Frequently I need to use ADFS to create a SSO solution for hosted Exchange scenarios. On occasion, I need to use ADFS to federate with other systems outside of the Exchange world. This is one of those situations. In this example, the client needed to use AD FS 2.0 to create a SAML compliant authentication mechanism to be used with.

The configuration turned out not to be too difficult, but I did have some issues identifying all of the components that were needed to get this working. Hopefully this document will help. ADFS Configuration First and foremost, on your Windows 2008R2 server, download and install AD FS 2.0 and then install update rollup 1. These can be downloaded here: After installing ADFS 2.0 and UR1, you can run through the configuration Wizard to get ADFS setup to validate credentials against Active Directory. To configure it to work with Jive, begin by setting up a Relying Party (RP) Trust. In my experience I found it was easiest to configure using the Jive metadata. This should be Be sure to use HTTPS for communication between Jive and ADFS.

Updates for AD FS and WAP in Windows Server 2012 R2. Below is the list of hotfixes and update rollups that have been released for Active Directory Federation Services (AD FS) in Windows Server 2012 R2. After completing ADFS/IFD setup where ADFS is installed on a Windows Server 2012 R2 machine, you receive the below error: To resolve this issue you must enable Forms Authentication: 1. Connect to the ADFS server. Open the ADFS management console and click Authentication Policies.

ADFS will ignore non-SSL communications. When adding the RP trust, you can specify which claims (user properties) you send back to Jive. These will vary based upon your implementation, but they can contain anything you can query through LDAP. The most important item to configure when setting up SAML/SSO with Jive is the Name ID. You need to configure ADFS to transform the username into a Name ID element that is sent to Jive. Your rule should look like this: Customize AD FS Username transformation to work with Jive SAML Name ID Without the Name ID, Jive will not accept the SAML SSO request and the error messages are not always the most friendly. After setting up your outgoing claims and ensuring that you are transforming the username into a Name ID, I recommend you configure two additional items on your ADFS installation to assist in troubleshooting.

First, I disable encrypoting the claims sent to Jive so that I can see them on the debug screen if there is an issue using SSO. This can be completed by issuing the PowerShell cmdlet Set-ADFSRelyingPartyTrust -EncryptClaims $False. (You will want to turn this feature back on when troubleshooting is done) Second, I recommend setting the NotBeforeSkew property in ADFS as well.

Set-ADFSRelyingPartyTrust -NotBeforeSkew 5 Jive does in fact have an option to allow the server to be out of time sync, but regardless of the value I set it did not work. We were unable to authenticate over a 300th of second variance. When I set the skew in ADFS, the issues went away. Jive Configuration Inside of the Jive Admin Console, go to People, Management, then choose Single Sign On, the last choice on the Management menu. Here you can configure Jive to use ADFS. Your ADFS metadata URL will be It is important to note when configuring the User Attribute Mapping that I have had issues trying to map the friendly name into Jive.