Author: James Ressler
Date: April 8, 2024
Audience: Everyone
Issue
Azure Entra ID requires a Secret Token (or Long-lived Bearer Token) in order to utilize System for Cross-domain Identity Management (SCIM) provisioning with Jama Connect. This token is set to expire every six (6) months and needs to be manually updated by an Azure Administrator to ensure the continued functionality of SCIM provisioning.
If the token is not updated before expiration, provisioning will fail. If SCIM provisioning suddenly stops working, the first and most likely solution to try is to regenerate the Long-lived Bearer Token.
Solution
The process to generate a new Long-lived Bearer Token is the same as the steps outlined in Jama Connect® SCIM configuration with Okta and Microsoft Azure AD during the initial setup of SCIM provisioning. A tailored version of the instructions is laid out below.
Retrieving a new Long-lived Bearer Token
Make the following request to retrieve a new Long-lived Bearer Token, authenticating as a Jama Organization Admin per your organization's authentication model (see API - Authentication - Generating an OAuth Bearer Token for Making API Calls if SSO is enabled on your instance).
GET /rest/token?revokeExistingToken=true
If you receive a status code 400 and the following response:
{
  "meta": {
    "status": "Bad Request",
    "timestamp": "2024-04-08T17:29:02.737+0000",
    "message": "Error retrieving API key, signing keys do not exist."
  }
}
Then this indicates that your API key pair was never generated. You can generate your API key pair by making the following request.
POST /rest/token/apiKeygen
And finally, you can retrieve your Long-lived Bearer Token with the request:
GET /rest/token
If, while generating your API key pair, you receive a status code 400 and the following response:
{
  "meta": {
    "status": "Bad Request",
    "timestamp": "2024-04-08T17:29:02.737+0000",
    "message": "Expired signing key"
  }
}
This indicates your existing API key pair is expired. You can confirm expiration with the following request:
GET /rest/token/signingKeyExpiration
If the date is in the past, you will need to delete the existing key pair.
DELETE /rest/token/deleteKey
After removing the expired key pair, the API key pair can be generated in the usual way.
POST /rest/token/apiKeygen
And finally, you can retrieve your Long-lived Bearer Token with the request:
GET /rest/token
One last note: if you receive a status code 409 and the following response:
{
  "meta": {
    "status": "Conflict",
    "timestamp": "2024-04-08T17:29:02.737+0000",
    "message": "User already has token defined, must explicitly revoke existing token."
  }
}
Then you must make the token request with the additional parameter:
GET /rest/token?revokeExistingToken=true
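The recovery path described above, written as one Python function that picks the next request from the status code and message of the previous response. This is an added example, not Jama's code: `send` is a hypothetical transport that performs the authenticated request, `FakeJama` is a constructed stand-in server, and because this article does not show the shape of a successful token response, the body is returned as-is.

```python
# Added example. send(method, path) is a hypothetical transport that makes the
# authenticated request and returns (status_code, parsed_json_body).
TOKEN = "/rest/token"
REVOKE = "/rest/token?revokeExistingToken=true"
KEYGEN = "/rest/token/apiKeygen"
DELETE_KEY = "/rest/token/deleteKey"

def _message(body):
    return (body or {}).get("meta", {}).get("message", "")

def ensure_key_pair(send):
    """POST apiKeygen; if the existing pair is expired, delete it and retry."""
    status, body = send("POST", KEYGEN)
    if status == 400 and "Expired signing key" in _message(body):
        # Optional signingKeyExpiration check skipped: its format is not shown here.
        send("DELETE", DELETE_KEY)
        status, body = send("POST", KEYGEN)
    if status >= 400:
        raise RuntimeError(f"apiKeygen failed: {status} {_message(body)}")

def rotate_token(send):
    """Return the body of the successful token response. Treat it as a secret."""
    status, body = send("GET", REVOKE)
    if status == 400 and "signing keys do not exist" in _message(body):
        ensure_key_pair(send)
        status, body = send("GET", TOKEN)
    if status == 409:  # token already defined: it must be revoked explicitly
        status, body = send("GET", REVOKE)
    if status >= 400:
        raise RuntimeError(f"token request failed: {status} {_message(body)}")
    return body

class FakeJama:
    """Constructed stand-in server that starts with an expired key pair on file."""
    def __init__(self):
        self.key, self.calls = "expired", []
    def __call__(self, method, path):
        self.calls.append(f"{method} {path}")
        err = lambda code, msg: (code, {"meta": {"message": msg}})
        if path == DELETE_KEY:
            self.key = None
            return 200, {}
        if path == KEYGEN:
            if self.key == "expired":
                return err(400, "Expired signing key")
            self.key = "valid"
            return 200, {}
        if self.key != "valid":
            return err(400, "Error retrieving API key, signing keys do not exist.")
        return 200, {"constructed": "token-body"}
```

Calling `rotate_token(FakeJama())` walks the full expired-key path; keep the returned body out of logs and shell history, since it holds the value that goes into the Secret Token field.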
Updating Your Secret Token in Azure Entra ID
After generating the new Long-lived Bearer Token, you will need to add it to your Azure Entra ID Enterprise App for Jama Connect under the "provisioning" blade, as shown in the screenshots below.
Related Articles
- Jama Connect® SCIM configuration with Okta and Microsoft Azure AD
- API - Authentication - Generating an OAuth Bearer Token for Making API Calls