
Federated Identities

Jakamo supports two types of federated identities: SAML 2.0 and OpenID Connect. This allows you to use your existing identity provider to authenticate your users in Jakamo. OIDC is the preferred method for new integrations, but SAML 2.0 is still supported in cases where OIDC is not possible.

There is special support for Microsoft Azure AD / Entra ID, which is the most common identity provider among Jakamo customers. If you do not use Azure AD / Entra ID, you can still use your own identity provider, but the configuration involves more manual work. Please contact Jakamo support if you use an OIDC provider other than Azure AD / Entra ID.

Microsoft Azure AD / Entra ID

To integrate your Azure AD / Entra ID with Jakamo using OpenID Connect (OIDC), you need to create an enterprise application in your Azure AD / Entra ID tenant. This application will facilitate the secure authentication of users via OIDC. Please note that Jakamo does not support direct integration with Azure AD / Entra ID using SAML 2.0, and SAML 2.0 is being phased out completely in favor of OIDC.

Introduction

When integrating with Jakamo using OIDC, it is essential to create an enterprise application in your Azure AD / Entra ID tenant. This enterprise application will manage authentication and user access securely. When you create the enterprise application, Azure AD automatically generates an associated application registration, which defines how the application integrates with Azure AD's identity services.

Key concepts

Enterprise Application:

  • An enterprise application in Azure AD is an instance of an application that your organization uses. When you create an enterprise application, it manages user access and permissions within your directory. This application instance enables you to assign users and groups to the application. The enterprise application is crucial for defining and managing how users interact with the application within your organizational directory.

Application Registration

  • When you create an enterprise application, an application registration is automatically generated. This registration represents the application's identity configuration within Azure AD. It includes crucial settings such as authentication methods, redirect URIs, and required API permissions. Additionally, roles are created within the application registration and then assigned to users and groups via the enterprise application. The application registration defines how your application integrates with Azure AD's identity services, ensuring it uses OIDC for secure authentication.

By creating the enterprise application first, you simplify the process as Azure AD handles the creation of the application registration. This ensures both components are properly linked and configured for OIDC.

Steps to configure OIDC with Jakamo

Automated setup

You can use the JakamoSSOAuthApplication.ps1 script to create the application registration and patch the application manifest. You can download it here: JakamoSSOAuthApplication.ps1. If you use the script, once the application has been created, navigate to Entra ID, select Enterprise applications from the left menu, and select the application you just created. Then select Users and groups from the left menu and click + Add user to select the users who should be able to log in to Jakamo.

Manual setup

  1. Log in to the Azure portal
  2. From the left menu, select Entra ID
  3. From the left menu, select Enterprise applications
  4. Click + New application
  5. Select Create your own application
  6. Enter a name for the application, select Integrate any other application you don't find in the gallery (Non-gallery) and click Create
  7. Navigate back to Entra ID
  8. From the left menu, select App Registrations
  9. Select the application you just created
  10. Select Authentication
  11. Click Add a platform
  12. Select Single-Page Application
  13. For Redirect URI, enter https://demo.thejakamo.com/login/oidc_callback (for demo) or https://www.thejakamo.com/login/oidc_callback (for production) and click Configure
  14. In the Implicit grant section, select ID tokens
  15. Make sure Accounts in this organizational directory only is selected
  16. Click Save
  17. Navigate to API permissions in the left side menu
  18. Click Add a permission
  19. Select Microsoft Graph
  20. Select Delegated permissions
  21. Select the following permissions:
    • email
    • offline_access
    • openid
    • profile
  22. Click Add permissions
  23. Optionally click Grant admin consent for <your tenant name>
  24. If you want to support assigning Jakamo roles from your Entra ID, navigate to App roles in the left side menu
  25. Click Create app role
  26. Enter the following values:
    • Display name: MEMBER
    • Allowed member types: Users/Groups
    • Value: MEMBER
    • Description: Jakamo Member role
  27. Click Apply
  28. Repeat for the COMPANY_ADMIN role with the following values:
    • Display name: COMPANY_ADMIN
    • Allowed member types: Users/Groups
    • Value: COMPANY_ADMIN
    • Description: Jakamo Company Admin role
  29. Click Apply
  30. Repeat for any custom roles you may have. Note that these roles must exist in Jakamo and the Value must match the name of the role in Jakamo.
  31. By default, Entra ID does not include the user's email address, given name or family name in the ID token, but Jakamo requires all three. To fix this, navigate to Token configuration in the left side menu, click + Add optional claim, select ID, select email, given_name and family_name, and click Add
  32. Navigate back to Overview and note down the Application (client) ID and Directory (tenant) ID values and send them to Jakamo support
  33. Click Endpoints and note down the OpenID Connect metadata document. This is your Metadata URL. Note that Jakamo uses OIDC, not SAML, so make sure you use the OIDC metadata document.
  34. Navigate back to Entra ID, and select Enterprise applications from the left menu
  35. Select the application you just created
  36. Select Users and groups from the left menu
  37. Click + Add user
  38. Select the users you want to be able to log in to Jakamo
  39. Please provide the Client ID, Tenant ID and the Metadata URL to Jakamo support
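The following PowerShell script is an added example, not Jakamo's JakamoSSOAuthApplication.ps1 or any other code from Jakamo, that performs the manual steps above with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications module): it creates the application registration with the single-page-application redirect URI, ID-token issuance, the four delegated Microsoft Graph scopes, the MEMBER and COMPANY_ADMIN app roles and the email/given_name/family_name optional claims, then creates the enterprise application (service principal) to which you assign users. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the Application.ReadWrite.All scope, and that the display name "Jakamo SSO" is a placeholder you will change; assigning users and groups is left to the portal (steps 34 to 38), as the page describes.

```powershell
# Added example (not Jakamo's own script). Requires the Microsoft.Graph PowerShell SDK
# and an account that can be granted Application.ReadWrite.All.
param(
    [string]$DisplayName = "Jakamo SSO",      # placeholder name, change to your own
    [ValidateSet("demo", "production")]
    [string]$Environment = "demo"
)

Connect-MgGraph -Scopes "Application.ReadWrite.All" -NoWelcome

# Redirect URI from step 13; pick the demo or production callback.
$redirectUri = if ($Environment -eq "production") {
    "https://www.thejakamo.com/login/oidc_callback"
} else {
    "https://demo.thejakamo.com/login/oidc_callback"
}

# Steps 18-22: resolve the delegated Microsoft Graph scopes from the Graph service
# principal (well-known appId 00000003-0000-0000-c000-000000000000) instead of
# hard-coding permission IDs.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$scopeNames = @("email", "offline_access", "openid", "profile")
$resourceAccess = $graphSp.Oauth2PermissionScopes |
    Where-Object { $scopeNames -contains $_.Value } |
    ForEach-Object { @{ Id = $_.Id; Type = "Scope" } }

# Steps 24-30: app roles. Value must match the role name in Jakamo exactly;
# AllowedMemberTypes "User" is what the portal shows as Users/Groups.
$appRoles = @(
    @{
        DisplayName        = "MEMBER"
        Value              = "MEMBER"
        Description        = "Jakamo Member role"
        AllowedMemberTypes = @("User")
        Id                 = [guid]::NewGuid().ToString()
        IsEnabled          = $true
    },
    @{
        DisplayName        = "COMPANY_ADMIN"
        Value              = "COMPANY_ADMIN"
        Description        = "Jakamo Company Admin role"
        AllowedMemberTypes = @("User")
        Id                 = [guid]::NewGuid().ToString()
        IsEnabled          = $true
    }
)

# Step 31: optional ID-token claims that Jakamo requires.
$optionalClaims = @{
    IdToken = @(
        @{ Name = "email" },
        @{ Name = "given_name" },
        @{ Name = "family_name" }
    )
}

# Steps 10-16: SPA platform, ID tokens via implicit grant, single-tenant audience.
$app = New-MgApplication -DisplayName $DisplayName `
    -SignInAudience "AzureADMyOrg" `
    -Spa @{ RedirectUris = @($redirectUri) } `
    -Web @{ ImplicitGrantSettings = @{ EnableIdTokenIssuance = $true } } `
    -RequiredResourceAccess @(@{ ResourceAppId = $graphSp.AppId; ResourceAccess = $resourceAccess }) `
    -AppRoles $appRoles `
    -OptionalClaims $optionalClaims

# Steps 34-35: the enterprise application is the service principal; users and
# groups are assigned to it in the portal afterwards.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Steps 32-33 and 39: the values to send to Jakamo support. The metadata URL is the
# v2.0 OpenID Connect discovery document for your tenant.
$tenantId = (Get-MgContext).TenantId
[pscustomobject]@{
    ClientId             = $app.AppId
    TenantId             = $tenantId
    EnterprisePrincipal  = $sp.Id
    MetadataUrl          = "https://login.microsoftonline.com/$tenantId/v2.0/.well-known/openid-configuration"
}
```

Run it once per environment (`-Environment demo` or `-Environment production`), then complete steps 36 to 38 in the portal to assign users and groups, and assign the MEMBER or COMPANY_ADMIN app role to each of them. Resolving the scope IDs from the Graph service principal rather than pasting GUIDs keeps the script correct across tenants, and restricting SignInAudience to AzureADMyOrg matches step 15 so that only accounts in your own directory can sign in.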

Jakamo user roles

Find detailed descriptions for company admin and member roles in Jakamo from Company users instructions.

Other Identity Providers

🚧 Under construction 🚧