Date: October 3rd, 2023
Audience: Everyone
Environmental details: Preparing for SAML Enablement - Auth0 Steps for Cloud-Hosted Users
Summary
This document outlines the steps for implementing Auth0 for SSO authentication for the Jama Connect® Cloud.
When utilizing the Auth0 SAML implementation, it is important to note the following details:
- We support identity providers (IDPs) who comply with SAML 2.0 standards.
- Our system only supports HTTP Redirect Artifact binding.
- All email addresses used in production must be unique. If duplicates exist, the user attempting to log in will receive a message directing them to contact their administrator.
- Users who exist in the IDP can self-register on first login, so account creation is automatic. Self-registered users are granted a 30-day trial license; an Organization Admin must then assign the appropriate license and permissions.
- We can set up a trial instance if you prefer to test SAML with your IDP before going live on production.
- Multi-Mode Authentication lets both internal and external users access your instance.
- Jama Connect matches users' email addresses with the Name ID attribute. When setting up connection rules for Jama, you must map the field for the Name ID attribute in your IdP to Jama Connect's email field.
Next steps
Follow the steps below to configure the ACS and Entity ID settings on the IDP side.
Submit a Support Ticket:
- Go to Jama Software Support.
- Select "Jama Connect® Cloud Customer Support Request Form" as the Request Type.
- Enter the email address of the person with IDP access and authentication details.
- Subject: Enable SSO for our cloud instance.
- In the Description field:
- Let support know you're prepared to team up with them to update your Jama SAML authentication to Auth0.
- Please mention which type of IDP you're using (such as Okta or Azure) and provide the URL for your hosted instance(s) (Prod, Sandbox, or Both).
- You can choose your preferred mode of engagement: either a live working session via screen share or primarily through the support ticket via email.
- Remember to set Priority to Normal and fill in all necessary fields.
- Finally, scroll to the bottom of the page and click "Submit."
Configure Two Apps on the IDP Side:
Jama Connect® requires two apps in your IDP so that electronic signatures can force re-authentication without forcing you to authenticate every time you log in to Jama Connect®.
You will need to input the following into your IDP:
App #1 (Jama Connect)
- ACS / single sign on URL: https://<Auth0 Domain>/login/callback?connection=<tenantId>
- Entity ID / Audience restriction: urn:auth0:<First part of Auth0 Domain>:<tenantId>
App #2 (Jama Connect E-Sig)
- ACS / single sign on URL: https://<Auth0 Domain>/login/callback?connection=<tenantId>-esig
- Entity ID / Audience restriction: urn:auth0:<First part of Auth0 Domain>:<tenantId>-esig
Note: The support team will modify the URLs to align with the Auth0 domain and tenant ID linked to your instance details, and they will provide you with the updated information through the submitted request.
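The two apps above differ only in the `-esig` suffix, and the overview section requires that the Name ID carry a unique email address. The Python script below is an added example, not Jama's or Auth0's code, of a pre-cutover check an IDP admin can run: it derives the ACS URL and Entity ID for both apps from an Auth0 domain and tenant ID, flags duplicate email addresses in a directory export, and checks a decoded SAML Response for the expected Destination, Audience, an email-format NameID, and the first/last-name attributes. The Auth0 domain, tenant ID, user list and Response are constructed placeholders; `givenname` and `surname` are the attribute names the article calls typical, so adjust them to what your IDP actually sends.

```python
"""Pre-cutover checks for the Auth0 SAML connection described in this article.
Added example, not Jama's or Auth0's code; all sample values below are constructed."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AUTH0_DOMAIN = "example-tenant.us.auth0.com"  # constructed; support supplies the real value
TENANT_ID = "acme-prod"                        # constructed; support supplies the real value
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def expected_settings(auth0_domain, tenant_id):
    """ACS URL and Entity ID for App #1 and App #2; the Entity ID uses only the
    first label of the Auth0 domain (urn:auth0:<First part of Auth0 Domain>:<tenantId>)."""
    prefix = auth0_domain.split(".")[0]
    apps = {}
    for app, suffix in (("Jama Connect", ""), ("Jama Connect E-Sig", "-esig")):
        connection = f"{tenant_id}{suffix}"
        apps[app] = {"acs_url": f"https://{auth0_domain}/login/callback?connection={connection}",
                     "entity_id": f"urn:auth0:{prefix}:{connection}"}
    return apps


def find_duplicate_emails(users):
    """Lower-cased emails shared by more than one IDP user. Jama matches on the
    email in NameID, so these must be resolved before cutover."""
    by_email = defaultdict(list)
    for user in users:
        by_email[user["email"].strip().lower()].append(user)
    return sorted(email for email, hits in by_email.items() if len(hits) > 1)


def check_assertion(response_xml, expected, first_attr="givenname", last_attr="surname"):
    """Compare a decoded SAML Response with what the connection expects and return
    a list of problems (empty means acceptable). Signature checks stay with Auth0."""
    problems = []
    root = ET.fromstring(response_xml)
    if root.get("Destination") != expected["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["Response carries no Assertion"]
    audiences = [a.text for a in assertion.iterfind(".//saml:Audience", NS)]
    if expected["entity_id"] not in audiences:
        problems.append(f"Audience {audiences} does not include the Entity ID")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not EMAIL_RE.match(name_id):
        problems.append(f"NameID {name_id!r} is not an email address")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
             for a in assertion.iterfind(".//saml:Attribute", NS)}
    for needed in (first_attr, last_attr):   # attributes Jama syncs to first/last name
        if not attrs.get(needed):
            problems.append(f"attribute {needed!r} is missing or empty")
    return problems


SAMPLE_USERS = [  # constructed directory export with one case-variant duplicate
    {"name": "Jane Doe", "email": "jane.doe@example.com"},
    {"name": "John Roe", "email": "john.roe@example.com"},
    {"name": "Jane Doe (contractor)", "email": "Jane.Doe@example.com"},
]

# Constructed, unsigned Response shaped the way App #1 (Jama Connect) expects it.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2023-10-03T00:00:00Z"
    Destination="https://{AUTH0_DOMAIN}/login/callback?connection={TENANT_ID}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-10-03T00:00:00Z">
    <saml:Subject>
      <saml:NameID>jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:auth0:example-tenant:{TENANT_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    apps = expected_settings(AUTH0_DOMAIN, TENANT_ID)
    print("duplicate emails:", find_duplicate_emails(SAMPLE_USERS))
    print("App #1 problems:", check_assertion(SAMPLE_RESPONSE, apps["Jama Connect"]))
    print("App #2 problems:", check_assertion(SAMPLE_RESPONSE, apps["Jama Connect E-Sig"]))
```

Running the sample Response against the App #2 settings reports two problems (wrong Destination and wrong Audience), which is exactly the failure you would see if the IDP sent an assertion meant for the login app to the E-Sig connection; the duplicate check flags `jane.doe@example.com` because the two entries differ only in case.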
What we need from you
- The attribute names your IDP sends for first name and last name, so we can synchronize them. Most IdPs backed by Active Directory use "givenname" for the first name and "surname" for the last name.
- Your IDP metadata. Please provide it as a URL rather than a file: the URL is dynamic, so your Signing Certificate will not need to be updated manually.
- Whether you would like to enable SAML only or Multi-Mode Authentication.
- Whether you would like to enable IDP-initiated SSO.
*There are security risks associated with IdP-initiated SSO. See: Configure SAML Identity Provider-Initiated Single Sign-On
Things to note
- If you intend to use Jama's API, you need to create OAuth credentials for it.
- If you intend to use the Jama Integration Hub (JIH), it requires a dedicated service account used only by the JIH.
- If your Identity Provider (IDP) is behind a firewall, Auth0's servers need access to your IDP to refresh its metadata unless you provide the metadata XML directly.
- After enabling SAML, ensure that the necessary users exist in your IDP to access Jama Connect®.
After you complete the configuration, let us know so we can schedule enabling Auth0 SAML on your instance.
You must confirm whether the cutover is successful and troubleshoot if needed.
A Jama Admin and an IDP Admin are REQUIRED.
Additional Resources
Explore the following articles:
Jama Gallery App for Azure AD:
- Jama Gallery App specifically for Azure Active Directory. This application facilitates seamless integration and collaboration between Jama and Azure AD, enhancing the user experience.
SCIM Provisioning for Okta/Azure AD:
- Leverage SCIM provisioning for Okta and Azure AD. This feature streamlines user provisioning and management, ensuring efficient synchronization between Okta, Azure AD, and Jama.