SSO - Auth0 SAML - How to Update the Required Claim

James Ressler

Author: James Ressler

Date: October 16, 2023

Audience: Everyone



Auth0 SAML cannot work when the User Principal Name (UPN) in the Identity Provider (IDP) is not an email address, or does not match the email used in the user's Jama account.

How to Diagnose:

Ensure that the UPN (for Azure Entra ID) or the NameID (for Okta) is set up as an email address. If you need help, follow the solution below.
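To confirm what the IDP actually sends, the added example below (not part of the original article or any Jama or Auth0 tooling) decodes a SAMLResponse captured from a test login and reports whether the NameID is in email format and matches the Jama account email. It assumes the HTTP-POST binding (plain base64) and an unencrypted assertion; the function names, sample values and case-insensitive comparison are assumptions.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_name_id(saml_response_b64, account_email):
    """List problems with the NameID in a captured SAMLResponse.

    Diagnostic only: the signature is not validated, so run this on a
    response from your own test login and never use it to authenticate.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return ["no NameID found (missing, or the assertion is encrypted)"]
    value, fmt = name_id.text.strip(), name_id.get("Format")
    problems = []
    if fmt != EMAIL_FORMAT:
        problems.append(f"NameID Format is {fmt!r}, expected emailAddress")
    # Assumption: the account email is compared case-insensitively.
    if not EMAIL_RE.match(value):
        problems.append(f"NameID {value!r} is not an email address")
    elif value.lower() != account_email.lower():
        problems.append(f"NameID {value!r} does not match {account_email!r}")
    return problems


def make_sample(name_id, fmt):
    """Build a constructed, unsigned SAMLResponse for the demo below."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
        ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        f'<saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID>'
        "</saml:Subject></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    unspecified = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    before = make_sample("jdoe@corp.local", unspecified)      # UPN sent as-is
    after = make_sample("jane.doe@example.com", EMAIL_FORMAT)  # user.mail
    for label, resp in (("before", before), ("after", after)):
        print(label, check_name_id(resp, "jane.doe@example.com") or "OK")
```
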


Change the required claim in the IDP from UPN to email.

Azure Entra ID (previously known as Azure Active Directory)

First, navigate to your Jama Connect enterprise application and select "Single sign-on" from the left sidebar. Edit "Attributes & Claims."



Next, under "Required claim," select the claim by clicking anywhere on that row.


This will bring up the "Manage claim" screen where we can edit the source attribute. Make sure that the "Name identifier format" field is set to "Email address" and that the "Source attribute" field is set to "user.mail" and then select "Save."



Okta

First, navigate to your enterprise application in Okta and select the "Sign On" tab.


Under "Credential Details," make sure the "Application username format" is set to "Custom" with the expression ""


After updating those fields, test the changes by looking up a user assigned to the app.

