Date: October 3rd, 2023
Environmental details: Cloud-based customers seeking to enable single sign-on (SSO) authentication with Auth0
This document outlines the steps for implementing Auth0 for SSO authentication for the Jama Connect® Cloud.
When utilizing the Auth0 SAML implementation, it is important to note the following details:
- We support Identity Providers (IdPs) that comply with the SAML 2.0 standard.
- Our system only supports the HTTP Redirect Artifact binding.
- All email addresses used in production must be unique. If a duplicate is found, the user attempting to log in receives a message directing them to contact their administrator.
- Users who exist in the IdP can self-register on their first login, which automates account creation. However, self-registered users are granted only a 30-day trial license; an Organization Admin must then assign the appropriate license and permissions.
- If you wish to test SAML with your IdP prior to going live on production, we can set up a trial instance for you.
- Once SAML is enabled, you can only invite reviewers who have accounts in your IdP. External reviewers without IdP accounts cannot be invited.
- If you enable Multi-Mode Authentication, both internal (IdP) users and external users can access your instance.
- Jama Connect matches users by email address using the SAML Name ID attribute. When setting up the connection rules in your IdP, you must map the Name ID to the user's email address so that it matches the email field in Jama Connect.
Follow the steps below to configure the ACS and Entity ID settings on the IdP side.
Submit a Support Ticket:
- Go to Jama Software Support.
- Select "Jama Connect® Cloud Customer Support Request Form" as the Request Type.
- Enter the email address of the person with IDP access and authentication details.
- Subject: Enable SSO for our cloud instance.
- In the Description field:
- Let Support know that you are ready to work with them to migrate your Jama SAML authentication to Auth0.
- State which type of IdP you are using (such as Okta or Azure AD) and provide the URL(s) of your hosted instance(s) (Prod, Sandbox, or both).
- You can choose your preferred mode of engagement: either a live working session via screen share or primarily through the support ticket via email.
- Remember to set Priority to Normal and fill in all necessary fields.
- Finally, scroll to the bottom of the page and click "Submit."
Configure Two Apps on the IDP Side:
Electronic signatures require the user to re-authenticate at signing time. So that this forced authentication is not applied to every Jama Connect® login, two apps must be created in your IdP: one for normal sign-in and one for electronic signatures.
- You will need to input the following into your IDP:
App #1 (Jama Connect)
- ACS / single sign on URL: https://<Auth0 Domain>/login/callback?connection=<tenantId>
- Entity ID / Audience restriction: urn:auth0:<First part of Auth0 Domain>:<tenantId>
App #2 (Jama Connect E-Sig)
- ACS / single sign on URL: https://<Auth0 Domain>/login/callback?connection=<tenantId>-esig
- Entity ID / Audience restriction: urn:auth0:<First part of Auth0 Domain>:<tenantId>-esig
Note: Support will replace the placeholders above with the Auth0 domain and tenant ID assigned to your instance and send you the final values through the submitted ticket.
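The following script is an added example, not Jama or Auth0 code. It derives the ACS URL and Entity ID for both IdP apps from an Auth0 domain and tenant ID using the patterns above, then checks a SAML Response against one app's settings: Destination must equal the ACS URL, Audience must equal the Entity ID, the Name ID must be an email address (the field Jama matches on), and the first/last-name attributes must be present. The Auth0 domain, tenant ID and the SAML Response are constructed placeholders.

```python
# Added example (not Jama or Auth0 code): derive the two IdP app settings from an
# Auth0 domain and tenant ID, then check a SAML Response against one of them.
# The Auth0 domain, tenant ID and the SAML Response below are constructed.
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def app_settings(auth0_domain: str, tenant_id: str) -> dict:
    """ACS URL and Entity ID for both IdP apps, following the patterns above."""
    prefix = auth0_domain.split(".")[0]  # "first part" of the Auth0 domain
    apps = {}
    for app, connection in (("Jama Connect", tenant_id),
                            ("Jama Connect E-Sig", f"{tenant_id}-esig")):
        apps[app] = {
            "acs_url": f"https://{auth0_domain}/login/callback?connection={connection}",
            "entity_id": f"urn:auth0:{prefix}:{connection}",
        }
    return apps


def check_response(xml_text: str, app: dict, first="givenname", last="surname") -> list:
    """Return the mismatches between a SAML Response and one app's settings.

    Checks Destination (ACS), Audience (Entity ID), that NameID is an email
    address, and that the first/last-name attributes are present. Signature
    verification is Auth0's job and is deliberately out of scope here.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != app["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} != ACS {app['acs_url']!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != app["entity_id"]:
        problems.append(f"Audience {audience!r} != Entity ID {app['entity_id']!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not EMAIL_RE.match((name_id.text or "").strip()):
        problems.append("NameID missing or not an email address")
    attrs = {a.get("Name", "") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for wanted in (first, last):
        # accept both short names (Okta style) and full claim URIs (Azure AD style)
        if not any(n == wanted or n.endswith("/" + wanted) for n in attrs):
            problems.append(f"attribute {wanted!r} not sent (have {sorted(attrs)})")
    return problems


# Hypothetical values: Support supplies the real ones for your instance.
AUTH0_DOMAIN = "example-jama.us.auth0.com"
TENANT_ID = "example"
APPS = app_settings(AUTH0_DOMAIN, TENANT_ID)

# Constructed, unsigned response from an Azure-AD-style IdP for App #1.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2023-10-03T00:00:00Z"
    Destination="{APPS['Jama Connect']['acs_url']}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-10-03T00:00:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <saml:Subject><saml:NameID Format="{NAMEID_EMAIL}">jane.doe@example.test</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{APPS['Jama Connect']['entity_id']}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for app, settings in APPS.items():
        print(app, settings)
    print("App #1:", check_response(SAMPLE_RESPONSE, APPS["Jama Connect"]) or "OK")
    # The same response presented to the E-Sig app fails on both Destination and
    # Audience, which is why each IdP app needs its own ACS URL and Entity ID.
    print("App #2:", check_response(SAMPLE_RESPONSE, APPS["Jama Connect E-Sig"]))
```

Running the same response against the E-Sig app settings reports two mismatches, which illustrates why the two apps cannot share one ACS URL or Entity ID. The stdlib parser is fine for this offline check of your own constructed data; when parsing SAML that arrived over the network, use defusedxml or an equivalent hardened parser.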
What we need from you:
- To synchronize users' first and last names, give us the attribute names your IdP sends for each. Most IdPs backed by Active Directory use "givenname" for the first name and "surname" for the last name.
- We also need your IdP's metadata. Please provide it as a metadata URL rather than a static XML file: the URL is dynamic, so a rotated IdP signing certificate is picked up on refresh without a manual update to the configuration.
- Let us know whether you want SAML-only or Multi-Mode Authentication.
- Let us know whether you want IdP-initiated SSO enabled.
Note: IdP-initiated SSO carries security risks, because the service provider receives a SAML response it never requested and so cannot tie it to a login it started. See: Configure SAML Identity Provider-Initiated Single Sign-On
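Before sending metadata to Support, it is worth checking that it is actually SAML 2.0 IdP metadata with the pieces Auth0 needs. The script below is an added example, not Jama or Auth0 code: it verifies the EntityDescriptor and entityID, the IDPSSODescriptor, a SingleSignOnService using the HTTP-Redirect binding noted at the top of this page, and at least one signing certificate that decodes as base64. Both metadata documents it runs on are constructed, and the "certificate" is placeholder bytes rather than a real X.509 certificate.

```python
# Added example (not Jama or Auth0 code): pre-flight check of IdP SAML metadata
# before handing it to Support. Both metadata documents below are constructed;
# the "certificate" is placeholder bytes, not a real X.509 certificate.
import base64
import binascii
import xml.etree.ElementTree as ET

MD = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def check_idp_metadata(xml_text: str) -> list:
    """Return a list of problems; empty means the metadata looks usable.

    Checks: SAML 2.0 EntityDescriptor with an entityID, an IDPSSODescriptor,
    a SingleSignOnService using the HTTP-Redirect binding, and at least one
    signing certificate that is valid base64. Certificate expiry is not checked
    (that needs an X.509 parser such as the `cryptography` package).
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD['md']}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor (not SAML 2.0 metadata)"]
    if not root.get("entityID"):
        problems.append("entityID attribute missing")
    idp = root.find("md:IDPSSODescriptor", MD)
    if idp is None:
        return problems + ["no IDPSSODescriptor: this is not IdP metadata"]
    bindings = {s.get("Binding") for s in idp.findall("md:SingleSignOnService", MD)}
    if HTTP_REDIRECT not in bindings:
        problems.append(f"no SingleSignOnService with HTTP-Redirect binding (found {sorted(bindings)})")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", MD):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            certs += [c.text or "" for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD)]
    if not certs:
        problems.append("no signing certificate (KeyDescriptor use='signing')")
    for cert in certs:
        try:
            base64.b64decode("".join(cert.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append("X509Certificate is not valid base64")
    return problems


FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()


def metadata(bindings, key_use="signing"):
    """Build a minimal constructed IdP metadata document for the checks above."""
    sso = "".join(
        f'<md:SingleSignOnService Binding="{b}" Location="https://idp.example.test/sso"/>'
        for b in bindings)
    use_attr = f' use="{key_use}"' if key_use else ""
    return f"""<md:EntityDescriptor xmlns:md="{MD['md']}" xmlns:ds="{MD['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor{use_attr}><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    {sso}
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


GOOD_METADATA = metadata([HTTP_REDIRECT, HTTP_POST])
BAD_METADATA = metadata([HTTP_POST], key_use="encryption")  # POST only, no signing key

if __name__ == "__main__":
    print("good:", check_idp_metadata(GOOD_METADATA) or "OK")
    print("bad: ", check_idp_metadata(BAD_METADATA))
```

If you hand over a metadata URL, the same check can be run on what that URL returns; if you hand over a static XML file instead, remember that a later signing-certificate rotation at the IdP will not reach Auth0 until you send updated metadata.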
Things to note:
- If you intend to use Jama's REST API, you will need to create OAuth credentials for API access.
- If you intend to use the Jama Integration Hub (JIH), it requires a dedicated service account used only by the JIH.
- If your IdP is behind a firewall, Auth0's servers need network access to your IdP's metadata endpoint to perform metadata refresh, unless you provide the metadata XML directly (in which case signing-certificate rotation must be handled by sending updated metadata).
- After enabling SAML, ensure that every user who needs access to Jama Connect® exists in your IdP.
After completing the configuration, let us know so we can schedule enabling Auth0 SAML on your instance.
We require someone on your side to confirm that the cutover is successful and to troubleshoot if needed.
Both a Jama Connect Organization Admin and an IdP Admin are REQUIRED for the cutover.
Explore the following articles:
Jama Gallery App for Azure AD:
- The Jama Gallery App for Azure Active Directory provides a pre-built integration between Jama Connect and Azure AD.
SCIM Provisioning for Okta/Azure AD:
- SCIM provisioning for Okta and Azure AD automates user provisioning and deprovisioning, keeping Okta or Azure AD and Jama in sync.