In the first sections of JIVE-421, you learned the types of authentication systems supported by Jive. This article will help you become familiar with the key concepts of how each authentication service works with Jive, its features and its setup requirements.
Some of the systems discussed in Supported Authentication Systems provide authentication only: they securely check that the username and password were entered correctly and match what is registered in the database.
Meanwhile, other systems can also:
- Create new user accounts for employees who were hired and added to a central Human Resources (HR) system.
- Sync profile fields (name, title, department, location and so on), keeping everything up to date as details change over time without manual effort.
- Deactivate user accounts as people leave the company.
- Add or remove people from Jive Permission Groups based on group membership in the identity system.
- Work together with another service, for example Security Assertion Markup Language (SAML) combined with Lightweight Directory Access Protocol (LDAP).
Each authentication feature in the table above will be explained in the next sections.
A Closer Look at Jive's Authentication Features
Single Sign-On (SSO)
Beyond checking that you entered your username and password correctly, Single Sign-On (SSO) lets you sign in once for the day; the other SSO-aware applications you use then sign you in automatically using the secure token tied to your session. LDAP and SSO are sometimes incorrectly assumed to be the same thing. LDAP by itself does not provide Single Sign-On unless it is paired with another service such as SAML, ADFS or Kerberos.
The Organizational (Org) Chart lets you see how a person fits into the overall organization: who their teammates are and who they report to, the chain of command. It can be synced through LDAP or the User Sync Add-on but cannot be synced with other technologies such as SAML or SSO.
This is only relevant for Jive-n
Some customers need two different ways to authenticate users, requiring more than one source of user information. Currently, Jive allows one SAML or LDAP server to be combined with Jive native users. This lets a site be configured so that customers create accounts and log in as native Jive users, while employees and contractors log in via SAML and the central user directory. Likewise, an internal community could have partners log in to Jive as native users while employees authenticate through SAML.
An example of mixed-mode authentication is sending employees to Okta while non-employees use Jive native authentication.
User Sync is an automatic, scheduled process that updates the information about Jive users from a central system such as LDAP, or through the User Sync Add-On, which processes a .csv file exported nightly from the customer's system, as discussed in the next lessons of JIVE-421. User Sync keeps everything up to date: full names, locations, offices, profile fields (phone numbers, title, address) and permission group assignments, as well as creating new users as employees are hired and deactivating the accounts of employees who leave the company. Having a User Sync solution in place matters because SAML can only update a user's details when that user logs in to the community, so the accounts of people who do not log in can become outdated.
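As an added illustration of the reconciliation a nightly User Sync performs (this is not Jive's or the User Sync Add-On's own code, and the CSV column names are assumptions), the following Python script diffs a constructed HR export against a snapshot of the community and lists the create, update, group-membership and deactivate actions a sync run would apply:

```python
import csv
import io

# Constructed nightly export from an HR system (not a real Jive feed);
# the column names are assumptions made for this example.
HR_CSV = """username,name,title,department,groups
alice,Alice Ng,Engineer,Platform,staff;engineers
bob,Bob Ray,Senior Engineer,Platform,staff;engineers;oncall
dana,Dana Li,Analyst,Finance,staff
"""

# Constructed snapshot of what the community currently holds.
COMMUNITY = {
    "alice": {"name": "Alice Ng", "title": "Engineer", "department": "Platform",
              "groups": {"staff", "engineers"}, "active": True},
    "bob":   {"name": "Bob Ray", "title": "Engineer", "department": "Platform",
              "groups": {"staff", "engineers"}, "active": True},
    "carol": {"name": "Carol Wu", "title": "Manager", "department": "Sales",
              "groups": {"staff", "managers"}, "active": True},
}

PROFILE_FIELDS = ("name", "title", "department")


def plan_sync(hr_csv, community):
    """Diff the HR feed against the community and return the actions a
    nightly sync would take: create, update fields, change groups, deactivate."""
    actions = []
    seen = set()
    for row in csv.DictReader(io.StringIO(hr_csv)):
        user = row["username"]
        seen.add(user)
        wanted_groups = set(filter(None, row["groups"].split(";")))
        current = community.get(user)
        if current is None:  # new hire: create the account, then its groups
            actions.append(("create", user, {f: row[f] for f in PROFILE_FIELDS}))
            actions.append(("set_groups", user, wanted_groups))
            continue
        changed = {f: row[f] for f in PROFILE_FIELDS if current[f] != row[f]}
        if changed:  # profile fields that drifted since the last run
            actions.append(("update", user, changed))
        for g in sorted(wanted_groups - current["groups"]):
            actions.append(("add_to_group", user, g))
        for g in sorted(current["groups"] - wanted_groups):
            actions.append(("remove_from_group", user, g))
    # Anyone active in the community but absent from the HR feed has left.
    for user, rec in community.items():
        if rec["active"] and user not in seen:
            actions.append(("deactivate", user, None))
    return actions
```

Running `plan_sync(HR_CSV, COMMUNITY)` yields a title update and a new group for bob, a create for dana, and a deactivate for carol, who is missing from the feed.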
Cloud Identity Services
Okta Windows Agent: A small Windows application that runs on the customer's server and securely relays the necessary information from their internal Active Directory to keep the Okta cloud user directory up to date (including all configured deactivations, permission groups and profile fields). This removes the need for the customer to expose LDAP through their firewall, and it works without a virtual private network (VPN).
Complex scenario support with a single SAML endpoint for Jive to connect to: Okta and Ping Identity can both support multi-Identity Provider (IdP) scenarios, including combining user directory information from several technologies into a single cloud user directory for the organization. This effectively lets Jive use multiple IdPs, which it does not support out of the box.
- Example: A customer with multiple acquisitions over the years that were never fully integrated but still need access to Jive would be a good candidate for Okta or Ping. Other lessons in JIVE-421 describe how these two are set up.