The following settings on the General tab are used in a typical SSO configuration.
Enable to provide detailed logging for troubleshooting authentication problems. You need to enable this setting during setup and validation, but turn it off in production.
Username Identity, Merge Local Users
Enable the Username Identity setting if you have existing users in Jive and you are newly implementing SAML. (You don't need to
enable it if all your accounts will be created through SSO auto-provisioning.)
uses a permanent, unique identifier (External ID) to connect existing users with their
SSO login. If users have never logged in using SSO, they will not have an associated
external ID. When Username identity is enabled, Jive will map any existing
federated users to an existing user account using their username or email address during their
first SSO login.
To automatically federate existing users on login, you should also enable Merge Local Users. If you use Username Identity without also enabling Merge Local Users, make sure your existing users are marked as federated users. Otherwise, unfederated users will not be synchronized.
Provision new user account on login
Enable this setting to ensure that when a new user logs in, the user account is
automatically created within Jive. This setting is
enabled by default and should not be disabled unless you seeded the Jive community with users
before enabling SSO.
Enable disabled user account on login
Enable this setting to reenable a disabled user's Jive account when s/he logs in.
Sync user profile on login
Enable this setting to update users based on the remote user profile each time they log
This option is enabled by default. It requires that to pass validation, the
AuthnResponse must have a valid signature on the Assertions within
the Response, If the Response itself is signed, it also requires that the signature be
valid. (It does not require that the Response be signed.) Clearing the check box
enforces that the Response must be signed, and any signature on the Assertions is
ignored. Most IdPs sign the Assertions section in the AuthnResponse. If you use SFDC,
however, you should clear this check box, because SFDC only signs the entire Response.
SSO Service Binding
Defines whether Jive
should send the request to the IdP with an HTTP GET Redirect or a POST. The default
service binding is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, which is the most
commonly used binding. In order to use this binding, you must ensure that a Location
binding with this value is in the IdP metadata. POST is typically preferred to Redirect,
because older versions of Internet Explorer and some firewalls have restrictions on the
length of the HTTP path.
Note: If you're configuring ADFS, keep in mind that
using POST can cause problems for users on Safari.
By default, /sso/logged-out.jspa is a page that doesn't require authentication.
If guest access is disabled, users need to land on a non-authentication-requiring
page. (Otherwise they'd be automatically logged in again.) If guest access is enabled, you can set this value to /index.jspa to redirect the user back to the instance homepage, but as a guest user instead of as the account they were logging out of. Another option is to set it to the
IdP logout URL, so that the user is logged out of both Jive and the IdP. We do
not support the SAML SingleLogout (SLO) protocol.
Changing this setting requires you to restart the Jive server.
Note: If you specify a relative URL as the logout URL, such as /sso/logged-out.jspa, it needs to be a unique substring among all URLs within Jive, because any URL that matches this string will not trigger the SSO process. For example, setting the string to / is a bad choice, because this value would match all URLs in Jive and entirely prevent SSO from working.
Maximum Authentication Age
Identifies the maximum session time (in seconds) that's set for the IdP. The default
setting is 28800 seconds, or 8 hours. However, to avoid login failures, you need to set
this to match the maximum session set on the IdP. (Some IdPs are set to expire sessions
Specifies the maximum permitted time between the timestamps in the SAML Response and the
clock on the Jive instance. The default value is 120 seconds. If there is a significant
amount of clock drift between the IdP and Jive, you can increase this value. The same value is also used for the skew in the NotBefore check in
the response. If you see an error indicating a problem with the NotBefore check and you aren't able to fix the clock difference problem, you can try increasing this value. However, increasing the response skew value can increase your security risk.