Getting ready to implement SAML SSO
Before you begin configuring a SAML SSO implementation, you should know the requirements and best practices.
A successful SAML implementation requires the following prerequisites.
- SAML is a protocol for exchanging authentication credentials between two parties, a service provider (SP) and an identity provider (IdP).
- An identity provider that complies with the SAML 2.0 standard. You should make sure you
have required knowledge of how to configure your identity provider before
proceeding.
For more information, see SAML identity providers.
- Familiarity with the SAML 2.0 specification. Before you begin the process of configuring Jive as a SAML 2.0 service provider to your IdP, you need to understand that the details of how SAML works. Alternatively, you should enlist the assistance of a SAML professional. For more information about SAML, see Oasis SAML Technical Overview (.pdf) at http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf.
SSL implementation
It is theoretically possible to implement SSO without SSL, but this raises some difficult security challenges. You should implement SSL and set your jiveURL to https, not http.
LDAP integration
If you're going to use LDAP in conjunction with SAML, we recommend using SAML for authentication only, while using LDAP for user provisioning, user deprovisioning, and profile synchronization.
LDAP setup can be a lengthy process including VPN setup and testing, so allow time for this setup process if you're implementing LDAP as part of your SSO implementation. For more information, see Setting up LDAP and Active Directory.
Migrating existing users
If you already have existing users on your community and have not yet implemented SAML, the best practice for migrating users is to enable Username Identity to look up existing users by username. In most cases, you should also enable Merge Local Users to ensure that existing users are automatically federated. This recommendation assumes that either the email address or the username matches between existing accounts and the SAML response. If neither of those fields matches, you can:
- Update the existing email addresses in Jive before using Username Identity to sync them.
- Update the usernames in Jive before using the username identity to sync them.
- Add the external IDs in Jive and federate the users by using another method.
You can use the REST API or, if you need more assistance, a partner or Professional Services can handle this by creating a database script.
If you have non-federated local users that you do not want to merge, you should not select Merge Local Users. Instead, mark only the accounts you want to merge as federated before enabling Username Identity.
Required information
Before you begin the configuration process, you must have the following information available:
- The IdP metadata (URL location or file content). Specifying a URL usually makes updates
easier.
- The IdP entity ID
- The IdP KeyInfo element
- The IdP Location that defines your endpoints
If you can't verify that this information is included, contact your IdP administrator.
Note: To integrate Jive with SAML, you need the complete metadata file, not just the information described above. - The friendly attribute names sent with each SAML assertion.
Planning for Jive user provisioning and profile synchronization
When you implement SAML, you need to decide on a strategy for which members of your organization must be included in the Jive Community, and with what rights. For example, you need to decide whether all your organization users should be able to create accounts in the Jive community and whether you assign them to user groups for authorization. If you're primarily responsible for the technical implementation of this feature, you should discuss these decisions with your Community Administrator.