Azure Active Directory (ingliz tilidagi interfeys) sozlash

Yandex 360 xizmatlariga Azure Active Directory orqali yagona kirishni (SSO) tashkil etish uchun oldindan SAML ilovasini yaratish va sozlash kerak.

1-qadam. SAML ilovasini yarating va sozlang

  1. Azure Active Directory boshqaruv markaziga kiring.

  2. Azure Active Directory bo‘limida panelning chap tomonidagi Enterprise applications varag‘iga o‘ting.

  3. SAML ilovasini yarating:

    1. New application tugmasini bosing.

    2. Browse Azure AD Gallery sahifasida Create your own application tugmasini bosing.

    3. Ochilgan oynaning o‘ng qismida ilova nomini kiriting, masalan, yandexsso.

    4. Ilova variantini tanlang: Integrate any other application you don't find in the gallery (Non-gallery).

    5. Create tugmasini bosing.

    Enterprise applications sahifasida All applications ro‘yxatida yaratilgan ilova qo‘shiladi.

  4. Ro‘yxatda ilovangizni tanlang.

    Agar yagona kirishdan (SSO) foydalana oladigan foydalanuvchilarni maxsus tayinlashni xohlamasangiz, Properties varag‘ida Assign Required parametri uchun No qiymatini tanlang. Sozlamalarni saqlash uchun varaq yuqorisidagi Save tugmasini bosing.

    Yagona kirishdan (SSO) foydalanish uchun alohida foydalanuvchilarni tayinlash uchun Properties varag‘ida Assign Required parametri uchun Yes qiymatini tanlang. Keyin Foydalanuvchilar va guruhlar varag‘iga o‘ting, Foydalanuvchi yoki guruh qo‘shish tugmasini bosing va kerakli foydalanuvchilarni kiriting.

  5. Single sign-on varag‘iga kiring va SAML yagona kirish usulini tanlang.

  6. Set up Single Sign-On with SAML oynasida Basic SAML Configuration bo‘limida Edit tugmasini bosing va parametrlarni o‘rnating:

    1. Identifier (Entity ID): https://yandex.ru/ (albatta oxirida qiyshiq chiziq bilan).

    2. Reply URL (Assertion Consumer Service URL): https://passport.yandex.ru/auth/sso/commit.

    3. Sign on URL (majburiy bo‘lmagan parametr): https://passport.yandex.ru/auth/sso/commit.

    4. Agar xodimlaringiz xizmatlardan faqat rus tilida foydalanmasa, Reply URL (Assertion Consumer Service URL) va Sign on URL maydonlarida qo‘shimcha ravishda boshqa til domenlarining URL manzillarini kiriting. Masalan:

      https://passport.yandex.com/auth/sso/commit — ingliz tili uchun;

      https://passport.yandex.kz/auth/sso/commit — qozoq tili uchun;

      https://passport.yandex.uz/auth/sso/commit — o‘zbek tili uchun;

      https://passport.yandex.com.tr/auth/sso/commit — turk tili uchun.

      To‘liq ro‘yxat

      https://passport.yandex.com/auth/sso/commit

      https://passport.yandex.az/auth/sso/commit

      https://passport.yandex.by/auth/sso/commit

      https://passport.yandex.co.il/auth/sso/commit

      https://passport.yandex.com/auth/sso/commit

      https://passport.yandex.com.am/auth/sso/commit

      https://passport.yandex.com.ge/auth/sso/commit

      https://passport.yandex.com.tr/auth/sso/commit

      https://passport.yandex.ee/auth/sso/commit

      https://passport.yandex.eu/auth/sso/commit

      https://passport.yandex.fi/auth/sso/commit

      https://passport.yandex.fr/auth/sso/commit

      https://passport.yandex.kg/auth/sso/commit

      https://passport.yandex.kz/auth/sso/commit

      https://passport.yandex.lt/auth/sso/commit

      https://passport.yandex.lv/auth/sso/commit

      https://passport.yandex.md/auth/sso/commit

      https://passport.yandex.pl/auth/sso/commit

      https://passport.yandex.ru/auth/sso/commit

      https://passport.yandex.tj/auth/sso/commit

      https://passport.yandex.tm/auth/sso/commit

      https://passport.yandex.ua/auth/sso/commit

      https://passport.yandex.uz/auth/sso/commit

    5. Save tugmasini bosing.

2-qadam. Foydalanuvchi atributlarini taqqoslashni sozlang

  1. Foydalanuvchi atributlarini Azure Active Directory va Yandex 360 bilan sinxronlash uchun Enterprise applicationsAll applicationsSAML-based Sign-on rukniga kiring.

  2. Attributes & Claims bo‘limida Unique User Identifier (Name ID) bandini tanlang.

  3. Foydalanuvchining ismi va familiyasi Yandex 360 platformasida bexato ko‘rsatilishi uchun Required claim sozlamalar guruhining Source attribute maydoniga user.mail kiriting, keyin esa Save tugmasini bosing.

  4. Additional claims sozlamalar guruhida mavjud da’volarni o‘zgartiring yoki ularni o‘chirib tashlang va qaytadan yarating:

    Claim name

    Value

    User.EmailAddress

    user.mail

    User.Firstname

    user.givenname

    User.Surname

    user.surname

    SAML so‘rov namunasi:

    <Attribute Name="User.EmailAddress">
   <AttributeValue>email@test.com</AttributeValue>
</Attribute>
<Attribute Name="User.Surname">
   <AttributeValue>Surname</AttributeValue>
</Attribute>
<Attribute Name="User.Firstname">
   <AttributeValue>Firstname</AttributeValue>
</Attribute>

3-qadam. Sertifikatni saqlab oling

  1. Enterprise applications → All applications →  → SAML-based Sign-on rukniga kiring.

  2. SAML Signing Certificate bo‘limida Certificate (Base64) parametri yonida Download tugmasini bosing. Faylni qattiq diskka saqlab oling.
    .cer kengaytmali saqlangan faylni istalgan matn muharririda ochish mumkin.

4-qadam. Yandex 360 platformasiga uzatilishi kerak bo‘lgan ma’lumotlarni to‘plang

Keyinchalik Yandex 360 platformasida sozlash uchun sizga 3-bosqichda olingan sertifikat va konfiguratsiya parametrlarining qiymatlari kerak bo‘ladi:

  • Login URL

  • Azure AD Identifier

Parametr qiymatini saqlash uchun:

  1. Enterprise applications → All applications →  → SAML-based Sign-onSet up bo‘limiga o‘ting.

  2. Istalgan qulay joyga Login URL va Azure AD Identifier maydonlari qiymatini nusxalang.

Bundan keyin Biznes uchun Yandex 360 sozlashga o‘ting.

Sozlama bilan aloqador muammolarni hal qilish

Agar sertifikat provayderini sozlash jarayonida noto‘g‘ri qiymatlar berilgan bo‘lsa, SSO orqali kirishga uringaningizda “Avtorizatsiya muvaffaqiyatsiz” xabarini va xato kodini ko‘rasiz:

email.no_in_response

User.Firstname, User.Surname, User.EmailAddress formatida atribut nomlari kiriting. Agar boshqa format, masalan, Ism berilsa, avtorizatsiya qilinmaydi.

request_your_admin

Tashkilotingiz foydalanuvchilari katalogi administratori hisob uchun Yandex 360 platformasiga kirishni cheklagan bo‘lsa, xatolik yuz beradi. Batafsil ma’lumot olish uchun tashkilotingizning texnik yordam mutaxassislariga murojaat qiling.

samlresponse.invalid

Agar kirish sahifasi URL, guvohnomalar emitenti yoki tekshiruv sertifikati noto‘g‘ri ko‘rsatilgan bo‘lsa, xatolik yuz beradi. Shuningdek, u tekshiruv sertifikatining amal qilish muddati tugashidan oldin yoki uning amal qilish muddati tugagandan keyin 14 kun ichida yuzaga kelishi mumkin. Biznes uchun Yandex 360 SSO sozlamalari to‘g‘riligini tekshiring.

unsupportable_domain

User.EmailAddress pochta atributidagi domen SAML javobidagi asosiy domen yoki Yandex 360 tashkilotining alias domenlaridan biri bilan bir xil ekanligini tekshiring. Agar ular mos kelmasa, xato haqida xabar ko‘rasiz.
Yordam xizmatiga yozish
Avvalgisi
Azure Active Directory sozlanishi
Keyingisi
Keycloak 18-versiyasini sozlash