Certain configuration properties provided by Jive help configure Security Assertion Markup Language (SAML) support implementation in your community.
This article provides information about the general SAML integration properties/settings offered by Jive.
Here you can find the general settings reference of the SAML SSO configuration. These settings are accessible under Admin Console > People > Settings > Single Sign-On > SAML.
Enable this setting to enable SAML SSO for your community.
Enable this setting to provide detailed logging for troubleshooting authentication problems. You need to enable this setting during setup and validation, but turn it off in production.
Username Identity, Merge Local Users
Enable the Username Identity setting if you have existing users in Jive and you are newly implementing SAML. You do not need to enable it if all your accounts are created through SSO auto-provisioning.
Jive uses a permanent, unique identifier (
External ID) to connect existing users with their SSO login. If users have never logged in by using SSO, they will not have an associated
external ID. When Username identity is enabled, Jive maps any existing federated users to an existing user account (using the username or email address) during their first SSO login.
To automatically federate existing users on login, you should also enable Merge Local Users. If you use Username Identity without enabling Merge Local Users, make sure your existing users are marked as federated users. Otherwise, non-federated users will not be synchronized.
Provision new user account on login
Enable this setting to ensure that when a new user logs in, the user account is automatically created within Jive. This setting is enabled by default and should not be disabled unless you add users to the Jive community before enabling SSO.
Enable disabled user account on login
Enable this setting to reenable disabled user Jive accounts when they log in.
Sync user profile on login
Enable this setting to update users based on the remote user profile each time they log in.
This option is enabled by default. It requires that to pass validation, the
AuthnResponse must have a valid signature on the Assertions within the Response. If the Response itself is signed, it also requires the signature to be valid. At the same time, it does not require that the Response be signed.
Clearing the checkbox enforces that the Response must be signed, and any signature on the Assertions is ignored. Most IdPs sign the Assertions section in the AuthnResponse. If you use SFDC, however, you should clear this checkbox, because SFDC only signs the entire Response.
SSO Service Binding
Define whether Jive should send the request to the IdP with an HTTP GET Redirect or a POST. The default service binding is
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST which is used commonly. To use this binding, you must ensure that a Location binding with this value is in the IdP metadata. POST is typically preferred to Redirect because some browser versions and some firewalls have restrictions on the length of the HTTP path.
If you are configuring ADFS, note that using POST can cause problems for users on Safari.
/sso/logged-out.jspa is a page that does not require authentication. If guest access is disabled, users need to land on a non-authentication-requiring page. Otherwise, they would be automatically logged in again.
If guest access is enabled, you can set this value to
/index.jspa to redirect the user back to the instance homepage, as a guest user instead of the account they were logging out of. Another option is to set it to the IdP logout URL so that the user is logged out of both Jive and the IdP. We do not support the SAML Single Logout (SLO) protocol.
Changing this setting requires you to restart the Jive server.
If you specify a relative URL as the logout URL, such as
/sso/logged-out.jspa, it needs to be a unique substring among all URLs within Jive. Any URL that matches this string will not trigger the SSO process. For example, setting the string to
/ is a bad choice, because this value would match all URLs in Jive and entirely prevent SSO from working.
Maximum Authentication Age
Identifies the maximum session time (in seconds) that is set for the IdP. The default setting is 28800 seconds or 8 hours. However, to avoid login failures, you need to set this to match the maximum session set on the IdP.
Specifies the maximum permitted time between the timestamps in the SAML Response and the clock on the Jive instance. The default value is 120 seconds. If there is a significant amount of clock drift between the IdP and Jive, you can increase this value. The same value is also used for the skew in the
NotBefore check in the response. If you see an error indicating a problem with the
NotBefore check and you are not able to fix the clock difference problem, you can try increasing this value. However, increasing the response skew value can increase your security risk.