Overview
Jive syncs accounts managed by both SAML SSO and LDAP, but the synchronization process differs between the two implementations. This document outlines the high-level differences between them.
Information
| Details | SAML | LDAP |
|---|---|---|
| Automatic Sync | SAML SSO does not have a nightly sync | LDAP can be scheduled to run daily. This can be configured through the system property spring.userDataSynchronizationTask.cronExpression |
| Automatically Disabling accounts | SAML SSO cannot disable accounts | LDAP can disable:<br>- By attribute and value<br>- All users not found in the user search filter directory during sync |
| Automatically Enabling accounts | SAML SSO can re-enable accounts | - Jive Custom 6 or older: Does not re-enable disabled Jive accounts<br>- Jive Custom 7 to 7.0.2: Will re-enable disabled Jive accounts on login only<br>- Jive Custom 7.0.3 and newer: Will re-enable accounts on login and nightly sync |
| Auto-provisioning accounts | Automatic user-provisioning from SAML/SSO can be enabled. | LDAP can auto-provision on a nightly basis without user interaction |
| Syncing user profiles | SAML SSO can sync user profiles but only when users log in | LDAP can sync profiles on a nightly basis without user interaction |
| Permission Group sync | Both SAML SSO and LDAP allow for group syncing at the login | An LDAP configuration is required for synchronizing groups in bulk outside of authentication.<br>- This is not enabled by default<br>- This is not encouraged because it's often not necessary and can require significant resources<br>- Enable by setting the cron expression and optionally the skew (the window of time in milliseconds since a time defined by the cron expression in which the sync task will start) with Jive properties and then restart:<br>spring.ldapGroupManagerImpl.syncTaskCronExpression = "0 0 0 * * ?"<br>spring.ldapGroupManagerImpl.syncTaskSkew = "300000" |
| Manager Relationships | SAML SSO doesn't sync relationships | LDAP can sync manager relationships via the Manager Field |
| Profile images | SAML SSO doesn't sync profile images | LDAP can sync profile photos via the Photo Field (must be jpg or png) |