Overview of configuring Yammer SSO & Directory Sync
Brian Lyttle, Support Escalation Engineer, Microsoft
SPC368
Agenda
- Identity management
- Yammer user and network internals
- Single Sign-On with SAML (with demonstration)
- User provisioning with Directory Sync (with demonstration)
- Best practices
- Wrap up
Identity management
Identity management
- Hidden at the core of an enterprise Yammer launch
- Impacts your ability to create a trusted community
- Fundamentally a political challenge, and many SharePoint User Profile Sync talks have touched on this fact

Primary outputs
Engagement
- An engaged user is "anyone who purposefully uses Yammer within a given time period"
- Engagement needs to occur across silos to achieve success
- Users engage more when it's simple, and the environment is trusted
Compliance
- Driven by the external environment, and the internal organization
- About keeping bad guys out while enabling employees, contractors, and agents
DSync or SSO, or both?
[Diagram: two overlapping circles, Directory Sync (Provisioning) and Single Sign-On (Authentication); the overlap is labelled "Sweet spot"]
User and network internals
External Network Collaboration
- Networks are containers for users and groups
- Home networks are associated with one, or more company email domains
- External networks operate independently of email domain
[Diagram of networks: a contoso.com home network and a northwind.com home network, with the labels Customer Network, Marketing, R&D Partnerships, Alumni, Press and Media, Northwind and AdventureWorks Collaboration, and Guest Collaboration]
Users
- Always belong to a home (canonical) network
- Sometimes users are members of an external network
- Guests get direct access to other home networks
- Exist in a limited number of states during lifetime: Pending, Active, Suspended, Deleted
User profiles
- User confirms email, enters name, chooses a password, uploads a "mugshot", and selects some groups.
- An initial engagement point for end users
- Limited administrator controls
- Users have control over the values that appear in their profile

Mass updates to user profiles
Bulk update
- Available to verified administrators in Yammer
- Profiles can be created with a default password
Yammer User API
- Requires code, but allows integration with exotic identity systems
Single sign-on
SSO benefits
Federation
- The same credentials used in the enterprise are used by Yammer
- Makes multi-factor authentication a possibility
User convenience
- A single set of credentials to remember
Expected, but absent
- Attribute exchange: Yammer delegates this responsibility to Directory Sync
- WS-Federation: SAML is the supported protocol; ADFS, Azure AD, and many other identity providers support this standard
Deployment process
1. Provide identity provider metadata
2. Test SSO
3. Make email address changes
4. Activate SSO

- Process is not self-service
- If you have a SAML 2.0 Identity Provider then configuration is pretty straightforward
- Tests happen against your Yammer network at a scheduled time
Frontline workers
- These are kiosk workers who may not have email, but often have mobile devices
- Using SSO it is possible to enable "Users Without Emails" (UWE) mode
- Mixed mode is possible in the same network
- Only some identity providers (IdPs) support this configuration
Enabling UWE with ADFS

Add email to the incoming claim
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/wind…", Issuer == "AD AUTHORITY"]
  => add(store = "Active Directory", types = ("email"), query = ";mail;{0}", param = c.Value);

Add employee ID to the incoming claim
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/wind…", Issuer == "AD AUTHORITY"]
  => add(store = "Active Directory", types = ("employee_id"), query = ";customAttribute;{0}", param = c.Value);

Add no_email flag to the incoming claim
NOT exists([Type == "email"])
  => add(Type = "no_email", Value = "true");

Send employee ID if no_email flag set
c1:[Type == "no_email"] && c2:[Type == "employee_id"]
  => issue(Type = "SAML_SUBJECT", Value = c2.Value);

Send email if it exists
c:[Type == "email"]
  => issue(Type = "SAML_SUBJECT", Value = c.Value);
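The five claim rules above form a small pipeline: two lookups, one flag, and two mutually exclusive issue rules. The following Python model is an added example (not ADFS code and not from the session) that walks sample directory records through that pipeline so the email-first, employee-ID-fallback behaviour can be checked before SSO is activated. The attribute store, account names and the attribute name "customAttribute" are constructed for the example; a real forest may keep the employee ID elsewhere.

```python
"""Model of the five ADFS claim rules for Yammer's "Users Without Emails" mode.

Added illustration, not ADFS or Yammer code: each rule is evaluated in
order on a simplified claim set so the fallback from email to employee ID
can be exercised against sample records.
"""

EMAIL = "email"
EMPLOYEE_ID = "employee_id"
NO_EMAIL = "no_email"
SAML_SUBJECT = "SAML_SUBJECT"

# Constructed stand-in for the Active Directory attribute store, keyed by the
# incoming Windows account name. "customAttribute" is the attribute the
# slide's rule queries for the employee ID; its real name is an assumption.
AD_STORE = {
    "CONTOSO\\alice": {"mail": "alice@contoso.com", "customAttribute": "E1001"},
    "CONTOSO\\kiosk7": {"mail": None, "customAttribute": "E2077"},
    "CONTOSO\\temp1": {"mail": None, "customAttribute": None},
}


def evaluate_rules(windows_account_name):
    """Return (issued_claims, pipeline_claims) for one authenticated user.

    pipeline_claims mirrors what the add() rules put into the claim set;
    issued_claims is what the issue() rules send in the SAML assertion.
    """
    record = AD_STORE.get(windows_account_name, {})
    pipeline = []  # (type, value) pairs produced by add()
    issued = []    # (type, value) pairs produced by issue()

    # Rule 1: add an email claim only if the mail attribute has a value.
    if record.get("mail"):
        pipeline.append((EMAIL, record["mail"]))
    # Rule 2: add the employee ID claim if the attribute has a value.
    if record.get("customAttribute"):
        pipeline.append((EMPLOYEE_ID, record["customAttribute"]))
    # Rule 3: flag the absence of an email claim.
    if not any(t == EMAIL for t, _ in pipeline):
        pipeline.append((NO_EMAIL, "true"))
    # Rule 4: the employee ID becomes the subject only when no_email is set.
    if any(t == NO_EMAIL for t, _ in pipeline):
        issued.extend((SAML_SUBJECT, v) for t, v in pipeline if t == EMPLOYEE_ID)
    # Rule 5: the email, when present, becomes the subject.
    issued.extend((SAML_SUBJECT, v) for t, v in pipeline if t == EMAIL)
    return issued, pipeline


def saml_subject(windows_account_name):
    """The single SAML_SUBJECT value for the user, or None if no rule fired.

    A user with neither email nor employee ID gets no subject at all, which
    the service provider cannot map to an account; finding such records in
    the directory beforehand is cheaper than finding them in failed logins.
    """
    issued, _ = evaluate_rules(windows_account_name)
    subjects = [v for t, v in issued if t == SAML_SUBJECT]
    assert len(subjects) <= 1, "rules 4 and 5 are mutually exclusive"
    return subjects[0] if subjects else None


if __name__ == "__main__":
    for account in AD_STORE:
        print(account, "->", saml_subject(account))
```

Running it shows the three outcomes that matter when planning UWE: a normal user is identified by email, a kiosk worker by employee ID, and an account with neither attribute produces no subject and should be fixed in the directory before it reaches the IdP.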
Credit: Evan Weiss, Jeremy Chamilliard
Applications and SSO
- Yammer Embed is SSO-aware and will redirect users
- Mobile applications support SSO using an in-app web browser
- Legacy apps require a temporary password available from the App Directory after authentication
- Developers should specify the network permalink to kick off SSO flow when authorizing an app
Single sign-on with Azure Active Directory: Demo
User provisioning with Directory Sync
Core Functions
Adds and invitations
- Custom invite and welcome emails
Profile updates
- Prepopulate user profile fields
- Overwrite upon update to AD
Suspensions
- Suspend users when they are disabled or deleted in AD
Expected, but absent
- Group synchronization: not a good fit for a social scenario where users are empowered to create groups that fit with their workflow
- User profile lockdown: users are always identifiable; AD is optimal for the pre-population of fields; default settings respect values users have entered in Yammer
- Installs on a single server
- No database required
- AD and LDAP expertise required to configure custom filters (queries)
- First sync sends all data, subsequent syncs are incremental
Deploying Directory Sync
1. Install Directory Sync
2. Connect to Yammer
3. Connect to AD
4. Validate user queries
5. Enable syncs

Yammer Directory Sync: Demo
Custom queries
- Keep these simple
- Start by querying for emails belonging to just your domains
- Filters are automatically added for objectCategory and objectClass
- Difficult to exclude users

// A good start
mail=*@contoso.com

// Multiple domains, merged network (OR the domains: AND-ing two patterns on the single-valued mail attribute would match nothing)
(|(mail=*@contoso.com)(mail=*@contoso.co.uk))

// Redundant query (objectCategory and objectClass are added automatically)
(&(objectCategory=person)(objectClass=user)(mail=*))

// Is this replicated in AD? (LDAP NOT must wrap a parenthesised filter)
(&(mail=*@contoso.com)(!(customAttribute=E)))
Querying multiple OUs
- Create a query for each OU with a GUID identifier
- Specify an LDAP filter
- Provide a naming context for each OU
- Set ShowDeleted to false

"Queries": [
  {
    "Id": "a92b0946-5ea9-42c3-9541-736863f39d29",
    "Filter": "mail=*@contoso.com",
    "OverrideRootNamingContext": "OU=France,DC=contoso,DC=com",
    "ShowDeleted": false
  },
  {
    "Id": "6bb94cbb-f9bb-46ab-a78b-58eae0f23836",
    "Filter": "mail=*@contoso.com",
    "OverrideRootNamingContext": "OU=Germany,DC=contoso,DC=com",
    "ShowDeleted": false
  },
  {
    "Id": "33bf59b3-ecfe-41cb-899f-7d85e1eb0dee",
    "Filter": "",
    "OverrideRootNamingContext": "<WKGUID=ELIDED,DC=contoso,DC=com>",
    "ShowDeleted": true
  }
]
Incremental syncs
- USN-Changed is captured for each query after a successful sync
- These values are used for subsequent LDAP queries
- Removing the incremental query cursor file forces a full sync

{
  "35ac4db9-c0ab-4cab-8cc6-6276ef3a7931": { "PropertyName": "usnchanged", "LastValue": 270047611 },
  "f7d21d81-87c8-4c11-9f06-6dc095f881cf": { "PropertyName": "usnchanged", "LastValue": 269749469 },
  "371eff67-0ce8-4e1e-bba3-c7a98982552a": { "PropertyName": "usnchanged", "LastValue": 279149469 },
  "ec7829ef-a25c-47e8-8ff4-f0d6552b6a74": { "PropertyName": "usnchanged", "LastValue": 270849469 }
}
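To make the cursor mechanism concrete, here is an added Python model (not the Directory Sync code, and not from the session) of one query running against a constructed directory snapshot: without a cursor the query is a full sync, with a cursor only objects whose uSNChanged is above LastValue are returned, and deleting the cursor file brings the full sync back. The query ID and LastValue numbers are the ones shown on the slide; the AD entries are constructed. It assumes the cursor advances to the highest uSNChanged returned by a successful sync, which is how the slide's "captured after a successful sync" reads.

```python
"""Model of the per-query USN cursors Directory Sync keeps between runs.

Added illustration, not the Directory Sync code. Assumption: after a
successful sync the cursor for a query is set to the highest uSNChanged
returned, and the next run only asks for objects above that value.
"""
import json

# Cursor file as shown on the slide (first two queries), with valid JSON.
CURSOR_FILE_TEXT = """{
  "35ac4db9-c0ab-4cab-8cc6-6276ef3a7931": {"PropertyName": "usnchanged", "LastValue": 270047611},
  "f7d21d81-87c8-4c11-9f06-6dc095f881cf": {"PropertyName": "usnchanged", "LastValue": 269749469}
}"""

FRANCE_QUERY = "35ac4db9-c0ab-4cab-8cc6-6276ef3a7931"

# Constructed directory snapshot: what the DC would return under OU=France.
AD_ENTRIES = [
    {"dn": "CN=Alice,OU=France,DC=contoso,DC=com", "mail": "alice@contoso.com", "usnchanged": 270047000},
    {"dn": "CN=Bob,OU=France,DC=contoso,DC=com",   "mail": "bob@contoso.com",   "usnchanged": 270047611},
    {"dn": "CN=Carol,OU=France,DC=contoso,DC=com", "mail": "carol@contoso.com", "usnchanged": 270050000},
    {"dn": "CN=Dave,OU=France,DC=contoso,DC=com",  "mail": "dave@fabrikam.com", "usnchanged": 270051000},
]


def load_cursors(text):
    """Parse the cursor file; an empty or absent file means no cursors."""
    return json.loads(text) if text else {}


def matches_filter(entry, domain="@contoso.com"):
    """Stand-in for the LDAP filter mail=*@contoso.com."""
    mail = entry.get("mail") or ""
    return mail.lower().endswith(domain)


def run_sync(entries, cursors, query_id):
    """Return (dns_sent, new_cursors) for one query.

    No cursor: full sync, every matching object is sent.
    Cursor present: only objects with uSNChanged above LastValue are sent,
    which is what keeps the second and later syncs cheap.
    """
    cursor = cursors.get(query_id)
    last = cursor["LastValue"] if cursor else None
    changed = [e for e in entries
               if matches_filter(e) and (last is None or e["usnchanged"] > last)]
    new_cursors = dict(cursors)
    if changed:
        new_cursors[query_id] = {"PropertyName": "usnchanged",
                                 "LastValue": max(e["usnchanged"] for e in changed)}
    return [e["dn"] for e in changed], new_cursors


def force_full_sync(cursors, query_id=None):
    """Equivalent of deleting the cursor file, or one query's entry in it."""
    if query_id is None:
        return {}
    return {k: v for k, v in cursors.items() if k != query_id}


if __name__ == "__main__":
    cursors = load_cursors(CURSOR_FILE_TEXT)
    sent, cursors = run_sync(AD_ENTRIES, cursors, FRANCE_QUERY)
    print("incremental:", sent)   # only Carol; Bob's USN equals the cursor
    sent, cursors = run_sync(AD_ENTRIES, force_full_sync(cursors), FRANCE_QUERY)
    print("full:", sent)          # Alice, Bob, Carol; Dave is filtered out
```

The point worth noticing is that the cursor is per query ID: deleting one entry re-syncs one OU, while deleting the whole file re-sends every user from every query, which is the heavy operation the slide warns about.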
Configuration and log files
Located at C:\ProgramData\Yammer\DirSync

File                                  Purpose
globalsettings.config.json            Main settings file for Directory Sync
lastvalidation.json                   Output from the last validation
incrementalquerycursors.config.json   Stores cursor position for incremental syncs
service.log                           Log for the Windows Service
ui.log                                Log for the User Interface

Service and UI executable configuration files in C:\Program Files (x86)\Yammer\Directory Sync allow you to control log output settings.
Best practices
Planning
New Network
- Will disturb few workers
- An opportunity to give a better first experience with SSO
Established Network
- Always start with SSO
- Implement Directory Sync in suspend-only mode initially
- Enable adds and updates later
Best practices for SSO
- Support mobile devices
- Ensure your identity provider supports failover
- Involve a range of users in testing
- Test from inside and outside your network
- Prepare appropriate communications for users
- Email mismatches between Yammer and the SAML assertion can happen. This can be detected and fixed ahead of time.
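The last point deserves a concrete check, since a mismatch means the IdP-authenticated user does not land on the existing Yammer account. The following is an added Python example (not a Yammer or identity-provider tool, and not from the session) that compares a network's user export against the email each IdP account would assert and reports everything that is not an exact, case-insensitive match. Both inputs are constructed for the example.

```python
"""Pre-activation check for email mismatches between Yammer and the SAML assertion.

Added illustration, not a Yammer or IdP tool. YAMMER_USERS stands for an
export of the network's users; IDP_SUBJECTS for the email each directory
account would place in SAML_SUBJECT. Both are constructed samples.
"""

YAMMER_USERS = [
    {"id": 1, "email": "Alice@contoso.com"},        # only the case differs
    {"id": 2, "email": "bob@contoso.com"},
    {"id": 3, "email": "carol.smith@contoso.com"},  # IdP asserts csmith@
    {"id": 4, "email": "dave@contoso.co.uk"},       # IdP asserts the .com domain
]

IDP_SUBJECTS = {
    "CONTOSO\\alice": "alice@contoso.com",
    "CONTOSO\\bob": "bob@contoso.com",
    "CONTOSO\\csmith": "csmith@contoso.com",
    "CONTOSO\\dave": "dave@contoso.com",
    "CONTOSO\\erin": "erin@contoso.com",            # no Yammer account yet
}


def normalise(address):
    """Email comparison is case-insensitive; surrounding whitespace is noise."""
    return address.strip().lower()


def find_mismatches(yammer_users, idp_subjects):
    """Compare the two sides and return a report dict.

    matched:      (yammer_id, email) pairs that will log in unchanged
    yammer_only:  Yammer users whose address no IdP account asserts
    idp_only:     asserted addresses with no Yammer user of that address
    near_misses:  (yammer_id, yammer_email, asserted_email) where only the
                  domain differs, the usual sign of a merged network or of a
                  mail attribute changed in AD but not in Yammer
    """
    asserted = {normalise(a) for a in idp_subjects.values()}
    by_local_part = {}
    for address in asserted:
        by_local_part.setdefault(address.split("@", 1)[0], []).append(address)

    report = {"matched": [], "yammer_only": [], "idp_only": [], "near_misses": []}
    seen = set()
    for user in yammer_users:
        email = normalise(user["email"])
        if email in asserted:
            report["matched"].append((user["id"], email))
            seen.add(email)
            continue
        report["yammer_only"].append((user["id"], email))
        local_part = email.split("@", 1)[0]
        for candidate in sorted(by_local_part.get(local_part, [])):
            report["near_misses"].append((user["id"], email, candidate))
    report["idp_only"] = sorted(asserted - seen)
    return report


if __name__ == "__main__":
    for section, rows in find_mismatches(YAMMER_USERS, IDP_SUBJECTS).items():
        print(section)
        for row in rows:
            print("  ", row)
```

Each reported row is an action item before activation: a yammer_only user needs an email change on one side or the other (the "Make email address changes" step in the deployment process), a near miss usually points at a domain that was merged or renamed, and an idp_only address is either a new joiner or an existing person under a different address, which only a human can tell apart.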
Best practices for Directory Sync
- Become friends with your Active Directory administrator(s)
- Customize the activation and welcome emails
- Understand and review the validation report
- Include only users with email addresses matching your domain(s)
- Prepare for DR with a standby instance
- Understand attribute mappings and preferences, and how these will impact your Yammer Network
- Document configuration for transition to BAU
Wrap up
Identity futures
Simplified login
- Users can access Yammer from O365 without logging into Yammer
O365 navigation
- Users can more easily move between Yammer and O365
Yammer Directory Sync replacement
- Being looked at, but this is a long term item
Recommendations
1. Implement Yammer SSO and Directory Sync now
2. Go with SSO before Directory Sync*
3. Use a simple Directory Sync configuration
4. Merge to avoid operating multiple Yammer networks.
5. Follow the Yammer Release Schedule for identity updates
Documentation
- Single Sign-On: http://success.yammer.com/integrations/single-sign-on/
- Directory Sync: http://success.yammer.com/integrations/directory-sync/
#SPC14
Enterprise Social Related Content
See you at the 2 Social booth & 3 Social tables at Ask the Experts WED @6:15!

Session | Session code | Room | Time
A responsive organization stays ahead of the competition | SPC104 | Delphino 4001 | MON 2:00
Trek Bikes: pedaling past complex collaboration problems in the enterprise | SPC386 | Delphino 4005 | MON 2:00
Microsoft's vision and roadmap for Enterprise Social | SPC282 | Delphino 4005 | MON 3:45
Microsoft: Our Enterprise Social Journey | SPC280 | Lido 3001 | MON 3:45
Nationwide: Building a World-Renowned Intranet with SP 2013 & Yammer | SPC311 | Murano 3204 | TUE 9:00
Real-world, best practices for making enterprise social successful | SPC239 | Delphino 4005 | TUE 9:00
Make your SharePoint portal social in 1-2-3! | SCP378 | Palazzo M, N | TUE 9:00
Overview of Yammer app development | SPC332 | Palazzo O, P | TUE 9:00
Yammer External Networks: Engaging Customers and Partners | SPC248 | Murano 3204 | TUE 10:45
Cargill: Real-world challenges and value in introducing enterprise social | SPC295 | Delphino 4001 | TUE 10:45
Integrating Yammer and SharePoint using .NET | SPC380 | Palazzo O, P | TUE 1:45
Work like a network: The power of Enterprise Social | SPC112 | Marcello 4401 | TUE 3:15
Best practices for breaking down organizational barriers using Yammer | SPC264 | Delphino 4005 | TUE 3:15
Overview of configuring Yammer SSO & Directory Sync | SPC368 | Titian 2201 | TUE 3:15
Successful team collaboration with Yammer & SharePoint | SPC247 | Delphino 4005 | TUE 5:00
Driving enterprise social from the bottom up | SPC266 | Delphino 4005 | WED 9:00
Developing socially connected apps with Yammer, SharePoint and OpenGraph | SPC371 | Palazzo O, P | WED 9:00
Giving voice to frontline workers via enterprise social | SPC263 | Delphino 4005 | WED 10:45
Yammer mining - dig in and "listen" to what your big *social* data is saying | SPC3991 | Murano 3204 | WED 1:45
How to become a Yammer Power User in 75 minutes | SPC275 | Delphino 4005 | WED 5:00
Knowledge Management with SharePoint and Yammer | SPC246 | Delphino 4005 | THU 9:00
Measuring Business Value with Yammer | SPC392 | Delphino 4005 | THU 10:30
#WorkLikeANetwork
Microsoft Enterprise Social Resources

Sites, Blogs & Twitter
- Enterprise Social Customer Success
- Yammer Success Center
- EnterpriseSocial.com
- The Responsive Org
- Admin & IT
- Developers
- Yammer App Directory
- Office Store
- Yammer Ignite
- Blogs: Yammer, Office 365
- Twitter: @Yammer, @Office365

Research/Whitepaper
- Gartner: Magic Quadrant for Social Software in the Workplace
- Evolution of the networked enterprise: McKinsey Global Survey results
- Yammer's 2013 Business Value Survey Results
- The Rise Of Enterprise Social Networks

Press
- How Red Robin Transformed Its Business With Yammer
- How Teach for America gets the most out of Yammer on a shoestring budget
- HK firm creates idea melting pot for 4,000 employees
- LexisNexis found that employees who use Yammer are way happier
- Switching to Yammer let this company slash helpdesk calls and save $1.5 million a year
- How Microsoft got its own employees to use Yammer

Videos
- Move Faster Together
- Transform the Way You Work with Yammer
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.