
Yammer SSO Implementation Guide

Contents
Overview
Prerequisites
Identity provider configuration
Implementing SSO
Certificate updates
Yammer service provider information

Overview
Single Sign-On (SSO) enables your users to log into Yammer with the same credentials used for other
federated applications within your environment. To set up SSO, sometimes referred to as federation, you
need to provide various pieces of information to Microsoft in order to enable this for your Yammer
network.

Enabling SSO changes the authentication process for Yammer. When users attempt to authenticate at
yammer.com they will be redirected to your identity provider. This is a server, or service, that you use to
handle authentication. Upon successful authentication, users will then be redirected back to
yammer.com and signed in.

NOTE It is your responsibility to select and operate an identity provider product. If this product is not
operating correctly then users will be unable to access Yammer, or have a poor experience. We strongly
recommend reviewing the FAQs and following the communications guide to ensure a successful rollout.
Problems with your identity provider should be directed to support channels for that product.

Prerequisites
• An identity provider that uses the SAML 1.1 or 2.0 protocols. A product supporting SAML 2.0 is
  strongly recommended.
• An endpoint URI that is externally accessible. An endpoint URI accessible only from a corporate
  network or VPN can impact mobile users.
• An engineer who is familiar with configuring your identity provider product.
• A plan for managing signing and encryption certificates which expire on a regular basis.

Identity provider configuration


Yammer uses the primary email address as the identifier for users. This means that your identity
provider must send a value in the format domain@company.com. The domain must match the domain
used by your Yammer network. If you send a value with a domain that is not associated with your
Yammer network then access will be denied for the user.

In most cases your identity provider should be configured to send the primary email address of the user
in the subject field of the SAML assertion. The formatting of the field name is case sensitive, so please
ensure that it is SAML_SUBJECT. Any other fields and values will be ignored.
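
A pre-flight check for the requirements above, as an added example that is not part of the original guide and is not Microsoft's own validation: it parses a SAML 2.0 assertion captured from your identity provider during testing and confirms that the subject is an email address in your network's domain and that audience and recipient match the Entity ID and Endpoint URI listed under Yammer service provider information. The sample assertion, the company.com domain and the function name are constructed, and the signature is not checked.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "yammer.com"                          # Entity ID from this guide
SP_ACS_URL = "https://saml.yammer.com/sp/ACS.saml2"  # Endpoint URI from this guide

# Constructed, unsigned SAML 2.0 assertion used only as sample input.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.company.example/constructed</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@company.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://saml.yammer.com/sp/ACS.saml2"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>yammer.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""

def check_assertion(xml_text, network_domain):
    """Return a list of problems; an empty list means the fields match the SP settings."""
    # Parse only assertions captured from your own IdP; use defusedxml for untrusted XML.
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    local, sep, domain = name_id.rpartition("@")
    if not (local and sep and domain):
        problems.append("subject is not an email address: %r" % name_id)
    elif domain.lower() != network_domain.lower().lstrip("@"):
        problems.append("subject domain %r does not match the network domain" % domain)
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if SP_ENTITY_ID not in audiences:
        problems.append("audience does not include %s" % SP_ENTITY_ID)
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if SP_ACS_URL not in recipients:
        problems.append("recipient is not %s" % SP_ACS_URL)
    return problems

if __name__ == "__main__":
    for line in check_assertion(SAMPLE_ASSERTION, "company.com") or ["assertion fields look correct"]:
        print(line)
```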

Please see the FAQs if you plan on enabling the “users without email addresses” feature. The FAQs
include other important information that administrators should review.
Implementing SSO
Implementing SSO is a multi-step process that requires your input. This document and the supporting
FAQs provide detail on the requirements so that the process can be as straightforward as possible.

When submitting a support case you should note that SSO is not a “break/fix” case and will be prioritized
along with other cases that engineers are handling. Please ensure that you leave adequate time for
configuration and testing (2-3 weeks is recommended.)

1. Customer: Open a new support case for SSO configuration.
2. Customer: Creates a new service provider connection (relying party trust) in Identity Provider.
3. Customer: Export the connection metadata (preferred), or provide the following to the support engineer:
   • Entity ID
   • Endpoint URI
   • Public certificate
   • SAML version (SAML 2.0 preferred)
4. Microsoft Support: Creates Identity Provider (IdP) connection using metadata or settings.
5. Microsoft Support: Exports service provider metadata for customer.
6. Customer: Imports service provider metadata file, or inputs settings (below) to complete SSO setup.
7. Customer: Emails support engineer with a range of dates for testing SSO, and sends communications to users.
8. Microsoft Support: Activates SSO for testing, and in most cases deactivates following testing in preparation for rollout.
9. Customer: Emails support engineer with a suggested “go live” date.
   Microsoft Support: Support engineer confirms “go live” date.
   Microsoft Support: Support engineer enables SSO at the arranged “go live” date.

Certificate updates
Certificate updates require a support case to be opened and can take time to process. The support
engineer can configure the new certificate as a secondary certificate, avoiding the need for downtime. In
the case you should include the following:

• A certificate file with the new public signing or encryption key(s).
• The domain of the Yammer network being upgraded. E.g. @company.com.

Yammer service provider information
Many identity providers allow you to import the metadata file provided by the Microsoft support
engineer. If this is not possible then you should use the values below.

Setting              Value
Entity ID            yammer.com
IdP-Initiated SSO    True
SP-Initiated SSO     True
Endpoint URI         https://saml.yammer.com/sp/ACS.saml2
Allowable Bindings   POST
