3 Replies Latest reply on Jul 6, 2011 11:55 AM by vinjones

    Credentials Out to the Cloud & SAML


      So from everything I have read and have been told, do I understand correctly that my credentials to my Jive instance will go from my phone, to the Jive cloud, to my Jive server? If so, government entities (such as ours) will have a really hard time using this.


      And does it work with SAML?



        • Re: Credentials Out to the Cloud & SAML

          Hi Kevin,

          Your understanding is correct. The Mobile client authentication to Jive Mobile is virtually identical to how a desktop web browser would authenticate to Jive. The authentication flow is like this:

          1. User enters username and password in mobile login page
          2. Mobile Client sends the credentials to the Mobile Gateway, which forwards the credentials to the Core API authentication service
          3. In the response to the authentication request, the Core API will issue either just a session cookie (if the Remember Me checkbox was not checked), or both a session cookie and a Spring Security-based "remember me" cookie if the Remember Me box was checked. This is the same thing that would happen on the normal web UI for a Jive instance at login time. The Mobile Gateway forwards these directly back to the mobile client. Since the mobile client receives the cookies in the response from the Jive Mobile domain, the mobile client will always send these cookies to the Mobile Gateway when making further requests.
            • Spring Security remember me cookies are a hashed combination of the username, password, and an expiration time.
            • The Remember Me option by default produces a cookie that is valid for 14 days. This value can currently not be modified via a Jive System Property. Instead, any change will require changing the value of the tokenValiditySeconds bean property of the rememberMeServices bean in the spring security configuration (XML). Again, this change will apply to both mobile and desktop Jive.
            • During any subsequent requests proxied from the client through the Mobile Gateway, the gateway will forward the cookies from the client to the Jive instance.
              • If the session cookie is accepted by the Jive instance as valid, then the Jive instance will also accept the accompanying request. Again, this is the same as how Jive desktop authenticates requests from a web browser, i.e., based on session cookie if available.
              • If the session cookie is invalid/expired or does not exist, and the user has a "remember me" cookie, then the Jive instance will attempt to re-authenticate the user based on the "remember me" cookie, which lives longer than a single session. If the re-authentication succeeds, a new, valid session cookie is issued and we proceed as before.
              • If there is neither a valid session cookie nor a valid remember me cookie in the request, the request will be rejected by the Jive Core API, which will result in a login prompt in the mobile client. Return to step 1.


            As outlined above, there are no special privileges involved in the process, and no "superuser" or privileged connections are made or required at any time. Users of Jive Mobile get the same access to Jive data on mobile that they do on the full Jive website, although of course not all Jive data/features are available in mobile.


            Regarding SAML, we are currently evaluating the ability for Jive Mobile to support SAML2 for Jive 5 instances. SAML2 is an out-of-the-box option in Jive 5, so our intention is to extend that support to mobile. If you have specific information on your SSO implementation, please do provide that to me so we can factor it into our product development.


            - Brian
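The "remember me" cookie from step 3 above, as an added example that is not code from this thread or from Jive: a Python model of the documented Spring Security TokenBasedRememberMeServices cookie format, base64 of `user:expiry:MD5(user:expiry:password:key)`, with a constructed server key, user store and timestamps. It shows what the cookie that transits the Mobile Gateway actually carries (the username readable, the password only inside a hash bound to the expiry and the server key), and that the 14-day window is embedded in the token itself and checked on every re-authentication.

```python
import base64
import hashlib
import hmac

# Added example, not Jive's or Spring's code. Models the classic Spring Security
# TokenBasedRememberMeServices cookie so the binding described in the reply
# (username + password + expiration) is visible. KEY is a constructed stand-in
# for the rememberMeServices key; the window mirrors the 14-day default above.
TOKEN_VALIDITY_SECONDS = 14 * 24 * 3600
KEY = "constructed-server-key"


def make_token(username, password, now, validity=TOKEN_VALIDITY_SECONDS, key=KEY):
    """Issue a cookie: base64(user:expiry_ms:md5(user:expiry_ms:password:key))."""
    expiry_ms = (now + validity) * 1000
    sig = hashlib.md5(f"{username}:{expiry_ms}:{password}:{key}".encode()).hexdigest()
    return base64.b64encode(f"{username}:{expiry_ms}:{sig}".encode()).decode()


def token_fields(cookie):
    """Decode the cookie; the username and expiry are readable without any key."""
    try:
        username, expiry_s, sig = base64.b64decode(cookie).decode().split(":")
        return username, int(expiry_s), sig
    except (ValueError, UnicodeDecodeError):
        return None


def check_token(cookie, lookup_password, now, key=KEY):
    """Re-authenticate from the cookie as the server would: reject malformed or
    expired tokens, and tokens whose hash no longer matches the stored password
    and server key. Returns the username on success, otherwise None."""
    fields = token_fields(cookie)
    if fields is None:
        return None
    username, expiry_ms, sig = fields
    if expiry_ms < now * 1000:          # the 14-day window is carried in the token
        return None
    password = lookup_password(username)
    if password is None:                # unknown or disabled account
        return None
    expected = hashlib.md5(f"{username}:{expiry_ms}:{password}:{key}".encode()).hexdigest()
    return username if hmac.compare_digest(expected, sig) else None
```

A password change or a different server key invalidates the cookie because the hash no longer matches, which is why re-authentication in step 3 falls back to the login prompt.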

            • Re: Credentials Out to the Cloud & SAML

              Hi Kevin,

              I am evaluating alternative approaches for mobile user authentication which will work regardless of the methodology utilized in the Jive instance itself. Are you available next week to discuss it over the phone? Perhaps on Wednesday at 9, 11, or 1:00 Pacific?


              Thank you,