Differences between SAML SSO and LDAP user and group syncing

Version 5




    Jive will sync accounts managed by both SAML SSO and LDAP, although the details of how these synchronizing processes work is different between the two implementations. This document aims to define the high level differences between the two implemenations.



    Verified for versions Jive Custom 6, 7, 8




    Automatic Sync


    • SAML SSO does not have a nightly sync
    • LDAP can be scheduled to run daily. This can be configured through the system property spring.userDataSynchronizationTask.cronExpression


    Automatically Disabling accounts


    • SAML SSO cannot disable accounts
    • LDAP can disable
      • by attribute name and value
      • all users not found in the user search filter directory during sync


    Automatically Enabling accounts


    • SAML SSO can re-enable accounts
    • LDAP: Jive Custom 6 or older: Does not re-enable disabled Jive accounts
    • LDAP: Jive Custom 7 to 7.0.2: Will re-enable disabled Jive accounts on login only
    • LDAP: Jive Custom 7.0.3 and newer: Will re-enable accounts on login and nightly sync


    Auto-provisioning accounts


    • SAML SSO can only auto-provision when new users first attempt login
    • LDAP can auto-provision on a nightly basis without user interaction


    Syncing user profiles


    • SAML SSO can sync user profiles but only when users log in
    • LDAP can sync profiles on a nightly basis without user interaction


    Permission Group sync


    • Both SAML SSO and LDAP allow for group syncing at login
    • An LDAP configuration is required for synchronizing groups in bulk outside of authentication.
      • This is not enabled by default
      • This is not encouraged because it's often not necessary and can require significant resources
      • Enable by setting the cron expression and optionally the skew (the window of time in milliseconds since a time defined by the cron expression in which the sync task will start) with Jive properties and then restart:
        • spring.ldapGroupManagerImpl.syncTaskCronExpression = "0 0 0 * * ?"
        • spring.ldapGroupManagerImpl.syncTaskSkew = "300000"


    Manager Relationships


    • SAML SSO doesn't sync relationships
    • LDAP can sync manager relationships via the Manager Field


    Profile images


    • SAML SSO doesn't sync profile images
    • LDAP can sync profile photos via the Photo Field (must be jpg or png)