General SAML integration settings
Here you can find the general settings reference of the SAML SSO configuration.
On the Single Sign-On page you can find the most commonly used SSO configuration properties.tab of the
- Enable this setting to enable SAML SSO for your community.
- Debug Mode
- Enable this setting to provide detailed logging for troubleshooting authentication problems. You need to enable this setting during setup and validation, but turn it off in production.
- Username Identity, Merge Local Users
Enable the Username Identity setting if you have existing users in Jive and you are newly implementing SAML. You don't need to enable it if all your accounts will be created through SSO auto-provisioning.
Jive uses a permanent, unique identifier (External ID) to connect existing users with their SSO login. If users have never logged in by using SSO, they will not have an associated external ID. When Username identity is enabled, Jive maps any existing federated users to an existing user account using their username or email address during their first SSO login.
To automatically federate existing users on login, you should also enable Merge Local Users. If you use Username Identity without enabling Merge Local Users, make sure your existing users are marked as federated users. Otherwise, non-federated users will not be synchronized.
- Provision new user account on login
- Enable this setting to ensure that when a new user logs in, the user account is automatically created within Jive. This setting is enabled by default and should not be disabled unless you add users to the Jive community before enabling SSO.
- Enable disabled user account on login
- Enable this setting to reenable disabled user Jive accounts when they log in.
- Sync user profile on login
- Enable this setting to update users based on the remote user profile each time they log in.
- Sign Assertions
- This option is enabled by default. It requires that to pass validation, the
AuthnResponse must have a valid signature on the Assertions within
the Response. If the Response itself is signed, it also requires the signature to be
valid. At the same time, it does not require that the Response be signed.
Clearing the check box enforces that the Response must be signed, and any signature on the Assertions is ignored. Most IdPs sign the Assertions section in the AuthnResponse. If you use SFDC, however, you should clear this check box, because SFDC only signs the entire Response.
- SSO Service Binding
- Define whether Jive
should send the request to the IdP with an HTTP GET Redirect or a POST. The default
service binding is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST which
is used commonly. To use this binding, you must ensure that a Location binding with this
value is in the IdP metadata. POST is typically preferred to Redirect because some
browser versions and some firewalls have restrictions on the length of the HTTP path.
Note: If you're configuring ADFS, note that using POST can cause problems for users on Safari.
- Logout URL
By default, /sso/logged-out.jspa is a page that doesn't require authentication. If guest access is disabled, users need to land on a non-authentication-requiring page. Otherwise, they'd be automatically logged in again.
If guest access is enabled, you can set this value to /index.jspa to redirect the user back to the instance homepage, but as a guest user instead of as the account they were logging out of. Another option is to set it to the IdP logout URL so that the user is logged out of both Jive and the IdP. We do not support the SAML Single Logout (SLO) protocol.
Changing this setting requires you to restart the Jive server.Note: If you specify a relative URL as the logout URL, such as /sso/logged-out.jspa, it needs to be a unique substring among all URLs within Jive, because any URL that matches this string will not trigger the SSO process. For example, setting the string to / is a bad choice, because this value would match all URLs in Jive and entirely prevent SSO from working.
- Maximum Authentication Age
- Identifies the maximum session time (in seconds) that's set for the IdP. The default setting is 28800 seconds, or 8 hours. However, to avoid login failures, you need to set this to match the maximum session set on the IdP.
- Response Skew
- Specifies the maximum permitted time between the timestamps in the SAML Response and the clock on the Jive instance. The default value is 120 seconds. If there is a significant amount of clock drift between the IdP and Jive, you can increase this value. The same value is also used for the skew in the NotBefore check in the response. If you see an error indicating a problem with the NotBefore check and you aren't able to fix the clock difference problem, you can try increasing this value. However, increasing the response skew value can increase your security risk.