Getting Ready to Implement SAML SSO

Before you begin configuring a SAML SSO implementation, make sure you read about the requirements and best practices.

A successful SAML implementation requires the following prerequisites.

An identity provider that complies with the SAML 2.0 standard. For more information, see SAML Identity Providers. You should make sure you have expert knowledge of how to configure your identity provider before proceeding.
Familiarity with the SAML 2.0 specification. Before you begin the process of configuring Jive as a SAML 2.0 service provider to your IdP, you need to understand the details of how SAML works or else enlist the assistance of a SAML professional. The links that follow can supply some of this information.
- Oasis SAML Technical Overview (.pdf)
- Wikipedia entry on SAML 2.0

SSL Implementation

It is theoretically possible to implement SSO without SSL, but this raises some difficult security challenges. You should implement SSL, and you'll find it much easier to set up SSO if your jiveURL uses https, not http.

Disable Storage Provider File System Caching

Before you begin setting up SAML, go to System > Settings > Storage Providerand click Edit. Then select No under Cache Enabled. You won't be able to modify your IdP metadata unless caching is disabled.

LDAP Integration

If you're going to use LDAP in conjunction with SAML, we recommend using SAML for authentication only, while using LDAP for user provisioning, user deprovisioning, and profile synchronization. LDAP setup can be a lengthy process including VPN setup and testing, so allow time for this setup process if you're implementing LDAP as part of your SSO implementation.

Migrating Existing Jive Users

If you already have existing users on your community and have not yet implemented SAML, the best practice for migrating users is to enable Username Identity to look up existing users by username. In most cases, you should also enable Merge Local Users to ensure that existing users are automatically federated. This recommendation assumes that either the email address or the username matches between existing accounts and the SAML response. If neither of those fields matches, you can:

Update the existing email addresses in Jive before using Username Identity to sync them
Update the usernames in Jive before using Username Identity to sync them
Add the external IDs in Jive and federate the users via another method. (You can use the REST API or, if you need more assistance, a partner or Professional Services can handle this by creating a database script.)

CAUTION:

If you may have unfederated local users that you do not want to merge, you should not select Merge Local Users. Instead, mark only the accounts you want to merge as federated before enabling Username Identity.

Required Information

Before you begin the configuration process, you must have the following information available:

The IdP metadata (URL location or file content). Specifying a URL usually makes updates easier. Your metadata needs to include the following information:
- The IdP entity ID
- The IdP KeyInfo element
- The IdP Location that defines your endpoints
If you can't verify that this information is included, talk to your IdP administrator.
Note: To integrate Jive with SAML, you need the complete metadata file, not just the information described above.
The friendly attribute names sent with each SAML assertion.

Planning for Jive User Provisioning and Profile Synchronization

When you implement SAML, you need to decide on a strategy for which members of your organization will be included in the Jive Community, and with what rights. For example, you'll need to decide whether all your organization's users should be able to create accounts in the Jive community, and whether you will assign them to authorization groups. If you're primarily responsible for the technical implementation of this feature, make sure you discuss these decisions with your Community Administrator.