Managing Yammer SAML SSO Deprecation
Published: Nov 11, 2016   -   Updated: Feb 16, 2018

This article applies to admins of Okta org(s) that have the Yammer SAML single sign-on or Provisioning integration enabled.

The Yammer SAML SSO integration will stop working on December 1, 2016, when Microsoft deprecates the SSO service that this integration relies on as part of their migration of Yammer identity into Office 365 identity. If you take no mitigating action, the deprecation could mean that end users will have to revert to signing in to Yammer via username/password, which they may not know. To avoid this, we recommend that you migrate Yammer identities to Office 365 and then use Okta’s Office 365 integration for both SSO and provisioning. The rest of this article provides details on the deprecation and the exact migration steps for your scenario.

Microsoft might be able to provide your organization with an extension for this deadline. You must contact Microsoft directly to request and obtain such an extension. For more details, please see the bottom of Microsoft's Yammer SSO article.

Applicable Releases

The actions described in this article can be completed once code changes are shipped in Okta's Preview Release 2016.45 (week of 11/9) and Production Release 2016.45 (week of 11/16).

Microsoft References

We recommend reviewing the following Microsoft support articles for context on what is getting deprecated. Okta's recommendations are also based on these articles.

Scenarios

Your Okta org and IT environment could be in one of several scenarios, and the scenario dictates your options for managing the deprecation. See each applicable scenario and its corresponding steps:


1: I am using SWA for SSO to Yammer

If your org only uses SWA (aka password vault) to sign in to Yammer, then you will not be impacted by the deprecation, as SWA will continue to work. Note that you may still be impacted if you are using the Yammer Directory Sync (DSync) tool (see Scenario 6: I want to continue automated provisioning of Yammer users).


2: I am using Yammer with Yammer SAML SSO, but I am OK if it stops working

After December 1, 2016, the Yammer SAML SSO integration will stop working. If no mitigating action is taken, end users will have to revert to signing in to Yammer using their username/password, which they may not know. If you are fine with this result, then no action is needed.


3: I am using Yammer with Yammer SAML SSO and am already using Office 365 with WS-Federation SSO configured in Okta

If your org currently uses Yammer SAML SSO and also uses Okta's Office 365 integration with WS-Federation SSO configured, the following migration can be applied to enable an easy transition:

  1. Activate Yammer in Office 365 as per the Yammer Activation Guide if not already done. As per their FAQ, any users, data and content from a Yammer Basic network will be migrated to Yammer Enterprise as long as the same domain is activated in the Office 365 tenant and selected when activating.

  2. Ensure that all the domains associated with the Yammer network are verified in the Office 365 tenant (see Add a TXT or MX record for verification for more information).

  3. Ensure that all existing Yammer users have a corresponding Office 365 user with an appropriate license that includes Yammer (if your org previously used Yammer Directory Sync, this may require using AADConnect or Okta with Universal Sync to sync all of your users from AD to Azure Active Directory). As per Plan for Yammer SSO and DSync deprecation, users are mapped to an Office 365 user by using their primary email, proxy addresses and user principal name (UPN), in that order.

  4. Enable the OFFICE_365_ENABLE_ADMIN_CONSENT_FLOW Early Access (EA) feature flag for your org.

  5. In the org's Office 365 app instance:

    • The Office 365 Admin should perform the following steps to enable the Yammer Office 365 chiclet for users:

      • Enable the Yammer chiclet via the Office 365 Application > General Settings Tab, then select Display the following links:

      • Go to the Office 365 Application > Provisioning Tab and complete the Advanced API Access grant by Authenticating with Microsoft Office 365.

      • This will open up the Admin consent screen following login. Acknowledge consent by clicking Accept. This allows the Okta OAuth client to perform advanced provisioning and Yammer SSO using Office 365.

      • Perform an import via the Import tab to bring in any users from Office 365 that are currently not assigned to the app instance.

      • In Yammer, check Enforce Office 365 Identity in the Yammer dashboard (see Enforce Office 365 identity for Yammer users for more information) to force the SSO changeover to Office 365.

      • Inform users about the change.


4: I am using Yammer with Yammer SAML SSO and am already using Office 365 but without WS-Federation SSO configured in Okta

If your org currently uses Yammer SSO and also uses Office 365 but the WS-Federation SSO integration is not currently configured, then the migration is similar to the case where WS-Federation is configured except for an extra step to configure WS-Federation:

  1. Activate Yammer in Office 365 as per the Yammer Activation Guide if not already done. As per their FAQ, any users, data and content from a Yammer Basic network will be migrated to Yammer Enterprise as long as the same domain is activated in the Office 365 tenant and selected when activating.

  2. Ensure that all the domains associated with the Yammer network are verified in the Office 365 tenant (see Add a TXT or MX record for verification for more information).

  3. Ensure that all existing Yammer users have a corresponding Office 365 user with an appropriate license that includes Yammer (if your org previously used Yammer Directory Sync, this may require using AADConnect or Okta with Universal Sync to sync all of your users from AD to Azure Active Directory). As per Plan for Yammer SSO and DSync deprecation, users are mapped to an Office 365 user by using their primary email, proxy addresses and user principal name (UPN), in that order.

  4. Enable the OFFICE_365_ENABLE_ADMIN_CONSENT_FLOW EA feature flag for your org.

  5. Configure the Office 365 app instance to use WS-Federation via the Sign On tab.
  6. Follow the steps outlined in Scenario 3 to provide Admin Consent and enable Yammer for the Office 365 app instance.

  7. Perform an import via the Import tab to bring in any users from Office 365 that are currently not assigned to the app instance.

  8. In Yammer, check Enforce Office 365 Identity in the Yammer dashboard (see Enforce Office 365 identity for Yammer users for more information) to force the SSO changeover to Office 365.

  9. Inform users about the change.

Note: WS-Federation is an all-or-nothing solution. That is, if SSO is enabled for Yammer, then it will also be enabled for Office 365; it is not possible to have Yammer use SSO and Office 365 use SWA (or vice versa).


5: I am using Yammer with Yammer SAML SSO, but I do not have an Office 365 tenant

Due to the deprecation, a customer who wishes to continue to have SSO with Yammer will have to purchase an Office 365 tenant from Microsoft and then use Okta's O365 WS-Federation SSO integration. Previously it was possible to buy only Yammer Enterprise Standalone licenses. However, these are being discontinued by Microsoft, as per Microsoft to retire Yammer Enterprise stand-alone plan by January 2017. Instead, customers will be required to buy bundle licenses such as Business Essentials, E1, E3, etc.

This migration path is very similar to the scenario where you already have Office 365, with the following small changes:

  1. Purchase Office 365 licenses which include Yammer and set up the Office 365 tenant.

  2. Activate Yammer in Office 365 as per the Yammer Activation Guide if not already done. Per their FAQ, any users, data and content from a Yammer Basic network will be migrated to Yammer Enterprise as long as the same domain is activated in the Office 365 tenant and selected when activating.

  3. Ensure that all the domains associated with the Yammer network are verified in the Office 365 tenant (see Add a TXT or MX record for verification for more information).

  4. Ensure that all existing Yammer users have a corresponding Office 365 user with an appropriate license that includes Yammer (if your org previously used Yammer Directory Sync, this may require using AADConnect or Okta with Universal Sync to sync all of your users from AD to Azure Active Directory). As per Plan for Yammer SSO and DSync deprecation, users are mapped to an Office 365 user by using their primary email, proxy addresses and user principal name (UPN), in that order.

  5. Follow the steps outlined in Scenario 3 to provide Admin Consent and enable Yammer for the Office 365 app instance.

  6. Perform an import via the Import tab to bring in any users from Office 365 that are currently not assigned to the app instance.

  7. In Yammer, check Enforce Office 365 Identity in the Yammer dashboard (see Enforce Office 365 identity for Yammer users for more information) to force the SSO changeover to Office 365.

  8. Inform users about the change.
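
Scenarios 3, 4 and 5 each require that every Yammer user has a licensed Office 365 counterpart, matched by primary email, proxy addresses and UPN, in that order. The following added example (not Okta or Microsoft code) audits that before Enforce Office 365 Identity is checked. The record fields (`mail`, `proxy_addresses`, `upn`, `yammer_licensed`), the sample users, and the choice to flag multiple candidates as ambiguous are assumptions for illustration.

```python
# Added example: pre-enforcement audit. All field names and records are constructed.
O365_USERS = [  # constructed stand-in for an Office 365 user export
    {"upn": "alice@example.com", "mail": "alice@example.com",
     "proxy_addresses": ["SMTP:alice@example.com"], "yammer_licensed": True},
    {"upn": "bsmith@example.com", "mail": "bob.smith@example.com",
     "proxy_addresses": ["SMTP:bob.smith@example.com", "smtp:bob@example.com"],
     "yammer_licensed": True},
    {"upn": "carol@example.com", "mail": "carol@example.com",
     "proxy_addresses": [], "yammer_licensed": False},
    {"upn": "shared1@example.com", "mail": None,
     "proxy_addresses": ["smtp:team@example.com"], "yammer_licensed": True},
    {"upn": "shared2@example.com", "mail": None,
     "proxy_addresses": ["smtp:team@example.com"], "yammer_licensed": True},
]
YAMMER_EMAILS = ["alice@example.com", "Bob@example.com", "bsmith@example.com",
                 "carol@example.com", "team@example.com", "dave@example.com"]

def _norm(addr):
    """Lower-case and drop the SMTP:/smtp: prefix used in proxy address values."""
    addr = addr.strip().lower()
    return addr[5:] if addr.startswith("smtp:") else addr

def build_indexes(o365_users):
    """One lookup table per attribute, kept in the matching order the article gives."""
    by_mail, by_proxy, by_upn = {}, {}, {}
    for user in o365_users:
        if user.get("mail"):
            by_mail.setdefault(_norm(user["mail"]), []).append(user)
        for proxy in user.get("proxy_addresses", []):
            by_proxy.setdefault(_norm(proxy), []).append(user)
        by_upn.setdefault(_norm(user["upn"]), []).append(user)
    return [("primary_email", by_mail), ("proxy_address", by_proxy), ("upn", by_upn)]

def audit(yammer_emails, o365_users):
    """Return {yammer_email: (status, matched_on)} for every Yammer user."""
    indexes, report = build_indexes(o365_users), {}
    for email in yammer_emails:
        report[email] = ("unmatched", None)
        for attr, index in indexes:
            hits = index.get(_norm(email), [])
            if len(hits) > 1:        # more than one candidate: needs manual review
                report[email] = ("ambiguous", attr)
            elif hits:
                licensed = hits[0].get("yammer_licensed")
                report[email] = ("ok" if licensed else "unlicensed", attr)
            if hits:
                break                # first attribute that matches wins
    return report

if __name__ == "__main__":
    for email, (status, attr) in audit(YAMMER_EMAILS, O365_USERS).items():
        print(f"{email:22} {status:10} {attr or '-'}")
```

Any user reported as `unmatched`, `unlicensed` or `ambiguous` should be resolved before enforcement, since those accounts would otherwise lose access or need manual review of which Office 365 identity they map to.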


6: I want to continue automated provisioning of Yammer users

Along with Yammer SSO, Microsoft is also deprecating a tool called Directory Sync (DSync) that syncs users from Active Directory to Yammer. If you are using this tool, you can use the Office 365 integration for both SSO and Provisioning of Yammer users. Once you've enforced Office 365 identity for Yammer users, provisioning to an Office 365 user also updates the corresponding Yammer user.
