
Differences Between SAML SSO and LDAP User and Group Syncing

Overview

Jive can sync accounts managed by either SAML SSO or LDAP, but the two synchronization processes work differently. This document describes the high-level differences between the two implementations.

Information

Details (SAML vs. LDAP)

Automatic sync
  • SAML SSO: has no nightly sync; changes reach Jive only when a user logs in
  • LDAP: can be scheduled to run daily, configured through the system property spring.userDataSynchronizationTask.cronExpression
Automatically disabling accounts
  • SAML SSO: cannot disable accounts, so an account that should lose access has to be blocked at the identity provider
  • LDAP: can disable
    • by attribute and value
    • all users not returned by the user search filter during the sync
Automatically enabling accounts
  • SAML SSO: re-enables a disabled account when the user logs in
  • LDAP: depends on the Jive version
    • Jive Custom 6 or older: does not re-enable disabled Jive accounts
    • Jive Custom 7 to 7.0.2: re-enables disabled Jive accounts on login only
    • Jive Custom 7.0.3 and newer: re-enables accounts on login and during the nightly sync
Auto-provisioning accounts
  • SAML SSO: automatic user provisioning can be enabled; it happens on login
  • LDAP: can auto-provision on a nightly basis without user interaction
Syncing user profiles
  • SAML SSO: can sync user profiles, but only when the user logs in
  • LDAP: can sync profiles on a nightly basis without user interaction
Permission group sync
  • Both SAML SSO and LDAP can sync groups at login
  • Synchronizing groups in bulk outside of authentication requires an LDAP configuration
    • This is not enabled by default
    • It is not encouraged: it is often unnecessary and can consume significant resources
    • Enable it by setting the cron expression and, optionally, the skew (a window, in milliseconds, after the cron-scheduled time within which the sync task starts) as Jive properties, then restart:
      • spring.ldapGroupManagerImpl.syncTaskCronExpression = "0 0 0 * * ?"
      • spring.ldapGroupManagerImpl.syncTaskSkew = "300000"
      • The values above schedule the sync for midnight, starting within a 5-minute window
Manager relationships
  • SAML SSO: does not sync manager relationships
  • LDAP: can sync manager relationships via the Manager Field
Profile images
  • SAML SSO: does not sync profile images
  • LDAP: can sync profile photos via the Photo Field (must be JPG or PNG)
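The account-lifecycle rows above (disable, re-enable, provision, profile sync) are easiest to reason about as one simulated nightly pass. The following is an added example, not Jive's code: it models an LDAP sync over a constructed directory search result and a constructed Jive account store, applying the two disable rules (by attribute/value, and missing from the search filter), the 7.0.3-style re-enable on sync, auto-provisioning and manager-field sync, and then models what a SAML login can do to the same store (provision and re-enable, never disable). The attribute name employeeStatus, the "directory_managed" flag that exempts local accounts such as a break-glass admin, and all usernames are assumptions made for the example.

```python
"""Simulated nightly LDAP user sync versus a SAML login (added example, not Jive code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Account:
    username: str
    enabled: bool = True
    # Assumption: local accounts (e.g. a break-glass admin) are not directory-managed
    # and are therefore never disabled by the "missing from search filter" rule.
    directory_managed: bool = True
    profile: Dict[str, str] = field(default_factory=dict)


# Constructed LDAP search result: what the user search filter returned tonight.
# 'bob' is still returned but flagged terminated; 'erin' no longer exists in the
# directory, so she is absent; 'dave' is a new hire not yet known to Jive.
LDAP_ENTRIES: List[Dict[str, str]] = [
    {"uid": "alice", "employeeStatus": "active", "manager": "carol"},
    {"uid": "bob", "employeeStatus": "terminated", "manager": "carol"},
    {"uid": "carol", "employeeStatus": "active", "manager": ""},
    {"uid": "dave", "employeeStatus": "active", "manager": "alice"},
]

# "Disable by attribute and value" rule (hypothetical attribute name).
DISABLE_ATTRIBUTE, DISABLE_VALUE = "employeeStatus", "terminated"


def make_accounts() -> Dict[str, Account]:
    """Constructed Jive account store as it looks before the nightly run."""
    return {
        "admin": Account("admin", directory_managed=False),
        "alice": Account("alice"),
        "bob": Account("bob"),
        "carol": Account("carol", enabled=False),  # disabled earlier; 7.0.3+ re-enables on sync
        "erin": Account("erin"),                   # left the company; gone from the directory
    }


def ldap_nightly_sync(accounts: Dict[str, Account], entries: List[Dict[str, str]],
                      disable_missing: bool = True,
                      reenable_on_sync: bool = True) -> List[Tuple[str, str]]:
    """Apply one LDAP sync pass in place; return the sorted list of (action, username)."""
    actions: List[Tuple[str, str]] = []
    seen = set()
    for entry in entries:
        uid = entry["uid"]
        seen.add(uid)
        acct = accounts.get(uid)
        if acct is None:                         # auto-provision without user interaction
            acct = Account(uid)
            accounts[uid] = acct
            actions.append(("provision", uid))
        acct.profile = {"manager": entry.get("manager", "")}   # profile/manager sync
        if entry.get(DISABLE_ATTRIBUTE) == DISABLE_VALUE:      # disable by attribute and value
            if acct.enabled:
                acct.enabled = False
                actions.append(("disable_by_attribute", uid))
        elif reenable_on_sync and not acct.enabled:            # 7.0.3+: re-enable on sync
            acct.enabled = True
            actions.append(("reenable", uid))
    if disable_missing:                          # disable users not returned by the filter
        for uid, acct in accounts.items():
            if acct.directory_managed and acct.enabled and uid not in seen:
                acct.enabled = False
                actions.append(("disable_missing", uid))
    return sorted(actions)


def saml_login(accounts: Dict[str, Account], username: str,
               auto_provision: bool = True):
    """Model what a successful SAML assertion does to the store: it can provision
    and re-enable, but it has no way to disable anything."""
    acct = accounts.get(username)
    if acct is None:
        if not auto_provision:
            return None
        acct = Account(username)
        accounts[username] = acct
    if not acct.enabled:
        acct.enabled = True
    return acct


if __name__ == "__main__":
    store = make_accounts()
    for action in ldap_nightly_sync(store, LDAP_ENTRIES):
        print(action)
    # If the IdP still asserts bob's identity, a SAML login re-enables the account
    # that the LDAP pass just disabled; blocking must also happen at the IdP.
    print("bob enabled after SAML login:", saml_login(store, "bob").enabled)
```

Running it shows the LDAP pass provisioning dave, disabling bob by attribute, disabling erin for being absent from the search filter, re-enabling carol, and leaving the local admin alone; the final line shows why relying on SAML alone leaves deprovisioning entirely to the identity provider.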
Author: Priyanka Bhotika