Getting Ready to Implement SAML SSO

Before you begin configuring a SAML SSO implementation, make sure you read about the requirements and best practices.

A successful SAML implementation requires the following prerequisites.

An identity provider that complies with the SAML 2.0 standard. For more information, see SAML Identity Providers. You should make sure you have expert knowledge of how to configure your identity provider before proceeding.
Familiarity with the SAML 2.0 specification. Before you begin the process of configuring Jive as a SAML 2.0 service provider to your IdP, you need to understand the details of how SAML works or else enlist the assistance of a SAML professional. The links that follow can supply some of this information.
- Oasis SAML Technical Overview (.pdf)
- Wikipedia entry on SAML 2.0

SSL Implementation

It is theoretically possible to implement SSO without SSL, but this raises some difficult security challenges. You should implement SSL, and you'll find it much easier to set up SSO if your jiveURL uses https, not http.

Disable Storage Provider File System Caching

Before you begin setting up SAML, go to System > Settings > Storage Providerand click Edit. Then select No under Cache Enabled. You won't be able to modify your IdP metadata unless caching is disabled.

LDAP Integration

If you're going to use LDAP in conjunction with SAML, we recommend using SAML for authentication only, while using LDAP for user provisioning, user deprovisioning, and profile synchronization. LDAP setup can be a lengthy process including VPN setup and testing, so allow time for this setup process if you're implementing LDAP as part of your SSO implementation.

Migrating Existing Jive Users

Before you implement SAML, make sure you have a migration strategy for any existing Jive users. Implementing SSO without migrating your users to your new authentication provider will orphan existing user accounts, so users can't access their community content. If you use LDAP sync, CSV sync, or web services to auto-provision users, you can use Username Identity to look up existing users by username. If you don't, you can manually create users in the new jiveexternalidentity table. Please contact Support for help if you're planning to use this approach.

If you use Username Identity, you need to make sure your existing users are marked as federated users. Jive Support can help you with this step.

Required Information

Before you begin the configuration process, you must have the following information available:

The IdP metadata (URL location or file content). Specifying a URL usually makes updates easier. Your metadata needs to include the following information:
- The IdP entity ID
- The IdP KeyInfo element
- The IdP Location that defines your endpoints
If you can't verify that this information is included, talk to your IdP administrator.
Note: To integrate Jive with SAML, you need the complete metadata file, not just the information described above.
The friendly attribute names sent with each SAML assertion.

Planning for Jive User Provisioning and Profile Synchronization

When you implement SAML, you need to decide on a strategy for which members of your organization will be included in the Jive Community, and with what rights. For example, you'll need to decide whether all your organization's users should be able to create accounts in the Jive community, and whether you will assign them to authorization groups. If you're primarily responsible for the technical implementation of this feature, make sure you discuss these decisions with your Community Administrator.