Active Directory (ingliz tilidagi interfeys) sozlash

Yandex 360 xizmatlariga Active Directory federatsiya xizmati orqali yagona kirishni (SSO) tashkil etish uchun oldindan SAML ilovasini yaratish va sozlash kerak.

1-qadam. Tekshiruvchi tomon bilan ishonchli munosabat o‘rnating

  1. AD FS serveringizga kiring va Server Manager ruknini oching.

  2. Boshqaruv konsolini oching: ToolsAD FS Management tugmalarini bosing.

  3. Amallar ro‘yxatida Ishonchli tomon ishonchini qo‘shish bandini tanlang.

  4. Claims aware bandini tanlang va Start tugmasini bosing.

  5. Munosabatni avtomatik sozlash uchun Select Data Source bosqichida Import data about the relying party published online or on a local network bandini tanlang va URL manzilini kiriting: https://passport.yandex.ru/auth/sso/metadata.

    Next tugmasini bosing.

    Munosabatni qo‘lda qanday sozlash mumkin

    1. Select Data Source qadamida Enter data about the relying party manually bandini tanlang. Keyin Next tugmasini bosing.

    2. Munosabatga istalgan nom bering, masalan, “Yandex 360”. Next tugmasini bosing.

    3. Configure Certificate bosqichini o‘tkazib yuboring — buning uchun Next tugmasini bosing.

    4. Enable support for the SAML 2.0 WebSSO protocol belgilang va Xizmat URL manzilini ko‘rsating: https://passport.yandex.ru/auth/sso/commit. Next tugmasini bosing.

    5. https://yandex.ru/ identifikatorini qo‘shing (oxirida qiyshiq chiziq bo‘lishi shart) — uni maydonga joylashtiring va Add tugmasini bosing. Keyin Next tugmasini bosing.

    6. Choose Access Control Policy bandini tashlab keting.

  6. Ma’lumotlarni tekshiring. Advanced varag‘ida SHA-256 xeshlash algoritmi tanlanganini tekshiring. Agar hammasi joyida bo‘lsa, NextClose tugmasini bosing.

    Agar munosabatni avtomatik sozlashdan foydalangan bo‘lsangiz, darhol 3-qadamga o‘ting. Munosabatni qo‘lda yaratishda 2-qadamni bajaring.

2-qadam. Til domenlari uchun oxirgi nuqtalarni kiriting

Diqqat

1-qadamning 5-bandida munosabatlarni avtomatik sozlashni tanlagan bo‘lsangiz, bu qadamni o‘tkazib yuboring.

Agar xodimlaringiz Yandex 360 xizmatlaridan nafaqat rus domenida foydalansa, qo‘shimcha ravishda til domenlarining URL manzillarini oxirgi nuqtalar sifatida qo‘shing:

  1. Boshqaruv konsolida Trust RelationshipsRelying Party Trusts tugmasini bosing.

  2. 1-qadamda yaratilgan munosabat sozlamalarini oching — buning uchun uni ikki marta bosing.

  3. Endpoints varag‘iga kiring.

  4. Sizga kerakli oxirgi nuqtalarni qo‘shing.

    Til domeni uchun oxirgi nuqtani qo‘shish uchun Add SAML tugmasini bosing, Binding qiymatida POST ni tanlang va URL manzilini kiriting:

    • https://passport.yandex.com/auth/sso/commit — ingliz tili uchun;

    • https://passport.yandex.kz/auth/sso/commit — qozoq tili uchun;

    • https://passport.yandex.uz/auth/sso/commit — o‘zbek tili uchun;

    • https://passport.yandex.com.tr/auth/sso/commit — turk tili uchun.

    To‘liq ro‘yxat

    • https://passport.yandex.com/auth/sso/commit

    • https://passport.yandex.az/auth/sso/commit

    • https://passport.yandex.by/auth/sso/commit

    • https://passport.yandex.co.il/auth/sso/commit

    • https://passport.yandex.com/auth/sso/commit

    • https://passport.yandex.com.am/auth/sso/commit

    • https://passport.yandex.com.ge/auth/sso/commit

    • https://passport.yandex.com.tr/auth/sso/commit

    • https://passport.yandex.ee/auth/sso/commit

    • https://passport.yandex.eu/auth/sso/commit

    • https://passport.yandex.fi/auth/sso/commit

    • https://passport.yandex.fr/auth/sso/commit

    • https://passport.yandex.kg/auth/sso/commit

    • https://passport.yandex.kz/auth/sso/commit

    • https://passport.yandex.lt/auth/sso/commit

    • https://passport.yandex.lv/auth/sso/commit

    • https://passport.yandex.md/auth/sso/commit

    • https://passport.yandex.pl/auth/sso/commit

    • https://passport.yandex.ru/auth/sso/commit

    • https://passport.yandex.tj/auth/sso/commit

    • https://passport.yandex.tm/auth/sso/commit

    • https://passport.yandex.uz/auth/sso/commit

    Keyin OK tugmasini bosing.

3-qadam. Claims Mapping sozlash

Fikrlarni taqqoslashni sozlash uchun atributni ko‘rsatish kerak. U foydalanuvchini Yandex ID orqali identifikatsiya qilish uchun ishlatiladi. Siz atributni tanlaganingizdan so‘ng, uni o‘zgartirish mumkin bo‘lmaydi.

  • Agar foydalanuvchilar kirishi uchun nomlar o‘zgarmasa, “UPN” atributini ko‘rsating.

  • Agar tashkilotingizda foydalanuvchilarning UPN o‘zgarishiga olib kelishi mumkin bo‘lgan domen yoki biznes jarayonlarini o‘zgartirish rejalashtirilgan bo‘lsa, boshqa atribut: “objectSID,” “objectGUID” yoki boshqasini tanlashingiz kerak bo‘ladi.

Atributni qanday ko‘rsatish kerak:

  1. Trust Relationships blokida sichqonchaning o‘ng tugmasi bilan 1-qadamda yaratilgan munosabatni bosing va Edit Claim Issuance Policy bandini tanlang.

  2. Add Rule tugmasini bosing.

  3. Claim rule template sifatida Transform an Incoming Claim bandini tanlang va Next tugmasini bosing.

  4. “NameID” kabi istalgan qoida nomini o‘ylab toping va uni Claim rule name maydonida ko‘rsating.

    Outgoing claim type maydonida Name ID bandini tanlang. Finish tugmasini bosing.

  5. Yana qoida yarating: yana Add Rule tugmasini bosing. Send LDAP Attributes as Claims andozani tanlang va Next tugmasini bosing.

  6. Qoidaga nom bering, masalan, “LDAPATTR”. Qolgan maydonlarni quyida ko‘rsatilgandek to‘ldiring.

    Keyin Finish tugmasini bosing.

    Atribut nomlari format va registrga sezgir. Nomlarni rasmdagidek ko‘rsating: User.Firstname, User.Surname, User.EmailAddress. Aks holda, avtorizatsiyada xatoliklar yuzaga kelishi mumkin, masalan, email.no_in_response.

  1. Trust Relationships blokida sichqonchaning o‘ng tugmasi bilan 1-qadamda yaratilgan munosabatni bosing va Edit Claim Issuance Policy bandini tanlang.

  2. Add Rule tugmasini bosing. Send LDAP Attributes as Claims andozani tanlang va Next tugmasini bosing.

  3. Qoidaga nom bering, masalan, “LDAPATTR”. Qolgan maydonlarni quyida ko‘rsatilgandek to‘ldiring. “Name ID” turi qarshisida “objectGUID,” “objectSID” yoki boshqa atributni ko‘rsating.

    Keyin Finish tugmasini bosing.

    Atribut nomlari format va registrga sezgir. Nomlarni rasmdagidek ko‘rsating: User.Firstname, User.Surname, User.EmailAddress. Aks holda, avtorizatsiyada xatoliklar yuzaga kelishi mumkin, masalan, email.no_in_response.

4-qadam. Yandex 360 platformasiga uzatilishi kerak bo‘lgan ma’lumotlarni to‘plang

Kirish URL

Kirish nuqtasi manzili. Qoida tariqasida bu https://domen/adfs/ls.

Boshqaruv panelida Endpoints oching va Proxy Enabled parametri uchun /adfs/ls/ Yes qiymati o‘rnatilganligiga ishonch hosil qiling. Bu parametr tashqaridan kirish mumkin bo‘lishi kerak bo‘lgan AD FS autentifikatsiya sahifasini faollashtirish uchun javobgardir — https://domen_ADFS/adfs/ls/idpinitiatedsignon.aspx manzili.

Sertifikatlar provayderi nashriyoti

Domen Entity ID. Qoida tariqasida bu http://domen/adfs/services/trust.

Uni olish uchun boshqaruv konsolida Action varag‘iga o‘ting va Federation Service Properties bandini tanlang.

Kerakli qiymat Federation Service identifier maydonida joylashgan.

Tekshiruv sertifikati

X.509 formatidagi tokenlar imzosining Base64 dagi sertifikati. Olish uchun:

1. Boshqaruv konsolida Certificates oching.

2. Token-signing sertifikatingizni ikki marta bosing.

3. Details varag‘iga o‘ting va Copy to File tugmasini bosing.

4. Sertifikat turini tanlang Base-64 encoded X.509 (.CER) va Next tugmasini bosing.

5. Faylni qattiq diskka saqlab oling.

Agar sizda ikkita faol token imzosi sertifikati bo‘lsa va hozir qaysi sertifikat ishlatilayotganini aniq bilmasangiz, ikkinchi sertifikat uchun xuddi shunday harakatlarni takrorlang.

5-qadam. SCIM xodimlarini sinxronlashni sozlang

Standart bo‘yicha yangi xodimlar Yandex 360 platformasida faqat birinchi avtorizatsiyadan keyin paydo bo‘ladi, sobiq xodimlarni esa qo‘lda o‘chirish kerak. Agar AD FS xodimlar ro‘yxatini biznes uchun Yandex 360 bilan avtomatik sinxronlamoqchi bo‘lsangiz, SCIM sinxronizatsiyasini yoqing.

Sozlash bilan aloqador muammolar

Agar atributlarning qiymatlari noto‘g‘ri ko‘rsatilgan bo‘lsa, SSO orqali kirishda “Avtorizatsiya muvaffaqiyatsiz” xabarini va xato kodini ko‘rasiz:

email.no_in_response

User.Firstname, User.Surname, User.EmailAddress formatida atribut nomlari kiriting. Agar boshqa format, masalan, Ism berilsa, avtorizatsiya qilinmaydi.

request_your_admin

Agar tashkilotingiz foydalanuvchilari katalogi administratori, masalan, Active Directory yoki Keycloak, hisob uchun Yandex 360 tizimi‘ga kirishni cheklagan bo‘lsa, xatolik paydo bo‘ladi. Batafsil ma’lumot olish uchun tashkilotingizning texnik yordam mutaxassislariga murojaat qiling.

samlresponse.invalid

Agar kirish sahifasi URL, guvohnomalar emitenti yoki tekshiruv sertifikati noto‘g‘ri ko‘rsatilgan bo‘lsa, xatolik yuz beradi. Shuningdek, u tekshiruv sertifikatining amal qilish muddati tugashidan oldin yoki uning amal qilish muddati tugagandan keyin 14 kun ichida yuzaga kelishi mumkin. Biznes uchun Yandex 360 SSO sozlamalari to‘g‘riligini tekshiring.

unsupportable_domain

User.EmailAddress pochta atributidagi domen SAML javobidagi asosiy domen yoki Yandex 360 tashkilotining alias domenlaridan biri bilan bir xil ekanligini tekshiring.
Yordam xizmatiga yozish

Turli tizimlar va ilovalarga ruxsat uchun yagona kirishni tashkillashga imkon beradigan Microsoft kompaniyasidan texnologiya. Active Directory federatsiyasi xizmatlari sharhi

Avvalgisi
Active Directory sozlanishi
Keyingisi
Azure Active Directory sozlanishi