Authentication is the secure matching of the entered login information with the information available in the identity system. If the credentials entered match, then login is granted. The identity system can be Jive itself or an external system to which Jive connects. This article will walk you through the supported authentication methods in Jive. Keep in mind that Jive cannot be the identity service for other applications.
Authentication through a shared identity system gives users ease of access: they do not have to recall multiple username and password combinations, which lowers the barrier to entry and makes it easier for people to log in and use the community.
Internal and External Sites' Authentication
Internal (Jive-n) sites are, by default, walled off and require a username and password to log in. This keeps internal information private and allows people to post and collaborate in confidence that company information is secure. External users (like contractors) have a limited view in the Jive-n community and can only see the content in the groups of which they are members.
External (Jive-x) sites are open to the public by default, allowing anonymous traffic from people who are not logged in to the site. Customers with Jive-x communities care about search engine optimization (SEO), because they want traffic coming to their site even if it is anonymous. If a visitor would like to interact with the community or post to it, they will be required to create an account and log in.
Jive's Authentication Methods
Jive Native Authentication
With this type of authentication, Jive manages user identity. Usernames and passwords are stored within the Jive application database. This allows users to create their own accounts, or allows administrators of the community to create accounts as needed. It requires manual administration for new and departing users.
SAML
SAML is the most popular authentication type for Jive-n and is often paired with LDAP to add functions such as user sync and user deactivation. LDAP can sync the whole user database nightly to be sure that all people who have left the company are deactivated in Jive. This is not an option with SAML alone, as there is no nightly sync: information is only updated when a user logs in to the community.
LDAP
Jive connects to Microsoft Active Directory, OpenLDAP, OpenDS, and Sun ONE (aka Oracle Directory Server). Some customers have also connected to Apple OpenDirectory and Novell eDirectory, but these are not on the officially tested list. LDAP takes your username and password and passes it to the customer's LDAP server for verification. LDAP can provide authentication, user sync, deactivation, permission groups, profile fields, and organization chart syncing.
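The two paragraphs above make a point that is easy to miss: a SAML-only setup never learns that someone left the company until that person tries to log in, whereas a nightly directory sync can deactivate them proactively. The following is an added example (not Jive's own sync code) of what such a reconciliation step does. It assumes a directory export containing usernames and an enabled flag, and a community user list with a hypothetical `federated` marker for accounts that were provisioned from the directory; both data sets are constructed inline. It also includes the safety check a practitioner would want: an empty or partial directory export must not deactivate most of the community.

```python
"""Added example: a nightly directory-to-community reconciliation.

Illustrative code, not Jive's sync implementation. Assumes a directory export
(username + enabled flag, as a connector might read from LDAP) and a community
user list; both are constructed below.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryUser:
    username: str
    enabled: bool  # assumption: derived from the directory's account-status attribute


@dataclass(frozen=True)
class CommunityUser:
    username: str
    enabled: bool
    federated: bool  # assumption: True for accounts provisioned from the directory


def normalize(username: str) -> str:
    # Directory and community may differ in case or whitespace; compare canonically.
    return username.strip().lower()


def plan_sync(directory, community, max_deactivate_ratio=0.25):
    """Return the usernames to create, deactivate and reactivate.

    Native (non-federated) accounts are never touched, so local admin and
    service accounts survive the sync. If the directory export would deactivate
    more than `max_deactivate_ratio` of the federated users, the export is
    treated as incomplete (e.g. a failed LDAP search) and the run is refused.
    """
    active_dir = {normalize(u.username) for u in directory if u.enabled}
    by_name = {normalize(u.username): u for u in community}
    federated = {n for n, u in by_name.items() if u.federated}

    to_create = sorted(active_dir - by_name.keys())
    to_deactivate = sorted(n for n in federated
                           if by_name[n].enabled and n not in active_dir)
    to_reactivate = sorted(n for n in federated
                           if not by_name[n].enabled and n in active_dir)

    if federated and len(to_deactivate) / len(federated) > max_deactivate_ratio:
        raise RuntimeError(
            f"refusing to deactivate {len(to_deactivate)} of {len(federated)} "
            "federated users; directory export looks incomplete")
    return {"create": to_create, "deactivate": to_deactivate,
            "reactivate": to_reactivate}


# Constructed sample data (not real accounts).
DIRECTORY = [
    DirectoryUser("alice", True),
    DirectoryUser("Bob", True),
    DirectoryUser("carol", False),   # disabled in the directory: left the company
    DirectoryUser("dave", True),     # new hire, not yet in the community
    DirectoryUser("erin", True),     # re-enabled in the directory
]
COMMUNITY = [
    CommunityUser("alice", True, True),
    CommunityUser("bob", True, True),
    CommunityUser("carol", True, True),          # still active: must be deactivated
    CommunityUser("erin", False, True),          # deactivated earlier
    CommunityUser("svc-admin", True, False),     # native account, never touched
]


def run_example():
    return plan_sync(DIRECTORY, COMMUNITY)


if __name__ == "__main__":
    print(run_example())
```

Running the example yields one account to create (dave), one to deactivate (carol) and one to reactivate (erin); the native `svc-admin` account is ignored, and calling `plan_sync` with an empty export raises instead of deactivating everyone.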
Active Directory Federation Services (ADFS)
ADFS is Microsoft's implementation of SAML. It is slightly more complicated to set up but offers the same SAML features. More information on ADFS can be found here: Active Directory Federation Services.
OAuth
OAuth is similar to SAML in the sense that the login is handled by a third party (generally a popular cloud service provider) and a secure token is passed back to Jive to log in the user. OAuth2 provides secure delegated access, meaning that an application, called a client, can take actions or access resources on a resource server on behalf of a user, without the user sharing their credentials with the application.
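To make the delegated-access point concrete, here is an added example of the client side of an OAuth2 authorization-code login. It is not Jive's OAuth code; the provider endpoints, client id and redirect URI are placeholders. It goes slightly beyond the paragraph by including the two checks a client should make: the `state` value that binds the provider's callback to the browser session, and a PKCE verifier (RFC 7636) that proves the party redeeming the code is the one that started the flow. The user's password never passes through the client; only the short-lived code and the verifier are sent to the provider.

```python
"""Added example: client side of an OAuth2 authorization-code login.

Illustrative code, not Jive's implementation. Endpoints, client id and
redirect URI are placeholders; the flow follows RFC 6749 (authorization code
grant) and RFC 7636 (PKCE).
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://idp.example.com/oauth2/authorize"        # placeholder
TOKEN_URL = "https://idp.example.com/oauth2/token"                # placeholder
CLIENT_ID = "community-client"                                    # placeholder
REDIRECT_URI = "https://community.example.com/oauth2/callback"    # placeholder


def b64url(data: bytes) -> str:
    # base64url without padding, as PKCE requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    # S256 method: challenge = base64url(sha256(verifier)).
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def begin_login(scope="openid profile email", verifier=None, state=None):
    """Create per-login secrets and the URL the browser is redirected to.

    `state` binds the callback to this session (CSRF protection); `verifier`
    stays server-side and is only revealed at the token exchange.
    """
    verifier = verifier or b64url(secrets.token_bytes(32))
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    session = {"state": state, "verifier": verifier}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", session


def handle_callback(callback_url: str, session: dict) -> str:
    """Validate the redirect back from the provider and return the code."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise PermissionError(f"provider returned error: {q['error'][0]}")
    state = q.get("state", [None])[0]
    # Constant-time compare; a missing or foreign state means the callback
    # was not started by this session and must not log anyone in.
    if state is None or not secrets.compare_digest(
            state.encode("utf-8"), session["state"].encode("utf-8")):
        raise PermissionError("state mismatch: callback not bound to this session")
    code = q.get("code", [None])[0]
    if not code:
        raise PermissionError("no authorization code in callback")
    return code


def token_request(code: str, session: dict):
    """Build the back-channel token exchange as (url, headers, form body).

    Only the code and our PKCE verifier go to the provider; the user's
    credentials are never seen by this application.
    """
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["verifier"],
    })
    return TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, body


if __name__ == "__main__":
    url, sess = begin_login()
    print("redirect browser to:", url)
    # Constructed callback, as the provider would send it after a successful login.
    cb = f"{REDIRECT_URI}?code=constructed-code&state={sess['state']}"
    code = handle_callback(cb, sess)
    print(token_request(code, sess))
```

The `pkce_challenge` function reproduces the RFC 7636 Appendix B test vector, and a callback carrying the wrong `state` is rejected before any code is exchanged.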
Kerberos (On Premise ONLY)
Similar to SAML, the request is forwarded to a customer server for authentication before returning with a token granting access (a ticket server, in Kerberos terms). Kerberos is complex and does not work well in Cloud and Hosted environments. It requires customer On Premise expertise and infrastructure. It only provides authentication and must be combined with LDAP in order to get user creation/deactivation and profile sync.
Purchase of professional services to set up these authentication methods is not absolutely required if the customer has the internal expertise to set up the authentication connection. If they are unable to do so, Support is not able to walk them through it and the services will have to be purchased through Professional Services (PS). Kerberos requires mandatory services with the PS team.