Jive offers many settings to refine and troubleshoot a Security Assertion Markup Language (SAML) based Single Sign-On (SSO) integration.
This article provides information about advanced SAML integration settings.
The settings on the Advanced tab are used to refine and troubleshoot a SAML integration. The settings are available under Admin Console > People > Settings > Single Sign-On > SAML.
On the SAML > Advanced tab of the Single Sign-On page, you can find the less commonly used SSO configuration properties, detailed in General SAML Integration Settings.
This setting determines whether the SAML request is signed or not. Enabling this setting can increase security, but it is incompatible with some Identity Providers (IdPs). This setting is disabled by default.
Base metadata URL
This value sets the desired URL for the entityID and endpoint URLs. This URL should start with https. If you are not using a URL with https, you need to get help from Support to continue setting up SSO.
This setting forces any user with an existing IdP session to log in again.
When guest access is enabled, this issues a SAML AuthnRequest upon first access with isPassive=true, which should cause the IdP to redirect back to Jive if the user does not have an active session with the IdP.
For most IdPs, using the default setting is correct.
NameID Allow Create
By default, this checkbox is cleared. You should leave it cleared unless you receive an error about NameID creation while setting up your SAML integration.
Specifies that the SP metadata should be signed. You should clear this checkbox unless your IdP requires signed metadata. If you use ADFS, you must clear this checkbox.
IDP Want Response Signed
Adds a configuration to the SP metadata that tells the IdP that the SAML response should be signed, instead of only the assertions within the response. You should not enable this setting unless Support recommends it.
Requested AuthnContext
Along with Requested AuthnContext Comparison, this optional setting is used to add additional information to requests in certain specific cases. It is disabled by default.
Requested AuthnContext Comparison
Along with Requested AuthnContext, this optional setting is used to add additional information to requests in certain specific cases. It is disabled by default.
RSA Signature Algorithm URI
Defines the algorithm that is used for the digital signatures within the SAML messages. Most IdPs use the default algorithm URI, as specified in Additional XML Security Uniform Resource Identifiers (URIs). You may need to change this value if your IdP uses a different algorithm.
Group Mapping Enabled
Enable this property if you plan to use one of the SAML Response Assertion Attributes to synchronize the user into Permission Groups. For more information, see SAML SSO Group Mapping.
Require Valid Metadata
Use this setting to determine whether the IdP metadata which you provide to Jive should be validated with respect to any validUntil timestamps. Some IdPs generate metadata with arbitrary validUntil timestamps, which can cause validation to fail and keep Jive from running.
Some IdPs may require a scoping definition. This option is disabled by default. If you use ADFS, it must remain disabled.
This setting specifies the maximum number of proxies any request can go through in the request to the IdP. The default value is 2. If your IdP needs more than two proxy redirects, adjust this value accordingly.
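The forced re-login, the isPassive request issued for guest access, the scoping definition and the proxy count described above all surface as attributes or child elements of the AuthnRequest that the SP sends to the IdP. The following added example (not Jive's own code; the SP entityID, ACS URL and IdP SSO URL are constructed placeholders) builds such a request with Python's standard library so you can see exactly what each setting changes on the wire, and parses one back to confirm which options it carries.

```python
"""Build a SAML 2.0 AuthnRequest carrying ForceAuthn, IsPassive and a
Scoping/ProxyCount element, then read those options back from the XML.
Added example with hypothetical SP values; not Jive's own implementation."""
import datetime
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed values for a hypothetical SP and IdP (placeholders, not real).
SP_ENTITY_ID = "https://community.example.com/saml/metadata"
SP_ACS_URL = "https://community.example.com/saml/SSO"
IDP_SSO_URL = "https://idp.example.com/sso"


def new_request_id():
    # SAML IDs are xs:ID (NCName): they must not start with a digit.
    return "_" + uuid.uuid4().hex


def build_authn_request(force_authn=False, is_passive=False, scoping=False,
                        proxy_count=2, request_id=None, issue_instant=None):
    """Return the AuthnRequest as an XML string.

    force_authn  -> ForceAuthn="true": IdP must re-authenticate an existing session.
    is_passive   -> IsPassive="true": IdP must not interact with the user; it
                    returns an error/redirect instead when no session exists.
    scoping      -> emit a <samlp:Scoping ProxyCount="..."> element; proxy_count
                    caps how many proxying IdPs may sit between SP and the
                    authenticating IdP (default 2, as in the setting above).
    """
    request_id = request_id or new_request_id()
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    if is_passive:
        req.set("IsPassive", "true")
    # Issuer must be the first child of the request (RequestAbstractType).
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    if scoping:
        ET.SubElement(req, f"{{{SAMLP}}}Scoping", {"ProxyCount": str(proxy_count)})
    return ET.tostring(req, encoding="unicode")


def describe(xml_text):
    """Parse an AuthnRequest and report the options it carries."""
    root = ET.fromstring(xml_text)
    scoping = root.find(f"{{{SAMLP}}}Scoping")
    return {
        "id": root.get("ID"),
        "force_authn": root.get("ForceAuthn") == "true",
        "is_passive": root.get("IsPassive") == "true",
        "proxy_count": int(scoping.get("ProxyCount")) if scoping is not None else None,
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
    }


if __name__ == "__main__":
    # Guest-access style request: passive, no scoping.
    print(build_authn_request(is_passive=True))
    # Forced re-login with a scoping definition allowing three proxies.
    print(describe(build_authn_request(force_authn=True, scoping=True, proxy_count=3)))
```

The request ID returned in `describe()["id"]` is what the SP must remember so that the IdP's Response can be matched through its InResponseTo attribute; an SP that does not keep these IDs cannot meaningfully validate InResponseTo.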
Controls whether the InResponseTo attribute of incoming SAML responses is validated. By default, the setting is enabled.
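Three of the settings on this tab (IDP Want Response Signed, Require Valid Metadata and InResponseTo validation) are about checks the SP applies to what the IdP produces. The following added example (not Jive's code; the IdP metadata and the Response are constructed samples with a placeholder ds:Signature stub, not a real signature) shows those checks in Python: whether a validUntil that has already passed is accepted or rejected depending on the Require Valid Metadata choice, a one-shot InResponseTo check against the request IDs the SP issued, and a report of which elements actually carry a signature, so you can see the difference between a signed Response and a Response whose Assertion alone is signed.

```python
"""SP-side checks on IdP metadata and SAML Responses: validUntil handling,
InResponseTo matching and signature placement. Added example with constructed
XML samples; not Jive's own implementation."""
import datetime as dt
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed IdP metadata (hypothetical IdP) whose validUntil is in the past.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}"
    entityID="https://idp.example.com/metadata" validUntil="2020-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Response: only the Assertion carries a (stub) ds:Signature.
RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}"
    ID="_resp1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
    InResponseTo="_req-abc123" Destination="https://community.example.com/saml/SSO">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature><ds:SignedInfo/></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_instant(value):
    """xs:dateTime with a trailing 'Z'; normalised for interpreters < 3.11."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return dt.datetime.fromisoformat(value)


def check_metadata(metadata_xml, require_valid_metadata=True, now=None):
    """Return (accepted, reason). With require_valid_metadata=False an expired
    validUntil is only reported; the metadata is still accepted."""
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(metadata_xml)
    valid_until = root.get("validUntil")
    if valid_until is None:
        return True, "no validUntil attribute"
    if parse_saml_instant(valid_until) >= now:
        return True, f"valid until {valid_until}"
    if require_valid_metadata:
        return False, f"metadata expired at {valid_until}"
    return True, f"expired at {valid_until} (ignored: Require Valid Metadata off)"


def check_in_response_to(response_xml, issued_request_ids, validate=True):
    """InResponseTo must name a request this SP issued, and each ID is consumed
    once so the same Response cannot be replayed. IdP-initiated SSO carries no
    InResponseTo, which is the usual reason for turning the check off."""
    root = ET.fromstring(response_xml)
    irt = root.get("InResponseTo")
    if not validate:
        return True, "InResponseTo validation disabled"
    if irt is None:
        return False, "unsolicited response: no InResponseTo"
    if irt not in issued_request_ids:
        return False, f"InResponseTo {irt} matches no outstanding request"
    issued_request_ids.discard(irt)
    return True, f"matched request {irt}"


def signed_elements(response_xml):
    """Local names of elements with a direct ds:Signature child. ['Response',
    'Assertion'] means the whole Response is signed; ['Assertion'] means only
    the assertion is, which is what IDP Want Response Signed is meant to change."""
    root = ET.fromstring(response_xml)
    return [el.tag.split("}")[1] for el in root.iter()
            if el.find(f"{{{DS}}}Signature") is not None]


if __name__ == "__main__":
    print(check_metadata(IDP_METADATA))
    print(check_metadata(IDP_METADATA, require_valid_metadata=False))
    outstanding = {"_req-abc123"}
    print(check_in_response_to(RESPONSE, outstanding))
    print(check_in_response_to(RESPONSE, outstanding))  # second use is rejected
    print(signed_elements(RESPONSE))
```

Presence of a ds:Signature is of course only the first question; a real SP also verifies each signature against the IdP's metadata certificate, which is outside this example.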