Frequently I need to use AD FS to build an SSO solution for hosted Exchange scenarios. On occasion I need to use AD FS to federate with systems outside of the Exchange world, and this is one of those situations. In this case the client needed AD FS 2.0 to provide a SAML-compliant authentication mechanism for Jive Software. The configuration turned out not to be difficult, but I had some trouble identifying all of the pieces that had to be in place before it worked. Hopefully this document will help.
First and foremost, on your Windows Server 2008 R2 server, download and install AD FS 2.0, then install Update Rollup 1 for it.
These can be downloaded here:
ADFS 2.0 Update Rollup 1
After installing AD FS 2.0 and UR1, run through the configuration wizard to set AD FS up to validate credentials against Active Directory.
To configure it to work with Jive, begin by setting up a Relying Party (RP) Trust. In my experience it was easiest to create the trust from the Jive metadata, which should be at https://yourcompanysHostedJiveUrl/saml/metadata. Be sure the metadata URL and the endpoints it advertises use HTTPS: AD FS will not talk to a relying party over plain HTTP.
When adding the RP trust, you specify which claims (user attributes) are sent back to Jive. These will vary with your implementation, but they can contain any attribute you can query from Active Directory through LDAP.
The most important item to configure when setting up SAML SSO with Jive is the Name ID. You need a claim rule that transforms the username claim into a Name ID (nameidentifier) claim that is sent to Jive. Your rule should look like this:
[Screenshot: Customize AD FS username transformation to work with the Jive SAML Name ID]
Without a Name ID, Jive will reject the SAML assertion, and its error messages are not always the most friendly.
After setting up your outgoing claims and ensuring that you are transforming the username into a Name ID, I recommend configuring two additional items on the AD FS side to assist in troubleshooting.
First, I disable encrypting the claims sent to Jive so that I can see them on Jive's debug screen if there is a problem with SSO. This is done with the PowerShell cmdlet Set-ADFSRelyingPartyTrust -TargetName "<Jive RP trust name>" -EncryptClaims $False. While encryption is off, the assertion and whatever user attributes it carries are protected only by TLS between the browser, AD FS and Jive, so turn it back on once troubleshooting is done.
Second, I recommend setting the NotBeforeSkew property on the trust as well. The value is in minutes, so this allows the assertion's NotBefore time to be up to five minutes earlier than the issuing time:
Set-ADFSRelyingPartyTrust -TargetName "<Jive RP trust name>" -NotBeforeSkew 5
Jive does in fact have an option to allow the server to be out of time sync, but regardless of the value I set, it did not work. We were unable to authenticate with over a 300th of a second of variance. When I set the skew in AD FS, the issues went away.
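The AD FS side of the procedure above (trust from Jive metadata, outgoing claims, the Name ID transform, encryption off and NotBeforeSkew) can be done in one script instead of through the wizard. The script below is an added example and is not from the original post or from Jive; it assumes a trust display name of "Jive", the metadata URL used above, and that users are identified to Jive by their UPN (if your screenshot mapped a different username attribute, change the source claim type in the second rule).

```powershell
# Added example (not from the original post): configure the Jive relying party
# trust on AD FS 2.0 from PowerShell. Assumed values: the display name "Jive",
# the metadata URL below, and UPN as the attribute Jive knows users by.

# AD FS 2.0 ships its cmdlets as a snap-in, not a module.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName      = "Jive"                                             # assumed display name
$metadataUrl = "https://yourcompanysHostedJiveUrl/saml/metadata"  # must be HTTPS

# 1. Create the trust from Jive's SAML metadata. Identifier, assertion consumer
#    endpoints and Jive's signing certificate are read from that document.
if (-not (Get-ADFSRelyingPartyTrust -Name $rpName)) {
    Add-ADFSRelyingPartyTrust -Name $rpName -MetadataUrl $metadataUrl
}

# 2. Issuance transform rules in the AD FS claim rule language.
#    Rule 1 pulls attributes out of Active Directory and emits them as claims.
#    Rule 2 is the essential one: it turns the UPN claim into the SAML Name ID.
#    Without rule 2 Jive rejects the assertion.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD attributes for Jive"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";userPrincipalName,mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "UPN to SAML Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# 3. Issuance authorization rule. The GUI wizard adds "Permit all users" for
#    you; a trust created from PowerShell has no authorization rules, so nobody
#    can sign in until one exists.
$authRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# 4. Apply the rules and the two troubleshooting settings from the post:
#    claim encryption off (assertion is then protected by TLS only) and a
#    five minute NotBeforeSkew (the parameter is in minutes).
Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authRules `
    -EncryptClaims $false `
    -NotBeforeSkew 5

# Once troubleshooting is finished, put encryption back on:
# Set-ADFSRelyingPartyTrust -TargetName $rpName -EncryptClaims $true
```

Run this in an elevated PowerShell session on the AD FS server. The nameid-format property on the Name ID rule is set to "unspecified"; if Jive's metadata requests a specific NameIDFormat (for example emailAddress), use that URI instead and make the source claim match it.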
Inside the Jive Admin Console, go to People, then Management, and choose Single Sign On, the last item on the Management menu. Here you configure Jive to use AD FS as its identity provider.
Your ADFS metadata URL will be https://MyADFSURL/federationmetadata/2007-06/federationmetadata.xml
When configuring the User Attribute Mapping, I have had problems trying to map the friendly claim name into Jive. What has worked without fail is entering the full claim type URI that AD FS passes (the "schema name", for example http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress) rather than the friendly name such as "E-Mail Address". Be sure to enable debugging on the Advanced tab so that you can see the error message returned if SSO fails.
[Screenshot: Jive Software field mapping to AD FS claim types]
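Before filling in the Jive mapping screen, it helps to see exactly what the trust will send and which claim type URIs correspond to the friendly names shown in the AD FS console. The following check script is an added example, not part of the original post; it assumes the trust display name "Jive" and the AD FS host name MyADFSURL used above.

```powershell
# Added example (not from the original post): show what the "Jive" trust sends
# and the claim type URIs ("schema names") to enter in Jive's attribute mapping.
# Assumed values: trust display name "Jive", AD FS host MyADFSURL.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rp = Get-ADFSRelyingPartyTrust -Name "Jive"
if (-not $rp) { throw "No relying party trust named 'Jive' on this AD FS server" }

# The two troubleshooting settings from the post, as currently stored.
$rp | Select-Object Name, Identifier, Enabled, EncryptClaims, NotBeforeSkew | Format-List

# The stored transform rules; warn if none of them issues a Name ID, since
# that is the failure Jive reports least helpfully.
$rp.IssuanceTransformRules
if ($rp.IssuanceTransformRules -notmatch "claims/nameidentifier") {
    Write-Warning "No rule issues a nameidentifier claim: Jive will reject the assertion."
}

# Friendly name (what the AD FS console shows) next to the claim type URI
# (what Jive needs). Enter the ClaimType column in Jive, not the Name column.
Get-ADFSClaimDescription |
    Where-Object { $_.ClaimType -match "emailaddress|givenname|surname|upn|nameidentifier" } |
    Select-Object Name, ClaimType | Format-Table -AutoSize

# Confirm the metadata URL you will paste into Jive is served over HTTPS and
# names this AD FS instance (entityID is the identifier Jive will trust).
$metaUrl = "https://MyADFSURL/federationmetadata/2007-06/federationmetadata.xml"
[xml]$meta = (New-Object System.Net.WebClient).DownloadString($metaUrl)
"Federation metadata entityID: " + $meta.EntityDescriptor.entityID
```

If the metadata download fails with a certificate error, Jive will fail the same way: the AD FS service communications certificate must chain to a CA that Jive's servers trust, not just your domain's.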
Jive's own community site also has a helpful page. See https://community.jivesoftware.com/docs/DOC-51294 for additional troubleshooting tips relating to Jive and SSO in general.