The settings on the Advanced tab are used to refine and troubleshoot a SAML integration.
The following settings on the Advanced tab control less commonly used SSO configuration options.
- Request Signed
- This setting determines whether the SAML request is signed. Enabling it can increase security, but it's incompatible with some IdPs. This setting is disabled by default.
- Base metadata URL
- This value sets the URL used for the entityID and the endpoint URLs. This URL should use https. If you aren't using an https URL, you need to get help from Support to continue setting up SSO.
- Enable Username Confirmation for New Users, Enable Email Confirmation for New Users, Enable Name Confirmation for New Users
- These settings define the behavior for new users when they first log in. When they're selected, users will be asked to confirm that they want to use the relevant value (username, email, or name) that is provided by the Identity Provider. They can also change these values if they wish. By default, these settings are all disabled, since in most cases the intended result is for users to be forced to use the username, email, and name defined for them in the corporate directory. The Enable Name Confirmation setting has an additional application when users typically log in with either a single-word username or an email address, but may need the option to provide a first/last name combination. If you select this check box, users can also modify those profile fields after initial login.
Note: These fields also apply to any users who may be logging into your community using External ID.
- External Identity is Case-Sensitive
- Use this setting to determine whether the value used for the external identity should
be case-sensitive. You should disable this setting in a case where the external identity
value changes under different circumstances, for example when it's sometimes all
lowercase and sometimes all uppercase.
- Force Authentication
- Forces any user with an existing IdP session to log in again.
- Passive Authentication
- When guest access is enabled, issues a SAML AuthnRequest upon first access with
"isPassive=true", which should cause the IdP to simply redirect back to Jive if the user doesn't
have an active session with the IdP.
- NameID Format
- For most IdPs, using the default setting is correct.
- NameID Allow Create
- By default, this check box is cleared. You should leave it cleared unless you receive an error about NameID creation while setting up your SAML integration.
- Sign Metadata
- Specifies that metadata should be signed. You should clear this check box UNLESS your
IdP requires that the metadata be signed. If you use ADFS, you must clear this check
box.
- IDP Want Response Signed
- Use this setting to add a configuration to the SP metadata that tells the IdP that the
SAML response should be signed, instead of only the assertions within the response. You
should not enable this setting unless Support recommends it.
- Requested AuthnContext
- Along with Requested AuthnContext Comparison, this optional setting is used to add additional information to requests in certain specific cases. It's disabled by default.
- Requested AuthnContext Comparison
- Along with Requested AuthnContext, this optional setting is used to add additional information to requests in certain specific cases. It's disabled by default.
- RSA Signature Algorithm URI
- Defines the algorithm used in the digital signatures used within the SAML messages.
Most IdPs use the default value of http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. You may
need to change this value if your IdP uses a different algorithm.
- Require Valid Metadata
- Use this setting to determine whether the IdP metadata you provide to Jive should be
validated with respect to any validUntil timestamps. Some IdPs
generate metadata with arbitrary validUntil timestamps on their
metadata, which can cause validation to fail and keep Jive from running. This option is
disabled by default.
- Include Scoping
- This check box is unselected by default. If you use ADFS, it must remain
unselected. Some IdPs may require a scoping definition.
- Proxy Count
- This setting specifies the maximum number of proxies any request can go through in the request to the IdP. The default value is 2. If your IdP needs more than 2 proxy redirects, adjust this value upward.
- Key Store
- This feature is used to configure Jive with a specific certificate that will be used for encryption and signing in place of the self-signed certificate Jive generates. You should only use this feature after consulting with Support.
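Several of the settings above (Force Authentication, Passive Authentication, NameID Format, NameID Allow Create, Requested AuthnContext and its Comparison, Include Scoping, Proxy Count) map directly onto attributes and child elements of the SAML 2.0 AuthnRequest that the SP sends to the IdP. The following added example builds such a request with the Python standard library and reads the values back out, so you can see exactly what each check box changes on the wire. It is illustrative code written for this page, not Jive's implementation; the function names, keyword arguments and URLs are assumptions chosen for the example.

```python
"""Build a SAML 2.0 AuthnRequest carrying the optional elements that the
Advanced-tab settings toggle, then read them back.  Example code written for
this page; it is not Jive's implementation."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": NS_SAMLP, "saml": NS_SAML}
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

# Identifiers from the SAML 2.0 core / authentication-context specifications.
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
AUTHN_CTX_PASSWORD_PROTECTED = (
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, *,
                        force_authn=False, is_passive=False,
                        nameid_format=NAMEID_UNSPECIFIED, allow_create=False,
                        requested_authn_context=None, comparison="exact",
                        include_scoping=False, proxy_count=2):
    """Return the AuthnRequest as an ElementTree Element.

    The keyword arguments are hypothetical names that mirror the
    Advanced-tab settings; their defaults match the defaults the page
    describes (not forced, not passive, AllowCreate off, proxy count 2).
    """
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        req.set("ForceAuthn", "true")   # "Force Authentication"
    if is_passive:
        req.set("IsPassive", "true")    # "Passive Authentication"
    # Child elements in the order the schema requires:
    # Issuer, NameIDPolicy, RequestedAuthnContext, Scoping.
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{NS_SAMLP}}}NameIDPolicy", {
        "Format": nameid_format,                         # "NameID Format"
        "AllowCreate": "true" if allow_create else "false",  # "NameID Allow Create"
    })
    if requested_authn_context:                          # "Requested AuthnContext"
        rac = ET.SubElement(req, f"{{{NS_SAMLP}}}RequestedAuthnContext",
                            {"Comparison": comparison})  # "... Comparison"
        ET.SubElement(rac, f"{{{NS_SAML}}}AuthnContextClassRef").text = \
            requested_authn_context
    if include_scoping:                                  # "Include Scoping"
        ET.SubElement(req, f"{{{NS_SAMLP}}}Scoping",
                      {"ProxyCount": str(proxy_count)})  # "Proxy Count"
    return req


def to_xml(req):
    """Serialise the request (this is what would be deflated/encoded for the IdP)."""
    return ET.tostring(req, encoding="unicode")


def request_flags_from_xml(xml_text):
    """Parse an AuthnRequest and report the Advanced-tab-relevant values."""
    req = ET.fromstring(xml_text)
    policy = req.find("samlp:NameIDPolicy", NS)
    rac = req.find("samlp:RequestedAuthnContext", NS)
    scoping = req.find("samlp:Scoping", NS)
    return {
        "force_authn": req.get("ForceAuthn") == "true",
        "is_passive": req.get("IsPassive") == "true",
        "nameid_format": policy.get("Format"),
        "allow_create": policy.get("AllowCreate") == "true",
        "authn_context": (rac.find("saml:AuthnContextClassRef", NS).text
                          if rac is not None else None),
        "comparison": rac.get("Comparison") if rac is not None else None,
        "proxy_count": int(scoping.get("ProxyCount")) if scoping is not None else None,
    }


if __name__ == "__main__":
    # Hypothetical SP and IdP URLs used only for this demonstration.
    r = build_authn_request("https://sp.example.com/saml",
                            "https://sp.example.com/saml/acs",
                            "https://idp.example.com/sso",
                            force_authn=True, allow_create=True,
                            requested_authn_context=AUTHN_CTX_PASSWORD_PROTECTED,
                            comparison="minimum", include_scoping=True, proxy_count=3)
    print(to_xml(r))
```

Turning on Passive Authentication sets `IsPassive="true"`; Force Authentication sets `ForceAuthn="true"`. Note that Include Scoping emits the `Scoping` element, and Proxy Count only has an effect as its `ProxyCount` attribute, which matches the page's advice that ADFS deployments leave Include Scoping cleared.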
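The Require Valid Metadata setting decides whether a validUntil timestamp in the IdP metadata is enforced. The added example below shows what that check involves: it reads validUntil from the EntityDescriptor (and any IDPSSODescriptor) and accepts or rejects the metadata accordingly, skipping the check entirely when the setting is off, which is the default described above. The metadata documents are constructed samples for this example, and the code is illustrative, not Jive's own.

```python
"""Evaluate IdP metadata validUntil timestamps as a "Require Valid Metadata"
check would.  Example code written for this page, not Jive's implementation."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"


def parse_saml_datetime(value):
    """SAML timestamps are xsd:dateTime in UTC; map a trailing 'Z' to '+00:00'
    so datetime.fromisoformat accepts it, and assume UTC if no zone is given."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def metadata_expiry(xml_text):
    """Return the earliest validUntil on the root descriptor or any
    IDPSSODescriptor, or None when the metadata carries no expiry."""
    root = ET.fromstring(xml_text)
    candidates = [root] + list(root.iter(f"{{{NS_MD}}}IDPSSODescriptor"))
    stamps = [parse_saml_datetime(e.get("validUntil"))
              for e in candidates if e.get("validUntil")]
    return min(stamps) if stamps else None


def metadata_acceptable(xml_text, require_valid, now=None):
    """True if the metadata may be loaded.

    require_valid=False reproduces the default behaviour the page describes:
    validUntil is ignored, so metadata with an arbitrary or stale timestamp
    does not stop SSO from working.  require_valid=True rejects metadata
    whose earliest validUntil is in the past.
    """
    if not require_valid:
        return True
    expiry = metadata_expiry(xml_text)
    now = now or datetime.now(timezone.utc)
    return expiry is None or expiry > now


# Constructed sample metadata (hypothetical entityID); one expired, one not.
SAMPLE_EXPIRED = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml" validUntil="2020-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

SAMPLE_CURRENT = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor validUntil="2099-12-31T23:59:59Z"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

SAMPLE_NO_EXPIRY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for name, doc in [("expired", SAMPLE_EXPIRED), ("current", SAMPLE_CURRENT),
                      ("no-expiry", SAMPLE_NO_EXPIRY)]:
        print(name, "strict:", metadata_acceptable(doc, True),
              "lenient:", metadata_acceptable(doc, False))
```

Running it shows the trade-off the page describes: with the setting enabled, the expired document is rejected outright, while the default (disabled) accepts all three.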