Hi All,
Last year I had to set up federation between Jive and AD FS. It is not really difficult, but there are a few things you need to know.
Let's assume that you already have an AD FS server deployed.
Since the Jive 5.0.1 update, end-to-end HTTPS must be enforced. The Jive documentation (Jive 5.0) covers this in detail, but here are the main steps:
- Get the public key (X.509 certificate) of your public domain certificate and save it as jive.crt
- Export the certificate together with its private key as a PKCS#12 file and save it as jive.pfx
- Extract the private key from the .pfx file (keep the resulting key file readable only by the account that runs Jive)
- Import the Jive certificate into the SSL keystore
- Enable SSL in /etc/jive/conf/jive-httpd
- Configure the connection scheme in /usr/local/jive/applications/sbs/conf/server.xml
- Restart the Jive services
- Configure SSL in /usr/local/jive/etc/httpd/sites/default.conf and restart the httpd service
After that, you can reach your Jive community portal over HTTPS.
Next step: configure Jive to allow SAML authentication.
Open the People > Advanced configuration page and provide the federation metadata URL of your AD FS server (for AD FS this is https://<your AD FS host>/FederationMetadata/2007-06/FederationMetadata.xml).
If you want Jive to provision user profile information automatically, you can also add the claim types to map to profile fields on the same page; they should match the claims issued by the AD FS rules described next.
Next step: the configuration on the AD FS server side.
- Add a new Relying Party Trust and provide the Jive federation metadata URL. It should look like https://yourdomain/saml/metadata
- Create claim rules to pass claims to Jive. The important claim to pass is the Name ID. Here is the custom rule I wrote to send domain-user to Jive as the NameIdentifier:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
         Issuer = c.Issuer,
         OriginalIssuer = c.OriginalIssuer,
         Value = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${domain}-${user}"),
         ValueType = c.ValueType,
         Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "http://schemas.xmlsoap.org/claims/CommonName");
- Here is the custom rule I wrote to send all the other expected claims; it is just a query against Active Directory. The types list and the attribute list inside the query string are matched by position, so keep them in the same order and with the same number of entries.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory",
         types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/title",
                  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress",
                  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone",
                  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone",
                  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone",
                  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country",
                  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department"),
         query = ";mail,sn,givenName,userPrincipalName,title,streetaddress,homephone,mobile,telephonenumber,co,department;{0}",
         param = c.Value);
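The transformation the NameID rule performs, replayed in Python as an added example (this is not AD FS code; regexreplace() in the rule runs on .NET, so the pattern is translated to Python's (?P<name>...) and \g<name> syntax but is otherwise the rule's own). The sample account names are constructed. It also shows a caveat of this mapping worth checking in your own forest: '-' is valid in both NetBIOS domain names and sAMAccountNames, so two distinct accounts can be issued the same NameID and would be treated as the same Jive user.

```python
import re

# The AD FS rule uses .NET syntax: (?<name>...) groups and ${name} replacements.
# Python's re needs (?P<name>...) and \g<name>; the pattern itself is unchanged.
NAMEID_PATTERN = re.compile(r"(?P<domain>[^\\]+)\\(?P<user>.+)")
NAMEID_REPLACEMENT = r"\g<domain>-\g<user>"


def windows_account_to_nameid(account):
    """Reproduce the regexreplace() of the NameID rule: 'DOMAIN\\user' -> 'DOMAIN-user'.

    Like .NET Regex.Replace, re.sub returns the input unchanged when the pattern
    does not match, which is what AD FS issues for a value without a backslash.
    """
    return NAMEID_PATTERN.sub(NAMEID_REPLACEMENT, account)


def nameid_collisions(accounts):
    """Return {nameid: [accounts]} for every NameID produced by more than one
    account. The '-' separator is legal inside both halves, so the mapping is
    not reversible and collisions are possible."""
    by_nameid = {}
    for account in accounts:
        by_nameid.setdefault(windows_account_to_nameid(account), []).append(account)
    return {nameid: accs for nameid, accs in by_nameid.items() if len(accs) > 1}


if __name__ == "__main__":
    # Constructed sample accounts; the first reproduces the NameID seen in the
    # debug output further down.
    sample = [r"EMEA-TMP\malikah.kelly", r"EMEA\TMP-malikah.kelly", r"CORP\jdoe", "jdoe"]
    for account in sample:
        print(f"{account:26} -> {windows_account_to_nameid(account)}")
    print("collisions:", nameid_collisions(sample))
```

If such pairs can exist in your forest, send an identifier that cannot collide (the UPN claim issued by the second rule, for instance) as the NameID instead.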
And that’s it.
Troubleshooting
You can enable detailed logging during authentication in Jive, in the Advanced tab of the SAML authentication settings. If there is a problem during SAML authentication, you will see an error message like the following.
An error occured while attempting authentication through single sign on
The error could be related to a misconfiguration from the Jive end or from the user authority. Debug information is available below:
- Checking child metadata provider for entity descriptor with entity ID: https://community.yourdomain.net
[…]
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>NAJSc1UvIaVG3nm1LJSLmCEEJbw=</ds:DigestValue>
</ds:Reference>
[…]
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="http://schemas.xmlsoap.org/claims/CommonName">EMEA-TMP-malikah.kelly</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="a485g08eaicifhd325c7c2bdf64j43g" NotOnOrAfter="2011-12-13T14:05:42.672Z" Recipient="https://community.yourdomain.net/saml/sso"/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2011-12-13T13:58:42.667Z" NotOnOrAfter="2011-12-13T14:58:42.667Z">
<AudienceRestriction>
<Audience>https://community.yourdomain.net</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" a:OriginalIssuer="http://emea.yourdomain.net/adfs/services/trust">
[…]
- Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
- Signature validated with key from supplied credential
- Signature validation using candidate credential was successful
- Successfully verified signature using KeyInfo-derived credential
- Attempting to establish trust of KeyInfo-derived credential
- Successfully validated untrusted credential against trusted key
- Successfully established trust of KeyInfo-derived credential
- Authentication statement is too old to be used
- There was an error during SAML authentication
org.springframework.security.authentication.CredentialsExpiredException: Users authentication data is too old
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAuthenticationStatement(WebSSOProfileConsumerImpl.java:402)
at […]
at java.lang.Thread.run(Thread.java:662)
Common issues I have dealt with:
- Users authentication data is too old: check that the clocks of the Jive server and the AD FS server are synchronised (NTP on both). If the error keeps coming back, try increasing the NotBeforeSkew of the relying party trust on AD FS, which backdates the NotBefore condition of the assertion. Note that the check failing in the trace above (verifyAuthenticationStatement) compares the AuthnInstant of the authentication statement with a maximum authentication age on the Jive side, so a user whose Windows logon at AD FS is older than that age (an existing AD FS SSO session) hits the same error whatever the skew.
- Some expected claim values are empty: AD FS issues no claim for an attribute that is empty in Active Directory, so check that all required attributes are populated for the affected users.
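The validity checks behind the trace above, replayed in Python as an added example (this is not Jive's or Spring Security SAML's code). The assertion is constructed from the Subject and Conditions in the debug output; its Issuer and AuthnStatement are assumed, as are the 60-second response skew and 7200-second maximum authentication age, which are taken to be Spring Security SAML's defaults rather than values read from Jive. The scenarios cover the clean case, the Jive clock running ahead and behind, and a logon older than the maximum authentication age, which is the case the error message actually describes.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed for this example, not a real capture: Subject and Conditions are
# copied from the debug output above; the Issuer and the AuthnStatement (elided
# in the excerpt) are assumed. No Signature is included, so only the checks that
# run after "Successfully established trust of KeyInfo-derived credential" are
# modelled.
ASSERTION_TEMPLATE = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2011-12-13T13:58:42.667Z">
  <Issuer>http://emea.yourdomain.net/adfs/services/trust</Issuer>
  <Subject>
    <NameID Format="http://schemas.xmlsoap.org/claims/CommonName">EMEA-TMP-malikah.kelly</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData InResponseTo="a485g08eaicifhd325c7c2bdf64j43g"
          NotOnOrAfter="2011-12-13T14:05:42.672Z"
          Recipient="https://community.yourdomain.net/saml/sso"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2011-12-13T13:58:42.667Z" NotOnOrAfter="2011-12-13T14:58:42.667Z">
    <AudienceRestriction><Audience>https://community.yourdomain.net</Audience></AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="{authn_instant}" SessionIndex="_example">
    <AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext>
  </AuthnStatement>
</Assertion>
"""


def parse_time(value):
    """Parse a SAML xsd:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML timestamp: {value!r}")


def build_assertion(authn_instant):
    """Return the constructed assertion with the given AuthnInstant."""
    return ASSERTION_TEMPLATE.format(authn_instant=authn_instant)


def check_assertion(xml_text, now, sp_entity_id, acs_url,
                    response_skew=60, max_authentication_age=7200):
    """Replay the SP-side validity checks and return the list of failed checks
    (an empty list means the assertion is accepted). The two defaults are assumed
    to be Spring Security SAML's responseSkew and maxAuthenticationAge."""
    root = ET.fromstring(xml_text)
    skew = timedelta(seconds=response_skew)
    max_age = timedelta(seconds=max_authentication_age)
    failures = []

    cond = root.find("saml:Conditions", SAML_NS)
    if parse_time(cond.get("NotBefore")) > now + skew:
        failures.append("Conditions/@NotBefore is in the future")
    if parse_time(cond.get("NotOnOrAfter")) <= now - skew:
        failures.append("Conditions/@NotOnOrAfter has passed")
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if sp_entity_id not in audiences:
        failures.append("Audience does not contain the SP entity ID")

    scd = root.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
    if scd.get("Recipient") != acs_url:
        failures.append("SubjectConfirmationData/@Recipient is not our ACS URL")
    if parse_time(scd.get("NotOnOrAfter")) <= now - skew:
        failures.append("SubjectConfirmationData/@NotOnOrAfter has passed")

    # The check behind verifyAuthenticationStatement: the Windows logon must be
    # no older than max_authentication_age, and not in the future beyond the
    # skew (which is what a Jive clock running behind looks like).
    authn_instant = parse_time(
        root.find("saml:AuthnStatement", SAML_NS).get("AuthnInstant"))
    if not (now - skew - max_age < authn_instant < now + skew):
        failures.append("Users authentication data is too old")
    return failures


if __name__ == "__main__":
    sp, acs = "https://community.yourdomain.net", "https://community.yourdomain.net/saml/sso"
    fresh = build_assertion("2011-12-13T13:58:40.000Z")   # logon just before issuance
    old_logon = build_assertion("2011-12-13T11:30:00Z")   # existing AD FS SSO session
    for label, assertion, now in [
        ("clocks in sync", fresh, parse_time("2011-12-13T14:00:00Z")),
        ("Jive clock 3h ahead", fresh, parse_time("2011-12-13T17:00:00Z")),
        ("Jive clock 2min behind", fresh, parse_time("2011-12-13T13:57:00Z")),
        ("logon 2.5h old", old_logon, parse_time("2011-12-13T14:00:00Z")),
    ]:
        print(f"{label:24} -> {check_assertion(assertion, now, sp, acs) or 'accepted'}")
```

Raising NotBeforeSkew on the AD FS relying party trust only moves NotBefore earlier, so it addresses the clock-behind case; for a logon older than the maximum authentication age the knob is that age on the SP side, or having the user authenticate again at AD FS.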
Published by Olivier DETILLEUX