Converting from AD/LDAP synchronization to ADFS/SAML

Version 6


    This document assumes that you are currently using Jive's native LDAP (Active Directory) synchronization features (user profile and/or group synchronization) and intend to migrate some or all of this functionality to SAML (ADFS). You may currently be using SAML for authentication alongside LDAP for profile synchronization and group-based authorization, or you may be looking to move ALL functionality from LDAP to SAML at once. In either case this document should be helpful.



    This document is provided for informational purposes only. No guarantees are made regarding the accuracy of the content and the consumer accepts all responsibility for changes made to their Jive instance in association with these instructions.


    While this process has been vetted through successful implementation in customer environments, this document should NOT be considered an adequate replacement for consulting with an experienced engineering team to manage this type of change. We recommend working with Jive's Professional Services teams or one of Jive's highly qualified partner organizations to manage such complex transitional projects.




    There are several benefits to synchronizing profile attributes and group memberships through the SAML integration:

    • Group synchronization happens inline with the SAML login (memberships arrive as claims in the assertion) rather than as a scheduled LDAP batch job, so it performs better and a user's memberships are current as of their last login.
    • SAML eliminates the dependency on a dedicated VPN tunnel to integrate a Hosted Jive instance with an on-premise Active Directory server, and Jive no longer needs to store credentials for an LDAP bind account.
    • ADFS integration hides the complexity of a multi-domain AD forest from the Jive instance; ADFS resolves the user's attributes and groups across domains and presents them as a single set of claims.
    • Connecting to SAML alone instead of SAML + LDAP simplifies the administration effort required to maintain and configure the Jive instance.



    There are also a few limitations you should be aware of:

    • SAML group synchronization is not filtered on the Jive side: every group claim in the assertion is treated as a Jive group membership. If you have groups that you do NOT want synchronized to Jive (broad built-in groups such as Domain Users, for example), you must filter them out on the ADFS side, most likely with a Custom Claim Rule.
    • Profile attributes are only synchronized from the SAML IdP when a user logs in; there is no "bulk" synchronization of users, so a change in AD is not reflected in Jive until that user's next SAML login.
    • SAML integration does not synchronize org chart (manager/report) relationships to Jive.
    • A pure SAML sync cannot de-provision users. A user disabled in AD can no longer obtain an assertion from ADFS and so can no longer log in through SAML, but the Jive account itself stays enabled until a Jive admin disables it manually. If you relied on LDAP sync to disable users, plan a periodic reconciliation of AD-disabled accounts against Jive.


    Managing the transition

    Since your users authenticate with the same Active Directory credentials whether the authentication is handled over LDAP or by ADFS via SAML, the transition should be seamless to end users. However, to ensure this happens you will need to change a few things in the admin console.


    Here are the high level steps for migrating from a mixed LDAP & SAML integration to a pure SAML integration:


    1. Identify current profile field mappings between Jive and AD/LDAP.

    2. Configure ADFS Claim Rules to map LDAP attributes to Claims.

    3. Establish mapping between SAML attributes and Jive Profile Fields.

    4. Testing!


    Now to explore each stage in more detail. It should go without saying that this should be validated in a UAT environment before being tested in Prod, but we'll say it anyway!


    1. Identify current profile field mappings between Jive and AD/LDAP.

    You can determine which profile fields are currently mapped to Active Directory attributes by visiting People > Settings > Profile Settings and looking for any fields with an entry in the "Mapping" column. Click the link to view the attribute value:


                   [Screenshot: People > Settings > Profile Settings, Mapping column (Screen shot 2012-11-29 at 2.31.46 PM.png)]


    Record all the LDAP attribute values for profile fields.


    2. Configure ADFS Claim Rules to map LDAP attributes to Claims.

    Next you'll need to connect with your ADFS administrators to establish the mappings of LDAP attributes to SAML Attributes. More information on this process can be found here:

    The Claim Rules dialog will look something like this:

    [Screenshot: ADFS Claim Rules dialog (Screen shot 2012-11-29 at 2.36.34 PM.png)]

    You'll want to create a mapping for each of the LDAP attributes you identified in step 1 above.

    To establish the group sync, you may need to set up the Custom Claim Rules as described here: AD FS 2.0: Domain Local Groups in a claim - TechNet Articles - United States (English) - TechNet Wiki.
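
    As an added example (not from the original document or from Jive), here is how the claim rules for this step could be applied from the ADFS PowerShell module instead of the dialog, including the ADFS-side group filter that the limitations section calls for. The relying party trust name "Jive", the LDAP attributes mail/givenName/sn and the "Jive-" group-name prefix are assumptions; the claim URIs are ADFS's default claim types. The profile rule is the same "Send LDAP Attributes as Claims" template the dialog generates. The two group rules stage the user's token-groups in the claims pipeline with add() and then issue() only the ones matching the prefix, so broad groups never reach the assertion and therefore never reach Jive.

```powershell
# Added example: apply Jive claim rules to an ADFS relying party trust via PowerShell.
# Assumptions: RP trust display name "Jive"; LDAP attributes mail, givenName, sn (replace
# with the attributes recorded in step 1); Jive-bound AD groups are named "Jive-<something>".
Import-Module ADFS          # ADFS 2.0: use Add-PSSnapin Microsoft.Adfs.PowerShell instead

$rpName = 'Jive'

# Rule 1: profile attributes, issued under ADFS's default claim URIs. Jive maps these by URI.
$profileRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Jive profile attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Rule 2: look up the user's group memberships, but only add() them to the claims
# pipeline. Nothing is issued to Jive by this rule.
$stageGroupsRule = @'
@RuleName = "Stage AD group memberships (not issued)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);
'@

# Rule 3: the ADFS-side filter. Only staged group claims whose value starts with "Jive-"
# are issued; Domain Users and everything else are dropped here.
$filterGroupsRule = @'
@RuleName = "Issue only Jive- groups"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^Jive-"]
 => issue(claim = c);
'@

# -IssuanceTransformRules replaces the whole rule set, so append to the existing rules
# (which already carry the NameID rule your current SAML login depends on).
$existing = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
$rules = @($existing, $profileRule, $stageGroupsRule, $filterGroupsRule) -join "`r`n"
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Review the result before testing a login.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

    The tokenGroups query returns unqualified group names as resolved by the domain controller ADFS talks to, which is why domain local groups from other domains in the forest may be missing; that is the case the TechNet article linked above addresses with its own custom rules. Whatever rules you end up with, keep the filter rule in place: it is the only thing standing between "every group the user is in" and the Jive group list.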


    3. Establish mapping between SAML attributes and Jive Profile Fields.

    After setting up the claims in step 2, you should be able to see them listed in the IdP metadata that ADFS publishes and that is made available to the Jive instance. To view the metadata, go to People > Settings > Single Sign On > SAML. The new attributes should appear similar to the default attributes:


          <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="E-Mail Address" Name="" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
          <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Given Name" Name="" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
          <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Name" Name="" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>


    Copy the value of the "Name" attribute and paste it into the field that corresponds to its equivalent Jive Profile field. Note that ADFS attributes are always mapped against the claim URI carried in "Name", not the "FriendlyName":

              [Screenshot: SAML profile attribute mapping in the Jive admin console (Screen shot 2012-11-29 at 1.30.42 PM.png)]


    For groups you'll do basically the same thing, but note that the mapping field is only available after clicking the Group Mapping Enabled checkbox:


                   [Screenshot: Group Mapping Enabled checkbox and group mapping field (Screen shot 2012-11-29 at 2.51.08 PM.png)]


    4. Testing!

    After committing these changes you should be ready to test. In order to test, you'll have to remove the current LDAP sync settings so that SAML is the only source of profile data. To disable LDAP profile sync:


    1. Go to People > Settings > User Data Synchronization Settings.

    2. Uncheck the "Scheduled sync task enabled" and "Synchronize user profiles on logon?" boxes and save the settings.


    Now test the profile synchronization by changing a profile attribute in AD for a federated user, performing a SAML authentication to Jive with that user, and verifying that the corresponding profile field is updated in Jive.


    For group synchronization, you'll need to disable LDAP group sync. To do this, record the current value of the system property GroupManager.className (so you can restore it if you need to roll back), delete the property from System > Management > System Properties, and restart the Jive instance. Now verify that group membership is updated from the ADFS group claims when users authenticate to Jive, and also that no unwanted groups have appeared: anything that passes the ADFS-side filter will be synchronized, because Jive applies no filter of its own.


    For testing and troubleshooting purposes I highly recommend enabling SAML debug logging during this process so we can catch any errors that may occur. Keep in mind that debug logging writes the decoded assertions, including users' profile attributes and group memberships, into the Jive logs, so restrict access to those logs while testing and turn debug logging back off when you are done.
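
    The following is an added example, not part of the original document or Jive's own tooling, written for the admin doing step 3 and the testing in step 4. It reads the ADFS metadata to list the Name URI beside the FriendlyName for each attribute, then checks a decoded assertion (such as one copied out of the SAML debug log) for the attributes Jive is mapped to and for group claims that the ADFS-side filter should have dropped. Both XML documents are constructed samples; the claim URIs are ADFS's default claim types and the "Jive-" prefix is an assumption. The assertion is only inspected, not signature-checked: Jive validates the signature when it consumes the real response.

```powershell
# Added example: inspect ADFS metadata and a decoded SAML assertion while mapping in Jive.
# The XML below is constructed sample data; claim URIs are ADFS defaults, "Jive-" is assumed.

function Get-SamlNamespaceManager([xml]$Doc) {
    $ns = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
    $ns.AddNamespace('md',   'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    return $ns
}

# Name is the URI Jive maps against; FriendlyName is only a label and is not used by Jive.
function Get-SamlMetadataAttributes([xml]$Metadata) {
    $ns = Get-SamlNamespaceManager $Metadata
    foreach ($a in $Metadata.SelectNodes('//md:IDPSSODescriptor//saml:Attribute', $ns)) {
        [pscustomobject]@{
            Name         = $a.GetAttribute('Name')
            FriendlyName = $a.GetAttribute('FriendlyName')
        }
    }
}

# Hashtable of attribute URI -> array of values from the assertion's AttributeStatement.
function Get-SamlAssertionAttributes([xml]$Assertion) {
    $ns = Get-SamlNamespaceManager $Assertion
    $attrs = @{}
    foreach ($a in $Assertion.SelectNodes('//saml:AttributeStatement/saml:Attribute', $ns)) {
        $values = @($a.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText })
        $attrs[$a.GetAttribute('Name')] = $values
    }
    return $attrs
}

# Reports attribute URIs that Jive is mapped to but the assertion lacks, and group values
# that do not match the ADFS-side filter. Jive applies no filter of its own, so every value
# listed in UnfilteredGroups would become a group membership in Jive.
function Test-JiveSamlAssertion([xml]$Assertion, [string[]]$RequiredUris,
                                [string]$GroupUri, [string]$GroupPattern) {
    $attrs   = Get-SamlAssertionAttributes $Assertion
    $missing = @($RequiredUris | Where-Object { -not $attrs.ContainsKey($_) })
    $groups  = if ($attrs.ContainsKey($GroupUri)) { @($attrs[$GroupUri]) } else { @() }
    $leaked  = @($groups | Where-Object { $_ -notmatch $GroupPattern })
    [pscustomobject]@{
        MissingAttributes = $missing
        Groups            = $groups
        UnfilteredGroups  = $leaked
        Ok                = ($missing.Count -eq 0 -and $leaked.Count -eq 0)
    }
}

# --- constructed samples (not real metadata or a real login) ---
$metadata = [xml]@'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="E-Mail Address" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Given Name" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Group" Name="http://schemas.xmlsoap.org/claims/Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
  </IDPSSODescriptor>
</EntityDescriptor>
'@

# A decoded assertion as it would appear in the SAML debug log. "Domain Users" is included
# on purpose: it stands for a group the ADFS-side filter should have dropped.
$assertion = [xml]@'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0" IssueInstant="2012-11-29T14:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Jive-Engineering</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
'@

# Step 3: which URI to paste into each Jive profile-field mapping.
Get-SamlMetadataAttributes $metadata | Format-Table -AutoSize

# Step 4: the URIs mapped in Jive, and the group filter ADFS is supposed to enforce.
# surname is listed but absent from the sample assertion, so it shows up as missing.
$mappedUris = @(
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'
)
Test-JiveSamlAssertion $assertion $mappedUris 'http://schemas.xmlsoap.org/claims/Group' '^Jive-' |
    Format-List
```

    Run Test-JiveSamlAssertion against a few real assertions from the debug log (one user per AD domain, and at least one user who is in a group you expect to be filtered) before re-enabling production logins. A non-empty UnfilteredGroups list means the ADFS filter rule is missing or its pattern is wrong, and a non-empty MissingAttributes list means a Jive mapping points at a URI ADFS is not issuing, typically a FriendlyName pasted where the Name URI belongs.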