SSO: SAML and OIDC Setup Guide

Overview

Once SAML is configured, users entering their company email addresses (let's use the example @apple.com ) are automatically redirected to your IdP for authentication. Password options disappear entirely.

After SAML Is Live: What You'll See

User Login Experience

Before SAML:

User sees multiple login options

User might try to enter password

After SAML:

User enters email: user@apple.com

System automatically redirects to your IdP (Google Workspace, Microsoft Entra, etc.) based on the email domain connected to your organization

User logs in through your corporate SSO

User lands in Jam—completely seamless

User has the Jam Trainer App visible in their Apps Example in Google Workspace:

Access Control

✅ No more manual user invites (IdP controls access)

✅ Roles sync from your IdP (if enabled)

✅ Offboard users by removing from IdP—access revoked immediately

✅ Centralized control—users managed in one place

IT Benefits

✅ Single sign-on reduces password resets

✅ No separate Jam credentials to manage

✅ Audit trail in your IdP (login activity tracked)

✅ (Optional) SCIM: automatic user provisioning/deprovisioning

⚠️ Attention

💡

If a user belongs to an org with Enterprise SSO enabled, they will no longer be able to log in with other login methods. This means you will need a secondary address for a separate Recruiting Org.

Migration from User + Password or Social Login to Enterprise SSO

Q: If Enterprise SSO turned on, what happens to the existing user accounts?

A: Existing user accounts will default to Enterprise SSO Login after the first login, the mapping happens automatically if a matching email is found. The transition is seamless and no migration is necessary.

Guide For Enterprise IT Departments

Setup Process

You will receive: A one-time setup link from Jam

Duration: 10-15 minutes

Outcome: Users with @apple.com emails are automatically redirected to SSO

Generic SAML Setup Flow

Prerequisite: You need to have the owner Role in the Jam Application.

Go to your org Settings to check if SAML status is active/inactive

Request Enablement of SAML from support@wejam.ai

We will then provision a unique Link with a Setup Wizard and send it to you.

Click the provided Jam setup link (5-step wizard)

It looks similar to this: https://auth.wejam.ai/setup_saml/165984a5c53f9b119c47f74a6953455613e479698b1cb13fa3276700f73d692ecddb4ab4bd73244f53fc1e1891a388c8

Select your identity provider (Google Workspace, Microsoft Entra, etc.)

Create corresponding app in your IdP

Exchange credentials:

Copy Jam's Entity ID, ACS URL, Start URL → your IdP

Copy your IdP's metadata → Jam wizard

Map user attributes, e.g.:

Email → email

First Name → first_name

Test using provided test URL

Example: Google Workspace

The wizard will look similar to this:

Go to Google Admin → Apps & Services → Web/Mobile Apps

Add custom SAML app

Enter Jam's Entity ID, ACS URL, Start URL from wizard

Download Google's metadata

Upload metadata to Jam wizard

Configure attribute mapping in Google

Test: Click test link, enter @apple.com email, verify auto-redirect

Result: Jam appears in Workspace app grid; @apple.com users auto-redirect to SSO

Example: Microsoft Entra (Azure)

The wizard will look similar to this:

Go to Azure Portal → Enterprise Applications

Create new app → Non-gallery application

Go to Single sign-on → SAML

In Basic SAML Configuration, enter Jam's values:

Identifier: Jam's Entity ID

Reply URL: Jam's ACS URL

Sign on URL: Jam's Start URL

Download Federation Metadata XML from Entra

Upload metadata to Jam wizard

Configure User Attributes & Claims:

Map email to email claim

Map givenname to first name claim

Map any other attributes and Claims that are relevant

Optional: Assign users/groups to the app

Test: Click test link, enter @apple.com email, verify auto-redirect

Result: @apple.com users see SAML login only; no password option

Guiding Users to your Enterprise SAML SSO (Optional)

While our login pages have multiple ways to redirect your users to their IdP, sometimes you want to skip the hosted pages and redirect them directly to their Enterprise SSO provider. To do this, you can direct your users to https://auth.link.wejam.ai/api/fe/v3/login/saml/ and then include one of the following query parameters:

domain - Redirects the user to the SAML login page for an organization with a matching domain

email - Parses the domain from the email address and redirects the user to the SAML login page for an organization with a matching domain

org_name (case sensitive) - Redirects the user to the SAML login page for the provided organization

Example: auth.wejam.ai/api/fe/v3/login/saml?domain=wejam.ai

Restricting Login Methods - Guiding Users to your SSO Provider (Optional)

If you want to ensure users always use SSO, share one of these links:

Force specific provider (if you have multiple SSO methods):

Google: auth.wejam.ai/?opt_hint=gl

Microsoft/Entra: auth.wejam.ai/?opt_hint=ms

SSO only: auth.wejam.ai/?opt_hint=sso

When to use:

During SAML setup (temporary workaround)

To prevent users from using old login methods

Works for both SAML and non-SAML organizations with Google/Microsoft SSO

Common Issues and Solutions

Issue	Solution
Users still see password option	SAML setup incomplete—check domain configuration
"Invalid SAML response"	Copy exact values from wizard (not approximate)
"User not found"	Verify email mapping in your IdP
Lost setup link	Contact support@wejam.ai to regenerate
Microsoft/Entra users can't login after SAML setup	User was previously logged in via Jam's Microsoft SSO app. Browser is trying old method. Solution: User must visit `auth.wejam.ai/login_sso` (or `?opt_hint=ms`) to use new SAML flow. Clear cookies/use incognito window if issue persists.