11 Replies | Latest reply: Nov 2, 2012 3:36 AM by mrowbory

    SSO - SAML and Jive users

    mrowbory

      I raised a case for this, but maybe the wider community can help.

       

      I've set up a SAML SSO with ADFS and Jive, but we have a number of manually created users that only exist in Jive and not in our AD.

       

      The site now redirects to ADFS to manage the login, but obviously it doesn't recognise these users.

       

      How do I configure the system to allow my Jive-only users to still log in? Is there some sort of passback/through from ADFS if the login is not recognised? Or the other way around, can Jive present the login page and pass on to ADFS if the user is not recognised?

       

      Thanks,

       

      Martin

        • Re: SSO - SAML and Jive users
          Kieran Kelly

          Hi Martin, I've not done this myself but I heard in a recent webcast that you have to either create the Jive-only users in AD with identical IDs or perform a SQL change to Jive DB so that the Jive-only IDs are made to match those in AD.

          • Re: SSO - SAML and Jive users
            John Larson

            Martin, a client we are working with has the same base issue - they want unfederated users to be able to log in locally, while federated users authenticate through SAML SSO. We've been exploring a number of options, including some interesting manipulation of the security filter chain.

             

            Can you tell me if you are predominantly using IDP initiated SAML, SP initiated, or both?

              • Re: SSO - SAML and Jive users
                mrowbory

                Hi John,

                 

                We’re having to implement an IDP as part of the project, so I’m not an expert.

                 

                I had thought that we would be directing users to our Jive site, so I guess that means it would be SP initiated.

                 

                I have been looking into customising the ADFS login page. I've found (with a simple HTML test) you can still log non-federated users into Jive by posting to the cs_login page.

                 

                If we could modify the IDP login page to have an option for federated or non, then the form could post accordingly.

                 

                I'll have a play around.

                 

                Ideally we’d also like them to be logged in seamlessly if they are logged into Windows, but it seems that might be a whole other kettle of fish.

                 

                Martin

                  • Re: SSO - SAML and Jive users
                    John Larson

                    Martin, do you allow anonymous access to your Jive instance? If so, logging in from Jive (either by clicking the login link, or by attempting to access a protected space or content item) is considered SP initiated SAML SSO.

                    IDP initiated is when you go through ADFS before ever reaching Jive.

                      • Re: SSO - SAML and Jive users
                        mrowbory

                        No, there is no guest access. Currently people will come to the site via a Jive link, which, as they are not logged in, will forward them to the IDP, so I guess that means it's SP initiated.

                          • Re: SSO - SAML and Jive users
                            John Larson

                            The best solution we've found to this situation is to provide an alternate login action, that is outside the SSO authentication filter chain. Non-federated users could then be provided this alternate login URL, or your login form at ADFS could provide the option for a non-ADFS user to go to that login screen.

                             

                            The alternate login action is essentially the same technique used for the admin console login, which replaces the main application authentication filter chain with one of its own.

                              • Re: SSO - SAML and Jive users
                                stewart.wachs

                                Just to back up what John is saying, support for side-by-side SSO and non-SSO authentication isn't supported natively by Jive. That said, John - not sure how well your solution would handle deep links for URLs that users access from email notifications and/or browser bookmarks. Are you taking that flow into consideration? If so, how would you handle it? Another approach would be to create an interstitial login page that gives users the option to authenticate via SSO (ADFS) or locally. Usually authentication method corresponds to user role (e.g. employee vs customer/partner), so you can craft your interstitial page w/ the appropriate calls to action.
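As an added illustration of the pattern John describes (a second, local login action that sits outside the SSO filter chain) and of the deep-link behaviour Stewart asks about, here is a Spring Security 6 configuration with two filter chains. This is not Jive's code or anything posted in the thread; Jive's internal filter classes are not public, so plain Spring Security stands in for them, and the ADFS relying-party registration (assumed to be configured elsewhere), the /local/** paths and the jive-only-user account are all assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class DualLoginSecurityConfig {
    // Chain 1 (evaluated first): the alternate login action. Only /local/** is
    // routed here, so these requests never touch the SAML chain below.
    @Bean @Order(1)
    SecurityFilterChain localLoginChain(HttpSecurity http, UserDetailsService jiveOnlyUsers) throws Exception {
        http
            .securityMatcher("/local/**")
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/local/login").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form
                .loginPage("/local/login")
                .loginProcessingUrl("/local/login")
                .defaultSuccessUrl("/", false))   // session now carries the local auth
            .userDetailsService(jiveOnlyUsers);   // Jive-only accounts, not AD
        return http.build();
    }

    // Chain 2: everything else. An unauthenticated request (a deep link from an
    // e-mail or bookmark) is sent to the IdP, which is the flow Stewart flags: a
    // Jive-only user following such a link still lands at ADFS unless they have
    // already signed in via /local/login in this browser session.
    @Bean @Order(2)
    SecurityFilterChain samlChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .saml2Login(Customizer.withDefaults());
        return http.build();
    }

    // Stand-in for the Jive user table: one constructed local account (assumption).
    @Bean
    UserDetailsService jiveOnlyUsers() {
        PasswordEncoder enc = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        return new InMemoryUserDetailsManager(
            User.withUsername("jive-only-user").password(enc.encode("change-me")).roles("USER").build());
    }
}
```

Both chains read the same session-backed security context, so a user who signs in through the local chain is already authenticated when the SAML chain later sees them; a first request that is a deep link, however, still goes to ADFS, which is exactly why an interstitial page or a separate URL handed only to local users is needed.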