First-Time Only Authentication with SAML

With this method, a user authenticates initially through SAML SSO. Then Jive Mobile converts the session to a longer-lived OAuth session.

Note: This option is not available for versions earlier than Jive 7.0.1.

This method works by setting the Access Token and Refresh Token timeouts for the add-on to an interval greater than the SAML SSO timeout. The mobile session then outlives both auth.lifetime (the Jive authentication session) and the SAML SSO session. Keep in mind that if you use the default values for the Access Token timeout (48 hours) and the Refresh Token timeout (15 years), the user will not need to log in again on mobile unless the device’s authentication is revoked or the values are changed.

This method has the following advantages:
  • The user can revoke a device authenticated through SAML SSO, a feature that is not available by using regular SAML SSO login alone.
  • Users who authenticate through the mobile clients and users who authenticate through the regular web UI can have different timeout settings, while using the same authentication login flow and the same IdP.

To configure this method:

  1. Make sure SAML SSO is enabled.
  2. Make sure the Jive for iOS or Jive for Android app add-on is installed and enabled. If you are using an on-premise version earlier than 7.0.1, or your instance isn't connected to the Internet, you may need to contact Jive Support to install this add-on.
  3. Next to the app listing, click the gear icon and select Settings. Then click Advanced.
  4. Set the Access Token and Refresh Token timeout settings to an interval greater than the timeout settings of SAML SSO.
  5. Enable Allow this add-on to obtain an access token using an authenticated session. (When this setting is enabled, a call to /api/addons/extensionUUID/session-grant-allowed returns a 200 status code. Otherwise, this call returns a 403 error.)
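
One way to check the result of steps 4 and 5 after saving the settings, as an added example that is not Jive's own code. It assumes the session-grant-allowed path is queried with a plain GET; max_unattended_s is a hypothetical local policy value, and the numbers in the sample run are constructed.

```python
# Added example, not Jive code: sanity-check the settings from the steps above.
import urllib.error
import urllib.request

HOUR = 3600
YEAR = 365 * 24 * HOUR

def audit_timeouts(saml_s, access_s, refresh_s, max_unattended_s):
    """Return findings for the add-on token timeouts (all values in seconds).

    max_unattended_s is a hypothetical local policy value: the longest a
    device may stay signed in without a fresh SAML login.
    """
    findings = []
    for name, value in (("Access Token", access_s), ("Refresh Token", refresh_s)):
        if value <= saml_s:
            findings.append(f"{name} timeout must be greater than the SAML SSO timeout")
    # The Refresh Token lifetime bounds how long a device stays signed in
    # unless its authentication is revoked.
    if refresh_s > max_unattended_s:
        findings.append("Refresh Token timeout exceeds the local re-authentication policy")
    return findings

def session_grant_allowed(base_url, extension_uuid, opener=urllib.request.urlopen):
    """True on 200, False on 403, per step 5. Assumes a plain GET request."""
    url = f"{base_url.rstrip('/')}/api/addons/{extension_uuid}/session-grant-allowed"
    try:
        with opener(url) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 403:
            return False
        raise  # any other status is a different problem (wrong UUID, outage)

if __name__ == "__main__":
    # Constructed values: 8-hour SAML session, the page's default token
    # timeouts, and a 90-day local policy.
    for finding in audit_timeouts(8 * HOUR, 48 * HOUR, 15 * YEAR, 90 * 24 * HOUR):
        print("FINDING:", finding)
```

With the default Refresh Token timeout, the audit reports only the policy finding, which is the case where device revocation is the remaining control.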