OneLogin enables IT identity policy enforcement, and instantly disables app access for employees who leave or change roles in real time by removing them from Active Directory. Take control over application access, quickly on- and off-board team members, and provide end users with easy access to all their apps on every device. Extend your on-premises security model to the cloud in minutes.
Single sign-on allows users of your Aha! account to log in using your existing SAML enabled identity provider. This means users don’t have to keep track of yet another email and password. More importantly, it grants admins the ability to add and revoke user access centrally using your existing identity management tool.
SAML (Security Assertion Markup Language) is a standard protocol that provides identity providers a secure way to let a service provider, such as Aha!, know who a user is. It does this by sending Aha! a cryptographically signed XML document asserting the user is who they say along with some basic user information.
To get started go to the Account settings → Profile page and click “Enable SSO”. This will display the SSO settings where you can give your SSO provider a name (required) and add the details for you identity provider.
Aha! supports the SAML 2.0 standard which provides a couple ways to streamline configuration. Although each identity provider will have different interfaces and nuances most provide configuration metadata as a URL or downloadable file.
In Aha! SSO users are kept completely separate from Email/Password based users to provide the best security possible. However, existing Email/Password users can be migrated to SSO users as long as they meet the following conditions:
If a user meets those conditions you can simply find the user’s account in Account Settings → Users and select the user to migrate. Qualifying users will have an option available to change their Identity Provider from password to the name of your SSO provider. Once changed, the account will be able to login via SSO.
To manage user settings go to Account Settings → Users where you will see a list of all users associated with the account. Users who login using OneLogin will be tagged with “OneLogin” (or whatever you named the integration) and are separate accounts from those who log in with an email address and password. Clicking on a user will allow you to edit their information and set products and roles as you would for a standard user.