When integrating Facebook at Work into Azure you get two pre-built options from Microsoft:
- Single Sign On (using Azure AD)
- User Provisioning (using a pre-built Azure AD SCIM connector to Facebook)
Configure Single Sign On
Below is a short guide for setting up Single Sign On between Facebook and Azure AD:
- Create an Azure AD user (with email) email@example.com
- Create a Facebook user with username firstname.lastname@example.org
(make this user a global admin)
- Log on to Facebook at Work and Azure with your newly created users
(there will be a match check when setting up
- Log on to your Facebook at Work instance
- Community Center > Settings
- Note down information under SAML configuration
- Audience URL
- Recipient URL
- ACS URL
- Add Azure application: Facebook at Work
- Assign the Azure AD user email@example.com to the Facebook at Work app
- Setup SSO
- Sign on URL = Tenant URL for Facebook (https://yourcompany.facebook.com)
- Identifier = Audience URL (from above)
- Reply URL = ACS URL (from above)
- Certificate: create a new 3-year certificate
- Store the information from Azure
- Download the certificate file
- Note down the SAML SSO URL
- Note down the SAML Issuer URI
- Community > Settings
- SSO settings
- Change the logon setting to: SSO Only
- Expire setting: 3 weeks
- Certificate = open the downloaded certificate file and paste its text
- SAML URL = SAML SSO URL from Azure
- SAML Issuer URI = SAML Issuer URI from Azure
- Click "TEST SSO"
SSO should now work and be successful. Save the settings. Remember that all authentication must now go through Azure AD (Facebook at Work does not support multiple authentication providers at the moment).
- Add a notification email (for certificate errors)
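The three values that get pasted into the Facebook SSO settings (SAML SSO URL, SAML Issuer URI and the signing certificate) are all published in Azure AD's SAML federation metadata document, so they can be pulled out programmatically instead of transcribed by hand. The Python script below is an added example, not part of the original guide or of either vendor's tooling; the embedded metadata document is a constructed sample with a placeholder tenant ID and placeholder certificate bytes, and the function names are my own.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata documents (Azure AD federation metadata is one).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: the tenant ID and the certificate bytes are placeholders, not real values.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_CERT_B64 = base64.b64encode(b"not-a-real-certificate-" * 8).decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{SAMPLE_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}"
        Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def to_pem(b64: str) -> str:
    """Wrap the base64 DER from the metadata in the PEM armour a paste-the-text box expects."""
    body = "".join(b64.split())
    base64.b64decode(body, validate=True)  # fail loudly on mangled or truncated data
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def idp_settings(metadata_xml: str) -> dict:
    """Return the IdP-side values the Facebook SSO settings page asks for."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")

    # Prefer the HTTP-Redirect endpoint for the AuthnRequest; fall back to HTTP-POST.
    endpoints = {sso.get("Binding"): sso.get("Location")
                 for sso in idp.findall("md:SingleSignOnService", NS)}
    sso_url = endpoints.get(REDIRECT) or endpoints.get(POST)
    if not sso_url:
        raise ValueError("no usable SingleSignOnService endpoint")

    # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append(cert.text.strip())
    if not certs:
        raise ValueError("no signing certificate published")

    return {
        "saml_sso_url": sso_url,
        "saml_issuer_uri": root.get("entityID"),
        "certificate_pem": to_pem(certs[0]),
        # More than one signing cert means a rollover is in progress; the test SSO
        # will only pass with the one Azure is currently signing with.
        "signing_cert_count": len(certs),
    }


if __name__ == "__main__":
    for key, value in idp_settings(SAMPLE_METADATA).items():
        print(f"{key}:\n{value}")
```

In practice the input is the federation metadata downloaded from the Azure portal for the application (or fetched from the tenant's metadata URL); the `signing_cert_count` field is there because a second signing certificate appearing in the metadata is the usual sign that the certificate Facebook has on file is about to stop validating, which is exactly what the notification e-mail above is for.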
It's also easy to set up SCIM provisioning to Facebook.
- Log on to Facebook at Work
- Community > Settings
- Note down Access token
- Note down SCIM URL
- Note down Community ID
- Azure AD > Applications > Facebook at Work > Configure
- Setup provisioning
- User Security Token = Facebook Access token
- Facebook at Work Tenant URL = SCIM URL
- Test the connection
- Setup notification email (for errors on provisioning)
Username vs. E-mail address
Facebook, as a cloud service provider, expects (at the moment) that a user's logon name and e-mail address are the same. In a standard configuration Azure AD creates users from [UserPrincipalName] and expects these to work. You can set suppressEmail (not recommended, however, as the service uses e-mail to drive engagement and remind users to check posts in Facebook AtWork).
When new users are provisioned by Azure (using the SCIM integration), the service sends an invite e-mail to the newly provisioned user. This is to get the user onboarded and active on the Facebook AtWork social platform quickly.
Prevent e-mail invitations (and e-mail communication): Facebook at Work has a property suppressEmail that stops Facebook from sending e-mails to the user.
This can be configured using the Azure provisioning engine. The settings are changed under Azure > Applications > Facebook AtWork > Attributes > Provisioning:
To add suppressEmail, click "add attribute mapping", choose "suppressEmail" as the Facebook AtWork attribute, and then you have two options:
- Suppress all e-mail communication for all users (using Constant = true)
- Suppress e-mail communication only for users without an e-mail address (no mail attribute in Azure AD), and allow it for users with mail
This checks the mail attribute on the users in Azure AD: if it is present, suppressEmail is set to "false", and if it is blank, suppressEmail is set to "true". My little piece of magic!
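To make the provisioning section and the suppressEmail mapping concrete, the Python script below models what the Azure provisioning engine does with the mapping for a handful of Azure AD users: it builds the SCIM user object for each, computes suppressEmail with either the Constant option or the mail-attribute expression (the IIF(IsPresent([mail]), "false", "true") logic described above), and flags users whose mail differs from their UPN, the mismatch the Username vs. E-mail section warns about. This is an added example and not the connector's own code; the three user records are constructed sample data, and the extension URN under which suppressEmail is placed is a placeholder, since the guide does not say where Facebook's SCIM schema carries that attribute.

```python
import json

# Azure AD user records as the provisioning engine would read them (constructed sample data).
AZURE_USERS = [
    {"objectId": "u1", "userPrincipalName": "email@example.com",
     "mail": "email@example.com", "displayName": "Example User", "accountEnabled": True},
    {"objectId": "u2", "userPrincipalName": "svc.kiosk@example.com",
     "mail": None, "displayName": "Kiosk Account", "accountEnabled": True},
    {"objectId": "u3", "userPrincipalName": "jane@example.com",
     "mail": "jane.doe@example.org", "displayName": "Jane Doe", "accountEnabled": False},
]

SCIM_CORE = "urn:scim:schemas:core:1.0"
# Placeholder URN: the guide does not say where Facebook's schema places suppressEmail.
FB_EXT = "urn:example:facebook:extension"


def is_present(value) -> bool:
    """Same semantics as the provisioning engine's IsPresent(): set and not blank."""
    return value is not None and str(value).strip() != ""


def suppress_email(user: dict, mode: str) -> str:
    """The two mapping options from the guide.

    'constant'   -> Constant = true for everyone (no mail at all)
    'expression' -> IIF(IsPresent([mail]), "false", "true")
    """
    if mode == "constant":
        return "true"
    if mode == "expression":
        return "false" if is_present(user.get("mail")) else "true"
    raise ValueError(f"unknown mapping mode {mode!r}")


def build_scim_user(user: dict, mode: str = "expression") -> dict:
    """Map one Azure AD user to the SCIM object the connector would POST/PUT."""
    payload = {
        "schemas": [SCIM_CORE, FB_EXT],
        "externalId": user["objectId"],
        # Standard mapping: userName comes from userPrincipalName.
        "userName": user["userPrincipalName"],
        "displayName": user["displayName"],
        # A disabled Azure AD account is provisioned as an inactive Facebook user.
        "active": bool(user["accountEnabled"]),
        FB_EXT: {"suppressEmail": suppress_email(user, mode)},
    }
    if is_present(user.get("mail")):
        payload["emails"] = [{"value": user["mail"], "primary": True}]
    return payload


def mapping_warnings(user: dict) -> list:
    """Flag the case the guide warns about: Facebook expects logon name == e-mail address."""
    mail = user.get("mail")
    if is_present(mail) and mail.lower() != user["userPrincipalName"].lower():
        return [f"{user['userPrincipalName']}: userName differs from mail {mail}"]
    return []


def provision(users, mode: str = "expression"):
    """Return the SCIM payloads for all users plus any mismatch warnings."""
    payloads = [build_scim_user(u, mode) for u in users]
    warnings = [w for u in users for w in mapping_warnings(u)]
    return payloads, warnings


if __name__ == "__main__":
    payloads, warnings = provision(AZURE_USERS)
    print(json.dumps(payloads, indent=2))
    for warning in warnings:
        print("WARNING:", warning)
```

Running it with the expression mode shows the second user (no mail attribute) getting suppressEmail "true" while the others get "false", and the third user produces a warning because her Facebook logon name would be the UPN while her e-mail lives on a different domain, the situation in which Facebook's logon-name-equals-e-mail expectation breaks down.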