What do you want to implement? Do you have a local Saml server?
Case is that I have a simple web application where my users are already authenticated. Now, I want my users to get benefits of JIVE, for which I want them to login directly on my JIVE community through SAML SSO.
I went through the admin console that allows to configure SAML. It requires some metadata to be provided. Can you please put some light on this first?
Manish - Does your SSO identity provider already exist or are you looking to add the capability to your external application (not Jive)? If not then the simplest implementation looks like:
- Your external application drops an "identity" cookie upon user login
- The cookie needs to be set at a domain that your Jive server can read
- You'd then need to write a Jive plugin that looks for the identity cookie and automatically authenticates the user if it's present
That's it at the high-level. Let me know if you'd like to discuss w/ a Jive Professional Services Engineer.
Thank you Stewart for the response.
JIVE is hosted somewhere to their own servers/ domain. What I am trying to do is to configure SAML SSO, using the admin console. I have downloaded the SP metadata XML from the admin console and have posted one IDP metadata XML in the given area on the console.
Now I am trying to create an IDP using openSAML APIs so that I can hit the JIVE SSO page to get my users logged in. I would really appreciate it if I could get some example code and IDP metadata XML for the same.
Manish - Just so I'm clear, you're attempting to implement your own identity provider?
Thank you Stewart for the suggestion. I am looking into Shibboleth if it can work for me.
I also tried to hit the JIVE SSO page through my application and am facing the exception below. Please suggest if you have some insight about this exception.
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
- Failed to verify signature using either KeyInfo-derived or directly trusted credentials
- Validation of received assertion failed, assertion will be skipped
Attached is the complete log.
Manish - Did you run your test w/ Jive integrated w/ Shib? Can you send the HTTP GET or POST that resulted in the error?
The above issue is resolved. It was because of the unexpected "InResponseTo" attribute in the samlp:Response.
I did the test run without integrating with Shibboleth. Instead, I generated an assertion response using openSAML and sent it through a simple HTTP POST binding (Lightweight Web Browser SSO).
My current issue is validating the signature against the credential's key. Attaching the complete log for the error, which includes the response XML as well.
When I investigated the keystore, downloaded from the advanced tab of the Single Sign-on setting page on the admin console, the keystore seems to have some issue, or I could not find the keystore name:
$ keytool -list -v -keystore keystore
keytool error: java.io.IOException: Invalid keystore format
java.io.IOException: Invalid keystore format
$ keytool -list -v -file keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: mtsappletkey
Creation date: Jan 23, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: <Owner Info>
Issuer: <Issuer Info>
Serial number: 50ffbdc1
Valid from: Wed Jan 23 16:08:57 IST 2013 until: Tue Apr 23 16:08:57 IST 2013
MD5: <MD5 fingerprints>
SHA1: <SHA1 fingerprint>
Signature algorithm name: SHA1withRSA
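The two failures discussed in this thread (an unexpected InResponseTo in the samlp:Response, and a signature that does not validate against the credential from the IdP metadata) are both things an SP checks before or during signature verification. The following is an added example, not code from the thread or from Jive: it compares the SHA-1 fingerprint of the certificate carried in the Response's KeyInfo with the signing certificates the SP trusts from the IdP metadata (the same SHA1 value keytool prints), and flags an InResponseTo that does not match an AuthnRequest the SP issued. The metadata, response and certificate bytes are constructed stand-ins, and the names NS, make_response and check_response are assumptions; it does no cryptographic verification itself.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for base64 DER certificates (not real certificates).
IDP_CERT = base64.b64encode(b"constructed-idp-signing-cert").decode()
OTHER_CERT = base64.b64encode(b"constructed-unrelated-cert").decode()

# Constructed IdP metadata: the SP trusts only the signing certificate listed here.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="urn:example:idp">
 <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo>
  <ds:X509Data><ds:X509Certificate>{IDP_CERT}</ds:X509Certificate></ds:X509Data>
 </ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>"""

def make_response(cert, in_response_to=None):
    """Constructed samlp:Response carrying the given certificate in its Signature KeyInfo."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:ds="{NS["ds"]}" ID="_r1"{attr}><ds:Signature><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            f'</ds:Signature></samlp:Response>')

def fingerprint(b64_cert):
    """SHA-1 fingerprint of the DER bytes, the value keytool -list -v prints as SHA1."""
    return hashlib.sha1(base64.b64decode("".join(b64_cert.split()))).hexdigest().upper()

def trusted_signing_fingerprints(metadata_xml):
    root = ET.fromstring(metadata_xml)
    return {fingerprint(c.text)
            for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS)
            if kd.get("use", "signing") == "signing"
            for c in kd.iterfind(".//ds:X509Certificate", NS)}

def check_response(response_xml, metadata_xml, outstanding_request_ids=()):
    """Pre-checks an SP performs before cryptographic verification; returns problems found."""
    problems = []
    root = ET.fromstring(response_xml)
    in_resp = root.get("InResponseTo")
    # Unsolicited (IdP-initiated) responses carry no InResponseTo; solicited ones must match an issued AuthnRequest.
    if in_resp is not None and in_resp not in outstanding_request_ids:
        problems.append(f"unexpected InResponseTo={in_resp}")
    presented = {fingerprint(c.text) for c in root.iterfind(".//ds:X509Certificate", NS)}
    if not presented:
        problems.append("no X509Certificate in Response KeyInfo")
    elif not presented & trusted_signing_fingerprints(metadata_xml):
        problems.append("signing certificate not in IdP metadata")
    return problems
```

When the fingerprint reported for the Response's certificate differs from the SHA1 line keytool prints for the IdP's key, the assertion was signed with a key the SP never trusted, which is exactly the "did not validate against the credential's key" situation.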
Thanks a lot for your insights into SSO with Jive. I'm having a similar issue as Manish: I have a Salesforce application that people are using predominantly, and I would like to offer them an immediate redirect to the JiveOn cloud instance we have, without having to force the users to re-enter their credentials.
Is this possible using the same steps as discussed above?
Thanks so much and best regards,