11 Replies Latest reply on Mar 8, 2013 9:10 AM by ignacio

    Single Sign-On to Jive



      I want to do single sign-on to Jive server (say abc.jivesbs.com, hosted by Jive itself) directly through my application, hosted at my end, so that users of my application (having account in Jive as well) can directly login to the jive server and land to the required page without the need of re-login on Jive.


      Can somebody, please chime in to suggest me the simple steps and what all I would require to achieve this?


      I would appreciate any suggestion, information or help on this.



        • Re: Single Sign-On to Jive

          What do you want to implement? Do you have a local Saml server?

            • Re: Single Sign-On to Jive

              Case is that I have a simple web application where my users are already authenticated. Now, I want my users to get benefits of JIVE, for which I want them to login directly on my JIVE community through SAML SSO.

              I went through the admin console that allows to configure SAML. It requires some metadata to be provided. Can you please put some light on this first?

            • Re: Single Sign-On to Jive

              Manish - Does your SSO identity provider already exist or are you looking to add the capability to your external application (not Jive)? If not then the simplest implementation looks like:


              1. Your external application drops an "identity" cookie upon user login
              2. The cookie needs to be set at a domain that your Jive server can read
              3. You'd then need to write a Jive plugin that looks for the identity cookie and automatically authenticates the user if it's present


              That's it at the high-level. Let me know if you'd like to discuss w/ a Jive Professional Services Engineer.

                • Re: Single Sign-On to Jive

                  Thank you Stewart for the response.


                  JIVE is hosted somewhere to their own servers/ domain. What I am trying to do is to configure SAML SSO, using the admin console. I have downloaded the SP metadata XML from the admin console and have posted one IDP metadata XML in the given area on the console.


                  Now I am trying to create an IDP using openSAML APIs so that I can hit the JIVE SSO page to get my users logged in. I would really appreciate if I can get some example code and IDP metadata XML for the same.


                  Thank you.

                    • Re: Single Sign-On to Jive

                      Manish - Just so I'm clear, you're attempting to implement your own identity provider?

                          • Re: Single Sign-On to Jive

                            OK, thanks for confirming. I'd recommend against rolling your own and instead advocate that you install one of the common open-source providers like OpenAM or Shibboleth. If your budget will allow it you could also go the commercial route w/ a product such as Ping or Siteminder.

                              • Re: Re: Single Sign-On to Jive

                                Thank you Stewart for the suggestion. I am looking into Shibboleth if it can work for me.


                                I also tried to hit the JIVE SSO page through my application and facing below exception. Please suggest if you have some insight about this exception.


                                org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key

                                - Failed to verify signature using either KeyInfo-derived or directly trusted credentials

                                - Validation of received assertion failed, assertion will be skipped


                                Attached is the complete log.



                                  • Re: Re: Single Sign-On to Jive

                                    Manish - Did you run your test w/ Jive integrated w/ Shib? Can you send the HTTP GET or POST that resulted in the error?

                                      • Re: Re: Re: Single Sign-On to Jive

                                        Hello Stewart,


                                        The above issue is resolved. It was because of the unexpected "InResponseTo" attribute in the samlp:Response.


                                        I did the test run without integrating with Shibboleth. Instead, I generated an assertion response using openSAML and sent through  simple HTTP POST binding (Lightweight Web Browser SSO).


                                        My current issue is validating the signature against the credential's key. Attaching the complete log for error that includes response xml as well.


                                        When I investigated the keystore, downloaded from the advanced tab of Single Sign-on seetting page on admin console, the keystore seems to have some issue or I could not find the keystore name-


                                        $ keytool -list -v -keystore keystore

                                        keytool error: java.io.IOException: Invalid keystore format

                                        java.io.IOException: Invalid keystore format

                                                at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:633)

                                                at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)

                                                at java.security.KeyStore.load(KeyStore.java:1185)

                                                at sun.security.tools.KeyTool.doCommands(KeyTool.java:620)

                                                at sun.security.tools.KeyTool.run(KeyTool.java:172)

                                                at sun.security.tools.KeyTool.main(KeyTool.java:166)


                                        $ keytool -list -v -file keystore
                                        Enter keystore password:

                                        Keystore type: JKS
                                        Keystore provider: SUN

                                        Your keystore contains 1 entry

                                        Alias name: mtsappletkey
                                        Creation date: Jan 23, 2013
                                        Entry type: PrivateKeyEntry
                                        Certificate chain length: 1
                                        Owner: <Owner Info>

                                        Issuer: <Issuer Info>

                                        Serial number: 50ffbdc1
                                        Valid from: Wed Jan 23 16:08:57 IST 2013 until: Tue Apr 23 16:08:57 IST 2013
                                        Certificate fingerprints:
                                                 MD5:  <MD5 fingerprints>

                                                 SHA1: <SHA1 fingerprint>

                                                 Signature algorithm name: SHA1withRSA
                                                 Version: 3


                                        • Re: Single Sign-On to Jive

                                          Dear Stewart,


                                          thanks a lot for your insights into SSO with Jive. I'm having a similar issue as Manish: I have a Salesforce application that people are using predominantly and I would like to offer them an immediate redirect to the JiveOn cloud instance we have - without having to force the users to re-enter their credentials.


                                          Is this possible using the same steps as discussed above?


                                          Thanks so much and best regards,