Directory Sync Single Sign-On External Network Collaboration contoso.com Customer Network Marketing...
Overview of configuring Yammer SSO & Directory Sync
Brian Lyttle
Support Escalation Engineer
Microsoft
SPC368
Agenda
Identity management
Yammer user and network internals
Single Sign-On with SAML (demonstration)
User provisioning with Directory Sync (demonstration)
Best Practices
Wrap up
Identity management
Identity management
Hidden at the core of an enterprise Yammer launch
Impacts your ability to create a trusted community
Fundamentally a political challenge, and many SharePoint User Profile Sync talks have touched on this fact
Primary outputs
Engagement:
  An engaged user is “anyone who purposefully uses Yammer within a given time period”
  Engagement needs to occur across silos to achieve success
  Users engage more when it’s simple, and the environment is trusted
Compliance:
  Driven by the external environment, and the internal organization
  About keeping bad guys out while enabling employees, contractors, and agents
DSync or SSO, or both?
[Diagram: Directory Sync (provisioning) and Single Sign-On (authentication), with a "sweet spot" where the two overlap]
User and network internals
Networks
Networks are containers for users and groups
Home networks are associated with one or more company email domains
External networks operate independently of email domain
[Diagram labels: contoso.com, Customer Network, Marketing, R&D Partnerships, Alumni, northwind.com, Press and Media, Northwind and AdventureWorks Collaboration, External Network Collaboration, Guest Collaboration]
Users
Always belong to a home (canonical) network
Sometimes users are members of an external network
Guests get direct access to other home networks
Exist in a limited number of states during lifetime: Pending, Active, Suspended, Deleted
User profiles
User confirms email, enters name, chooses a password, uploads a “mugshot”, and selects some groups.
An initial engagement point for end users
Limited administrator controls
Users have control over the values that appear in their profile
Mass updates to user profiles
Bulk update:
  Available to verified administrators in Yammer
  Profiles can be created with a default password
Yammer User API: Requires code, but allows integration with exotic identity systems
Single sign-on
SSO benefits
Federation:
  The same credentials used in the enterprise are used by Yammer
  Makes multi-factor authentication a possibility
User convenience: A single set of credentials to remember
Expected, but absent
Attribute exchange: Yammer delegates this responsibility to Directory Sync
WS-Federation:
  SAML is the supported protocol
  ADFS, Azure AD, and many other identity providers support this standard
Deployment process
1. Provide identity provider metadata
2. Test SSO
3. Make email address changes
4. Activate SSO
Process is not self-service
If you have a SAML 2.0 Identity Provider then configuration is pretty straightforward
Tests happen against your Yammer network at a scheduled time
Frontline workers
These are kiosk workers who may not have email, but often have mobile devices
Using SSO it is possible to enable “Users Without Emails” (UWE) mode
Mixed mode is possible in the same network
Only some identity providers (IdPs) support this configuration
Enabling UWE with ADFS
Add email to the incoming claim
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/wind…", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("email"), query = ";mail;{0}", param = c.Value);
Add employee ID to the incoming claim
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/wind…", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("employee_id"), query = ";customAttribute;{0}", param = c.Value);
Add no_email flag to the incoming claim
    NOT exists([Type == "email"])
     => add(Type = "no_email", Value = "true");
Send employee ID if no_email flag set
    c1:[Type == "no_email"] && c2:[Type == "employee_id"]
     => issue(Type = "SAML_SUBJECT", Value = c2.Value);
Send email if it exists
    c:[Type == "email"]
     => issue(Type = "SAML_SUBJECT", Value = c.Value);
Credit: Evan Weiss, Jeremy Chamilliard
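The rule chain above can be modelled offline to see which SAML_SUBJECT each account would receive, and to catch accounts that get no subject or share one before SSO is activated. This Python model is an added example, not ADFS code or part of the original deck; the `sam` key, the sample records and the case-insensitive collision check are assumptions, and `customAttribute` is the placeholder attribute name used on the slide.

```python
from collections import defaultdict


def issue_subject(user):
    """Return the SAML_SUBJECT the five rules would issue for one AD record, or None."""
    claims = {}
    # Rules 1-2: copy mail and the employee-ID attribute into the claim set.
    if user.get("mail"):
        claims["email"] = user["mail"]
    if user.get("customAttribute"):
        claims["employee_id"] = user["customAttribute"]
    # Rule 3: flag accounts that have no email claim.
    if "email" not in claims:
        claims["no_email"] = "true"
    # Rule 4: no email, so the employee ID becomes the subject.
    if "no_email" in claims and "employee_id" in claims:
        return claims["employee_id"]
    # Rule 5: otherwise the email is the subject (None when neither value exists).
    return claims.get("email")


def audit(users):
    """Return (accounts with no subject, subjects shared by more than one account)."""
    by_subject = defaultdict(list)
    no_subject = []
    for user in users:
        subject = issue_subject(user)
        if subject is None:
            no_subject.append(user["sam"])
        else:
            # Assumption: compare case-insensitively, the conservative choice
            # when it is unknown how the service provider normalises subjects.
            by_subject[subject.strip().lower()].append(user["sam"])
    collisions = {s: names for s, names in by_subject.items() if len(names) > 1}
    return no_subject, collisions


# Constructed sample directory export (hypothetical accounts).
SAMPLE_USERS = [
    {"sam": "alice", "mail": "alice@contoso.com", "customAttribute": "E1001"},
    {"sam": "kiosk1", "mail": None, "customAttribute": "E2001"},
    {"sam": "kiosk2", "mail": None, "customAttribute": "e2001"},
    {"sam": "temp7", "mail": None, "customAttribute": None},
]

if __name__ == "__main__":
    missing, shared = audit(SAMPLE_USERS)
    print("no subject issued:", missing)
    print("shared subjects:", shared)
```

An account with neither attribute gets no SAML_SUBJECT at all, and two kiosk accounts with the same employee ID would be presented to Yammer as the same identity, so both lists should be empty before go-live.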
Applications and SSO
Yammer Embed is SSO-aware and will redirect users
Mobile applications support SSO using an in-app web browser
Legacy apps require a temporary password available from the App Directory after authentication
Developers should specify the network permalink to kick off SSO flow when authorizing an app
Single sign-on with Azure Active Directory
Demo
User provisioning with Directory Sync
Core Functions
Adds and invitations: Custom invite and welcome emails
Profile updates:
  Prepopulate user profile fields
  Overwrite upon update to AD
Suspensions: Suspend users when they are disabled or deleted in AD
Expected, but absent
Group synchronization: Not a good fit for a social scenario where users are empowered to create groups that fit with their workflow
User profile lockdown:
  Users are always identifiable
  AD is optimal for the pre-population of fields
  Default settings respect values users have entered in Yammer
Deploying Directory Sync
1. Install Directory Sync
2. Connect to Yammer
3. Connect to AD
4. Validate user queries
5. Enable syncs
Installs on a single server
No database required
AD and LDAP expertise required to configure custom filters (queries)
First sync sends all data, subsequent syncs are incremental
Yammer Directory Sync
Demo
Custom queries
Keep these simple
Start by querying for emails belonging to just your domains
Filters are automatically added for objectCategory and objectClass
Difficult to exclude users
    // A good start
    mail=*@contoso.com
    // Multiple domains, merged network (OR: one mail value cannot match both domains)
    (|(mail=*@contoso.com)(mail=*@contoso.co.uk))
    // Redundant query
    (&(objectCategory=person)(objectClass=user)(mail=*))
    // Is this replicated in AD?
    (&(mail=*@contoso.com)(!(customAttribute=E)))
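To check a custom filter before it goes into Directory Sync, it helps to evaluate it against a handful of known accounts. The small LDAP filter evaluator below is an added example, not part of the original deck or of Directory Sync; it handles only `&`, `|`, `!`, equality and `*` wildcards, the directory entries are constructed, and treating a missing attribute as "not equal" under `!` is an assumption of this model.

```python
import re


def parse(f, i=0):
    """Parse the parenthesised filter that starts at f[i]; return (node, next index)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, i, children = f[i], i + 1, []
        while f[i:i + 1] == "(":
            child, i = parse(f, i)
            children.append(child)
        if f[i:i + 1] != ")" or not children or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed '{op}' group")
        return (op, children), i + 1
    end = f.index(")", i)  # raises ValueError when the item is never closed
    attr, sep, pattern = f[i:end].partition("=")
    if not sep:
        raise ValueError("expected attr=value")
    return ("=", attr.strip().lower(), pattern), end + 1


def compile_filter(text):
    text = text.strip()
    if not text.startswith("("):  # bare form as shown on the slide: mail=*@contoso.com
        text = f"({text})"
    node, end = parse(text)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    # '*' is the only wildcard; everything else must match literally and in full.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in entry.get(attr, []))


def select(filter_text, directory):
    """Return the names of the entries the filter would pick up."""
    node = compile_filter(filter_text)
    return [name for name, entry in directory.items() if matches(node, entry)]


# Constructed directory; attribute names are lower-cased, values are lists.
DIRECTORY = {
    "alice": {"mail": ["alice@contoso.com"]},
    "bob": {"mail": ["bob@contoso.co.uk"]},
    "eve": {"mail": ["eve@contoso.com"], "customattribute": ["E"]},
    "partner": {"mail": ["pat@contoso.com.example"]},
    "svc-backup": {},
}

if __name__ == "__main__":
    for flt in ("mail=*@contoso.com",
                "(&(mail=*@contoso.com)(mail=*@contoso.co.uk))",
                "(|(mail=*@contoso.com)(mail=*@contoso.co.uk))",
                "(&(mail=*@contoso.com)(!(customAttribute=E)))"):
        print(flt, "->", select(flt, DIRECTORY))
```

The AND of two domain patterns selects nobody, because a single mail value cannot end in both domains; the OR form is the one that covers a merged network.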
Querying multiple OUs
Create a query for each OU with a GUID identifier
Specify an LDAP filter
Provide a naming context for each OU
Set ShowDeleted to false
    "Queries": [
      {
        "Id": "a92b0946-5ea9-42c3-9541-736863f39d29",
        "Filter": "mail=*@contoso.com",
        "OverrideRootNamingContext": "OU=France,DC=contoso,DC=com",
        "ShowDeleted": false
      },
      {
        "Id": "6bb94cbb-f9bb-46ab-a78b-58eae0f23836",
        "Filter": "mail=*@contoso.com",
        "OverrideRootNamingContext": "OU=Germany,DC=contoso,DC=com",
        "ShowDeleted": false
      },
      {
        "Id": "33bf59b3-ecfe-41cb-899f-7d85e1eb0dee",
        "Filter": "",
        "OverrideRootNamingContext": "<WKGUID=ELIDED,DC=contoso,DC=com>",
        "ShowDeleted": true
      }
    ]
Incremental syncs
USN-Changed is captured for each query after a successful sync
These values are used for subsequent LDAP queries
Removing the incremental query cursor file forces a full sync
    {
      "35ac4db9-c0ab-4cab-8cc6-6276ef3a7931": { "PropertyName": "usnchanged", "LastValue": 270047611 },
      "f7d21d81-87c8-4c11-9f06-6dc095f881cf": { "PropertyName": "usnchanged", "LastValue": 269749469 },
      "371eff67-0ce8-4e1e-bba3-c7a98982552a": { "PropertyName": "usnchanged", "LastValue": 279149469 },
      "ec7829ef-a25c-47e8-8ff4-f0d6552b6a74": { "PropertyName": "usnchanged", "LastValue": 270849469 }
    }
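A hand-edited query list or cursor file is easy to get subtly wrong (a mistyped domain, a missing comma, a query with no domain restriction), so a lint pass before enabling syncs is worthwhile. The checker below covers both the "Querying multiple OUs" and "Incremental syncs" slides; it is an added example, not a Directory Sync tool. It assumes the `"Queries"` fragment is wrapped in a JSON object and that cursor keys are query Ids (which the slides imply but do not state), and all sample data is constructed.

```python
import json
import re
import uuid


def lint(queries_json, cursors_json, allowed_domains):
    """Return a list of (id, finding) tuples for a query list and its cursor file."""
    try:
        queries = json.loads(queries_json)["Queries"]
        cursors = json.loads(cursors_json)
    except (json.JSONDecodeError, KeyError, TypeError) as exc:
        return [("-", f"unreadable config: {exc.__class__.__name__}")]
    findings, seen = [], set()
    for q in queries:
        qid = q.get("Id", "")
        try:
            uuid.UUID(qid)
        except ValueError:
            findings.append((qid, "Id is not a GUID"))
        if qid in seen:
            findings.append((qid, "duplicate Id"))
        seen.add(qid)
        # Every mail domain named in the filter must be one the organisation owns.
        domains = {d.lower() for d in re.findall(r"@([A-Za-z0-9.-]+)", q.get("Filter", ""))}
        for d in sorted(domains - allowed_domains):
            findings.append((qid, f"filter domain {d} is not an owned domain"))
        if not domains and not q.get("ShowDeleted"):
            findings.append((qid, "live-user query has no mail-domain restriction"))
        if not q.get("OverrideRootNamingContext"):
            findings.append((qid, "no naming context"))
        cur = cursors.get(qid)
        if cur is None:
            findings.append((qid, "no stored cursor"))
        elif cur.get("PropertyName") != "usnchanged" or not isinstance(cur.get("LastValue"), int):
            findings.append((qid, "malformed cursor"))
    for cid in sorted(set(cursors) - seen):
        findings.append((cid, "cursor has no matching query"))
    return findings


# Constructed sample files (hypothetical GUIDs and OUs).
QUERIES = """{"Queries": [
  {"Id": "11111111-1111-4111-8111-111111111111", "Filter": "mail=*@contoso.com",
   "OverrideRootNamingContext": "OU=France,DC=contoso,DC=com", "ShowDeleted": false},
  {"Id": "22222222-2222-4222-8222-222222222222", "Filter": "mail=*@contso.com",
   "OverrideRootNamingContext": "OU=Germany,DC=contoso,DC=com", "ShowDeleted": false},
  {"Id": "33333333-3333-4333-8333-333333333333", "Filter": "",
   "OverrideRootNamingContext": "OU=Spain,DC=contoso,DC=com", "ShowDeleted": false}
]}"""
CURSORS = """{
  "11111111-1111-4111-8111-111111111111": {"PropertyName": "usnchanged", "LastValue": 270047611},
  "44444444-4444-4444-8444-444444444444": {"PropertyName": "usnchanged", "LastValue": 269749469}
}"""

if __name__ == "__main__":
    for item in lint(QUERIES, CURSORS, {"contoso.com"}):
        print(item)
```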
Configuration and log files
Located at C:\ProgramData\Yammer\DirSync

| File | Purpose |
| --- | --- |
| globalsettings.config.json | Main settings file for Directory Sync |
| lastvalidation.json | Output from the last validation |
| incrementalquerycursors.config.json | Stores cursor position for incremental syncs |
| service.log | Log for the Windows Service |
| ui.log | Log for the User Interface |

Service and UI executable configuration files in C:\Program Files (x86)\Yammer\Directory Sync allow you to control log output settings.
Best practices
Planning
New Network:
  Will disturb few workers
  An opportunity to give a better first experience with SSO
Established Network:
  Always start with SSO
  Implement Directory Sync in suspend-only mode initially
  Enable adds and updates later
Best practices for SSO
Support mobile devices
Ensure your identity provider supports failover
Involve a range of users in testing
Test from inside and outside your network
Prepare appropriate communications for users
Email mismatches between Yammer and the SAML assertion can happen. This can be detected and fixed ahead of time.
Best practices for Directory Sync
Become friends with your Active Directory administrator(s)
Customize the activation and welcome emails
Understand and review the validation report
Include only users with email addresses matching your domain(s)
Prepare for DR with a standby instance
Understand attribute mappings and preferences, and how these will impact your Yammer Network
Document configuration for transition to BAU
Wrap up
Identity futures
Simplified login: Users can access Yammer from O365 without logging into Yammer
O365 navigation: Users can more easily move between Yammer and O365
Yammer Directory Sync replacement: Being looked at, but this is a long term item
Recommendations
1. Implement Yammer SSO and Directory Sync now
2. Go with SSO before Directory Sync*
3. Use a simple Directory Sync configuration
4. Merge to avoid operating multiple Yammer networks.
5. Follow the Yammer Release Schedule for identity updates
Documentation
Single Sign-On: http://success.yammer.com/integrations/single-sign-on/
Directory Sync: http://success.yammer.com/integrations/directory-sync/
#SPC14
Enterprise Social
Related Content
See you at the 2 Social booth & 3 Social tables at Asks the Experts WED @6:15!

| Session | Session code | Room | Time |
| --- | --- | --- | --- |
| A responsive organization stays ahead of the competition | SPC104 | Delphino 4001 | MON 2:00 |
| Trek Bikes: pedaling past complex collaboration problems in the enterprise | SPC386 | Delphino 4005 | MON 2:00 |
| Microsoft's vision and roadmap for Enterprise Social | SPC282 | Delphino 4005 | MON 3:45 |
| Microsoft: Our Enterprise Social Journey | SPC280 | Lido 3001 | MON 3:45 |
| Nationwide: Building a World-Renowned Intranet with SP 2013 & Yammer | SPC311 | Murano 3204 | TUE 9:00 |
| Real-world, best practices for making enterprise social successful | SPC239 | Delphino 4005 | TUE 9:00 |
| Make your SharePoint portal social in 1-2-3! | SCP378 | Palazzo M, N | TUE 9:00 |
| Overview of Yammer app development | SPC332 | Palazzo O, P | TUE 9:00 |
| Yammer External Networks: Engaging Customers and Partners | SPC248 | Murano 3204 | TUE 10:45 |
| Cargill: Real-world challenges and value in introducing enterprise social | SPC295 | Delphino 4001 | TUE 10:45 |
| Integrating Yammer and SharePoint using .NET | SPC380 | Palazzo O, P | TUE 1:45 |
| Work like a network: The power of Enterprise Social | SPC112 | Marcello 4401 | TUE 3:15 |
| Best practices for breaking down organizational barriers using Yammer | SPC264 | Delphino 4005 | TUE 3:15 |
| Overview of configuring Yammer SSO & Directory Sync | SPC368 | Titian 2201 | TUE 3:15 |
| Successful team collaboration with Yammer & SharePoint | SPC247 | Delphino 4005 | TUE 5:00 |
| Driving enterprise social from the bottom up | SPC266 | Delphino 4005 | WED 9:00 |
| Developing socially connected apps with Yammer, SharePoint and OpenGraph | SPC371 | Palazzo O, P | WED 9:00 |
| Giving voice to frontline workers via enterprise social | SPC263 | Delphino 4005 | WED 10:45 |
| Yammer mining - dig in and "listen" to what your big *social* data is saying | SPC3991 | Murano 3204 | WED 1:45 |
| How to become a Yammer Power User in 75 minutes | SPC275 | Delphino 4005 | WED 5:00 |
| Knowledge Management with SharePoint and Yammer | SPC246 | Delphino 4005 | THU 9:00 |
| Measuring Business Value with Yammer | SPC392 | Delphino 4005 | THU 10:30 |

#WorkLikeANetwork
Microsoft Enterprise Social Resources
Sites, Blogs & Twitter
Enterprise Social Customer Success - Yammer Success Center – EnterpriseSocial.com - The Responsive Org
Admin & IT - Developers - Yammer App Directory - Office Store - Yammer Ignite Blogs: Yammer Office 365 Twitter: @Yammer @Office365
Research/Whitepaper Gartner: Magic Quadrant for Social Software in the Workplace - Evolution of the networked enterprise:
McKinsey Global Survey results - Yammer’s 2013 Business Value Survey Results - The Rise Of Enterprise Social Networks
Press How Red Robin Transformed Its Business With Yammer -
How Teach for America gets the most out of Yammer on a shoestring budget - HK firm creates idea melting pot for 4,000 employees - LexisNexis found that employees who use Yammer are way happier - Switching to Yammer let this company slash helpdesk calls and save $1.5 million a year - How Microsoft got its own employees to use Yammer
Videos Move Faster Together Transform the Way You Work with Yammer
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.