Configuring Windows Azure Active Directory for 3rd Party Single Sign-On

You can add 3rd party applications like Yammer, Twitter, Skype, etc to be enabled for Single Sign-On using WAAD integrated through your on-premises Active Directory. Users can access these applications through the new Azure Access Panel.

Windows Azure AD supports two different modes for signing onto 3rd party applications:

  • Federation using standard protocols
  • Password-based single sign-on

Federation-based single sign-on

Configuring Federation-based single sign-on enables the users in your organization to be automatically signed in to a third-party SaaS application by Windows Azure AD using the user account information from Windows Azure AD. In this scenario, when you have already been logged into Windows Azure AD, and you want to access resources that are controlled by a third-party SaaS application, federation eliminates the need for a user to be re-authenticated. Federated SSO is available for end user browsers which support JavaScript and CSS.

In this release of WAAD, the following applications support Federation-based SSO:

Box

Citrix GoToMeeting

Google Apps

Salesforce

Workday

Office 365 Exchange Online and SharePoint Online

Password-based single sign-on

Configuring password-based single sign-on enables the users in your organization to be automatically signed in to a third-party SaaS application by Windows Azure AD using the user account information from the third-party SaaS application. When you enable this feature, Windows Azure AD collects and securely stores the user account information and the related password.

Password-based SSO relies on a browser extension to securely retrieve the application and user specific information from Windows Azure AD and apply it to the service. Most third-party SaaS applications that are supported by Windows Azure AD support this feature.

For password-based SSO, the end user’s browsers can be:

  • IE 8, IE9 and IE10 on Windows 7 or later
  • Chrome on Windows 7 or later or MacOS X or later

  

Testing out Yammer with Password-based single sign-on

To try it out, I am going to add Yammer to the Active Directory applications. In this release of WAAD, Yammer only supports ‘Password-based single sign-on’ and not Federation-based SSO.


Note: If you already have ADFS on-premise, that is the recommended SSO integration for Yammer, as that is a better end-user experience than Password-based SSO. For information on configuring Yammer with your on-premise ADFS, see the Yammer SSO Implementation guide here: http://success.yammer.com/wp-content/uploads/2012/06/SSO-Implementation-Guide.pdf 

  

The first step is to add Yammer to my Applications. So within Azure, click on the Active Directory icon from the left navigation pane

Then click on the Directory that you just added.

Then click on the Applications tab

Then click Add

Select ‘Add an application for my organization to use’

Click on the Social Category and select Yammer

After adding Yammer, the next step is to assign which users will be assigned this application for SSO on their Access Panel.

As of this writing I am not aware of any powershell cmdlets for automating the assignment of users to applications. I checked the WAAD Powershell reference, which is where I would have expected to find those commands. Please email me at Joe.Stocker AT CatapultSystems.com if you are aware of cmdlets to manage this and I will update this post. thanks!

http://technet.microsoft.com/en-us/library/jj151815.aspx#BKMK_sso 

  

After highlighting a user(s) click the Assign button at the bottom of the screen

You will be prompted with an option of entering their Yammer credentials on their behalf. Otherwise the user will have the option of entering their password themselves later.

Note: The Access Panel is a web-based portal that allows an end user with an organizational account in Windows Azure Active Directory to view and launch cloud-based applications to which they have been granted access by the Windows Azure AD administrator. For more information about the Access Panel see http://technet.microsoft.com/en-us/library/dn308586.aspx

During the preview period for Access Panel, the following URL must be distributed to all users who will be signing into applications integrated with Windows Azure AD.

https://account.activedirectory.windowsazure.com/applications

For example, for my user account, I have access to Exchange Online, SharePoint Online and Yammer. Therefore I see all three applications on my Access Panel.

I can then click on the settings icon in the bottom-right of Yammer to configure my current Yammer username and password.

When clicking Update Credentials I am then prompted to install some software.

This will prompt the user to download ‘Access Panel Extension.msi’ (1.53MB)

You are then brought to a Post Installation screen to insure you enable the add-on when prompted.

In my case, running Internet Explorer 11 on Windows 8.1, I had to manually enable the Add-on.

Now when I go back to step 1 to store my Yammer credentials, it allows me to do so.

Now when I click on the Yammer Icon, I am brought right into Yammer with no prompts.

  

Note: If a user’s credentials change in a Password-based single sign-on application like Yammer, the user must update their credentials in the lower-right of the application tile, and select “update credentials” to re-enter the username and password for that application.

Leave a Reply