There’s a lot to think about when planning your Enterprise Yammer implementation. How will I get users into Yammer? How will users log in to Yammer? Which password will they use? How will users who leave my organization be handled in Yammer? What software do I really need to implement?
This post is all about Yammer DirSync and SSO. SSO in Yammer is a generalized term, as any SSO provider can be connected with Yammer. For purposes of this post, we will focus on AD FS, as that is Microsoft’s SSO software.
What is Yammer DirSync?
Directory Sync synchronizes your internal Active Directory with Yammer to automate the provisioning and de-provisioning of users:
- On a regular schedule, the DirSync utility will run a lightweight directory access protocol (LDAP) query against your AD DS that returns accounts that have been modified since the last successful sync.
- The utility then connects to your Yammer network via a Yammer service account and sends a payload of instructions to add, suspend, and update users according to the changes that occurred in your AD DS.
What is AD FS?
AD FS enables SSO and a host of other services, such as Web Service Interoperability, Federated Partner Management, and Claim Mapping. Please visit here for more info on AD FS.
What is Yammer SSO?
SSO lets you quickly and easily access Yammer in just one click from a single-sign-on portal (such as AD FS), where all your enterprise applications are already located. Yammer’s SSO server connects to your existing SAML-based SSO server (AD FS) to automatically log in your users based on authentication mechanisms.
What are the benefits of Yammer DirSync?
Directory Sync makes it easy to manage your users’ accounts through automation:
- DirSync will automatically invite users to your Yammer network when they are added to AD. Automatically inviting new employees to your Yammer network will improve the adoption of your Yammer network.
- DirSync will automatically update a user’s Yammer profile fields when an applicable attribute is updated in the user’s AD record. If a user chooses to change a Yammer profile field that was prepopulated from an AD attribute, future changes to that AD attribute will not override the user-specified profile field in Yammer.
- DirSync will automatically remove a user from your Yammer network when the user’s account is disabled in AD. A removed user’s Yammer account is suspended (i.e. they can no longer log in), but all of their old Yammer messages are retained. DirSync is designed to handle the case where AD records are disabled before they are finally deleted. If your AD business process is significantly different from this (e.g. if you delete users from AD without disabling them first), then see the Advanced Configuration Guide.
What profile fields can be populated in Yammer from AD?
- Given name
- Family name
- Job title
- Office location
- Telephone number
- Mobile phone
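The sync cycle and profile rules described above, sketched as an added example; this is not the DirSync utility's own code. It assumes the delta query filters on the AD `whenChanged` attribute, and the profile field names, record shapes and sample accounts are constructed for illustration.

```python
from datetime import datetime, timezone

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on a disabled AD account
# AD attribute -> profile field (the profile-side names are assumptions).
FIELD_MAP = {"givenName": "given_name", "sn": "family_name",
             "title": "job_title", "physicalDeliveryOfficeName": "office",
             "telephoneNumber": "phone", "mobile": "mobile"}

def delta_filter(last_sync):
    """LDAP filter for user objects modified since the last successful sync."""
    stamp = last_sync.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")
    return f"(&(objectCategory=person)(objectClass=user)(whenChanged>={stamp}))"

def plan_sync(changed, network):
    """Build (action, mail, fields) steps; network is a hypothetical user map."""
    plan = []
    for rec in changed:
        mail = rec["mail"].lower()
        known = network.get(mail)
        if rec["userAccountControl"] & ACCOUNTDISABLE:
            # Disabled in AD: suspend only, old messages are not touched.
            if known and known["state"] == "active":
                plan.append(("suspend", mail, {}))
            continue
        profile = {dst: rec[src] for src, dst in FIELD_MAP.items() if rec.get(src)}
        if known is None:
            plan.append(("add", mail, profile))
            continue
        # A field the user edited is never overwritten by a later AD change.
        changes = {k: v for k, v in profile.items()
                   if k not in known["user_edited"] and known["profile"].get(k) != v}
        if changes:
            plan.append(("update", mail, changes))
    return plan

# Constructed sample data (not real accounts).
LAST_SYNC = datetime(2014, 3, 1, 2, 0, tzinfo=timezone.utc)
CHANGED = [
    {"mail": "new.hire@example.com", "userAccountControl": 0x200,
     "givenName": "New", "sn": "Hire", "title": "Analyst"},
    {"mail": "pat.lee@example.com", "userAccountControl": 0x200,
     "title": "Director", "mobile": "555-0100"},
    {"mail": "left.co@example.com", "userAccountControl": 0x202},
]
NETWORK = {
    "pat.lee@example.com": {"state": "active", "user_edited": {"mobile"},
                            "profile": {"job_title": "Manager", "mobile": "555-0199"}},
    "left.co@example.com": {"state": "active", "user_edited": set(), "profile": {}},
}
```

Calling `plan_sync(CHANGED, NETWORK)` yields one add, one update that leaves the user-edited mobile number alone, and one suspend.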
What are the benefits of SSO?
- Users won’t need to remember unique Yammer login details, saving time and reducing the risk of phishing attacks
- SSO makes mobile access frictionless. After the first time, users on mobile devices will never have to re-enter their credentials.
- System Administrators only need to manage a single, centralized SAML server for authentication
It is a common misconception that DirSync or SSO alone can be used to secure or limit access to a Yammer network.
- DirSync should be used to auto de-provision the users and all their corresponding app authorizations.
- DirSync only suspends users that were deleted in AD, and only on a regular schedule; it is not real time, and users who still have access to their email can re-activate their accounts.
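Because suspension is scheduled rather than real time, it is worth reconciling AD against the Yammer user list between syncs. The check below is an added example, not part of DirSync or of Yammer's tooling; the export shape, the `activated_at` field and the sample accounts are hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def audit_deprovisioning(ad_disabled, yammer_users, now, sync_interval):
    """Classify accounts that are disabled in AD but still active in Yammer.

    ad_disabled:  mail -> time the account was disabled in AD
    yammer_users: mail -> {"state", "activated_at"} (hypothetical export shape)
    """
    findings = []
    for mail, disabled_at in sorted(ad_disabled.items()):
        user = yammer_users.get(mail)
        if user is None or user["state"] != "active":
            continue  # never joined, or already suspended
        if user["activated_at"] > disabled_at:
            reason = "reactivated-after-disable"  # re-activated after leaving AD
        elif now - disabled_at > sync_interval:
            reason = "sync-overdue"               # a sync run was missed or failed
        else:
            reason = "awaiting-next-sync"         # expected lag, not yet a fault
        findings.append((mail, reason))
    return findings

# Constructed sample data (not real accounts).
UTC = timezone.utc
NOW = datetime(2014, 3, 3, 9, 0, tzinfo=UTC)
SYNC_INTERVAL = timedelta(hours=24)  # assumed schedule for this example
JOINED = datetime(2013, 5, 1, tzinfo=UTC)
AD_DISABLED = {
    "a.gone@example.com": datetime(2014, 3, 3, 8, 30, tzinfo=UTC),
    "b.gone@example.com": datetime(2014, 3, 1, 17, 0, tzinfo=UTC),
    "c.gone@example.com": datetime(2014, 2, 20, 17, 0, tzinfo=UTC),
    "d.gone@example.com": datetime(2014, 2, 20, 17, 0, tzinfo=UTC),
}
YAMMER_USERS = {
    "a.gone@example.com": {"state": "active", "activated_at": JOINED},
    "b.gone@example.com": {"state": "active", "activated_at": JOINED},
    "c.gone@example.com": {"state": "active",
                           "activated_at": datetime(2014, 2, 25, tzinfo=UTC)},
    "d.gone@example.com": {"state": "suspended", "activated_at": JOINED},
}
```

Anything reported as `sync-overdue` or `reactivated-after-disable` needs a manual suspension and a look at why the scheduled run did not catch it.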
Do I need both DirSync and AD FS (SSO)?
YES! Every enterprise deployment of Yammer should include both DirSync and AD FS (SSO). If you want to gain all of the benefits of these automation utilities, you should absolutely implement both.
However, it is not a technical requirement of the Yammer network to implement one or both. You have the choice.
What if I can’t implement AD FS (SSO)?
SSO gives users a great experience. However, if you cannot implement SSO, Yammer out-of-the-box provides user management capabilities through the GUI:
- Individually invite local users and out-of-network guests to join the network or use bulk import to add users from a .csv file
- Deactivate users and choose to keep or delete their messages
- Block users from joining the network
- Delegate the ability to invite and manage users to others
- View the activity of individual users
The above features highlight Yammer’s built-in capabilities should you decide not to implement SSO.
What if I already implemented DirSync for Office 365?
DirSync for Office 365 is a separate utility and cannot be used for Yammer. A second DirSync server will be required specifically for Yammer. According to Microsoft’s Office 365 Roadmap, Single Identity for Yammer and Office 365 is in development.
Can I use my existing Office 365 AD FS infrastructure for Yammer?
Yes! If you already have AD FS implemented, that can be extended for SSO with Yammer.
While you do have a choice on whether to implement DirSync, AD FS (SSO) or both – Perficient highly recommends any organization that wishes to have an Enterprise deployment of Yammer to implement both options. If you have any questions or need help implementing DirSync or AD FS (SSO) for your Yammer network, please contact us at Perficient.