The following settings on the General tab are used in a typical SSO configuration.
- Debug Mode
- Enable this setting to get detailed logging for troubleshooting authentication problems. Enable it during setup and validation, but turn it off in production.
- Username Identity, Merge Local Users
- Enable the Username Identity setting if you have existing users in Jive and you are newly implementing SAML. (You don't need to enable it if all your accounts will be created through SSO auto-provisioning.) Jive uses a permanent, unique identifier (External ID) to connect existing users with their SSO login. Users who have never logged in using SSO have no associated External ID. When Username Identity is enabled, Jive maps federated users to an existing user account by username or email address during their first SSO login.
To automatically federate existing users on login, also enable Merge Local Users. If you use Username Identity without enabling Merge Local Users, make sure your existing users are marked as federated users; otherwise, unfederated users will not be synchronized.
- Provision new user account on login
- Enable this setting to ensure that when a new user logs in, the user account is
automatically created within Jive. This setting is
enabled by default and should not be disabled unless you seeded the Jive community with users
before enabling SSO.
- Enable disabled user account on login
- Enable this setting to re-enable a disabled user's Jive account when that user logs in.
- Sync user profile on login
- Enable this setting to update users based on the remote user profile each time they log
in.
- Sign Assertions
- This option is enabled by default. It requires that, to pass validation, the AuthnResponse carries a valid signature on the Assertions within the Response. If the Response itself is also signed, that signature must be valid too, but the Response is not required to be signed. Clearing the check box instead requires the Response to be signed, and any signature on the Assertions is ignored. Most IdPs sign the Assertions section of the AuthnResponse. If you use SFDC, however, clear this check box, because SFDC signs only the entire Response.
- SSO Service Binding
- Defines whether Jive sends the request to the IdP with an HTTP GET Redirect or a POST. The default service binding is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, which is the most commonly used binding. To use this binding, you must ensure that a Location binding with this value is in the IdP metadata. POST is typically preferred to Redirect, because older versions of Internet Explorer and some firewalls have restrictions on the length of the HTTP path.
Note: If you're configuring ADFS, keep in mind that using POST can cause problems for users on Safari.
- Logout URL
- By default, /sso/logged-out.jspa is a page that doesn't require authentication. If guest access is disabled, users need to land on a page that does not require authentication. (Otherwise they'd be automatically logged in again.) If guest access is enabled, you can set this value to /index.jspa to redirect the user back to the instance homepage, but as a guest user instead of as the account they were logging out of. Another option is to set it to the IdP logout URL, so that the user is logged out of both Jive and the IdP. We do not support the SAML SingleLogout (SLO) protocol.
Changing this setting requires you to restart the Jive server.
Note: If you specify a relative URL as the logout URL, such as /sso/logged-out.jspa, it needs to be a unique substring among all URLs within Jive, because any URL that matches this string will not trigger the SSO process. For example, setting the string to / is a bad choice, because this value would match all URLs in Jive and entirely prevent SSO from working.
- Maximum Authentication Age
- Identifies the maximum session time (in seconds) that's set for the IdP. The default
setting is 28800 seconds, or 8 hours. However, to avoid login failures, you need to set
this to match the maximum session set on the IdP. (Some IdPs are set to expire sessions
less often.)
- Response Skew
- Specifies the maximum permitted time between the timestamps in the SAML Response and the clock on the Jive instance. The default value is 120 seconds. If there is a significant amount of clock drift between the IdP and Jive, you can increase this value. The same value is also used for the skew in the NotBefore check in the response. If you see an error indicating a problem with the NotBefore check and you aren't able to fix the clock difference, you can try increasing this value. However, increasing the response skew increases your security risk, because a wider skew widens the window in which a stale Response is still accepted.
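The following added example (not Jive's code) models the validation rules that the Sign Assertions, Response Skew, Maximum Authentication Age and Logout URL settings above control, so you can see how each setting changes which Responses are accepted. It assumes the IdP's AuthnInstant is what the maximum authentication age is measured against, and all timestamps in it are constructed.

```python
from datetime import datetime, timedelta, timezone


def signature_requirement_met(sign_assertions, response_signed, response_sig_valid,
                              assertion_signed, assertion_sig_valid):
    """Model the Sign Assertions check box.
    Enabled:  the Assertion must be validly signed; a Response signature is optional
              but, if present, must also be valid.
    Disabled: the Response itself must be validly signed; Assertion signatures are
              ignored (the SFDC case, where only the whole Response is signed)."""
    if sign_assertions:
        if not (assertion_signed and assertion_sig_valid):
            return False
        return (not response_signed) or response_sig_valid
    return response_signed and response_sig_valid


def check_timing(not_before, not_on_or_after, authn_instant, now,
                 response_skew=120, max_authentication_age=28800):
    """Return None when the timing checks pass, else the name of the failed check.
    response_skew (seconds) is allowed on both NotBefore and NotOnOrAfter, as the
    Response Skew setting describes. max_authentication_age is measured against the
    AuthnInstant the IdP reports (an assumption about how session age is checked)."""
    skew = timedelta(seconds=response_skew)
    if now + skew < not_before:
        return "NotBefore"
    if now - skew >= not_on_or_after:
        return "NotOnOrAfter"
    if now - authn_instant > timedelta(seconds=max_authentication_age):
        return "MaximumAuthenticationAge"
    return None


def request_skips_sso(request_url, logout_url):
    """Per the Logout URL note: a request URL containing the configured string bypasses
    SSO, so a value of '/' matches every URL and switches SSO off entirely."""
    return logout_url in request_url


def demo(response_skew=120, drift_seconds=90, authn_age_seconds=0):
    """Constructed sample: the IdP clock runs drift_seconds ahead of Jive's, the
    Conditions window is 5 minutes, and the IdP authenticated the user
    authn_age_seconds before issuing the Response."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    idp_now = now + timedelta(seconds=drift_seconds)
    return check_timing(idp_now, idp_now + timedelta(minutes=5),
                        idp_now - timedelta(seconds=authn_age_seconds), now,
                        response_skew=response_skew)
```

With the default 120-second skew, a 90-second clock lead passes; lowering the skew to 60 seconds makes the same Response fail the NotBefore check, which is the error the Response Skew text describes.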