Tuesday, December 2, 2014

Yammer SSO gotcha - ADFS certificate autorenewal

This is a fast publish post, it is subject to change. - 12/2/2014

My organization uses Active Directory Federation Services (ADFS) to enable federation with Office365, as well as some other services.  O365 started warning about the signing certificate's upcoming expiration a few weeks ago, and our investigation determined that the renewal is an automated process which O365 should handle gracefully.

Fast forward to last week, Thanksgiving (naturally), and Office365 is seeing our updated ADFS cert just fine.

Fast forward to Monday, and Yammer Single Sign-On is no longer working.  After doing some investigation with Yammer's DSYNC application (not SSO related, but it had some issues as well) and then looking at the Yammer configuration in ADFS, everything seemed happy.  I decided to dig into Yammer's support documentation, since I knew the ADFS certificate used for signing our SAML tokens was updated.

Per the Yammer SSO Implementation Guide, the certificate needs to be updated with Yammer Support manually. In this case, a Microsoft Premier case was needed to get this accomplished.  Provided we have advance knowledge that this is coming in the future, we could probably get away with a lower-cost change method going forward.

Yammer Support needs the new ADFS Token Signing certificate.  Open up the ADFS console, browse to Service > Certificates, and select the new Token-Signing certificate (highlighted below).


View this certificate, go to the Details tab, and click Copy to File...  This opens the Certificate Export Wizard.  Click Next > to get to the export format selection page of the wizard, then select DER encoded binary X.509 (.CER).

Pick a file path to save the exported certificate, then ZIP it and send it to Yammer Support.  (.CER files commonly get flagged as unsafe attachments in Outlook, hence the need to ZIP it.)

Once Yammer has the cert, have them verify the details.  They need the current ADFS Token-Signing certificate for your ADFS environment.  I mistakenly sent them the Token-Decrypting cert, thus exacerbating a production outage. :(
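The same export, done from PowerShell so the right certificate gets picked every time. This is an added example, not code from the original post or from Microsoft: it pulls the primary Token-Signing certificate (never the Token-Decrypting one), checks its thumbprint against the signing keys in the farm's published federation metadata, and writes the DER .cer plus a ZIP. It assumes the ADFS PowerShell module (Windows Server 2012 R2 or later), PowerShell 5 for Compress-Archive, and placeholder values for $FederationHost and $OutDir.

```powershell
# Added example (not from the original post). Export the ADFS primary Token-Signing
# certificate as DER (.cer) and zip it, cross-checking the thumbprint first.
# Assumptions: ADFS module present, PowerShell 5+, placeholders below replaced.
param(
    [string]$FederationHost = 'adfs.example.com',    # placeholder: your ADFS farm name
    [string]$OutDir         = 'C:\Temp\adfs-signing'  # placeholder: where to write files
)
Import-Module ADFS
$x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'

# Rollover settings tell you when the next automatic renewal will land.
$p = Get-AdfsProperties
Write-Host ("AutoCertificateRollover={0}  generate {1}d / promote {2}d before expiry" -f
    $p.AutoCertificateRollover, $p.CertificateGenerationThreshold, $p.CertificatePromotionThreshold)

# Only the *primary* Token-Signing certificate signs SAML tokens for relying parties.
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if (-not $primary) { throw 'No primary Token-Signing certificate found.' }
$cert = $primary.Certificate
Write-Host ("Token-Signing (primary): {0}  expires {1:u}" -f $cert.Thumbprint, $cert.NotAfter)

# Cross-check against the use="signing" keys in the published federation metadata;
# the Token-Decrypting cert appears there only under use="encryption".
$url = "https://$FederationHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$published = $md.SelectNodes("//md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns) |
    ForEach-Object {
        $bytes = [Convert]::FromBase64String($_.InnerText.Trim())
        (New-Object $x509 -ArgumentList (,$bytes)).Thumbprint
    } | Sort-Object -Unique
if ($published -notcontains $cert.Thumbprint) {
    throw "Primary Token-Signing thumbprint is not in $url; stale metadata or wrong farm."
}

# Export DER (public cert only, no private key) and zip it so the mail gateway keeps it.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$cerPath = Join-Path $OutDir ("TokenSigning-{0}.cer" -f $cert.Thumbprint)
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $der)
Compress-Archive -Path $cerPath -DestinationPath "$cerPath.zip" -Force
Write-Host "Wrote $cerPath and $cerPath.zip; confirm the thumbprint with Yammer Support before they apply it."
```

During a rollover window ADFS publishes both the old and new signing certificates in metadata, so the check passes for either; the thumbprint printed above is the one to read back to Yammer Support.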

The moral of the story:  ADFS uses a lot of certificates.  O365 will handle the autorenewal (gracefully in our case, your mileage may vary), but Yammer requires intervention and planning if you're using SSO.  I would guess the same goes for any third-party federation that uses SAML2 instead of native ADFS.