Understanding SSO with SAML

When you implement single sign-on (SSO) with SAML 2.0, information for each user is passed from the identity provider in the form of a digitally-signed XML document.

SAML is a protocol for exchanging authentication credentials between two parties, a service provider (SP) and an identity provider (IdP). In this case, Jive plays the role of SP. The SP sends a request for authentication to the IdP, which then tries to authenticate the user. Authentication typically uses a username and password. The IdP typically also contains user information such as login ID, name, email address, department, and phone. After authenticating the user, the IdP then sends a SAML XML response message back to the SP, which then logs the user in.

Depending on your requirements, you can use SAML solely for authentication users; for group authorization; or for populating the Jive profile by synchronizing from the IdP on login.

Jive authentication through SAML includes the following stages:
  1. A user visits Jive and requests a page that requires authentication.
  2. Jive redirects the user to the configured IdP. The request URL includes a base64-encoded version of the request XML.
  3. If authentication doesn't succeed, the user sees a login screen.
  4. The IdP sends an encoded XML-based response in a redirect to Jive. If the user was successfully authenticated, this response includes the information we need to create a Jive representation of the user.
  5. Jive parses the XML and validates the necessary signatures, decrypting if necessary. A valid response from the IdP at this point indicates the user has been successfully authenticated.
  6. Jive parses the XML response from the IdP and creates or updates the user, using any override attributes you specified in Jive. If users have been seeded beforehand and shouldn't be updated, profile sync can be disabled.
  7. The user is authenticated with Jive and redirected to the requested destination.