Configuring SSO with external login
This page explains how to enable SSO with Facebook Connect and Google OpenID Connect.
Admin Console > People > Settings > Single Sign-On > External Login
You can enable either external login or externally accessible groups.
Before you configure SSO, make sure you have a migration strategy for your existing Jive users. Implementing SSO without migrating your users to your new authentication provider will orphan existing user accounts, so users can't access their community content. For more information, see Understanding SSO with external login.
When you implement single sign-on (SSO) by using an external login, users can choose to log in by using Facebook Connect or Google OpenID Connect. External logins are a good choice for public communities because authentication can be passed to a third-party provider. The community user enters credentials on the provider site. The authentication token is then passed back and verified on the Jive side. Community users can log in with a number of different providers and have all their details pre-populated.
To implement SSO for Jive with external logins, you set the Single Sign-On > External Login page to Enabled. If you disable an external login type after enabling it, Jive users will need to authenticate against Jive directly instead of using an external login.
To troubleshoot authentication problems, you can enable Debug Mode on the Single Sign-On > External Login page. You should disable this setting in production.
Facebook Configuration
Before you can enable Facebook login, you need to create an app on the Facebook developer site. Then you should provide your app credentials (the Application ID and secret) in the Jive application to complete SSO authentication with Facebook.
To enable Facebook authentication:
- Set up an app on the Facebook developer site. When you're creating your Facebook app, you need to provide your Jive URL for both the App Domains field and the Website with Facebook Login field.
- Make a note of both the application ID and the application secret: you need them to configure SSO.
- In the Admin Console, on the People > Settings > SSO > General tab, select the Enable Username Confirmation for New Users check box.
- On the People > Settings > Single Sign-On > External Login tab, under Facebook, provide the client ID and secret.
Google OpenID Connect Configuration
Google OpenID Connect requires an ID and secret from a Google Developers Console project. You can follow the instructions on obtaining the ID and secret on the Google Identity Platform at https://developers.google.com/identity/protocols/OpenIDConnect.
Google OpenID Connect replaces OpenID 2.0, which is no longer supported by Google. You should only need to specify a realm in case of a migration.
To enable SSO with Google on the Jive side:
- In the Admin Console, on the People > Settings > SSO > General tab, select the Enable Username Confirmation for New Users check box.
- On the Single Sign-On > External Login tab, under Google OpenID Connect, provide the client ID and secret.
Migrating existing users
If you already have existing users on your community and have not yet implemented SAML, the best practice for migrating users is to enable Username Identity to look up existing users by username. In most cases, you should also enable Merge Local Users to ensure that existing users are automatically federated. This recommendation assumes that either the email address or the username matches between existing accounts and the SAML response. If neither of those fields matches, you can:
- Update the existing email addresses in Jive before using Username Identity to sync them.
- Update the usernames in Jive before using Username Identity to sync them.
- Add the external IDs in Jive and federate the users by using another method. You can use the REST API or, if you need more assistance, a partner or Professional Services can handle this by creating a database script.
If you have non-federated local users that you do not want to merge, you should not select Merge Local Users. Instead, mark only the accounts you want to merge as federated before enabling Username Identity.
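A pre-migration check for the matching assumption described above, as an added example that is not Jive code: it compares an export of existing accounts with the provider's user list and flags accounts where neither the username nor the email address matches, plus accounts whose username and email point at two different provider records. The record layout, field names, the case-insensitive comparison, and all sample data are assumptions constructed for illustration.

```python
# Added example, not Jive code. Field names and sample records are constructed.
JIVE_USERS = [
    {"username": "asmith", "email": "asmith@example.com", "federated": False},
    {"username": "bjones", "email": "b.jones@example.com", "federated": False},
    {"username": "admin", "email": "admin@community.example", "federated": False},
    {"username": "cdoe", "email": "dlee@example.com", "federated": True},
]
IDP_USERS = [
    {"id": "ext-1", "username": "ASmith", "email": "asmith@example.com"},
    {"id": "ext-2", "username": "barbara.jones", "email": "B.Jones@example.com"},
    {"id": "ext-3", "username": "cdoe", "email": "cdoe@example.com"},
    {"id": "ext-4", "username": "dlee", "email": "dlee@example.com"},
]

def norm(value):
    # Assumption: values are compared case-insensitively, whitespace trimmed.
    return (value or "").strip().lower()

def audit(jive_users, idp_users):
    """Map each Jive username to 'username', 'email', 'ambiguous' or 'orphan'."""
    # Empty values are skipped so two blank emails never count as a match.
    by_username = {norm(u["username"]): u["id"] for u in idp_users if norm(u["username"])}
    by_email = {norm(u["email"]): u["id"] for u in idp_users if norm(u["email"])}
    report = {}
    for user in jive_users:
        u_hit = by_username.get(norm(user["username"]))
        e_hit = by_email.get(norm(user["email"]))
        if u_hit is not None and e_hit is not None and u_hit != e_hit:
            status = "ambiguous"  # two different people match: resolve by hand
        elif u_hit is not None:
            status = "username"
        elif e_hit is not None:
            status = "email"      # only the email address matches
        else:
            status = "orphan"     # neither field matches: access would be lost
        report[user["username"]] = status
    return report

def merge_candidates(jive_users, report):
    """Non-federated local accounts that match a provider record."""
    return [u["username"] for u in jive_users
            if not u["federated"] and report[u["username"]] in ("username", "email")]

if __name__ == "__main__":
    result = audit(JIVE_USERS, IDP_USERS)
    for name, status in result.items():
        print(f"{name:10} {status}")
    print("local accounts that match:", merge_candidates(JIVE_USERS, result))
```

Accounts reported as orphan or ambiguous are the ones to correct with the options listed above before enabling Username Identity; the merge candidate list shows which non-federated local accounts to review before selecting Merge Local Users.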