
Troubleshooting SAML SSO Issues

Overview

After performing the User Attribute Mapping in Jive, you might encounter some issues related to ADFS, SAML SSO, and the attributes. This article lists some of these common issues and quick fixes.

Information

1. Issue: Jive metadata does not import into ADFS (Active Directory Federation Services).
   Fix: Uncheck Sign Metadata in Jive, restart, and reimport the metadata.

2. Issue: Jive is unable to retrieve ADFS metadata by URL.
   • ADFS metadata is usually behind the firewall, so the Jive instance cannot reach it.
   • Fix: Download the ADFS metadata (FederationMetadata.xml) and paste it into the metadata textbox in Jive, which is what most people do anyway.

3. Issue: ADFS displays errors upon a SAML request from Jive.
   • A time difference between the ADFS host and the ADFS proxy breaks communication between them, which surfaces as errors when Jive sends its SAML request.
   • Fix: Synchronize the clocks of the ADFS host and proxy (NTP) and confirm the proxy can reach the host.

4. Issue: Jive endpoints are not being imported into ADFS.
   • The Jive SAML base URL is HTTP instead of HTTPS.
   • Fix: Set the Jive SAML base URL to HTTPS and reimport the metadata. ADFS does not import plain-HTTP endpoints.

5. Issue: ADFS sends a Responder status code to Jive.
   1. Check the ADFS event log; the signature hash algorithm set on the relying party trust may not match what Jive accepts.
   2. Change the relying party trust's secure hash algorithm in ADFS from the default of SHA-256 to SHA-1.
   Caveat: SHA-1 is a deprecated signature hash. Treat this as a workaround and keep SHA-256 if the Jive side accepts it.

6. Issue: User attribute related errors.
   • Attribute > Profile Mappings must use the attribute Name, not the Friendly Name.
   • The Name is the long, URL-like identifier, for example http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress; the Friendly Name is the short label ADFS shows, such as E-Mail Address.

7. Issue: Login fails if the user has been logged into ADFS for more than 2 hours before logging into Jive.
   Fix: Change Max Authentication Age in Jive from the default of 7200 seconds (2 hours) to 28800 (8 hours, the ADFS default SSO lifetime). ADFS reports the original authentication time, not the time of the current response, so Jive rejects an otherwise fresh response whose authentication is older than this limit.

8. Issue: Upon the first login, you receive prompts for username and email.
   Fix: Set the Jive properties sso.confirm.username and sso.confirm.email to false.

9. Issue: Upon logging in to Jive, the following error displays:
   NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration.
   Fix: Add an Outgoing Claim Rule in ADFS for the Name ID claim (usually populated from the AD objectGUID value).

10. Issue: Response issue time is either too old or in the future.
    Fix: The Jive host clock has drifted from the ADFS clock. Synchronize it by executing this command via SSH:

    /usr/sbin/ntpdate pool.ntp.org

    ntpdate is a one-shot correction; keep a time service (ntpd or chronyd) running on the Jive host so the clocks do not drift apart again.

Priyanka Bhotika