FAQ for using SAML with Jama Connect

By Jason Short posted 08-06-2015 16:08


Is the SAML integration built-in to Jama Connect like LDAP?

No, Jama’s SAML service is cloud based and acts as an intermediary between Jama Connect and your identity provider IdP. Your server must have internet access. This is available now for Jama Cloud and for self-hosted (on-premises) Jama Connect 8.31.

Will this affect my integrations?

Yes, REST API access will require OAuth which is currently unavailable on-premises. For those Jama cloud customers that have access to OAuththe changes to your integrations are small. http://dev.jamasoftware.com/rest#auth

If you are on-premises and using Jama's REST API already or plan to in the future, please mention that in the ticket. We will help explore options that may allow you to use REST. Without OAuth your ability to integrate will be limited.

What happens to users that are authenticated with SAML but not in Jama Connect?

Users will have the ability to self-register, automating authentication. Self-registered users will be granted a 30-day trial license. An Organization Admin will need to assign the appropriate license and permissions.

Can I use Connect electronic signatures for reviews and baselines?

No, Users will not have the option to request signatures on reviews as authentication does not occur within Jama. Review completion and final approval are still recorded as normal.

Can I invite or manage users outside of my organization?

Depends, Once you have SAML enabled, you can only invite reviewers that are managed within your identity provider. You cannot invite reviewers that do not have accounts within your IdP.

What is the attribute that Jama matches?

Jama matches on the users' email address. By default, Jama syncs only users' email, however, it can be configured to sync users' first and last name also.

What IdPs does Jama explicitly support?

We have tested and validated our offering with Ping, Okta, and, ADFS. It is possible to get set up with others, but will require some discovery, and possibly a fee.

Does Jama support the single logout profile?

No, It is something we would like to have, but there is currently no timeline for it.

Does Jama support IdP initiated authentication?

No, This isn't a very common use case, and we don't have any current plans to support it.

What bindings does Jama support?

Artifact and POST.

Does Jama support metadata exchange?


Can multiple Jama Connect instances share SAML metadata?

NO. A customer that wishes to connect multiple Jama instances to the SAML service will need to create unique metadata or applications via their identity provider for each instance. This is true for any combination of production, sandboxes or on-premises instances. The entity ID is a unique value contained in the metadata that the services uses to determine where to redirect the user instance.

It is common to test and integration ahead of using with a production instance. In this scenario the sandbox instance needs to be disabled ahead of connecting with the production Jama instance.

What data is shared with the Jama SAML service?

Only the data required to match an authenticated user (email) and the mapped named fields.

We are OK with the constraints, how do we get started?

Create a support ticket. In order to set up Single Sign-On (SSO) for your Jamacloud instance, your company must have a SAML 2.0 compliant Identity Provider (IdP). Jama does not have a recommendation for any particular provider. Additionally, there must be a designated technical contact, often an IT administrator, who can provide the URL to your Identity Provider's metadata file (preferred) or the metadata XML file itself. This person is a key figure to the configuration and must be identified prior to engaging Jama Software.

For more information about authentication options in Jama see this article: Authentication Option For On-Premises And Cloud Users (LDAP, AD, Crowd, SSO, SAML)