Overview of configuring Yammer SSO & Directory SyncBrian LyttleSupport Escalation EngineerMicrosoft

SPC368

AgendaIdentity management

Yammer user and network internals

DemonstrationSingle Sign-On with SAML

Best Practices Wrap upUser provisioning with Directory Sync

Demonstration

Identity management

Identity managementHidden at the core of an enterprise Yammer launchImpacts your ability to create a trusted communityFundamentally a political challenge, and many SharePoint User Profile Sync talks have touched on this fact

Primary outputs

EngagementAn engaged user is “anyone who purposefully uses Yammer within a given time period”

Engagement needs to occur across silos to achieve success

Users engage more when it’s simple, and the environment is trusted

ComplianceDriven by the external environment, and the internal organizationAbout keeping bad guys out while enabling employees, contractors, and agents

DSync or SSO, or both?

Directory Sync

Single Sign-On

Sweet spot

Provisioning Authentication

User and network internals

External NetworkCollaboration

Networks are containers for users and groupsHome networks are associated with one, or more company email domainsExternal networks operate independently of email domain

Networks

con

toso

.com

Customer Network

Marketing

R&D Partnerships

Alumni

nort

hw

ind

.com

Press and Media

Northwind and AdventureWorks Collaboration

Guest Collaboration

UsersAlways belong to a home (canonical) networkSometimes users are members of an external networkGuests get direct access to other home networksExist in a limited number of states during lifetime

Pending

ActiveSuspende

dDeleted

User profiles

User confirms email, enters name, chooses a password, uploads a “mugshot”, and selects some groups.

An initial engagement point for end users

Limited administrator controls

Users have control over the values that appear in their profile

Mass updates to user profiles

Available to verified administrators in YammerProfiles can be created with a default password

Bulk update Yammer User API

Requires code, but allows integration with exotic identity systems

Single sign-on

SSO benefits

The same credentials used in the enterprise are used by YammerMakes multi-factor authentication a possibility

Federation User convenience

A single set of credentials to remember

Expected, but absent

Yammer delegates this responsibility to Directory Sync

Attribute exchange WS-Federation

SAML is the supported protocolADFS, Azure AD, and many other identity providers support this standard

Deployment processProvide identity provider metadata

Test SSO

Make email address changesActivate SSO

Process is not self-serviceIf you have a SAML 2.0 Identity Provider then configuration is pretty straightforwardTests happen against your Yammer network at a scheduled time

Frontline workersThese are kiosk workers who may not have email, but often have mobile devicesUsing SSO it is possible to enable “Users Without Emails” (UWE) modeMixed mode is possible in the same networkOnly some identity providers (IdPs) support this configuration

Enabling UWE with ADFSAdd email to the incoming claim

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/wind…", Issuer == "AD AUTHORITY"]=> add(store = "Active Directory", types = ("email"), query = ";mail;{0}", param = c.Value);

Add employee ID to the incoming claim

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/wind…", Issuer == "AD AUTHORITY"]=> add(store = "Active Directory", types = ("employee_id"), query = ";customAttribute;{0}", param = c.Value);

Add no_email flag to the incoming claim

NOT exists([Type == "email"])=> add(Type = "no_email", Value = "true");

Send employee ID if no_email flag set 

c1:[Type == "no_email"]&& c2:[Type == "employee_id"]=> issue(Type = "SAML_SUBJECT", Value = c2.Value);

Send email if it exists

c:[Type == "email"] => issue(Type = "SAML_SUBJECT", Value = c.Value);

CreditEvan WeissJeremy Chamilliard

Applications and SSOYammer Embed is SSO-aware and will redirect usersMobile applications support SSO using an in-app web browserLegacy apps require a temporary password available from the App Directory after authenticationDevelopers should specify the network permalink to kick off SSO flow when authorizing an app

Single sign-on with Azure Active DirectoryDemo

User provisioning with Directory Sync

Core Functions

Custom invite and welcome emails

Adds and invitations

Prepopulate user profile fieldsOverwrite upon update to AD

Profile updates

Suspend users when they are disabled or deleted in AD

Suspensions

Expected, but absent

Not a good fit for a social scenario where users are empowered to create groups that fit with their workflow

Group synchronization User profile lockdown

Users are always identifiableAD is optimal for the pre-population of fieldsDefault settings respect values users have entered in Yammer

Installs on a single serverNo database requiredAD and LDAP expertise required to configure custom filters (queries)First sync sends all data, subsequent syncs are incremental

Deploying Directory SyncInstall Directory Sync

Connect to Yammer

Connect to AD

Validate user queries

Enable syncs

Yammer Directory Sync

Demo

Keep these simpleStart by querying for emails belonging to just your domainsFilters are automatically added for objectCategory and objectClassDifficult to exclude users

Custom queries// A good startmail=*@contoso.com

// Multiple domains, merged network(&(mail=*@contoso.com)(mail=*@contoso.co.uk))

// Redundant query(&(objectCategory=person)(objectClass=user)(mail=*))

// Is this replicated in AD?(&(mail=*@contoso.com)(!customAttribute=E))

Create a query for each OU with a GUID identifierSpecify an LDAP filterProvide a naming context for each OUSet ShowDeleted to false

Querying multiple OUs"Queries": [ { "Id": "a92b0946-5ea9-42c3-9541-736863f39d29", "Filter": "mail=*@consoso.com", "OverrideRootNamingContext": "OU=France,DC=contoso,DC=com", "ShowDeleted": false }, { "Id": "6bb94cbb-f9bb-46ab-a78b-58eae0f23836", "Filter": "mail=*@contoso.com", "OverrideRootNamingContext": "OU=Germany,DC=contoso,DC=com", "ShowDeleted": false }, { "Id": "33bf59b3-ecfe-41cb-899f-7d85e1eb0dee", "Filter": "", "OverrideRootNamingContext": "<WKGUID=ELIDED,DC=contoso,DC=com>", "ShowDeleted": true }]

USN-Changed is captured for each query after a successful syncThese values are used for subsequent LDAP queriesRemoving the incremental query cursor file forces a full sync

Incremental syncs{ "35ac4db9-c0ab-4cab-8cc6-6276ef3a7931": { "PropertyName": "usnchanged", "LastValue": 270047611 }, "f7d21d81-87c8-4c11-9f06-6dc095f881cf": { "PropertyName": "usnchanged", "LastValue": 269749469 } "371eff67-0ce8-4e1e-bba3-c7a98982552a": { "PropertyName": "usnchanged", "LastValue": 279149469 } "ec7829ef-a25c-47e8-8ff4-f0d6552b6a74": { "PropertyName": "usnchanged", "LastValue": 270849469 }}

Located at C:\ProgramData\Yammer\DirSync

Configuration and log files

File Purpose

globalsettings.config.json Main settings file for Directory Sync

lastvalidation.json Output from the last validation

incrementalquerycursors.config.json

Stores cursor position for incremental syncs

service.log Log for the Windows Service

ui.log Log for the User Interface

Service and UI executable configuration files in C:\Program Files (x86)\Yammer\Directory Sync allow you control log output settings.

Best practices

Planning

Will disturb few workersAn opportunity to give a better first experience with SSO

New Network Established Network

Always start with SSOImplement Directory Sync in suspend-only mode initiallyEnable adds and updates later

Best practices for SSO

Support mobile devices

Ensure your identity provider supports failover

Involve a range of users in testing

Test from inside and outside your network

Prepare appropriate communications for users

Email mismatches between Yammer and the SAML assertion can happen. This can be detected and fixed ahead of time.

Best practices for Directory Sync

Become friends with your Active Directory administrator(s)

Customize the activation and welcome emails

Understand and review the validation report

Include only users with email addresses matching your domain(s)

Prepare for DR with a standby instance

Understand attribute mappings and preferences, and how these will impact your Yammer Network

Document configuration for transition to BAU

Wrap up

Identity futures

Users can access Yammer from O365 without logging into Yammer

Simplified login

Users can more easily move between Yammer and O365

O365 navigation

Being looked at, but this is a long term item

Yammer Directory Sync replacement

Recommendations1. Implement Yammer SSO and Directory Sync

now2. Go with SSO before Directory Sync*3. Use a simple Directory Sync configuration4. Merge to avoid operating multiple Yammer

networks.5. Follow the Yammer Release Schedule for

identity updates

Single Sign-On

http://success.yammer.com/integrations/single-sign-on/

Directory Sync

http://success.yammer.com/integrations/directory-sync/

Documentation

#SPC14

Enterprise Social

Relate

d Content

See you at the 2 Social booth & 3 Social tables at Asks the Experts WED @6:15!

Session Session Room Time

A responsive organization stays ahead of the competition SPC104 Delphino 4001 MON 2:00

Trek Bikes: pedaling past complex collaboration problems in the enterprise

SPC386 Delphino 4005 MON 2:00Microsoft's vision and roadmap for Enterprise Social SPC282 Delphino 4005 MON 3:45

Microsoft: Our Enterprise Social Journey SPC280 Lido 3001 MON 3:45Nationwide: Building a World-Renowned Intranet with SP 2013 & Yammer

SPC311 Murano 3204 TUE 9:00Real-world, best practices for making enterprise social successful SPC239 Delphino 4005 TUE 9:00Make your SharePoint portal social in 1-2-3! SCP378 Palazzo M, N TUE 9:00Overview of Yammer app development SPC332 Palazzo O, P TUE 9:00Yammer External Networks: Engaging Customers and Partners SPC248 Murano 3204 TUE 10:45Cargill: Real-world challenges and value in introducing enterprise social SPC295 Delphino 4001 TUE 10:45Integrating Yammer and SharePoint using .NET SPC380 Palazzo O, P TUE 1:45Work like a network: The power of Enterprise Social SPC112 Marcello 4401 TUE 3:15Best practices for breaking down organizational barriers using Yammer SPC264 Delphino 4005 TUE 3:15Overview of configuring Yammer SSO & Directory Sync SPC368 Titian 2201 TUE 3:15Successful team collaboration with Yammer & SharePoint SPC247 Delphino 4005 TUE 5:00Driving enterprise social from the bottom up SPC266 Delphino 4005 WED 9:00Developing socially connected apps with Yammer, SharePoint and OpenGraph SPC371 Palazzo O, P WED 9:00

Giving voice to frontline workers via enterprise social SPC263 Delphino 4005 WED 10:45Yammer mining - dig in and "listen" to what your big *social* data is saying

SPC3991 Murano 3204 WED 1:45How to become a Yammer Power User in 75 minutes SPC275 Delphino 4005 WED 5:00Knowledge Management with SharePoint and Yammer SPC246 Delphino 4005 THU 9:00Measuring Business Value with Yammer SPC392 Delphino 4005 THU 10:30

#WorkLikeANetwork

Microsoft Enterprise Social ResourcesSites, Blogs & Twitter

Enterprise Social Customer Success - Yammer Success Center – EnterpriseSocial.com - The Responsive Org

Admin & IT - Developers - Yammer App Directory - Office Store - Yammer Ignite Blogs: Yammer Office 365 Twitter: @Yammer @Office365

Research/Whitepaper Gartner: Magic Quadrant for Social Software in the Workplace - Evolution of the networked enterprise:

McKinsey Global Survey results - Yammer’s 2013 Business Value Survey Results - The Rise Of Enterprise Social Networks

Press How Red Robin Transformed Its Business With Yammer -

How Teach for America gets the most out of Yammer on a shoestring budget - HK firm creates idea melting pot for 4,000 employees - LexisNexis found that employees who use Yammer are way happier - Switching to Yammer let this company slash helpdesk calls and save $1.5 million a year - How Microsoft got its own employees to use Yammer

Videos Move Faster Together Transform the Way You Work with Yammer

#WorkLikeANetwork

MySPCSponsored by

connect. reimagine. transform.

Evaluate sessionson MySPC using yourlaptop or mobile device:myspc.sharepointconference.com

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.