Understanding SSO with Kerberos

When you implement single sign-on (SSO) with Kerberos, LDAP handles all the authorization and user synchronization, while Kerberos handles authentication.

Note: As of Jive 7, Kerberos will only be supported for on-premise installations of Jive. It will not be available for Jive-hosted communities.

Kerberos is an authentication protocol that is meant to be used in conjunction with an LDAP-enabled instance. LDAP handles all authorization and user synchronization, while Kerberos handles authentication. On Windows and Mac machines that are joined to an Active Directory domain, users can seamlessly log in to Jive without entering a username or password, or even seeing a login screen. Users who are not logged in to the domain on their computers will still see a standard login form. Because authentication uses a single token passed from the operating system, no redirect is required. The token is verified against the configured Key Distribution Center (KDC), and if it's valid, the user is logged in.

Communication with the KDC typically uses the standard service principal string and password. However, you can also specify a keytab and krb5.conf file.