Jive Authentication Services FAQ

Version 2

    What is authentication?

    • Authentication is the secure matching of the entered login information with the information available in the identity system.  If the credentials match, login is granted.
    • The identity system can be Jive itself, or an external system to which Jive connects.  (Though not the other way around, Jive cannot be the identity service for other applications)
    • If users don’t have to remember yet another username and password, it lowers the barrier to entry and makes it easier for people to login and use the community.
    • Authentication Docs

    What does this mean for a Jive community?

    Jive-n - Internal sites are by default walled off and require a username and password in order to login.  This keeps internal information private and allows people to post and collaborate in confidence that company information is safe.  External users (like contractors) have a limited view into the Jive-n community and can only see the content in the groups that they are a member of.

     

    Jive-x - External sites are open to the public by default, allowing anonymous traffic from people that are not logged in. Jive-x communities will care about SEO, because you want traffic coming to their site even if it is anonymous.  If someone would like to interact with the community or post to it, they have to create an account and login.

     

    Can Jive itself be an identity system?

    The default configuration for any community Jive-n or Jive-x will be to use the Jive standard internal user authentication functionality.  Configuration is needed to switch authentication to an external system.

    It is important to note that Jive can be an identity system for itself, but cannot serve as an identity provider for other systems.

     

    What authentication types does Jive support?

    SAML

    SAML is the most popular authentication type for Jive-n, and is often paired with LDAP to add some additional needed functionality like user sync and user deactivation.  While LDAP can sync the whole user database nightly to be sure that all people who have left the company are deactivated in Jive.  This is not an option with SAML as there is no nightly sync, so information is only updated when people login.

    SAML is also different from LDAP in that it forwards the users browser from Jive to the IdP for authentication, then back again with the valid login token.  This forwarding back and forth makes sure that Jive never actually receives a users password.  With LDAP, the user and password are entered into a Jive form and Jive passes this over a secure link to the customers LDAP server within their network for verification.

    SAML Docs

     

    LDAP

    Connect to Microsoft Active Directory, OpenLDAP, OpenDS, Sun ONE (aka Oracle Directory Server).  Additional customers have connected to Apple OpenDirectory and Novell eDirectory as well but these are not on the officially tested list.  LDAP takes your username and password and passes it to the customers LDAP server for verification.  LDAP can do auth, user sync, deactivation, permission groups, profile fields, and org chart syncing.

    Many customers will require LDAP connect over a VPN, though this is not absolutely required as Jive communicates with the Global Catalog server or LDAP server securely anyway

     

    ADFS

    To oversimplify it, ADFS is Microsofts special version of SAML.  Slightly more complicated to set up, same SAML features and goodness.

     

    oAuth

    oAuth (often referred to as "social sign-on") is like SAML in the sense that the login is handled by a third party (generally a popular cloud service provider) and a secure token is passed back to Jive to log the user in. Currently we support Facebook and Google.  This allows new community users to quickly and securely sign in using their existing social accounts without having to remember another.

    Kerberos (On Prem Only)

    Kerberos is only available for On Premises customers

    Similar to SAML in that the request is forwarded to a customer server for authentication before returning with a token granting access (“Ticket server” in Kerberos).  Kerberos is complex and does not work well in Cloud and Hosted environments so it is not planned for the future. It requires customer On Prem expertise and infrastructure.  It only provides authentication and must be combined with LDAP in order to get user creation/deactivation and profile sync.

     

    Are we required to purchase services to get these setup?

    • SAML, LDAP, ADFS, oAuth are all optional services.  Purchase of services is not absolutely required if you have the internal expertise to setup the authentication connection.  If you are unable to do this, the Support team is not able to walk them through it and the services will have to be purchased.
    • Kerberos requires mandatory services.
    • Jive-n Cloud customers get SSO setup included with the purchase of their community.

     

    Who do I contact if I want to talk to someone about these services or purchasing them?

    Contact your Jive rep or submit a private support case in your customer group here on the Jive Community.

     

    What else can these systems do for us?

    Some systems just do authentication.  Securely determining if the username and password have been correctly entered.  Other systems can also:

    • Create new user accounts for employees that were hired and added to a central HR system
    • Sync profile fields like name, title, department, location, etc.  Keep everything up to date as things change over time without any manual effort.
    • Deactivate user accounts as people leave the company
    • Add/Remove people from Jive Permission Groups based on group membership in the identity system
    • Multiple services can be used together like LDAP and SAML.

    auth-table.png

     

    SSO

    Beyond just checking to see if you have entered your username and password correctly, Single Sign-On (SSO) lets you sign into one session for the day and the rest of the SSO aware applications that you use should automatically sign in using the secure token available for your session.  LDAP and SSO are sometimes incorrectly assumed to be the same thing.  LDAP by itself does not have Single Sign-On without being paired with another service like SAML, ADFS, or Kerberos.

     

     

    Org Chart

    This is only relevant for Jive-n

    The Org Chart is what allows you to see how a person fits into the overall organization, who their teammates are, and who they report to up the chain.  This is something that can be synced through LDAP, or the User Sync Add-On, but cannot through other technologies like SAML SSO.

     

    Mixed Mode Authentication

    Some customers need two different ways to authenticate users, requiring more than one source of user information. Currently Jive allows you to have a mix of 1 SAML or LDAP server and a mix of native Jive users. This would allow a site to be configured to allow customers to create accounts and login as native Jive users, while the employees and contractors were logging in via SAML and the central user directory. Or, an internal community could have partners login to Jive as native users, while your employees authenticate through SAML.

     

    Important Note: This doesn’t mean 2 different SAML providers.  That is coming on the product roadmap, but is not available yet without customization or extra configuration in the customers infrastructure through Claims Provider Trust.

     

    User Sync

    User Sync is an automatic, scheduled way to update the information about Jive users from a central system like LDAP, or a User Sync Add-On that takes a CSV file to process nightly from the customer system.  User Syncing makes sure that everything is up to date including full names, locations, offices, profile fields (phone numbers, title, address), permission group assignments, creating new users as employees are hired, and deactivating user accounts for employees who leave the company.  Having a User Sync solution in place is important as SAML is only able to do this when someone logs in, allowing some user accounts to go out of date.

     

    Cloud Identity Services

    Services like Okta and Ping offer additional features:

    Okta Windows Agent: A small Windows application that runs on a customer server that securely relays all necessary information from their internal Active Directory system to keep the Okta cloud user directory up to date (including all deactivations, permission groups, and profile fields that are configured).  This eliminates the need for the customer to allow LDAP access through their firewall, and without a VPN.

     

    Complex Scenario support with a single SAML endpoint for Jive to connect to: Okta and Ping Identity services both can support multi-Identity Provider scenarios including combining user directory information from multiple technologies into a single cloud user directory for the organization.  This allows Jive to use multiple IdP’s, something that is not available out of the box. Is your company a hodgepodge of 6 different acquisitions over the years that never fully integrated but they all want access to Jive?  Talk to Okta or Ping.

     

    Custom SSO

    Custom SSO plugins are only available to Hosted and On Prem customers.

    What would make us need a custom SSO plugin?

    • Home Grown Authentication Systems
    • Anything non-SAML or LDAP compliant
    • oAuth (pre 2016.2 Cloud)
    • Multiple IdPs in a complex setup
    • Okta and Ping are not an option