Configuring SSO with SAML

SAML configuration

Fastpath: Admin Console: People > Settings > Single Sign On > SAML

Understanding SSO with SAML

CAUTION:
Before you configure SSO, make sure you have a migration strategy for any existing Jive users. Implementing SSO without migrating your users to your new authentication provider will orphan existing user accounts, so users can't access their community content.
You can use the SAML settings dialog to set up single sign-on with a SAML identity provider, or to enable, disable, or adjust an existing SAML SSO configuration.
Note: Before you begin configuring SAML setup, please read Getting Ready to Implement SAML SSO.

Setting Up the IdP Connection

To begin setting up the connection between Jive and your identity provider, use the following steps:
  1. In the Metadata tab, type the metadata URL for your SAML provider and click Load. If you don't have a metadata URL, you can click Edit Metadata to paste in the XML containing the connection metadata. If there's a firewall between the Jive server and your IdP server, you'll have to use the cut-and-paste method. Note that this is the only time a connection between these two servers is required.
  2. Optionally, edit the metadata if it contains any non-conforming code and click Save Settings to load it.
  3. In the User Attribute Mapping tab, map the user attributes in the Jive profile to your IdP's attributes. For more information about this topic, see User Attribute Mapping. Note that importing or saving your metadata populates the General tab with a list of attributes from your IdP, so you can use it as a reference when you specify the attributes you want to map.
  4. If you want to assign users to groups by passing a special group attribute from your IdP to Jive, select Group Mapping Enabled.
  5. Click Save Settings.
  6. Click Download Jive SP Metadata at the top right of the SAML tab to download the Service Provider metadata you'll need to complete your IdP-side configuration.

User Attribute Mapping

User Attribute Mapping is used to identify fields in the Jive profile that you plan to populate from the IdP profile by synchronizing them on login. To map a field, specify the IdP attribute used to identify it in the text box and select the Federated check box. Any fields you don't map will be user-configurable in the Jive profile settings. (A field that you specify, but do not mark as federated, will be populated with the specified value but still configurable.) By default, Jive uses the NameID property as the key unique identifier for a user. You can select Override Subject NameID for Username and specify a different attribute if you want to use a different key identifier.

Group Mapping

You can assign users to security groups automatically by passing a special group attribute from the IdP to Jive. Select Group Mapping Enabled on the Advanced tab to enable this functionality and provide the group mapping attribute. The group mapping attribute will be used to get security group names from each assertion. If the corresponding groups with these names don't exist, they will be created when you synchronize, and users will be added to these groups. Note that SAML SSO does not support mixed group management. You can manage your permission groups either using the IdP or using permission groups created in Jive.
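
A pre-flight check for the attribute mapping and group mapping described above, as an added example (not Jive's own code): it reads a decoded assertion captured from a test login against your IdP and reports mapped attributes the IdP does not send, plus group names outside the set you expect Jive to create on synchronization. The sample assertion, the attribute names (mail, givenName, sn, memberOf) and the Jive field labels are constructed assumptions; signature validation is out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned, trimmed); attribute names are assumptions.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Engineering</saml:AttributeValue>
      <saml:AttributeValue>Community Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def read_assertion(xml_text):
    """Return (NameID, {attribute name: [values]}) from a decoded SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    # './/' also matches when the assertion is wrapped in a samlp:Response.
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return name_id, attrs


def review_mapping(xml_text, field_map, group_attr, expected_groups):
    """Compare what the IdP sends with the mapping you plan to enter in Jive."""
    name_id, attrs = read_assertion(xml_text)
    groups = [g for g in attrs.get(group_attr, []) if g]
    return {
        "name_id": name_id,  # default key identifier unless overridden
        # Mapped IdP attributes that this assertion does not carry.
        "missing": sorted(a for a in field_map.values() if a not in attrs),
        # Names outside the expected set; absent groups are created on sync.
        "unexpected_groups": sorted(set(groups) - set(expected_groups)),
        "groups": groups,
    }


if __name__ == "__main__":
    plan = {"Email": "mail", "First Name": "givenName", "Last Name": "sn"}
    print(review_mapping(SAMPLE_ASSERTION, plan, "memberOf", {"Engineering"}))
```

Run it against an assertion from a non-production test account before selecting Group Mapping Enabled, and treat any entry under unexpected_groups as something to resolve on the IdP side first.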