Version 5

     

    Summary

     

    Jive will sync accounts managed by both SAML SSO and LDAP, although the details of how these synchronizing processes work differ between the two implementations. This document aims to define the high-level differences between the two implementations.

     

    Versions

    Verified for versions Jive Custom 6, 7, 8

     

    Details

     

    Automatic Sync

     

    • SAML SSO does not have a nightly sync
    • LDAP can be scheduled to run daily. This can be configured through the system property spring.userDataSynchronizationTask.cronExpression

     

    Automatically Disabling accounts

     

    • SAML SSO cannot disable accounts
    • LDAP can disable accounts
      • by attribute name and value
      • all users not found in the user search filter directory during sync
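
    Because SAML SSO cannot disable accounts, a SAML-only deployment can leave departed users enabled in Jive. The following added example (not Jive code) reconciles a list of Jive accounts against a directory export using the two LDAP disable criteria listed above; the record layout, the employeeStatus attribute and all sample data are constructed assumptions.

```python
# Added example: flag enabled Jive accounts that an LDAP sync would disable
# but that SAML SSO alone leaves active. Record fields and sample data are
# constructed for illustration; they are not a Jive or LDAP export format.

def find_stale_accounts(jive_accounts, directory_users,
                        disable_attr=None, disable_value=None, exempt=()):
    """Return [(username, reason)] for enabled accounts matching either
    LDAP disable criterion: attribute name/value, or absent from directory."""
    # Assumption: usernames are compared case-insensitively.
    directory = {u["username"].lower(): u for u in directory_users}
    exempt = {name.lower() for name in exempt}
    stale = []
    for acct in jive_accounts:
        name = acct["username"]
        if not acct["enabled"] or name.lower() in exempt:
            continue  # already disabled, or a known local account
        entry = directory.get(name.lower())
        if entry is None:
            # Criterion 2: user not returned by the directory search filter.
            stale.append((name, "not found in directory"))
        elif disable_attr is not None and \
                str(entry.get(disable_attr, "")).lower() == str(disable_value).lower():
            # Criterion 1: disable attribute carries the configured value.
            stale.append((name, f"{disable_attr}={disable_value}"))
    return stale


# Constructed sample data.
JIVE_ACCOUNTS = [
    {"username": "alice", "enabled": True},
    {"username": "Bob", "enabled": True},
    {"username": "carol", "enabled": True},
    {"username": "dave", "enabled": False},
    {"username": "admin", "enabled": True},
]
DIRECTORY_USERS = [
    {"username": "alice", "employeeStatus": "active"},
    {"username": "bob", "employeeStatus": "terminated"},
]

if __name__ == "__main__":
    for user, reason in find_stale_accounts(
            JIVE_ACCOUNTS, DIRECTORY_USERS,
            disable_attr="employeeStatus", disable_value="terminated",
            exempt={"admin"}):
        print(f"{user}: still enabled in Jive ({reason})")
```

    Accounts that exist only in Jive, such as local administrators, will be reported as missing from the directory unless they are passed in exempt.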

     

    Automatically Enabling accounts

     

    • SAML SSO can re-enable accounts
    • LDAP: Jive Custom 6 or older: Does not re-enable disabled Jive accounts
    • LDAP: Jive Custom 7 to 7.0.2: Will re-enable disabled Jive accounts on login only
    • LDAP: Jive Custom 7.0.3 and newer: Will re-enable accounts on login and nightly sync

     

    Auto-provisioning accounts

     

    • SAML SSO can only auto-provision when new users first attempt login
    • LDAP can auto-provision on a nightly basis without user interaction

     

    Syncing user profiles

     

    • SAML SSO can sync user profiles but only when users log in
    • LDAP can sync profiles on a nightly basis without user interaction

     

    Permission Group sync

     

    • Both SAML SSO and LDAP allow for group syncing at login
    • An LDAP configuration is required for synchronizing groups in bulk outside of authentication.
      • This is not enabled by default
      • This is not encouraged because it's often not necessary and can require significant resources
      • Enable by setting the cron expression and optionally the skew (the window of time in milliseconds since a time defined by the cron expression in which the sync task will start) with Jive properties and then restart:
        • spring.ldapGroupManagerImpl.syncTaskCronExpression = "0 0 0 * * ?"
        • spring.ldapGroupManagerImpl.syncTaskSkew = "300000"

     

    Manager Relationships

     

    • SAML SSO doesn't sync relationships
    • LDAP can sync manager relationships via the Manager Field

     

    Profile images

     

    • SAML SSO doesn't sync profile images
    • LDAP can sync profile photos via the Photo Field (must be jpg or png)