Aha! Ideas | Troubleshoot single sign-on issues
In most cases, once you save your single sign-on (SSO) configuration in Aha! Ideas, you are ready to go ā no further configuration needed.
In case you do run into trouble, we have gathered some of the most common SSO issues here, along with recommended solutions.
The best place to start in most of these situations is the integration log messages for your SSO configuration. Those messages will help diagnose and solve the problem.
Please click any of the following links to skip ahead:
Users registered for multiple Aha! Ideas accounts cannot be configured as SSO users
An error occurred attempting to log you in: identity provider not configured
An error occurred attempting to log you in: current time is earlier than NotBefore condition
Required user permissions
For most account-level SSO problems, you will need to be an Aha! Ideas administrator with account-level permissions to change your configuration.
We recommend that you keep one Aha! Ideas account administrator configured with a username and password in case your SSO system is updated and all SSO users are locked out of your Aha! Ideas account. If you are locked out, please have an account-level administrator in your account reach out to our Customer Success team and ask us to convert their user from SSO to use username/password so they can log in and fix the issue.
For most ideas portal SSO problems, you will need to be an Aha! Ideas administrator with customizations permissions to change your ideas portal configuration.
Users registered for multiple Aha! Ideas accounts cannot be configured as SSO users
Symptom
You enable single sign-on for your Aha! Ideas account (not for an ideas portal), but some of your Aha! Ideas users are not able to convert from the username and password login experience to the SSO login experience.
Explanation
Once you enable SSO for your Aha! Ideas account, that overwrites the users' standard username and password. But for any users registered with the same username in multiple Aha! Ideas accounts, this cannot happen, and the conversion fails.
Resolution
Most often, users in this situation are still registered for an Aha! Ideas trial account that has expired. Occasionally, users in your Aha! Ideas account may also be registered for a secondary Aha! Ideas account.
If this happens, please reach out to our Customer Success team. We can help remove the user from their secondary account, which will allow them to correctly convert over to single sign-on.
An error occurred attempting to log you in: identity provider not configured
Symptom
This is a common error message to receive. The full error message is usually something like this:
An error occurred attempting to log you in: (SAML login unsuccessful. This usually means the Identity Provider is not configured or the SAML user does not have permission for the application. Authentication Failed).
Explanation
You will see this error message in one of two situations:
Your identity provider is not configured correctly to enable SSO in Aha! Ideas.
Your identity provider is configured correctly, but there is a problem with your specific user profile.
Resolution
Speak to a member of your IT team to ensure that you have been set up with your SSO provider for Aha! Ideas access.
An error occurred attempting to log you in: current time is earlier than NotBefore condition
Symptom
This is a common error message to receive. The full error message is usually something like this:
An error occurred attempting to log you in: (Current time is earlier than NotBefore condition ({date/time stamp})). Please try again then contact your account administrator or support@aha.io. (Error code 49624539-eaa5-4d14-98b5-7f55e864c9f9)
Explanation
If you see this error message, it means that the server running the single sign-on software does not have the correct time set on it. Part of the security in SSO is ensuring the requests are coming through at the same time. Aha! Ideas will always honor the time from the identity provider to the second, so to fix this problem, you need to add a skew in your identity provider.
Resolution
The date/time stamp gives Aha! Ideas a relative variance. In the example here the variance is three seconds and so we would recommend adding a 5- or 10-second skew.
Example date/time stamp:
2019-06-24 11:52:13 UTC < 2019-06-24 11:52:16 UTC
The Aha! Ideas server clocks are synchronized using NTP, so they should be fairly consistent. It should be possible in your identity provider to skew the NotBefore
parameter.
We cannot introduce a skew on the receiving end because the NotBefore
condition comes from your provider's SAML envelope. By the definition of the spec, we have to honor that time to the second.
SAML response certificate does not match fingerprint
Symptom
You have configured SSO with Aha! Ideas using the Metadata URL or Metadata file options, but are unable to log in to Aha! Ideas through your identity provider. You receive an error message that looks something like this:
SAML response certificate does not match fingerprint
Explanation
A certificate fingerprint error indicates that the certificate provided to Aha! Ideas at the time of configuration is different than the certificate provided to Aha! Ideas when a user signs in. This can happen because the certificate was rotated on your SSO provider but not subsequently updated in Aha! Ideas.
Resolution
Metadata URL: If you configured SSO with Aha! Ideas using the Metadata URL, visit the SSO configuration in your settings, enter your Metadata URL, and click Update. Even if the Metadata URL itself has not changed, Aha! Ideas will re-fetch the certificate and capture/update the fingerprint, which should resolve the error.
Metadata file: If you configured SSO with Aha! Ideas using the Metadata file, you will need to provide an updated Metadata file. Talk to your IT team if you are unsure how to acquire this.
Webaddress refused to connect on an embedded ideas portal
Symptom
In this situation, the single sign-on login page does not display on an embedded ideas portal. Instead, you see an error message that your identity provider refused to connect.
Explanation
Embedded ideas portals allow you to load an iframe and remove the default header and footer from the portal design. To maintain the security of your ideas portal, it is not possible to display the identity provider login within an iframe.
Resolution
If you want to use an SSO configuration with an embedded ideas portal, you need to select JSON Web Token (JWT) as your identity provider in your ideas portal SSO settings. When the page loads the page needs to pass the JWT token to the iframe to log the user in.
Users named "Unknown Unknown"
Symptom
You have users in your Aha! Ideas account with the name "Unknown Unknown."
Explanation
When this happens, it means that your identity provider is not sending the first and last name attributes for the user in a format that Aha! Ideas recognizes.
Resolution
Please review the SAML 2.0 user attributes documentation and ensure you are using one of the listed attribute names.
Changing email domains
Symptom
You are changing email domains and concerned about how that will affect users in your SSO configuration.
Explanation
When setting up SSO, we recommend using a unique identifier from your identity provider (IDP) as the NameID in your SAML response. This way changing email domains will not affect your users.
You cannot use EmailAddress as a unique identifier. If you do, your single sign-on configuration will error.
Resolution
If you followed our recommendation then no additional action is needed when changing a user's email address in your IDP āĀ the change will automatically be reflected in Aha! Ideas the next time the user signs in. This is true whether you're changing a single email, e.g. marital status change, or many emails at once.
If you did not follow our recommendation, then you should contact our Customer Success team immediately, or else your users will be provisioned as brand-new users next time they log in with the new email.
Error screen from identity provider
Symptom
You are trying to access Aha! Ideas via your SSO configuration, but you see an error screen from your identity provider.
Explanation
The error is very likely due to a problem with your identity provider, not Aha! Ideas.
Resolution
Follow up with your internal team to research and resolve the issue.
SSO users cannot log in to embedded portals
Symptom
After logging in, some of the visitors to your embedded portal are prompted to log in again.
Explanation
It is becoming more common for browsers to block cookies for content within iframes. Since embedded portals use iframes, this prevents the people who use these browsers from logging in successfully.
Resolution
Since browser security settings are important to keep in place, there are a few different configuration options you can use in your Aha! account to help users log in to your portal successfully:
Set up a CNAME portal with single sign-on (SSO).
Use password authentication in your embedded portal.
Use a non-embedded portal to avoid browsers blocking user logins.
If you get stuck, please reach out to our Customer Success team. Our team is made up entirely of product experts and responds fast.