
First-time only authentication with SAML

With this method, a user authenticates initially through SAML SSO. Then Jive Mobile converts the session to a longer-lived OAuth session.

Note: This option is not available for versions earlier than Jive 7.0.1.

To use this method, set the add-on's Access Token and Refresh Token timeouts to an interval greater than the SAML SSO timeout. The OAuth session then outlives both auth.lifetime (the Jive authentication session) and the SAML SSO session, so neither timeout forces a new login on mobile. Keep in mind that if you use the default values for the Access Token timeout (48 hours) and the Refresh Token timeout (15 years), the user will not need to log in again on mobile unless the device’s authentication is revoked or the values are changed.

Implementing SAML SSO for Jive Mobile:

When your Jive instance is configured with SAML SSO, Jive’s Mobile apps will follow the same authentication flow as the regular web UI. Mobile detects whether SAML SSO is enabled by making a call to yourcommunity/api/version. Here’s an example of the response you might receive:

{
  "jiveVersion": "7.0.0.0",
  "jiveCoreVersions": [
    {
      "version": 2,
      "revision": 3,
      "uri": "/api/core/v2",
      "documentation": "https://developers.jivesoftware.com/api/v3/rest"
    },
    {
      "version": 3,
      "revision": 4,
      "uri": "/api/core/v3",
      "documentation": "https://developers.jivesoftware.com/api/v3/rest"
    }
  ],
  "instanceURL": "https://yourcommunity.com",
  "ssoEnabled": ["saml"]
}

This method has the following advantages:

  • The user can revoke a device authenticated through SAML SSO, a feature that is not available by using regular SAML SSO login alone.
  • Users who authenticated through the mobile clients and the regular web UI can have different timeout settings while using the same authentication login flow and the same IdP.

To configure this method:

  1. Make sure SAML SSO is enabled.

  2. Make sure the Jive Mobile for iOS or Jive Mobile for Android add-on is installed and enabled. If you are using an on-premise version earlier than 7.0.1, or your instance isn't connected to the Internet, you may need to contact Jive Support to install this add-on.

  3. Check the value of the auth.lifetime system property in the Jive admin console and ensure this value is the same as the SAML SSO timeout.

  4. Next to the app listing, click the gear icon and select Settings. Then click Advanced.

  5. Set the Access Token and Refresh Token timeout settings to an interval greater than the timeout settings of SAML SSO.

  6. Enable Allow this add-on to obtain an access token using an authenticated session. (When this setting is enabled, a call to /api/addons/extensionUUID/session-grant-allowed returns a 200 status code. Otherwise, the call returns a 403 error.)
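
The following is an added example, not Jive's own code: a small Python check that reviews the configuration steps above against a /api/version response body, the timeout values read from the admin console, and the status code observed for the session-grant-allowed call. The cfg key names, the use of seconds for every timeout, the 8-hour SAML timeout, and the sample inputs are assumptions made for illustration.

```python
import json

MIN_VERSION = (7, 0, 1)  # from the page: not available before Jive 7.0.1

def parse_version(text):
    """Return (version tuple, SAML flag) from a /api/version response body."""
    doc = json.loads(text)
    # Assumes jiveVersion is a dotted numeric string, as in the page's sample.
    version = tuple(int(p) for p in doc["jiveVersion"].split("."))
    return version, "saml" in doc.get("ssoEnabled", [])

def audit(version_body, cfg, session_grant_status):
    """Check the steps above; returns a list of findings (empty = consistent).

    cfg keys are hypothetical names for values copied by hand from the admin
    console, all in seconds: auth_lifetime, saml_timeout, access_token,
    refresh_token. session_grant_status is the HTTP status observed for
    /api/addons/extensionUUID/session-grant-allowed.
    """
    findings = []
    version, saml = parse_version(version_body)
    if version < MIN_VERSION:
        found = ".".join(map(str, version))
        findings.append("version %s is earlier than 7.0.1" % found)
    if not saml:
        findings.append("'saml' is not listed in ssoEnabled")
    if cfg["auth_lifetime"] != cfg["saml_timeout"]:
        findings.append("auth.lifetime differs from the SAML SSO timeout")
    for key in ("access_token", "refresh_token"):
        if cfg[key] <= cfg["saml_timeout"]:
            findings.append("%s timeout is not greater than SAML SSO" % key)
    if session_grant_status != 200:
        findings.append("session-grant-allowed returned %d" % session_grant_status)
    return findings

HOUR = 3600
# Constructed sample inputs (not captured from a real instance).
SAMPLE_OK = '{"jiveVersion": "7.0.1.0", "ssoEnabled": ["saml"]}'
SAMPLE_OLD = '{"jiveVersion": "7.0.0.0", "ssoEnabled": ["saml"]}'
# Page defaults: access token 48 hours, refresh token 15 years.
CFG_DEFAULTS = {"auth_lifetime": 8 * HOUR, "saml_timeout": 8 * HOUR,
                "access_token": 48 * HOUR, "refresh_token": 15 * 365 * 24 * HOUR}
CFG_SHORT = dict(CFG_DEFAULTS, access_token=4 * HOUR, auth_lifetime=2 * HOUR)

if __name__ == "__main__":
    for name, body, cfg, status in [("ok", SAMPLE_OK, CFG_DEFAULTS, 200),
                                    ("misconfigured", SAMPLE_OLD, CFG_SHORT, 403)]:
        print(name, audit(body, cfg, status) or "no findings")
```

A result with no findings also means that, with the default token timeouts, device revocation is the main control ending a mobile session, so it is worth confirming that revocation is part of the offboarding process.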