Preparing for SAML Enablement on the Cloud

By Kimberly posted 03-18-2019 17:36

In order to set up SAML, your company must have a SAML 2.0 compliant Identity Provider (IdP) and a technical person, often an IT Administrator, who can provide your Identity Provider’s metadata URL. This person is a key figure to the configuration and must be identified prior to engaging Jama Software as they may need access to Jama Connect for testing purposes.

In addition to the above, there are a few caveats you should be aware of when using our SAML implementation. Please review everything below with your IT Administrator:

  • Jama supports SAML 2.0 compliant Identity Providers (IdPs).
  • We currently only support SP-initiated (Service Provider initiated) authentication.
  • We only support the HTTP POST and HTTP Artifact bindings.
  • The AuthnRequest needs to be signed. The certificate used to verify that signature is contained within the X509 certificate tags of our SP metadata. This can be found at:
  • All email addresses in production will need to be unique. If there are any duplicates, the user logging in will receive a message to contact their administrator.
  • Jama uses SHA-256 to sign its assertions.
  • Users in the IdP will have the ability to self-register, automating authentication. Self-registered users will be granted a 30-day trial license. An Organization Administrator will need to assign the appropriate license and permissions.
  • Users will not have the option to request signatures on reviews as authentication does not occur within Jama. Review completion and final approval are still recorded as normal.
  • Once you have SAML enabled, SAML will be your *only* option to log in to Jama. Make sure the users who need to access Jama exist in your IdP. If you prefer to test SAML with your IdP prior to going live on production, we can set up a trial instance for you.
  • Once you have SAML enabled, you can only invite reviewers that are part of your IdP. You cannot invite reviewers that do not have accounts within your IdP.

What user attribute does Jama match on:

  • Jama matches on the user's email address via the Name ID attribute (note the space between "Name" and "ID"). When you are setting up the connection rules for Jama, you will need to map the email attribute field in your IdP to Jama's Name ID field.

Please work with your IT Administrator or technical figure to gather the following:

  • In your IdP, map the email attribute field to Jama's Name ID field, as stated above.
  • The type of IdP you are using (e.g. Okta, Microsoft ADFS).
  • The metadata of your IdP which can either be a URL (preferred) or in XML format.
  • Whether it is a production or development instance.
  • The URL of your cloud instance that you want to enable SAML on e.g. https://customer-name.jamacloud.com
  • Whether you intend to use Jama's API. If that is the case, we need to create OAuth credentials for you to use the API.
  • Whether you intend to use the Jama Integration Hub, as this will require a service account only to be used for the JIH.
  • Whether your IdP is behind a firewall or not, if you're providing us with a metadata URL. Jama's authentication server needs to be able to access your IdP in order to perform metadata refresh, unless you provide us with the XML data.
  • In order to sync users' first name and last name you need to provide us with the respective attribute names. Most IdPs backed by Active Directory will use "givenName" for first and "sn" for last.

Next steps:

  • You will need to import our corresponding SP metadata into your IdP available from here: 
  • Our Assertion Consumer Service (ACS) URL/Recipient URL/Destination URL is:
  • Once you are done with the configuration on your side, submit a ticket to Support to arrange for a time to enable SAML on your instance with the following information:
    • Be sure to map the email attribute field in your IdP to Jama's Name ID field.
    • The type of IdP you are using (e.g. Okta, Microsoft ADFS).
    • The metadata of your IdP which can either be a URL (preferred) or in XML format.
    • The URL of your hosted instance that you want to enable SAML for and whether it is a production instance or not.
    • Whether you intend to use Jama's API. If that is the case, we need to create OAuth credentials for you to use the API.
    • Whether you intend to use the Jama Integration Hub, as this will require a service account only to be used for the JIH.
    • Whether your IdP is behind a firewall or not, if you're providing us with a metadata URL. Jama's authentication server needs to be able to access your IdP in order to perform metadata refresh, unless you provide us with the XML data.
    • In order to sync users' first name and last name you need to provide us with the respective attribute names. Most IdPs backed by Active Directory will use "givenName" for first and "sn" for last.
  • Please note, it is best to provide advance notice to ensure the right resources are available at the production cutover time. We also require a resource on your side to confirm whether the cutover has been successful.
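Before submitting the ticket, an IT Administrator can sanity-check the two inputs that most often cause trouble: the IdP metadata (does it publish an HTTP-POST or HTTP-Artifact SSO endpoint and a signing certificate?) and the user directory (are Name ID emails unique, and do givenName/sn exist for name sync?). The following is an added example, not Jama's code; the metadata document, entity ID, URLs, certificate and user records are constructed placeholders, and the case-insensitive email comparison is a conservative assumption rather than a documented Jama rule.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2 = "urn:oasis:names:tc:SAML:2.0"
SUPPORTED_BINDINGS = {SAML2 + ":bindings:HTTP-POST", SAML2 + ":bindings:HTTP-Artifact"}

# Constructed IdP metadata; entity ID, URLs and the certificate are placeholders.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.com/sso/redirect"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.example.com/sso/post"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_idp_metadata(xml_text):
    """Return problems found in IdP metadata; an empty list means it looks usable."""
    idp = ET.fromstring(xml_text).find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor: this is not IdP metadata"]
    problems = []
    # Jama only supports HTTP-POST and HTTP-Artifact; an IdP offering only HTTP-Redirect will not work.
    bindings = {s.get("Binding") for s in idp.findall("md:SingleSignOnService", NS)}
    if not bindings & SUPPORTED_BINDINGS:
        problems.append("no HTTP-POST or HTTP-Artifact SingleSignOnService endpoint")
    # The SP verifies assertion signatures against the certificate published here.
    certs = idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any(c.text and c.text.strip() for c in certs):
        problems.append("no X509Certificate published for verifying assertion signatures")
    return problems

# Constructed user export, one record per IdP account (attribute names as in the article).
USERS = [
    {"mail": "ana@example.com", "givenName": "Ana", "sn": "Lopez"},
    {"mail": "bo@example.com", "givenName": "Bo", "sn": ""},
    {"mail": "Ana@Example.com", "givenName": "Ana", "sn": "Lopez-Ruiz"},
]

def check_users(users):
    """Flag e-mails that collide as Name ID (case-insensitive: an assumption) and missing givenName/sn."""
    problems = []
    for mail, n in Counter(u["mail"].strip().lower() for u in users).items():
        if n > 1:
            problems.append(f"duplicate e-mail {mail}: login fails with 'contact your administrator'")
    for u in users:
        problems += [f"{u['mail']}: missing {a}, name will not sync" for a in ("givenName", "sn") if not u.get(a)]
    return problems
```

Run both checks against your real metadata export and user list; anything they report should be fixed in the IdP before the cutover is scheduled.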