Preparing for SAML Enablement - Auth0 Steps for Cloud-Hosted Users

Published Date: October 3, 2023
Validated: Yes
Audience: Everyone
Products and Versions Covered:

• Jama Connect® Cloud
• SAML Enablement (Auth0)

Summary

This article outlines the steps required to enable SAML-based single sign-on (SSO) using Auth0 for Jama Connect® Cloud. It also highlights key requirements, configuration details, and prerequisites for a successful implementation.

By following this guide, administrators will understand how to prepare their Identity Provider (IdP), coordinate with Jama Support, and complete the configuration process.

When using the Auth0 SAML implementation, note the following:

• IdPs must comply with SAML 2.0 standards.
• Only HTTP Redirect Artifact binding is supported.
• All email addresses must be unique. Duplicate emails will prevent login and require administrator intervention.
• Users can self-register through the IdP and receive a 30-day trial license. An Organization Admin must assign appropriate licenses and permissions.
• A trial instance can be configured to test SAML before enabling it in production.
• Multi-Mode Authentication allows both internal and external users to access the instance.
• Jama Connect matches users by email using the NameID attribute. This must be mapped to the email field in your IdP.

Resolution

1. Submit a Support Request

• You must be a Named Support Contact to submit a Request. 
• Navigate to Jama Software Support.
• Select the Jama Connect® Cloud Customer Support Request Form.
• Provide the following details:
  • Email of the IdP administrator
  • Subject: Enable SSO for our cloud instance
  • Description including:
    • IdP type (e.g., Okta, Azure AD)
    • Hosted instance URLs (Production, Sandbox, or both)
    • Preferred engagement method (live session or ticket-based)
• Set priority to Normal and submit the request.

2. Configure Applications in Your IdP

Two applications must be created to support authentication and electronic signatures.

App #1: Jama Connect

• ACS / Single Sign-On URL:
  https://<Auth0 Domain>/login/callback?connection=<tenantId>
• Entity ID / Audience:
  urn:auth0:<Auth0 Domain Prefix>:<tenantId>

App #2: Jama Connect E-Signature

• ACS / Single Sign-On URL:
  https://<Auth0 Domain>/login/callback?connection=<tenantId>-esig
• Entity ID / Audience:
  urn:auth0:<Auth0 Domain Prefix>:<tenantId>-esig

Note: Jama Support will provide finalized values based on your Auth0 tenant configuration.

3. Provide Required Information to Jama Support

• Attribute mappings for:
  • First Name (commonly givenname)
  • Last Name (commonly surname)
• IdP metadata URL (preferred) or XML file
• Authentication preference:
  • SAML-only or Multi-Mode Authentication
• Whether IdP-initiated SSO should be enabled

4. Complete Configuration and Validation

• Confirm all required users exist in the IdP.
• Coordinate with Jama Support to enable SAML on your instance.
• Validate login functionality after enablement.
• Jama Admin and IdP Admin participation is required during validation and troubleshooting.

Cause

SAML configuration requires proper alignment between Jama Connect®, Auth0, and the Identity Provider. Misconfiguration of attributes, endpoints, or metadata can prevent successful authentication.

Prevention

• Ensure IdP attribute mappings (especially NameID → email) are correctly configured.
• Validate metadata and endpoint URLs before enabling SAML.
• Test configuration in a non-production environment when possible.
• Confirm all required users and permissions are established prior to cutover.

Additional Information

• OAuth credentials are required for Jama Connect REST API usage
• Jama Integration Hub requires a dedicated service account
• If your IdP is behind a firewall, Auth0 must be able to access it for metadata refresh, or you must provide XML metadata manually
• IdP-initiated SSO introduces security considerations and should be evaluated before enabling