Overview of configuring Yammer SSO & Directory Sync


SPC368 Overview of configuring Yammer SSO & Directory Sync
Brian Lyttle, Support Escalation Engineer, Microsoft

Agenda
  • Identity management
  • Yammer user and network internals
  • Single Sign-On with SAML
  • Demonstration
  • User provisioning with Directory Sync
  • Demonstration
  • Best Practices
  • Wrap up

Identity management
  • Hidden at the core of an enterprise Yammer launch
  • Impacts your ability to create a trusted community
  • Fundamentally a political challenge, and many SharePoint User Profile Sync talks have touched on this fact

Primary outputs
  Engagement
  • An engaged user is anyone who purposefully uses Yammer within a given time period
  • Engagement needs to occur across silos to achieve success
  • Users engage more when it's simple, and the environment is trusted
  Compliance
  • Driven by the external environment, and the internal organization
  • About keeping bad guys out while enabling employees, contractors, and agents

DSync or SSO, or both?
[Diagram labels: Directory Sync (Provisioning), Sweet spot, Single Sign-On (Authentication)]

User and network internals

Networks
[Diagram labels: Customer Network Marketing R&D Partnerships Alumni Guest Collaboration northwind.com contoso.com]
  • Networks are containers for users and groups
  • Home networks are associated with one or more company email domains
  • External networks operate independently of email domain
[Diagram labels: External Network Collaboration Press and Media Northwind and AdventureWorks Collaboration]

Users
  • Always belong to a home (canonical) network
  • Sometimes users are members of an external network
  • Guests get direct access to other home networks
  • Exist in a limited
[Diagram labels: Pending, Deleted, Active, Suspended]

User profiles
  • An initial engagement point for end users
  • Limited administrator controls
  • User confirms email, enters name, chooses a password, uploads a mugshot, and selects some groups.
  • Users have control over the values that appear in their profile

Mass updates to user profiles
  • Bulk update
  • Yammer User API
  • Available to verified administrators in Yammer
  • Profiles can be created with a default password

  • Requires code, but allows integration with exotic identity systems

Single sign-on

SSO benefits
  • Federation: the same credentials used in the enterprise are used by Yammer; makes multi-factor authentication a possibility
  • User convenience: a single set of credentials to remember

Expected, but absent
  • Attribute exchange: Yammer delegates this responsibility to Directory Sync
  • WS-Federation: SAML is the supported protocol; ADFS, Azure AD, and many other identity providers support this standard

Deployment process

  • Process is not self-service
  • If you have a SAML 2.0 Identity Provider then configuration is pretty straightforward
  • Tests happen against your Yammer network at a

Frontline workers
  • These are kiosk workers who may not have email, but often have mobile devices
  • Using SSO it is possible to enable Users Without Emails (UWE) mode
  • Mixed mode is possible in the same network
  • Only some identity providers (IdPs) support this configuration

Enabling UWE with ADFS

Add email to the incoming claim

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/wind", Issuer == "AD AUTHORITY"]
      => add(store = "Active Directory", types = ("email"), query = ";mail;{0}", param = c.Value);

Add employee ID to the incoming claim

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/wind", Issuer == "AD AUTHORITY"]
      => add(store = "Active Directory", types = ("employee_id"), query = ";customAttribute;{0}", param = c.Value);

Add no_email flag to the incoming claim

    NOT exists([Type == "email"])
      => add(Type = "no_email", Value = "true");

Send employee ID if no_email flag set

    c1:[Type == "no_email"] && c2:[Type == "employee_id"]
      => issue(Type = "SAML_SUBJECT", Value = c2.Value);

Send email if it exists

    c:[Type == "email"]
      => issue(Type = "SAML_SUBJECT", Value = c.Value);

Credit: Evan Weiss, Jeremy Chamilliard

Applications and SSO
  • Yammer Embed is SSO-aware and will redirect users
  • Mobile applications support SSO using an in-app web browser
  • Legacy apps require a temporary password available from the App Directory after authentication
  • Developers should specify the network permalink to kick off SSO flow when authorizing an app

Single sign-on with Azure Active Directory
Demo

User provisioning with Directory Sync

Core Functions
  • Adds and invitations: custom invite and welcome emails
  • Profile updates: prepopulate user profile fields; overwrite upon update to AD
  • Suspensions: suspend users when they are disabled or deleted in AD

Expected, but absent
  • Group synchronization: not a good fit for a social scenario where users are empowered to create groups that fit with their workflow
  • User profile lockdown: users are always identifiable; AD is optimal for the prepopulation of fields; default settings respect values users have entered in

Deploying Directory Sync
  • Installs on a single server
  • No database required
  • AD and LDAP expertise required to configure custom filters (queries)

  • First sync sends all data, subsequent syncs are incremental

Yammer Directory Sync
Demo

Custom queries
  • Keep these simple
  • Start by querying for emails belonging to just your domains
  • Filters are automatically added for objectCategory and objectClass
  • Difficult to exclude users

    // A good start
    mail=*@contoso.com

    // Multiple domains, merged network (OR: an entry's mail ends in only one domain)
    (|(mail=*@contoso.com)(mail=*@contoso.co.uk))

    // Redundant query
    (&(objectCategory=person)(objectClass=user)(mail=*))

    // Is this replicated in AD?
    (&(mail=*@contoso.com)(!customAttribute=E))

Querying multiple OUs
  • Create a query for each OU with a GUID identifier
  • Specify an LDAP filter
  • Provide a naming context for each OU
  • Set ShowDeleted to false

    "Queries": [
      {
        "Id": "a92b0946-5ea9-42c3-9541-736863f39d29",
        "Filter": "mail=*@contoso.com",
        "OverrideRootNamingContext": "OU=France,DC=contoso,DC=com",
        "ShowDeleted": false
      },
      {
        "Id": "6bb94cbb-f9bb-46ab-a78b-58eae0f23836",
        "Filter": "mail=*@contoso.com",
        "OverrideRootNamingContext": "OU=Germany,DC=contoso,DC=com",
        "ShowDeleted": false
      },
      {
        "Id": "33bf59b3-ecfe-41cb-899f-7d85e1eb0dee",
        "Filter": "",
        "OverrideRootNamingContext": "",
        "ShowDeleted": true
      }
    ]

Incremental syncs
  • USN-Changed is captured for each query after a successful sync
  • These values are used for subsequent LDAP queries
  • Removing the incremental query cursor file forces a full sync

    {
      "35ac4db9-c0ab-4cab-8cc6-6276ef3a7931": {
        "PropertyName": "usnchanged",
        "LastValue": 270047611
      },
      "f7d21d81-87c8-4c11-9f06-6dc095f881cf": {
        "PropertyName": "usnchanged",
        "LastValue": 269749469
      },
      "371eff67-0ce8-4e1e-bba3-c7a98982552a": {
        "PropertyName": "usnchanged",
        "LastValue": 279149469
      },
      "ec7829ef-a25c-47e8-8ff4-f0d6552b6a74": {
        "PropertyName": "usnchanged",
        "LastValue": 270849469
      }
    }

Configuration and log files
Located at C:\ProgramData\Yammer\DirSync

    File                                   Purpose
    globalsettings.config.json             Main settings file for Directory Sync
    lastvalidation.json                    Output from the last validation
    incrementalquerycursors.config.json    Stores cursor position for incremental syncs
    service.log                            Log for the Windows Service
    ui.log                                 Log for the User Interface

Service and UI executable configuration files in C:\Program Files (x86)\Yammer\Directory Sync allow you to control log output settings.
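As an added illustration (not code from the presentation or from Yammer Directory Sync), this small evaluator for the filter subset used on the custom queries slide shows which entries each filter selects, including an AND versus an OR of two mail domains and the negated customAttribute test. It assumes case-insensitive matching and two-valued logic in which a test on an absent attribute is false; the directory entries are constructed.

```python
import re

def parse(text):  # parse the filter subset used on the slide into nested tuples
    text = text.strip()
    if not text.startswith("("):              # bare item: mail=*@contoso.com
        text = f"({text})"
    # AD accepts (!attr=value); rewrite to the RFC 4515 form (!(attr=value))
    text = re.sub(r"\(!([^()]+)\)", r"(!(\1))", text)
    node, pos = _node(text, 0)
    if pos != len(text):
        raise ValueError("unexpected text after filter")
    return node

def _node(s, i):
    i += 1                                    # step over "("
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _node(s, i)
            kids.append(kid)
        node = (op, kids)
    else:                                     # simple item: attr=pattern
        end = s.index(")", i)
        attr, _, pattern = s[i:end].partition("=")
        node, i = ("=", attr.lower(), pattern.lower()), end
    if s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):  # two-valued: a test on an absent attribute is false
    op, arg = node[0], node[1]
    if op in "&|":
        return (all if op == "&" else any)(matches(k, entry) for k in arg)
    if op == "!":
        return not matches(arg[0], entry)
    rx = ".*".join(re.escape(part) for part in node[2].split("*"))
    return any(re.fullmatch(rx, v.lower()) for v in entry.get(arg, []))

DIRECTORY = {   # constructed entries (not real data), attribute names lower-cased
    "alice": {"mail": ["alice@contoso.com"]},
    "bob":   {"mail": ["bob@contoso.co.uk"]},
    "carol": {"mail": ["carol@contoso.com"], "customattribute": ["E"]},
    "dave":  {"mail": ["dave@fabrikam.com"]},
    "svc":   {},                              # account with no mail attribute
}

def select(filter_text):
    tree = parse(filter_text)
    return sorted(n for n, e in DIRECTORY.items() if matches(tree, e))
```

With these entries the AND of the two domains selects nobody, the OR selects alice, bob and carol, and the negated customAttribute test keeps alice while dropping carol.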
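A sketch of the cursor mechanics described on the incremental syncs slide, added here as an example and not taken from Yammer Directory Sync. It assumes the stored value is applied as a `uSNChanged>=` clause on the next query, which the slides do not show, and it uses constructed query ids and sample files in the two formats above.

```python
import json

# Constructed samples in the page's two file formats; the ids are placeholders.
QUERIES = json.loads("""[
  {"Id": "q-france",  "Filter": "mail=*@contoso.com",
   "OverrideRootNamingContext": "OU=France,DC=contoso,DC=com", "ShowDeleted": false},
  {"Id": "q-germany", "Filter": "mail=*@contoso.com",
   "OverrideRootNamingContext": "OU=Germany,DC=contoso,DC=com", "ShowDeleted": false}
]""")
CURSORS = json.loads(
    '{"q-france": {"PropertyName": "usnchanged", "LastValue": 270047611}}')

def _wrap(f):
    """Parenthesise a bare item such as mail=*@contoso.com."""
    f = f.strip()
    return f if f.startswith("(") else f"({f})"

def plan_sync(queries, cursors):
    """Map each query id to (mode, base DN, LDAP filter) for the next run."""
    plan = {}
    for q in queries:
        base, flt = q["OverrideRootNamingContext"], _wrap(q["Filter"])
        cur = cursors.get(q["Id"])
        if cur is None:                 # no cursor (file removed): full sync
            plan[q["Id"]] = ("full", base, flt)
        else:                           # assumed: fetch only newer changes
            newer = f"(uSNChanged>={cur['LastValue'] + 1})"
            plan[q["Id"]] = ("incremental", base, f"(&{flt}{newer})")
    return plan

def advance(cursors, query_id, seen_usns, succeeded):
    """Return cursors with query_id moved forward, only after a successful sync."""
    if not (succeeded and seen_usns):
        return dict(cursors)            # failed or empty run: cursor stays put
    prev = cursors.get(query_id, {}).get("LastValue", 0)
    return {**cursors, query_id: {"PropertyName": "usnchanged",
                                  "LastValue": max(prev, max(seen_usns))}}
```

uSNChanged is maintained separately by each domain controller, so a cursor is only meaningful against the controller that produced it.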

Best practices

Planning (New Network / Established Network)
  • Will disturb few workers
  • An opportunity to give a better first experience with SSO
  • Always start with SSO
  • Implement Directory Sync in suspend-only mode initially
  • Enable adds and updates later

Best practices for SSO
  • Email mismatches between Yammer and the SAML assertion can happen. This can be detected and fixed ahead of time.
  • Support mobile devices
  • Involve a range of users in testing
  • Prepare appropriate communications for users
  • Test from inside and outside your network
  • Ensure your identity provider supports failover

Best practices for Directory Sync
  • Understand attribute mappings and preferences, and how these will impact your Yammer Network
  • Understand and review the validation report
  • Include only users with email addresses matching your domain(s)
  • Become friends with your Active Directory administrator(s)
  • Prepare for DR with a standby instance
  • Customize the activation and welcome emails
  • Document configuration for transition to BAU

Wrap up

Identity futures

  • Simplified login: users can access Yammer from O365 without logging into Yammer
  • O365 navigation: users can more easily move between Yammer and O365
  • Yammer Directory Sync replacement: being looked at, but this is a long term item

Recommendations
  1. Implement Yammer SSO and Directory Sync now
  2. Go with SSO before Directory Sync*
  3. Use a simple Directory Sync configuration
  4. Merge to avoid operating multiple Yammer networks.
  5. Follow the Yammer Release Schedule for identity updates

Documentation
  • Single Sign-On: http://success.yammer.com/integrations/single-sign-on/
  • Directory Sync: http://success.yammer.com/integrations/directory-sync/

#SPC14


2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
