Configuring SSO with SAML

CAUTION:
Before you configure SSO, make sure you have a migration strategy for any existing Jive users. Implementing SSO without migrating your users to your new authentication provider will orphan existing user accounts, so users can't access their community content.
You can use the SAML settings dialog to set up single sign-on with a SAML identity provider (IdP), or to enable, disable, or adjust an existing SAML SSO configuration.
Note: Before you begin configuring SAML setup, please read Getting Ready to Implement SAML SSO.

Setting Up the IdP Connection

To begin setting up the connection between Jive and your identity provider, use the following steps:
  1. Enter the metadata URL for your SAML provider and click Load. (If you don't have a metadata URL, you can click Edit Metadata to paste in the XML containing the connection metadata.)
  2. Optionally, edit the metadata if it contains any non-conforming code and click Save Settings to load it.
  3. Map the user attributes in the Jive profile to your IdP's attributes. For more information about this topic, see User Attribute Mapping. Note that importing or saving your metadata populates the General tab with a list of attributes from your IdP, so you can use it as a reference when you specify the attributes you want to map.
  4. If you want to assign users to groups by passing a special group attribute from your IdP to Jive, select Group Mapping Enabled.
  5. Click Save Settings.
  6. Go to your Jive instance URL and append /saml/metadata to the end. The browser will display the required SP metadata for configuring your IdP. Use this information to complete the configuration on your end.

User Attribute Mapping

User Attribute Mapping is used to identify fields in the Jive profile that you plan to populate from the IdP profile by synchronizing them on login. To map a field, specify the IdP attribute used to identify it in the text box and select the Federated check box. Any fields you don't map will be user-configurable in the Jive profile settings. (A field that you specify, but do not mark as federated, will be populated with the specified value but still configurable.) By default, Jive uses the NameID property as the key unique identifier for a user. You can select Override Subject NameID for Username and specify a different attribute if you want to use a different key identifier.

Group Mapping

You can assign users to security groups automatically by passing a special group attribute from the IdP to Jive. Select Group Mapping Enabled to enable this functionality and provide the group mapping attribute. The group mapping attribute will be used to get security group names from each assertion. If the corresponding groups with these names don't exist, they will be created when you synchronize, and users will be added to these groups.
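
The mapping described under User Attribute Mapping and Group Mapping can be checked against a test assertion from your IdP before you save the settings. The following Python code is an added example, not Jive code: it reads a constructed, unsigned sample assertion and reports the username key, the mapped profile values, the group names that would be passed, and any mapped attribute the IdP did not send. The attribute names (mail, givenName, sn, uid, memberOf) and the profile field names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned, trimmed). Attribute names are assumptions.
# This inspects content only; it does not verify signatures or conditions.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>engineering</saml:AttributeValue>
      <saml:AttributeValue> </saml:AttributeValue>
      <saml:AttributeValue>security-reviewers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_mapping(assertion_xml, field_map, group_attr=None, username_attr=None):
    """Report what a mapping would pull from one assertion, and what is missing.

    field_map: profile field -> IdP attribute name (hypothetical names).
    username_attr: attribute used instead of NameID when the override is selected.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]  # drop blank values
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    key = (attrs.get(username_attr) or [""])[0] if username_attr else name_id
    profile = {f: attrs[a][0] for f, a in field_map.items() if attrs.get(a)}
    missing = sorted(a for a in field_map.values() if not attrs.get(a))
    if not key:
        missing.append(username_attr or "NameID")  # no usable unique identifier
    groups = attrs.get(group_attr, []) if group_attr else []
    return {"username": key, "profile": profile, "groups": groups, "missing": missing}
```

Review the returned groups list with care: as described above, any name in it that does not match an existing security group results in a new group being created on synchronization.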

Advanced Settings

The following settings on the Advanced tab control some less commonly used SSO options.
Debug Mode
Enable to provide detailed logging for troubleshooting authentication problems. You should disable this setting in production.
Sync user profile on login
Enable to update users based on the remote user profile each time they log in. This setting is enabled by default and should not be disabled unless you seeded the Jive community with users before enabling SSO.
Credential Store Enabled
Enable to persist login information for the duration of a session. You should enable this setting if you want to implement single signoff.
Single Sign Off Enabled
Enable to allow a unified signoff, so users log off all service providers when they log out of Jive.
Logout URL
Specifies the URL of the page where users arrive after logging off.
Response Skew
Specifies the maximum permitted time between Jive's request and the IdP response.