit (for Kazakh)
- https://passport.yandex.uz/auth/sso/commit (for Uzbek)
- https://passport.yandex.com.tr/auth/sso/commit (for Turkish)
Full list:
- https://passport.yandex.az/auth/sso/commit
- https://passport.yandex.by/auth/sso/commit
- https://passport.yandex.co.il/auth/sso/commit
- https://passport.yandex.com/auth/sso/commit
- https://passport.yandex.com.am/auth/sso/commit
- https://passport.yandex.com.ge/auth/sso/commit
- https://passport.yandex.com.tr/auth/sso/commit
- https://passport.yandex.ee/auth/sso/commit
- https://passport.yandex.eu/auth/sso/commit
- https://passport.yandex.fi/auth/sso/commit
- https://passport.yandex.fr/auth/sso/commit
- https://passport.yandex.kg/auth/sso/commit
- https://passport.yandex.kz/auth/sso/commit
- https://passport.yandex.lt/auth/sso/commit
- https://passport.yandex.lv/auth/sso/commit
- https://passport.yandex.md/auth/sso/commit
- https://passport.yandex.pl/auth/sso/commit
- https://passport.yandex.ru/auth/sso/commit
- https://passport.yandex.tj/auth/sso/commit
- https://passport.yandex.tm/auth/sso/commit
- https://passport.yandex.uz/auth/sso/commit
Get the login page URL, your identity provider ID, and the X.509 verification certificate. You'll need them in the next step.
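Added example (not part of Yandex's documentation): a pre-flight check of the values entered on the identity provider side against the parameters listed in Step 1. The function name check_sp_settings and the sample inputs are hypothetical; the expected ID, service URL, and domain list are taken from this page.

```python
from urllib.parse import urlsplit

# Values taken from this page.
EXPECTED_ID = "https://yandex.ru/"  # the trailing slash is required
PRIMARY_ACS = "https://passport.yandex.ru/auth/sso/commit"
ACS_PATH = "/auth/sso/commit"
# Domain suffixes from the page's full list of passport.yandex.* endpoints.
SUFFIXES = {"az", "by", "co.il", "com", "com.am", "com.ge", "com.tr", "ee",
            "eu", "fi", "fr", "kg", "kz", "lt", "lv", "md", "pl", "ru",
            "tj", "tm", "uz"}
ALLOWED_HOSTS = {f"passport.yandex.{s}" for s in SUFFIXES}


def check_sp_settings(entity_id, acs_urls):
    """Return a list of problems in the values entered on the IdP side."""
    problems = []
    if entity_id != EXPECTED_ID:
        hint = " (missing trailing slash)" if entity_id + "/" == EXPECTED_ID else ""
        problems.append(f"ID must be exactly {EXPECTED_ID!r}{hint}: {entity_id!r}")
    if PRIMARY_ACS not in acs_urls:
        problems.append(f"service URL {PRIMARY_ACS} is not configured")
    for url in acs_urls:
        u = urlsplit(url)
        if u.scheme != "https":
            problems.append(f"not HTTPS: {url}")
        # Exact host match: a suffix or substring test would accept lookalikes
        # such as passport.yandex.com.example.net. u.netloc keeps any ':port'
        # or userinfo, so those are rejected as well.
        if u.netloc.lower() not in ALLOWED_HOSTS:
            problems.append(f"host not in the documented list: {url}")
        if u.path != ACS_PATH or u.query or u.fragment:
            problems.append(f"path must be exactly {ACS_PATH}: {url}")
    return problems


if __name__ == "__main__":
    # Constructed sample: what an admin might have typed into the IdP.
    sample_id = "https://yandex.ru"
    sample_acs = [
        "https://passport.yandex.ru/auth/sso/commit",
        "http://passport.yandex.kz/auth/sso/commit",
        "https://passport.yandex.com.example.net/auth/sso/commit",
    ]
    for problem in check_sp_settings(sample_id, sample_acs):
        print("FAIL:", problem)
```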
Step 2. Set up Yandex 360 for Business
- Open Yandex 360 for Business.
- Go to the Single sign-on (SSO) tab.
- Click Set up.
- Fill in the fields with the required parameters:
  - Login page URL: SAML 2.0 endpoint URL.
  - Identity provider publisher: IdP subject ID.
  - Verification certificate: Certificate issued by your identity provider.
    If the current certificate expires soon, you can add a second one to replace it. To do so, click Add second certificate for updating.
- For AD FS: To update the list of employees in Yandex 360 automatically, set up synchronization and specify your application ID in the SCIM Synchronization section.
- Save changes.
- Click Enable.
Step 3. Check authentication
- Open your browser in guest or incognito mode.
- Go to passport.yandex.com/auth, enter the account from the identity provider and click Log in. If everything is configured correctly, you will be redirected to the login page that you specified in Step 2.
SSO restrictions
After you enable single sign-on (SSO), you won't be able to import employees and move departments.
If you connect the ADSCIM utility, you won't be able to manage mailbox aliases through the Yandex 360 for Business interface.