User Without Email Single Sign On Implementation for Yammer


With Yammer we have the ability to configure Single Sign-On for our customers using Active Directory Federation Services (ADFS) or any other Identity Provider (IDP) that supports SAML 1.1 or SAML 2.0. However, some organisations have a mobile workforce who may not always have an email account but still provide valuable information and feedback to other parts of the business.

How is such a workforce connected while reducing the overall cost of an organisation's Active Directory (AD) infrastructure?

Some organisations with a high turnover of employees may not deem it fit to assign every member of their workforce an email account; this is where the Users Without Email (UWE) SSO integration comes in.

What is UWE integration and how does it work?

User Without Email configuration enables users to create accounts and log into a Yammer network via the organisation's ADFS without an email address being present in the user's Active Directory account.

This works by the customer allocating a unique AD attribute value to a user and sending it to Yammer in a claim.

Yammer then sends that value back in the form of a request to the customer's ADFS, which completes authentication based on that value for the user in AD and the user's credentials.

Note: This document is written for ADFS scenarios; other IDPs will require an expert in the product to assist with creating a custom claims rule based on the user's account in AD.

It is also worth noting that Azure AD doesn't support claims rules at the time of writing.

How do I enable this feature?

Log a support request to configure Single Sign-On for your organisation's Yammer network from the Yammer Support site. When filling in the SSO checklist documentation, indicate that there will be users without email addresses and mailboxes.

Yammer will then set the network flag to accept claims from the network where a non-email value has been sent.

AD FS Custom Claims Rules

To enable this feature, you are required to use custom claims rules, which use the claims rule language in ADFS.

Select ‘Send Claims Using a Custom Rule’

From the Yammer Issuance Transform Rule – Insert Rule 1

The rule above checks the user's AD account for an email address.
Rule 2 – No Email – This stipulates

Rule 3 – Send SamAccountName for Users without Email

The rule above, on confirming the conditions of Rule 2 to be 'True', then sends the attribute "SamAccountName" as a claim.
It must be noted that the attribute sent by a customer must be a value unlike an email address; this means that email addresses and UPNs may not be used or sent as claims.
This can be a screen login name, and it has to be a value completely unique to the user.

And the final rule is:
Rule 4 – LDAP Claims
This is the conventional rule for sending in email addresses, which has an outgoing claim value of SAML_SUBJECT.

When all configurations have been completed, you will test the configuration with a Yammer Engin

Below are the rules which can be copied and pasted into ADFS.

Yammer Transform Claims Rules

@RuleName = "Check for email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "No email"
NOT EXISTS([Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"])
 => add(Type = "http://emailCheck", Value = "NoEmail");

@RuleName = "Send samAccountName for users without email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 && [Type == "http://emailCheck", Value == "NoEmail"]
 => issue(store = "Active Directory", types = ("SAML_SUBJECT"), query = ";samAccountName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Send email to Yammer"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("SAML_SUBJECT"), query = ";mail;{0}", param = c.Value);
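The four rules only behave as described when they run in this order: Rule 1 uses add() so the looked-up email stays in the pipeline and is never sent, Rule 2's NOT EXISTS check therefore only makes sense after Rule 1, and Rules 3 and 4 each issue SAML_SUBJECT for exactly one of the two user populations. The following Python model of that pipeline is an added example, not ADFS code or Yammer's own; the directory contents, account names and the rule functions are constructed for illustration.

```python
"""Model of the Yammer 'Users Without Email' ADFS claims pipeline (constructed example)."""

EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
WINACCT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
EMAIL_CHECK = "http://emailCheck"

# Constructed sample directory (windowsaccountname -> AD attributes); not real data.
AD = {
    "CONTOSO\\jdoe":   {"samAccountName": "jdoe",   "mail": "jdoe@contoso.example"},
    "CONTOSO\\w12345": {"samAccountName": "w12345", "mail": None},  # mobile worker, no mailbox
}

def ad_lookup(attr, account):
    """Models an Active Directory attribute store query of the form ';attr;{0}'."""
    return AD.get(account, {}).get(attr)

# Each rule reads the incoming (pipeline) claims; add() appends to the pipeline,
# issue() appends to the outgoing set that would reach Yammer.
def rule1_check_for_email(incoming, outgoing):
    for typ, val in list(incoming):
        if typ == WINACCT and (mail := ad_lookup("mail", val)):
            incoming.append((EMAIL, mail))          # add(): pipeline only, never sent

def rule2_no_email(incoming, outgoing):
    if not any(t == EMAIL for t, _ in incoming):   # NOT EXISTS([Type == emailaddress])
        incoming.append((EMAIL_CHECK, "NoEmail"))

def rule3_samaccountname(incoming, outgoing):
    if (EMAIL_CHECK, "NoEmail") in incoming:
        for typ, val in incoming:
            if typ == WINACCT and (sam := ad_lookup("samAccountName", val)):
                outgoing.append(("SAML_SUBJECT", sam))   # issue(): non-email subject

def rule4_send_email(incoming, outgoing):
    for typ, val in incoming:
        if typ == WINACCT and (mail := ad_lookup("mail", val)):
            outgoing.append(("SAML_SUBJECT", mail))     # issue(): conventional LDAP rule

RULES_AS_DOCUMENTED = [rule1_check_for_email, rule2_no_email,
                       rule3_samaccountname, rule4_send_email]

def saml_subject(account, rules=RULES_AS_DOCUMENTED):
    """Return the SAML_SUBJECT values Yammer would receive for this Windows account."""
    incoming = [(WINACCT, account)]   # the claim presented by AD AUTHORITY
    outgoing = []
    for rule in rules:
        rule(incoming, outgoing)
    return [v for t, v in outgoing if t == "SAML_SUBJECT"]

if __name__ == "__main__":
    for acct in AD:
        print(acct, "->", saml_subject(acct))
```

Running Rule 2 before Rule 1 flags every user as NoEmail, so a mailbox user would receive two SAML_SUBJECT claims; the model lets you check that before touching the relying party trust.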

More Information:

Set up single sign-on in a Yammer network

About the writer

Esosa Igbinosun is member of the Yammer Support Escalation team.

Comments (1)

  1. Mark Ecclestone says:

    Hi, unrelated question: I have been trying to sign up for Yammer for about three weeks now, I have tried to sign up every day and have not received a confirmation e-mail. If someone could please help me out that would be great. Thanks
