Author: James Ressler

Date: October 16, 2023

Audience: Everyone

Problem

Auth0 SAML cannot work because the User Principle Name (UPN) in the Identity Provider (IdP) is not an email address or an email that matches the email used in the users' Jama account.

How to Diagnose

Check that the UPN (for Azure Entra ID) or the NameID (for Okta) are configured as email addresses. If not, then apply the solution below. 

Solution

Change the required claim in the IDP from UPN to email.

Azure Entra ID (previously known as Azure Active Directory)

First, navigate to your Jama Connect enterprise application and select "Single sign-on" from the left sidebar. Edit "Attributes & Claims."

Next, under "Required claim," select the claim by clicking anywhere on that row.

This will bring up the "Manage claim" screen where we can edit the source attribute. Make sure that the "Name identifier format" field is set to "Email address" and that the "Source attribute" field is set to "user.mail" then select "Save."

Okta

First, navigate to your enterprise application in Okta and select the "Sign On" tab.

Under "Credential Details," make sure the "Application username format" is set to "Custom" with the expression "user.email"

After updating those fields, test out the changes by looking up a user assigned to the app.

Related Articles, Work orders, Zendesk tickets, Defects, etc. 

• Cloud: Preparing for SAML Enablement - Auth0 Steps

• Azure Entra ID: Customize SAML token claims

• Okta: About attribute mappings