Yammer supports any SAML 2.0 compliant Identity Provider (IdP). These include ADF 2.0 & 3.0, Windows Azure AD, Shibboleth, OneLogin, PingFed, Okta etc. The first step to implementing Single Sign-On (SSO) with Yammer is to open a yammer SSO service request. You will be asked to provide your IdP metadata and token signing certificate so you may want to speed up the data collection phase by providing the required files as soon as you open the service request. In the case of ADFS IdP, the metadata can be downloaded from - https://your-server-URL/FederationMetadata/2007-06/FederationMetadata.xml and you may use this instruction to extract the token signing certificate. You should zip the token signing certificate before sending it to the Yammer support rep. because .cer files are quarantined by Microsoft IT.
Once you’ve provided the required files, Yammer support will create the connection and respond back with the Yammer Service Provider (SP) metadata. At this point, the connection is inactive and there will be no impact on users' experience. Download the metadata file and start the process of creating the relying party trust and claims rule as described below.
Add Relying Party Trust
- In ADFS Management Console, navigate to Trust Relationships ->Replying Party Trusts
- Right Click Relying Party Trusts and click Add Relying Party Trust
- Click Start
- Select "Import data about the relying party from a file", browse to the metadata file that was provided by Yammer Support and click Next.
- Add a Display name (and Notes if necessary) and click Next
- Multi-factor authentication is not required, click Next
- Permit all users to access this relying party, Next.
- Check the Edit Claim Rules box
Edit Claim Rules for Relying Party Trust
- In the Issuance Transform Rules tab, click Add Rule
- In the Select Rule Template, leave "Send LDAP Attributes as Claims" selected
- In the Configure Claim Rule page, enter Get attributes in the Claim rule name box
- In the Attribute store list, select Active Directory
- In the Mapping of LDAP attributes create the following mappings: E-mail-Addresses - SAML_SUBJECT
- Click Finish
Testing your Single Sign-On Connection