Before you begin configuring a SAML SSO implementation for your Jive community, you should know the requirements and best practices.
This article helps you get ready for implementing SAML SSO as an authentication method.
SAML is a protocol for exchanging authentication credentials between two parties, a service provider (SP) and an identity provider (IdP). A successful SAML implementation requires:
- An identity provider that complies with the SAML 2.0 standard. You should make sure you have required knowledge of how to configure your identity provider before proceeding.
For more information, see SAML Identity Providers.
- Familiarity with the SAML 2.0 specification.
Before you begin the process of configuring Jive as a SAML 2.0 service provider to your IdP, you need to understand that the details of how SAML works. Alternatively, you should enlist the assistance of a SAML professional. For more information about SAML, see Oasis SAML Technical Overview.pdf.
You need Full Access administrator rights to configure SAML SSO. Support or another Full Access administrator in your organization can grant you this access.
It is theoretically possible to implement SSO without SSL, but this raises some difficult security challenges. You should implement SSL and set your
If you are going to use LDAP in conjunction with SAML, it is recommended to use SAML for authentication only. Use LDAP for user provisioning and profile synchronization.
LDAP setup can be a lengthy process, including VPN setup and testing. Please allow time for the setup process if you are implementing LDAP as part of your SSO implementation.
Migrating Existing Users
If you have existing users on your community and have not yet implemented SAML, it is best to enable Username Identity to look up existing users by username. In most cases, you should also enable Merge Local Users to ensure that existing users are automatically federated. This recommendation assumes that either the email address or the username matches between existing accounts and the SAML response. If neither of those fields matches, you can:
- Update the existing email addresses in Jive before using Username Identity to sync them.
- Update the usernames in Jive before using the username identity to sync them.
- Add the external IDs in Jive and federate the users by using another method.
You can use the REST API or, if you need more assistance, a partner or Professional Services can handle this by creating a database script.
If you have non-federated local users that you do not want to merge, you should not select Merge Local Users. Instead, mark only the accounts you want to merge as federated before enabling Username Identity.
Before you begin the configuration process, you must have the following information available:
- The IdP metadata (URL location or file content). Specifying a URL usually makes updates easier.
- The IdP entity ID
- The IdP KeyInfo element
- The IdP Location that defines your endpoints
If you can not verify that this information is included, contact your IdP administrator.
To integrate Jive with SAML, you need the complete metadata file, not just the information described above.
- The friendly attribute names sent with each SAML assertion.
Planning for Jive User Provisioning and Profile Synchronization
When you implement SAML, you need to decide on a strategy for which members of your organization must be included in the Jive Community, and with what rights. For example, you need to decide whether all your organization users should be able to create accounts in the community and whether you assign them to user groups for authorization. If you are primarily responsible for the technical implementation of this feature, you should discuss these decisions with your Community Administrator.