
General SAML integration settings

Here you can find the general settings reference of the SAML SSO configuration.

Fastpath

Admin Console: People > Settings > Single Sign-On > SAML

On the SAML > General tab of the Single Sign-On page, you can find the most commonly used SSO configuration properties.

Enabled : Turn on this setting to enable SAML SSO for your community.

Debug Mode : Enable this setting to provide detailed logging for troubleshooting authentication problems. You need to enable this setting during setup and validation, but turn it off in production.

Username Identity, Merge Local Users : Enable the Username Identity setting if you have existing users in Jive and you are newly implementing SAML. You don't need to enable it if all your accounts are created through SSO auto-provisioning.

Jive uses a permanent, unique identifier (External ID) to connect existing users with their SSO login. Users who have never logged in by using SSO have no associated External ID. When Username Identity is enabled, Jive matches a user logging in through SSO for the first time to an existing user account by username or email address.

To automatically federate existing users on login, you should also enable Merge Local Users. If you use Username Identity without enabling Merge Local Users, make sure your existing users are marked as federated users. Otherwise, non-federated users will not be synchronized.

Provision new user account on login : Enable this setting to ensure that when a new user logs in, the user account is automatically created within Jive. This setting is enabled by default and should not be disabled unless you add users to the Jive community before enabling SSO.

Enable disabled user account on login : Enable this setting to re-enable disabled Jive user accounts when their owners log in.

Sync user profile on login : Enable this setting to update users based on the remote user profile each time they log in.

Sign Assertions : This option is enabled by default. When it is enabled, an AuthnResponse passes validation only if the Assertions within the Response carry a valid signature. If the Response itself is also signed, that signature must be valid as well, but the Response is not required to be signed.

Clearing the check box requires the Response itself to be signed, and any signature on the Assertions is ignored. Most IdPs sign the Assertions section of the AuthnResponse. If you use SFDC, however, you should clear this check box, because SFDC signs only the entire Response.

SSO Service Binding : Defines whether Jive sends the request to the IdP with an HTTP GET Redirect or an HTTP POST. The default service binding is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, which is the most commonly used one. To use this binding, the IdP metadata must contain an endpoint whose binding matches this value. POST is typically preferred to Redirect because some browser versions and some firewalls restrict the length of the HTTP path.

Note: If you're configuring ADFS, note that using POST can cause problems for users on Safari.
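To show concretely how the two bindings differ, here is an added example (written for this page, not Jive's own code) that carries the same AuthnRequest with each binding. The entity ID, endpoint URLs and request ID are placeholders. The Redirect binding puts the whole deflated, base64-encoded request into the query string, which is why URL length limits in browsers and firewalls matter for it; the POST binding carries the request in the form body.

```python
import base64
import urllib.parse
import zlib

# Constructed, minimal AuthnRequest; entity IDs, URLs and the ID attribute are placeholders.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://community.example.com/saml/SSO" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://community.example.com/saml/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

IDP_SSO_URL = "https://idp.example.com/sso"  # placeholder IdP endpoint


def redirect_binding_url(authn_request, sso_url, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encoded
    into the query string. The entire request ends up in the URL."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate
    deflated = compressor.compress(authn_request.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return sso_url + "?" + urllib.parse.urlencode(params)


def post_binding_form(authn_request, relay_state=None):
    """HTTP-POST binding: plain base64 in a form field; the body, not the URL, carries it."""
    fields = {"SAMLRequest": base64.b64encode(authn_request.encode("utf-8")).decode("ascii")}
    if relay_state:
        fields["RelayState"] = relay_state
    return fields


def decode_redirect_request(url):
    """What the IdP does on receipt of a Redirect-bound request."""
    query = urllib.parse.urlparse(url).query
    saml_request = urllib.parse.parse_qs(query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def decode_post_request(fields):
    """What the IdP does on receipt of a POST-bound request."""
    return base64.b64decode(fields["SAMLRequest"]).decode("utf-8")


def redirect_url_length(authn_request, sso_url):
    """Length of the GET URL the browser must carry; grows with the request."""
    return len(redirect_binding_url(authn_request, sso_url))


if __name__ == "__main__":
    url = redirect_binding_url(AUTHN_REQUEST, IDP_SSO_URL, relay_state="/index.jspa")
    print("Redirect URL length:", len(url))
    print("POST form field length:", len(post_binding_form(AUTHN_REQUEST)["SAMLRequest"]))
```

A request that also carries a signature or a RequestedAuthnContext is longer still, so the Redirect URL grows with every option enabled on the Advanced tab.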

Logout URL : By default, the logout URL is /sso/logged-out.jspa, a page that doesn't require authentication. If guest access is disabled, users need to land on a page that does not require authentication; otherwise, they'd be automatically logged in again.

If guest access is enabled, you can set this value to /index.jspa to redirect the user back to the instance homepage, but as a guest user instead of as the account they were logging out of. Another option is to set it to the IdP logout URL so that the user is logged out of both Jive and the IdP. We do not support the SAML Single Logout (SLO) protocol.

Changing this setting requires you to restart the Jive server.

Note: If you specify a relative URL as the logout URL, such as /sso/logged-out.jspa, it needs to be a unique substring among all URLs within Jive, because any URL that matches this string will not trigger the SSO process. For example, setting the string to / is a bad choice, because this value would match all URLs in Jive and entirely prevent SSO from working.

Maximum Authentication Age : The maximum age (in seconds) of the authentication at the IdP that Jive accepts. The default setting is 28800 seconds, or 8 hours. To avoid login failures, set this to match the maximum session length configured on the IdP.

Response Skew : Specifies the maximum permitted difference between the timestamps in the SAML Response and the clock on the Jive instance. The default value is 120 seconds. If there is significant clock drift between the IdP and Jive, you can increase this value. The same value is also used as the skew for the NotBefore check in the response. If you see an error indicating a problem with the NotBefore check and you aren't able to fix the clock difference, you can try increasing this value. However, increasing the response skew widens the window in which an old or replayed Response is still accepted, so it increases your security risk.
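The Sign Assertions, Maximum Authentication Age and Response Skew settings above all decide whether a Response is accepted. The following added example (not Jive's implementation) applies those three rules to a constructed Response using the values the settings take, so the effect of each can be tried out. Cryptographic signature verification is outside the example: the `signature_results` argument stands in for the verifier's verdict per signed element, keyed by that element's ID, and the sample XML omits fractional seconds in its timestamps.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the Assertion carries a Signature element, the Response does not.
# Signature contents are placeholders; verification is assumed to happen elsewhere.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_resp1" InResponseTo="_req1" IssueInstant="2024-01-01T10:00:00Z" Version="2.0">
  <saml:Assertion ID="_a1" IssueInstant="2024-01-01T10:00:00Z" Version="2.0">
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Conditions NotBefore="2024-01-01T09:59:00Z" NotOnOrAfter="2024-01-01T10:05:00Z"/>
    <saml:AuthnStatement AuthnInstant="2024-01-01T03:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    """SAML timestamps are UTC; the constructed sample uses whole seconds only."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def signature_policy_errors(sign_assertions, response_sig, assertion_sig):
    """Encodes the Sign Assertions check box. For each signature argument:
    None = no Signature element present, True = present and valid, False = present but invalid."""
    errors = []
    if sign_assertions:
        # Assertions must be validly signed; a Response signature is optional but must be valid if present.
        if assertion_sig is not True:
            errors.append("assertion signature missing or invalid")
        if response_sig is False:
            errors.append("response signature present but invalid")
    else:
        # Check box cleared: the Response itself must be signed; assertion signatures are ignored.
        if response_sig is not True:
            errors.append("response signature missing or invalid")
    return errors


def validate_response(xml_text, now_iso, skew_seconds=120, max_authn_age_seconds=28800,
                      sign_assertions=True, signature_results=None):
    """Returns the list of failed checks (empty list = accepted). Defaults mirror the settings' defaults."""
    signature_results = signature_results or {}
    now = parse_instant(now_iso)
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml_text)
    errors = []

    # Response Skew: the Response's IssueInstant against Jive's clock, in either direction.
    if abs(now - parse_instant(root.get("IssueInstant"))) > skew:
        errors.append("response IssueInstant outside permitted skew")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return errors + ["no assertion in response"]

    # The same skew is applied to the Conditions window (NotBefore and NotOnOrAfter).
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if now < parse_instant(cond.get("NotBefore")) - skew:
            errors.append("NotBefore check failed")
        if now >= parse_instant(cond.get("NotOnOrAfter")) + skew:
            errors.append("NotOnOrAfter check failed")

    # Maximum Authentication Age: how long ago the IdP actually authenticated the user.
    stmt = assertion.find("saml:AuthnStatement", NS)
    if stmt is not None:
        if now - parse_instant(stmt.get("AuthnInstant")) > timedelta(seconds=max_authn_age_seconds):
            errors.append("authentication too old (Maximum Authentication Age)")

    def sig_state(element):
        if element.find("ds:Signature", NS) is None:
            return None
        return bool(signature_results.get(element.get("ID"), False))

    errors += signature_policy_errors(sign_assertions, sig_state(root), sig_state(assertion))
    return errors


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, "2024-01-01T10:00:30Z", signature_results={"_a1": True}))
```

Running the same Response with a larger skew shows the trade-off the text describes: a Response issued three minutes ago fails with the default 120 seconds and passes once the skew is raised to 300, which is exactly the widened acceptance window.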

Advanced SAML Integration Settings

The settings on the Advanced tab are used to refine and troubleshoot a SAML integration.

Fastpath

Admin Console: People > Settings > Single Sign-On > SAML

On the SAML > Advanced tab of the Single Sign-On page you can find the less commonly used SSO configuration properties.

Request Signed : This setting determines whether the SAML request is signed or not. Enabling this setting can increase security, but it's incompatible with some IdPs. This setting is disabled by default.

Base metadata URL : This value sets the desired URL for the entityID and endpoint URLs. This URL should use https. If you aren't using an https URL, you need to get help from Support to continue setting up SSO.

Force Authentication : This setting forces any user with an existing IdP session to log in again.

Passive Authentication : When guest access is enabled, this issues a SAML AuthnRequest upon first access with isPassive=true, which should cause the IdP to redirect back to Jive if the user doesn't have an active session with the IdP.

NameID Format : For most IdPs, using the default setting is correct.

NameID Allow Create : By default, this check box is cleared. You should leave it cleared unless you receive an error about NameID creation while setting up your SAML integration.

Sign Metadata : Specifies that metadata should be signed. You should clear this check box unless your IdP requires that the metadata is signed. If you use ADFS, you must clear this check box.

IDP Want Response Signed : Adds a configuration to the SP metadata that tells the IdP that the SAML response should be signed, instead of only the assertions within the response. You should not enable this setting unless Support recommends it.

Requested AuthnContext : Along with Requested AuthnContext Comparison, this optional setting is used to add additional information to requests in certain specific cases. It's disabled by default.

Requested AuthnContext Comparison : Along with Requested AuthnContext, this optional setting is used to add additional information to requests in certain specific cases. It's disabled by default.

RSA Signature Algorithm URI : Defines the algorithm used in the digital signatures within the SAML messages. Most IdPs use the default value, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. You may need to change this value if your IdP uses a different algorithm.

Group Mapping Enabled : Enable this property if you plan to use one of the SAML Response Assertion Attributes to synchronize the user into Permission Groups. For more information, see SAML SSO group mapping.

Require Valid Metadata : Use this setting to determine whether the IdP metadata which you provide to Jive should be validated with respect to any validUntil timestamps. Some IdPs generate metadata with arbitrary validUntil timestamps on their metadata, which can cause validation to fail and keep Jive from running.

Include Scoping : Some IdPs may require a scoping definition. This option is disabled by default. If you use ADFS, it must remain disabled.

Proxy Count : This setting specifies the maximum number of proxies a request to the IdP may pass through. The default value is 2. If your IdP needs more than two proxy redirects, adjust this value accordingly.
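To show how the Advanced tab settings above surface in the request Jive sends, here is an added example (not Jive's code) that builds an AuthnRequest from a constructed settings dictionary and reads the resulting attributes back. The setting keys, the entity ID and endpoint URLs, the request ID and the default NameID format used here are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed settings mirroring the Advanced tab; keys and URLs are placeholders.
EXAMPLE_SETTINGS = {
    "entity_id": "https://community.example.com/saml/metadata",      # derived from Base metadata URL
    "acs_url": "https://community.example.com/saml/SSO",             # derived from Base metadata URL
    "idp_sso_url": "https://idp.example.com/sso",
    "sso_service_binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "force_authentication": True,
    "passive_authentication": False,
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",  # assumed default
    "nameid_allow_create": False,
    "requested_authn_context": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "requested_authn_context_comparison": "minimum",
    "include_scoping": True,
    "proxy_count": 2,
}


def build_authn_request(settings, request_id, issue_instant):
    """Build an AuthnRequest whose attributes and child elements follow the settings.
    Child order follows the SAML schema: Issuer, NameIDPolicy, RequestedAuthnContext, Scoping."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": settings["idp_sso_url"],
        "ProtocolBinding": settings["sso_service_binding"],
        "AssertionConsumerServiceURL": settings["acs_url"],
    })
    if settings.get("force_authentication"):
        req.set("ForceAuthn", "true")       # Force Authentication: re-authenticate even with an IdP session
    if settings.get("passive_authentication"):
        req.set("IsPassive", "true")        # Passive Authentication: IdP must not interact with the user
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = settings["entity_id"]
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {  # NameID Format + NameID Allow Create
        "Format": settings["nameid_format"],
        "AllowCreate": "true" if settings.get("nameid_allow_create") else "false",
    })
    if settings.get("requested_authn_context"):      # Requested AuthnContext + Comparison (optional)
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                            {"Comparison": settings.get("requested_authn_context_comparison", "exact")})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = settings["requested_authn_context"]
    if settings.get("include_scoping"):              # Include Scoping + Proxy Count (off for ADFS)
        ET.SubElement(req, f"{{{SAMLP}}}Scoping", {"ProxyCount": str(settings.get("proxy_count", 2))})
    return ET.tostring(req, encoding="unicode")


def request_flags(xml_text):
    """Read the setting-driven parts back out of a serialized AuthnRequest."""
    ns = {"samlp": SAMLP, "saml": SAML}
    root = ET.fromstring(xml_text)
    policy = root.find("samlp:NameIDPolicy", ns)
    rac = root.find("samlp:RequestedAuthnContext", ns)
    scoping = root.find("samlp:Scoping", ns)
    return {
        "ForceAuthn": root.get("ForceAuthn") == "true",
        "IsPassive": root.get("IsPassive") == "true",
        "NameIDFormat": policy.get("Format"),
        "AllowCreate": policy.get("AllowCreate") == "true",
        "Comparison": rac.get("Comparison") if rac is not None else None,
        "AuthnContextClassRef": rac.findtext("saml:AuthnContextClassRef", namespaces=ns) if rac is not None else None,
        "ProxyCount": int(scoping.get("ProxyCount")) if scoping is not None else None,
    }


if __name__ == "__main__":
    print(build_authn_request(EXAMPLE_SETTINGS, "_example-request-id", "2024-01-01T00:00:00Z"))
```

Clearing Include Scoping in the dictionary drops the Scoping element entirely, which is the shape an ADFS integration needs according to the setting's description above.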

Validate InResponseTo : Defines whether the InResponseTo attribute of incoming SAML responses is validated against the ID of the AuthnRequest that Jive sent. By default, the setting is enabled.
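The check this setting turns on ties each Response to a request Jive actually issued. The following added example (not Jive's code) shows what that validation involves with a constructed store of outstanding request IDs and a constructed, unsigned sample Response: the ID must be one Jive issued, it must not have expired, it is accepted only once, and the SubjectConfirmationData must agree with the Response. With the setting disabled, the same function accepts any Response, including one that answers no known request.

```python
import secrets
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


class PendingRequests:
    """Constructed store of AuthnRequest IDs this SP has sent and not yet seen answered."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._expiry = {}  # request ID -> time after which it is no longer accepted

    def issue(self, now):
        request_id = "_" + secrets.token_hex(16)  # XML IDs must not start with a digit
        self._expiry[request_id] = now + self.ttl
        return request_id

    def consume(self, request_id, now):
        """Accept an ID once; a second Response carrying the same InResponseTo is rejected."""
        expires = self._expiry.pop(request_id, None)
        return expires is not None and now <= expires


def make_response(in_response_to):
    """Constructed, unsigned sample Response; only the InResponseTo attributes matter here."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_resp" Version="2.0" IssueInstant="2024-01-01T10:00:00Z"{attr}>'
        '<saml:Assertion ID="_a" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">'
        '<saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData{attr}/></saml:SubjectConfirmation></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
    )


def check_in_response_to(response_xml, pending, now, validate_in_response_to=True):
    """True if the Response may proceed to the remaining checks (signature, conditions, ...)."""
    root = ET.fromstring(response_xml)
    in_response_to = root.get("InResponseTo")
    if not validate_in_response_to:
        return True   # setting disabled: accepted whether or not it answers a known request
    if not in_response_to:
        return False  # unsolicited (IdP-initiated) Response
    scd = root.find(
        "saml:Assertion/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("InResponseTo") not in (None, in_response_to):
        return False  # bearer confirmation refers to a different request than the Response does
    return pending.consume(in_response_to, now)


if __name__ == "__main__":
    store = PendingRequests()
    rid = store.issue(now=0.0)
    print(check_in_response_to(make_response(rid), store, now=5.0))   # first answer accepted
    print(check_in_response_to(make_response(rid), store, now=6.0))   # same ID again rejected
```

The time values are plain seconds so the expiry logic is easy to follow; a real store would use the system clock and the same kind of one-time consumption.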