This article is only for on-premises miners that use a SAML server-side login plus an additional login from the browser. This is a more complex arrangement and not the preferred setup; most customers should see the following article instead: Migration to Azure (or Office) OAuth Authentication for Microsoft Viva Engage
The old Yammer logins used a Yammer app. However, as Microsoft progressed to Viva Engage, there has been increasing integration with Azure (or Microsoft Office). For this reason those Yammer apps need to migrate over to Entra ID (Azure) apps, which are then linked back to the Yammer app. Please follow the steps below and check the screen shots.
Register a Single-Tenant App on the Customer Side
The single tenant app does three jobs:
- Initial login on the server side via SAML.
- Secondary login by the web browser using SPA and PKCE.
- Login for the miner, and keeping a token refreshed for ongoing data mining.
This screen shot shows an example application registration. Three items are highlighted with the orange arrows.
The SWOOP URL will vary from customer to customer, but this article uses the URL https://example-test.swoopanalytics.com/ which is shown below. NOTE: this redirect URI is registered as an SPA (Single Page Application), and it must have the green tick with the comment "Your Redirect URI is eligible for the Authorization Code Flow with PKCE". The registration also uses a Web application redirect (screen shot further below) for the miner URL, which is https://miner-example-test.swoopanalytics.com/ in this example. The miner does not need to use a SWOOP Analytics domain; it can use the customer's domain or a private domain.
Implicit grant and hybrid flows are not needed. These can be left unticked.
Configure App ID URI for SAML
See screen shot below, the full ID in this example is as follows:
https://example-test.swoopanalytics.com/simplesaml/module.php/saml/sp/metadata.php/default-sp
Configure App Permissions
See screen shot below. The Yammer permission is what allows the app to access Viva Engage when a user logs in; it is a "delegated" permission, so it always needs a user account in order to operate. The "offline_access" permission is what allows the token to refresh for up to 90 days. This is how the data miner keeps collecting metadata.
App Secrets
A Secret is needed for the miner, but do not send any app secrets to SWOOP support.
Customers are responsible for setting the App ID and App Secret into the on-premises miner.
Information Required by SWOOP Support.
- Tenant ID for the customer tenant (will be used in the login URL).
- Application ID from the "Overview" blade in Azure Active Directory.
NOTE: server login using SAML and browser login using PKCE do NOT require any client secrets, but the miner does. Customers should have internal technical staff install secrets into the miner.
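To show concretely what the SPA/PKCE redirect URI above and the "no client secret" note mean, here is an added example (not SWOOP's or Microsoft's code) of the browser-side PKCE flow against the Microsoft identity platform v2.0 endpoint: it derives the S256 code challenge and builds the authorize request and token-exchange body. The tenant and client IDs are placeholders, and the Yammer scope string is an assumption; only the redirect URI and offline_access come from this article.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholders: the real values come from the "Overview" blade in the Azure portal.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
# SPA redirect URI from the article's example registration.
SPA_REDIRECT_URI = "https://example-test.swoopanalytics.com/"
# The delegated Yammer scope string is an assumption; offline_access is what
# lets the token be refreshed (see the permissions section).
SCOPES = ["https://api.yammer.com/user_impersonation", "offline_access"]
AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize"


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """High-entropy verifier (43 unreserved chars) that never leaves the browser."""
    return b64url_nopad(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str) -> str:
    """Authorization request the SPA redirects to; note there is no client secret."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": SPA_REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def token_request_body(verifier: str, auth_code: str) -> dict:
    """Code exchange: the verifier, not a secret, proves the same client started the flow."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": auth_code,
        "redirect_uri": SPA_REDIRECT_URI,
        "code_verifier": verifier,
    }
```

The redirect URI in the token request must match the SPA entry in the app registration exactly, which is why the green PKCE tick matters.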
First Login to Miner.
This is the login button on the data miner web page.
The consent form lists the permissions and offers "Consent on behalf of your organization". A Global Admin is needed to grant that consent.
The name of your app will show up on the consent form, this is just an example application.
After the login is complete, set the account in the miner and it will keep running data mining in the background.
Linkage of Yammer app ID to Entra App ID.
This part requires a Microsoft Support ticket: the old (existing) Yammer app must be linked to the newly created app above. If this linking has not been done, the following error will appear right after login to the Analytics Engine.
Access to XMLHttpRequest at 'https://api.yammer.com/api/v1/users/current.json' from origin 'https://example-test.swoopanalytics.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Once the apps are linked, CORS problems should go away. The Yammer App needs to use the same URL as the actual Analytics Engine page, because this becomes the allowed origin for requests. Since the Data Miner and the Analytics Engine are now on the same app, only one consent process is necessary.
References
How to Implement Authentication
https://learn.microsoft.com/en-us/rest/api/yammer/authentication-1
"Please provide details about your Azure Active Directory application and Yammer Application by creating a Microsoft Support ticket to request mapping of both those application IDs to solve for CORS permissions issues."
Microsoft quick-start application registration.
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
Microsoft "Native Mode" concepts and migration of Yammer sites.
https://learn.microsoft.com/en-us/yammer/configure-your-yammer-network/overview-native-mode