General SAML Integration Settings

The following settings on the General tab are used in a typical SSO configuration.

Debug Mode
Enable to provide detailed logging for troubleshooting authentication problems. You need to enable this setting during setup and validation, but turn it off in production.
SSO Service Binding
Defines whether Jive should send the request to the IDP with an HTTP GET Redirect or a POST. The default service binding is HTTP-Redirect, but the most common value is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST. (Make sure that the Location binding is in the IDP metadata.) POST is preferred because older versions of Internet Explorer and some firewalls have restrictions on the length of the HTTP path.
Note: If you're configuring ADFS, keep in mind that using POST can cause problems for users on Safari.
Username Identity
When Username Identity is enabled, existing users that have been marked as federated, which also have a matching username or email address, will be mapped to the External ID the first time they log in. You should select this checkbox if you use LDAP sync, CSV sync, or web services to auto-provision users, or if you already have existing users in the instance who will be using SAML from now on. For more information about using this setting when you have existing Jive users, see Migrating Existing Users.
Logout URL

By default, /sso/logged-out.jspa is a page that doesn't require authentication. If guest access is disabled, users need to land on a non-authentication-requiring page. (Otherwise they'd be automatically logged in again.) If guest access is enabled, you can also set this value to /. Another option is to set it to the IDP logout URL, so that the user is logged out of both Jive and the IDP. We do not support the SAML SingleLogout (SLO) protocol.

Changing this setting requires you to restart the Jive server.

Sync user profile on login
Enable this setting to update users based on the remote user profile each time they log in. This setting is enabled by default and should not be disabled unless you seeded the Jive community with users before enabling SSO.
Maximum Authentication Age
Identifies the maximum session time (in seconds) that's set for the IdP. The default setting is 28800 seconds, or 8 hours. However, to avoid login failures, you need to set this to match the maximum session set on the IdP. (Some IdPs are set to expire sessions less often.)
Response Skew
Specifies the maximum permitted time between the timestamps in the SAML Response and the clock on the Jive instance. The default value is 120 seconds. If there is a significant amount of clock drift between the IDP and Jive, you can increase this value. The same value is also used for the skew in the NotBefore check in the response. If you see an error indicating a problem with the NotBefore check and you aren't able to fix the clock difference problem, you can try increasing this value. However, increasing the response skew value can increase your security risk.
Sign Assertions
This option is enabled by default, and it allows AuthnResponse validation to pass if either the Response or the Assertions within the Response are signed. Clearing the checkbox enforces that the Response must be signed. Most IDPs sign the Assertions section in the AuthnResponse. If you use SFDC, however, you should clear this checkbox, because SFDC only signs the entire Response.
Request Signed
This setting determines whether the saml request is signed or not. Enabling this setting can increase security, but it's incompatible with some IdPs. This setting is disabled by default.
Include Scoping
This check box is selected by default. If you use ADFS, you should clear it.
Proxy Count
This setting specifies the maximum number of proxies any request can go through in the request to the IdP. The default value is 2. If your IdP needs more than 2 proxy redirects, adjust this value upward.