Configuring SSO with SAML

Here you can find the SAML configuration for your community. You can set up single sign-on with a SAML identity provider (IdP), or enable, disable, or tweak an existing SAML SSO configuration.

Fastpath:
  • Admin Console > People > Single Sign-On, then the SAML tab
  • Advanced Admin Console > People > Settings > Single Sign-On, then the SAML tab

For more information, see Understanding SSO with SAML.

CAUTION:
Before you configure SSO, make sure you have a migration strategy for any existing Jive users. Implementing SSO without migrating your users to your new authentication provider will orphan existing user accounts, so users can't access their community content. For more information, see Getting ready to implement SAML SSO.

Setting up the IdP connection

To begin setting up the connection between Jive and your identity provider:

  1. Go to the configuration page:
    • Admin Console > People > Single Sign-On, then the SAML tab
    • Advanced Admin Console > People > Settings > Single Sign-On, then the SAML tab
  2. On the IDP Metadata tab, paste in the XML containing the connection metadata.
  3. Click Save All SAML Settings to load the XML.
  4. On the User Attribute Mapping tab, map the user attributes in the Jive profile to your IdP's attributes.

    Note that importing or saving your metadata populates the General tab with a list of attributes from your IdP, so you can use it as a reference when you specify the attributes you want to map. For more information, see User attribute mapping.

  5. If you want to assign users to groups by passing a special group attribute from your IdP to Jive, select Group Mapping Enabled.
  6. Click Save Settings.
  7. Click Download Jive SP Metadata at the top right of the SAML tab to download the Service Provider metadata you need to complete your IdP-side configuration.

User attribute mapping

User attribute mapping is used to identify fields in the Jive profile that you plan to populate from the IdP profile by synchronizing them on login.

  • To map a field, specify the exact IdP attribute used to identify it in the text box, and then select the Federated check box.

Any fields you don't map are user-configurable in the Jive profile settings. Any field that you specify, but do not mark as federated, is populated with the specified value but still configurable.

By default, Jive uses the NameID property as the unique key identifier for a user. You can select Override Subject NameID for Username and specify a different attribute if you want to use a different key identifier.

Group mapping

You can assign users to user groups for authorization automatically by passing a special group attribute from the IdP to Jive.

  • To enable user group mapping and provide the attribute, select Group Mapping Enabled on the Advanced tab.

The group mapping attribute is used to get user group names from each assertion. If the corresponding user groups with these names do not exist, they are created when you synchronize, and users are added to these groups. Note that SAML SSO does not support mixed group management. You can manage your permissions groups either by using the IdP or by using user groups created in Jive.
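
A pre-check for the user attribute mapping and group mapping described above, as an added example that is not part of the Jive documentation or product: it parses a sample assertion from your IdP and reports which mapped attributes are absent and which group names the group attribute carries. The sample assertion, attribute names, profile field names and expected-group list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (trimmed, unsigned); every name in it is an assumption.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>engineering</saml:AttributeValue>
      <saml:AttributeValue>community-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical mapping: profile field -> exact IdP attribute name you plan to enter.
FIELD_MAP = {"Email": "mail", "First Name": "givenName", "Last Name": "sn"}
GROUP_ATTRIBUTE = "memberOf"                 # hypothetical group mapping attribute
EXPECTED_GROUPS = {"engineering", "support"}  # groups you intend the IdP to manage


def parse_assertion(xml_text):
    """Return (NameID, {attribute name: [values]}) from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return name_id.strip(), attrs


def check_mapping(xml_text, field_map, group_attr, expected_groups):
    """Report mapped attributes the assertion lacks and the group names it carries."""
    name_id, attrs = parse_assertion(xml_text)
    # Exact string match on the attribute name; an empty value counts as missing.
    missing = sorted(f for f, a in field_map.items() if not any(attrs.get(a, [])))
    groups = {g for g in attrs.get(group_attr, []) if g}
    return {"name_id": name_id, "missing_fields": missing, "groups": sorted(groups),
            "unexpected_groups": sorted(groups - set(expected_groups))}


if __name__ == "__main__":
    print(check_mapping(SAMPLE_ASSERTION, FIELD_MAP, GROUP_ATTRIBUTE, EXPECTED_GROUPS))
```

A name under `unexpected_groups` is one the IdP would pass that you did not plan for; as described above, names without a matching user group are created on synchronization.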