This page details the nuts and bolts of Jive SSO. If you are having issues with Jive SSO, this page should be able to give you a better idea of what's going on behind the scenes and help you diagnose any common problems.
For Crowd-Jive integration, the incoming request must:
- be authenticated with Crowd (have a Crowd SSO token in session or as a cookie)
- be authenticated with Jive (have a CrowdAuthToken stored in HttpSession for Jive)
To authenticate with Crowd: simply log in to Crowd via any Crowd-SSO enabled application. This includes Jive's login page.
To authenticate with Jive: you need to be authenticated with Crowd as a user "allowed to be authenticated" by Jive. This means, the user must belong to a group or directory which Jive is authorized to authenticate. This user also needs to NOT be on any user/IP ban lists within the Jive application. The Crowd integration will honor the ban list. See note below.
Enumeration of Use Cases
User views Jive Forums and:
- request is not authenticated with Crowd -> appears as guest user in Jive.
- request is authenticated with Crowd, but user is not in directory/group allowed to authenticate with Jive -> appears as guest user in Jive.
- request is authenticated with Crowd, user allowed to authenticate with Jive, user not on any ban list -> appears as logged-in user in Jive.
- authenticated Jive user clicks logout from Jive -> user is logged out of Jive and Crowd.
- authenticated Jive user logs out of Crowd using another SSO app -> user eventually times out of Jive.
- request is authenticated with Crowd, user banned from logging into Crowd -> user appears as guest in Jive.
- admin authenticated with Crowd and attempts to access Jive admin console -> admin appears logged in to Jive admin console.
- authenticated Jive admin attempts to log out from Jive's admin console -> admin is still logged in (support issue filed with Jive Forums).
- authenticated Jive admin attempts to log out from Jive Forums -> admin is logged out of Jive and Crowd.
- request is authenticated with Crowd but user is banned from Jive Forums -> user is still authenticated with Crowd, but not allowed to log in to Jive Forums
- It is known that the "remember me" functionality of Jive will cease to function. This has been intentionally disabled. Jive's "remember me" functionality will need to be replaced by a more general "remember me" from within Crowd. Once this is implemented in Crowd, the Jive integration libraries can utilize Crowd's "remember me", so that "remember me" is centralized.
- It is recommended that admins do not use ban lists. Rather, you should manage access control based on Crowd's groups. So it's best to disable Ban Users from within Ban Settings inside the Jive admin console. There is nothing wrong with using ban lists, as they will be honored by the Crowd-Jive integration libraries. So they will make it hard for a banned user to switch to a non-banned user. The only way a banned Jive user, authenticated with Crowd for Jive, will be able to switch to a different user that Jive will pick up, is when the Jive's Crowd authentication cache clears, so that Jive recognizes a new user is signing in. This is because there is no way to log out a banned user from Jive, as they will always appear to be "guest". So basically, if you have users with multiple identities, if one is banned and attempts to log in, the user will have to wait until the client cache is cleared before he/she can log in with a different identity. Note: it's easy for non-banned users to switch identities as the client authentication cache is cleared when they click "logout" from within Jive.
- Using the Application Browser
- Integrating Crowd with Atlassian Bamboo
- Integrating Crowd with Atlassian Confluence
- Integrating Crowd with Atlassian CrowdID
- Integrating Crowd with Atlassian Crucible
- Integrating Crowd with Atlassian FishEye
- Integrating Crowd with Atlassian Jira
- Integrating Crowd with Atlassian Bitbucket
- Integrating Crowd with Acegi Security
- Integrating Crowd with Jive Forums
- Integrating Crowd with Spring Security
- Integrating Crowd with a Custom Application
- Configuring the Google Apps Connector
- Mapping a Directory to an Application
- Effective memberships with multiple directories
- Specifying an Application's Address or Hostname
- Testing a User's Login to an Application
- Enforcing Lower-Case Usernames and Groups for an Application
- Managing an Application's Session
- Deleting or Deactivating an Application
- Overview of SSO
- Configuring Options for an Application
- Enabling OpenID client app
- Disabling the OpenID client app
- Allowing applications to create user tokens
- Configuring how users log in