You can add 3rd party applications like Yammer, Twitter, Skype, etc to be enabled for Single Sign-On using WAAD integrated through your on-premises Active Directory. Users can access these applications through the new Azure Access Panel.
Windows Azure AD supports two different modes for signing onto 3rd party applications:
- Federation using standard protocols
- Password-based single sign-on
Federation-based single sign-on
In this release of WAAD, the following applications support Federation-based SSO:
Office 365 Exchange Online and SharePoint Online
Password-based single sign-on
Configuring password-based single sign-on enables the users in your organization to be automatically signed in to a third-party SaaS application by Windows Azure AD using the user account information from the third-party SaaS application. When you enable this feature, Windows Azure AD collects and securely stores the user account information and the related password.
Password-based SSO relies on a browser extension to securely retrieve the application and user specific information from Windows Azure AD and apply it to the service. Most third-party SaaS applications that are supported by Windows Azure AD support this feature.
For password-based SSO, the end user’s browsers can be:
- IE 8, IE9 and IE10 on Windows 7 or later
- Chrome on Windows 7 or later or MacOS X or later
Testing out Yammer with Password-based single sign-on
To try it out, I am going to add Yammer to the Active Directory applications. In this release of WAAD, Yammer only supports ‘Password-based single sign-on’ and not Federation-based SSO.
Note: If you already have ADFS on-premise, that is the recommended SSO integration for Yammer, as that is a better end-user experience than Password-based SSO. For information on configuring Yammer with your on-premise ADFS, see the Yammer SSO Implementation guide here: http://success.yammer.com/wp-content/uploads/2012/06/SSO-Implementation-Guide.pdf
The first step is to add Yammer to my Applications. So within Azure, click on the Active Directory icon from the left navigation pane
Then click on the Directory that you just added.
Then click on the Applications tab
Then click Add
Select ‘Add an application for my organization to use’
Click on the Social Category and select Yammer
After adding Yammer, the next step is to assign which users will be assigned this application for SSO on their Access Panel.
As of this writing I am not aware of any powershell cmdlets for automating the assignment of users to applications. I checked the WAAD Powershell reference, which is where I would have expected to find those commands.
After highlighting a user(s) click the Assign button at the bottom of the screen
You will be prompted with an option of entering their Yammer credentials on their behalf. Otherwise the user will have the option of entering their password themselves later.
Note: The Access Panel is a web-based portal that allows an end user with an organizational account in Windows Azure Active Directory to view and launch cloud-based applications to which they have been granted access by the Windows Azure AD administrator. For more information about the Access Panel see http://technet.microsoft.com/en-us/library/dn308586.aspx
During the preview period for Access Panel, the following URL must be distributed to all users who will be signing into applications integrated with Windows Azure AD.
For example, for my user account, I have access to Exchange Online, SharePoint Online and Yammer. Therefore I see all three applications on my Access Panel.
I can then click on the settings icon in the bottom-right of Yammer to configure my current Yammer username and password.
When clicking Update Credentials I am then prompted to install some software.
This will prompt the user to download ‘Access Panel Extension.msi’ (1.53MB)
You are then brought to a Post Installation screen to insure you enable the add-on when prompted.
In my case, running Internet Explorer 11 on Windows 8.1, I had to manually enable the Add-on.
Now when I go back to step 1 to store my Yammer credentials, it allows me to do so.
Now when I click on the Yammer Icon, I am brought right into Yammer with no prompts.
Note: If a user’s credentials change in a Password-based single sign-on application like Yammer, the user must update their credentials in the lower-right of the application tile, and select “update credentials” to re-enter the username and password for that application.
In my next post, I will configure Federation-based single sign-on with Google-Apps.