Microsoft Gallery Application - SSO for Jama Connect®

Amanda Jennewein
By Katie Huckett posted 07-13-2023

Overview

Authentication

Jama Connect® supports several authentication methods. The Microsoft Gallery Application described here uses Single Sign-On (SSO) based on the SAML 2.0 standard.

SSO for Jama Connect®

SAML SSO is an open standard for exchanging identity data between two parties: an identity provider (IdP) and a service provider (SP). In this article the IdP is Microsoft Azure AD and the service provider is Jama Connect®.

Electronic signatures are enabled by default but can be disabled by a system administrator.

To set up SAML, your company must meet these requirements:

  • Have a SAML 2.0-compliant Identity Provider (IdP).

  • Identify a technical person, often an IT administrator, who can provide the IdP's federation metadata URL. Name this person before engaging with Jama Software and, for testing purposes, give them access to Jama Connect®.

  • Cloud customers — You must contact support to schedule enablement.

Implementation Roles and Responsibilities

Jama Software
  • Provides documentation
  • Assists in the setup and SSO configuration; manages the SSO configuration on the Jama Connect® side (cloud)
  • Troubleshoots errors on the Jama Connect® side

Identity Provider
  • Provides documentation on how to set up SSO on the IdP side
  • Q&A
  • Troubleshoots errors on the IdP side

Customer
  • Acquires or develops an SSO solution that supports the SAML 2.0 standard
  • Sets up and manages the SSO configuration on the IdP side
  • Collaborates with Jama Support to manage the SSO configuration on the Jama Connect® side
  • Determines the correct owner of a problem to assist with troubleshooting

SSO Configuration Steps

Jama Connect® Configuration

Important considerations

  • Cloud customers: contact support to schedule enablement.

  • To connect multiple instances of Jama Connect to the SAML service, create unique metadata (a separate application) for each instance in the identity provider. This applies to any combination of production, sandbox, or self-hosted instances: the entity ID is the unique value that lets the service provider and identity provider locate each other and send users to the correct Jama Connect instance.

  • We recommend testing on an integration instance before using SAML on a production instance; for example, disconnect a sandbox instance from SAML before connecting a production instance.

  • Starting with Jama Connect 8.48, SAML organizations can use electronic signatures, which are enabled by default. You can disable signatures if your identity provider (IdP) can't process the re-authentication.

  • You can enable a different authentication method at any time. If you do, SAML is disabled.

  • You can control whether new SAML users are auto-provisioned, in both single-SAML and multi-mode. If your users exist in your IdP but have not yet been added to your Jama user table, this option controls whether they can be auto-provisioned in Jama Connect.

    • When this option is selected, and properties are saved, your SAML users (SAML and multi-mode) can’t sign in to Jama Connect until you add them to the Jama user table. A message tells them to finish the authentication process with their administrator.

    • This option is selected by default after you upgrade to 8.62.

To configure SAML authentication

  1. Contact support to schedule enablement. Support will assist you in the process by providing instructions along with the following information:

    • Identifier (Entity ID)
    • Reply URL (Assertion Consumer Service URL)

  2. Sign in to Microsoft Azure and, from the home page, select Azure Active Directory.

  3. In the left navigation panel, select Enterprise applications.

  4. Select New application in the section navigation.

  5. In the Search bar, type 'Jama Connect' to locate the SSO for Jama Connect® gallery application, and select it.

  6. A right-side panel opens. You may change the Name of the application at this time (optional). Select Create.

  7. After the application is created, the Overview page opens. Select Set up single sign on in the center of the page.

  8. On the Select a single sign-on method page, choose SAML.

  9. With the Set up Single Sign-On with SAML window open, select the Edit (pencil) icon for the Basic SAML Configuration section.

  10. A right-side panel opens. Paste the Identifier (Entity ID) over the existing default pattern, then select Add reply URL and paste in the Reply URL (Assertion Consumer Service URL) that Jama Support supplied in Step 1. Make sure the values you paste match the example pattern provided. Select Save in the top-left, then close the side panel.

  11. In the Attributes & Claims section, default mappings are already provided.

    • Important: the Unique User Identifier is mapped to user.userprincipalname by default. If your organization's UPN is not the user's email address, edit this section and change the attribute to user.mail so that the identifier is an email address (Jama Connect matches users by email).

    • Optional: the givenname and surname attributes map First and Last names. They are not required for SSO to work and may be removed.

    Save your changes if you made any.

  12. In the SAML Certificates section, copy the App Federation Metadata Url and save it to send to Jama Support in the next step.

  13. Return to the Jama Support ticket created in Step 1 and provide the App Federation Metadata Url copied in Step 12. Jama Connect® Support will arrange a time to enable Auth0 SAML on your instance. Someone on your side must confirm whether the cutover has been successful and help troubleshoot if needed (a Jama Admin and an IdP Admin are REQUIRED).

  14. Optional: to retain Electronic Signature functionality while avoiding a forced re-authentication on every login to Jama Connect®, two applications must be created in your IdP. Repeat Steps 5-13, changing the application Name so that it is clearly identified as the e-signature application (for example, SSO for Jama Connect - E-Sig). For the Entity ID and ACS URL, paste in the values provided by Support with "esig" appended at the end.
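The same configuration as a script, added here as an example that is not code from the article, Jama Software or Microsoft: steps 5 to 12 (plus the optional second e-signature application from step 14) done with the Microsoft Graph PowerShell SDK instead of the portal. It assumes the gallery template can be found by the display name 'SSO for Jama Connect' (adjust the filter if the gallery lists it differently), that the Entity ID and Reply URL you pass in are the values Jama Support supplied in step 1, and that the URLs in the usage lines are placeholders rather than real Jama endpoints. The claim change from step 11 is still made in the portal.

```powershell
# Added example, not code from the article, Jama Software or Microsoft. Requires the
# Microsoft Graph PowerShell SDK: Install-Module Microsoft.Graph -Scope CurrentUser
# Assumptions: template display name, and placeholder Entity ID / Reply URL values below.

Connect-MgGraph -Scopes 'Application.ReadWrite.All'

function New-JamaSamlApplication {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,  # step 6: name shown under Enterprise applications
        [Parameter(Mandatory)] [string] $EntityId,     # step 10: Identifier (Entity ID) from Jama Support
        [Parameter(Mandatory)] [string] $ReplyUrl      # step 10: Reply URL (ACS URL) from Jama Support
    )

    # Step 5: locate the gallery template by display name (assumed name; adjust if needed).
    $template = Get-MgApplicationTemplate -Filter "displayName eq 'SSO for Jama Connect'" |
        Select-Object -First 1
    if (-not $template) { throw "Gallery template 'SSO for Jama Connect' not found" }

    # Step 6: instantiating the template creates the application object and its service principal.
    $inst  = Invoke-MgInstantiateApplicationTemplate -ApplicationTemplateId $template.Id `
        -BodyParameter @{ displayName = $DisplayName }
    $appId = $inst.Application.Id         # directory object id of the application
    $spId  = $inst.ServicePrincipal.Id    # directory object id of the enterprise application
    Start-Sleep -Seconds 10               # the new objects take a moment to become writable

    # Step 8: choose SAML as the single sign-on method.
    Update-MgServicePrincipal -ServicePrincipalId $spId -PreferredSingleSignOnMode 'saml'

    # Steps 9-10: Basic SAML Configuration. identifierUris is the Identifier (Entity ID) and
    # web.redirectUris the Reply URL. Both arrays replace the template defaults, which is what
    # pasting over the default pattern in the portal does. Entity IDs must be unique per Jama
    # instance; Azure AD also refuses an identifierUri already used by another app in the tenant.
    Update-MgApplication -ApplicationId $appId -BodyParameter @{
        identifierUris = @($EntityId)
        web            = @{ redirectUris = @($ReplyUrl) }
    }

    # A token-signing certificate, so the metadata from step 12 carries a key the service
    # provider can verify assertions against (the portal creates one for you).
    $cert = Add-MgServicePrincipalTokenSigningCertificate -ServicePrincipalId $spId -BodyParameter @{
        displayName = "CN=$DisplayName"
        endDateTime = (Get-Date).AddYears(1).ToUniversalTime()
    }

    # Step 12: the App Federation Metadata Url shown in the portal has this fixed form.
    $tenantId    = (Get-MgContext).TenantId
    $metadataUrl = "https://login.microsoftonline.com/$tenantId/federationmetadata/2007-06/" +
                   "federationmetadata.xml?appid=$($inst.Application.AppId)"

    [pscustomobject]@{
        DisplayName        = $DisplayName
        ServicePrincipalId = $spId
        EntityId           = $EntityId
        ReplyUrl           = $ReplyUrl
        SigningThumbprint  = $cert.Thumbprint
        MetadataUrl        = $metadataUrl   # send this to Jama Support (step 13)
    }
}

# Check before sending the URL: Auth0 fetches the metadata anonymously, so it must be
# reachable without a session and must advertise a signing key and an SSO endpoint.
function Test-FederationMetadata {
    param([Parameter(Mandatory)] [string] $MetadataUrl)
    [xml] $md = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
    $keys = $md.SelectNodes("//*[local-name()='IDPSSODescriptor']/*[local-name()='KeyDescriptor' and @use='signing']")
    $sso  = $md.SelectSingleNode("//*[local-name()='IDPSSODescriptor']/*[local-name()='SingleSignOnService']")
    $ssoLocation = if ($sso) { $sso.GetAttribute('Location') } else { $null }
    [pscustomobject]@{
        Issuer          = $md.DocumentElement.GetAttribute('entityID')  # Azure AD issuer, not the Jama entity ID
        SigningKeyCount = $keys.Count
        SsoLocation     = $ssoLocation
        Ok              = ($keys.Count -ge 1) -and ($null -ne $sso)
    }
}

# Usage (placeholder values): the main application, then the e-signature application from
# step 14 whose Entity ID and ACS URL are the Support-supplied values with "esig" appended.
$main = New-JamaSamlApplication -DisplayName 'SSO for Jama Connect' `
    -EntityId 'urn:example:jama-placeholder' -ReplyUrl 'https://jama.example.invalid/saml/acs'
$esig = New-JamaSamlApplication -DisplayName 'SSO for Jama Connect - E-Sig' `
    -EntityId 'urn:example:jama-placeholderesig' -ReplyUrl 'https://jama.example.invalid/saml/acsesig'
$main, $esig | Format-List
Test-FederationMetadata -MetadataUrl $main.MetadataUrl
```

Run Test-FederationMetadata before opening the support ticket: if it reports no signing key or no SSO location, the Jama side cannot validate your assertions and the cutover in step 13 will fail. The Issuer it prints is Azure AD's own entity ID, which is distinct from the Jama Entity ID you configured.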

Testing your SSO configuration

Create a test user in Azure AD

  1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.

  2. Select New user at the top of the screen.

  3. In the User properties, follow these steps:

    • In the Name field, enter B.Simon.

    • In the User name field, enter the username@companydomain.extension. For example, B.Simon@example.com.

    • Select the Show password check box, and then write down the value that's displayed in the Password box.

    • Click Create.

Assign the Azure AD test user to your Jama Connect® application

  1. In the Azure portal, select Enterprise Applications, and then select All applications.

  2. In the applications list, select SSO for Jama Connect®.

  3. In the app's overview page, find the Manage section and select Users and groups.

  4. Select Add user, then select Users and groups in the Add Assignment dialog.

  5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the bottom of the screen.

  6. If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you see "Default Access" role selected.

  7. In the Add Assignment dialog, click the Assign button.
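The test-user steps above as a Microsoft Graph PowerShell function, added here as an example (not code from the article, Jama Software or Microsoft). It assumes the enterprise application is looked up by the name chosen in step 6, and that the UPN and display name passed in are placeholders.

```powershell
# Added example, not from the article or from Jama/Microsoft: create the Azure AD test user
# and assign it to the enterprise application. Requires: Install-Module Microsoft.Graph
# Assumptions: application display name, and the placeholder user values in the usage line.

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'

function Add-JamaTestUser {
    param(
        [Parameter(Mandatory)] [string] $AppDisplayName,     # e.g. 'SSO for Jama Connect'
        [Parameter(Mandatory)] [string] $UserPrincipalName,  # e.g. B.Simon@example.com
        [Parameter(Mandatory)] [string] $DisplayName         # e.g. B.Simon
    )
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'" | Select-Object -First 1
    if (-not $sp) { throw "Enterprise application '$AppDisplayName' not found" }

    # Reuse the user if it already exists; otherwise create it with a random initial password
    # (32 base64 characters from 24 CSPRNG bytes) that must be changed at first sign-in.
    $user = Get-MgUser -Filter "userPrincipalName eq '$UserPrincipalName'" | Select-Object -First 1
    $initialPassword = $null
    if (-not $user) {
        $bytes = [byte[]]::new(24)
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $initialPassword = [Convert]::ToBase64String($bytes)
        $nick = $UserPrincipalName.Split('@')[0]
        $user = New-MgUser -DisplayName $DisplayName -UserPrincipalName $UserPrincipalName `
            -MailNickname $nick -AccountEnabled `
            -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }
    }
    # If step 11 mapped the Unique User Identifier to user.mail, an empty Mail attribute
    # (typical for a fresh cloud-only user without a mailbox) yields an empty NameID.
    if (-not $user.Mail) { Write-Warning "$UserPrincipalName has no Mail attribute; a NameID mapped to user.mail will be empty" }

    # Assignment: use the app's first enabled app role, or the all-zero id, which is what the
    # portal shows as "Default Access" when the app defines no roles.
    $role   = $sp.AppRoles | Where-Object IsEnabled | Select-Object -First 1
    $roleId = if ($role) { $role.Id } else { '00000000-0000-0000-0000-000000000000' }
    $existing = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
        Where-Object PrincipalId -eq $user.Id
    if (-not $existing) {
        $existing = New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
            -PrincipalId $user.Id -ResourceId $sp.Id -AppRoleId $roleId
    }
    [pscustomobject]@{
        User            = $user.UserPrincipalName
        Application     = $sp.DisplayName
        AppRoleId       = $existing.AppRoleId
        InitialPassword = $initialPassword   # $null when the user already existed
    }
}

Add-JamaTestUser -AppDisplayName 'SSO for Jama Connect' -UserPrincipalName 'B.Simon@example.com' -DisplayName 'B.Simon'
```

The Mail warning is the check worth keeping: a freshly created cloud-only user has a UPN but usually no Mail attribute, so if you switched the Unique User Identifier to user.mail in step 11, the test user's assertion would carry an empty NameID and Jama would have nothing to match.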

Test user in Jama Connect

Whether your test user must already exist in Jama Connect depends on the auto-provision control described under Important considerations. When that option is selected and the properties are saved, SAML users (SAML and multi-mode) can't sign in to Jama Connect until they are added to the Jama user table; they see a message telling them to finish the authentication process with their administrator.

If this setting is enabled, add your test user to the Jama Connect user table first:

  1. Sign in to Jama Connect with a user that has Organization Administrator permissions

  2. Select Admin in the main navigation

  3. Go to the Users section in the left navigation

  4. Select Add user in the top right corner

  5. Fill in the Username, First name, Last name, Email address (must match the address your IdP sends in the NameID), and License type

    1. (optional) You may add the user to any Groups at this time

  6. Save the user

If this setting is disabled and the user does not already exist in the Jama Connect user table, a new user is created after authentication. That user receives a Trial license that expires after 30 days; update them to the appropriate license type in the Jama Connect Admin User table before it expires.

Test the SSO connection

In this section, you test your Azure AD single sign-on configuration with the following options.

  • Select Test this application in the Azure portal. This redirects to the Jama Connect Sign-on URL, where you can initiate the login flow.

  • Go to the Jama Connect Sign-on URL directly and initiate the login flow from there.

Troubleshooting tips

  • All email addresses in production must be unique.

    • If there are duplicates, the user logging in receives a message to contact their administrator.

  • Once SAML is enabled, you can only invite reviewers who exist in your IdP; reviewers without an IdP account cannot be invited.

  • Jama matches users on their email address, which it reads from the NameID of the SAML assertion. When setting up the connection rules for Jama, map the NameID attribute in your IdP to the user's email address so that it matches Jama Connect's email field.

  • If your IdP is behind a firewall and you provide a metadata URL, Auth0's servers must be able to reach your IdP to refresh the metadata; otherwise, provide the metadata XML itself.
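To make the NameID rule and the auto-provision behaviour concrete, here is an added illustrative model (not Jama Connect's code) of how an assertion's NameID is matched against the user table, and which of the cases above each input falls into. It serves both the Attributes & Claims step (Unique User Identifier) in the configuration steps and the auto-provision discussion under "Test user in Jama Connect". The assertion is constructed, unsigned and minimal; the function names, user-table shape and outcome labels are this example's own, and only the rules themselves (match on email via NameID, unique emails, the auto-provision switch, the 30-day Trial license) come from the article.

```powershell
# Added illustrative model, not Jama Connect's code. The SAML response, the user table and
# all function names are constructed for this example.

$assertionXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">b.simon@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>B.</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Simon</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@

function Get-SamlIdentity {
    # Pull NameID plus the two optional name claims out of an assertion.
    param([Parameter(Mandatory)] [string] $Xml)
    $doc = [xml] $Xml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $nameId = $doc.SelectSingleNode('//saml:Subject/saml:NameID', $ns)
    if (-not $nameId) { throw 'Assertion carries no NameID; map the Unique User Identifier claim in the IdP' }
    $claim = { param($name)
        $node = $doc.SelectSingleNode("//saml:Attribute[@Name='$name']/saml:AttributeValue", $ns)
        if ($node) { $node.InnerText.Trim() } else { $null }
    }
    [pscustomobject]@{
        NameId    = $nameId.InnerText.Trim()
        Format    = $nameId.GetAttribute('Format')
        FirstName = & $claim 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'
        LastName  = & $claim 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'
    }
}

function Resolve-JamaUser {
    param(
        [Parameter(Mandatory)] $Identity,             # output of Get-SamlIdentity
        [Parameter(Mandatory)] [object[]] $UserTable, # rows with Username, Email, License
        [switch] $AutoProvisionDisabled               # the "control auto-provision" option
    )
    $email = $Identity.NameId
    # Matching is by email address, so a NameID that is not one can never match anything.
    if ($email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        return [pscustomobject]@{ Outcome = 'rejected'; Reason = "NameID '$email' is not an email address (see the Unique User Identifier mapping)" }
    }
    # -eq is case-insensitive for strings in PowerShell, which is how addresses are normally compared.
    $hits = @($UserTable | Where-Object { $_.Email -eq $email })
    switch ($hits.Count) {
        1 { return [pscustomobject]@{ Outcome = 'signed-in'; User = $hits[0].Username; License = $hits[0].License } }
        0 {
            if ($AutoProvisionDisabled) {
                return [pscustomobject]@{ Outcome = 'blocked'; Reason = 'not in the Jama user table; finish setup with your administrator' }
            }
            # Auto-provision: a new record that starts on a 30-day Trial license.
            return [pscustomobject]@{ Outcome = 'provisioned'; User = $email; FirstName = $Identity.FirstName; LastName = $Identity.LastName; License = 'Trial (30 days)' }
        }
        default { return [pscustomobject]@{ Outcome = 'rejected'; Reason = "$($hits.Count) users share $email; emails must be unique (contact your administrator)" } }
    }
}

# Constructed stand-in for the Jama user table; the two B.Simon rows are a deliberate duplicate.
$userTable = @(
    [pscustomobject]@{ Username = 'bsimon';  Email = 'B.Simon@example.com'; License = 'Creator' }
    [pscustomobject]@{ Username = 'bsimon2'; Email = 'b.simon@example.com'; License = 'Stakeholder' }
    [pscustomobject]@{ Username = 'jdoe';    Email = 'j.doe@example.com';   License = 'Creator' }
)
$identity = Get-SamlIdentity -Xml $assertionXml
Resolve-JamaUser -Identity $identity -UserTable $userTable                                          # rejected: duplicate email
Resolve-JamaUser -Identity $identity -UserTable @($userTable | Where-Object Username -ne 'bsimon2')  # signed-in as bsimon
# NameID left on user.userprincipalname when the UPN is not the email: no row matches, so the user is
# either blocked or, worse, silently provisioned as a second Trial account instead of signing in as bsimon.
$upn = [pscustomobject]@{ NameId = 'b.simon@contoso.onmicrosoft.com'; Format = ''; FirstName = 'B.'; LastName = 'Simon' }
Resolve-JamaUser -Identity $upn -UserTable $userTable -AutoProvisionDisabled                        # blocked
Resolve-JamaUser -Identity $upn -UserTable $userTable                                               # provisioned (Trial)
```

The last two calls are the case to watch for during testing: when the IdP sends a UPN that differs from the user's email and auto-provisioning is on, the symptom is not an error but a duplicate account on a Trial license, which is why the article recommends mapping the Unique User Identifier to user.mail and keeping production emails unique.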

Additional Resources

Microsoft Gallery Marketplace - SSO for Jama Connect®

Microsoft Tutorial Instructions
