This article discusses functionality that is included in the Aha! Knowledge Advanced plan. Please contact us if you would like a live demo or want to try using it in your account.
Aha! Roadmaps | Knowledge base SSO | Salesforce (Aha! Knowledge Advanced)
Salesforce has the ability to function as an identity provider for your knowledge base using SAML 2.0. This enables your colleagues who work in Salesforce to access the documentation they need — without having to remember another user name and password.
How it works
When a user navigates to the knowledge base, they will be presented with the option to authenticate to the knowledge base via SSO only. If they are already logged in to the SSO provider, they will automatically be logged in to your knowledge base without any additional actions.
Enable Salesforce as an identity provider
To do this, follow the instructions on Salesforce's knowledge base.
The configuration described in this support document establishes a SAML based authentication where your Salesforce community users are able to use their Salesforce community credentials to log into your Aha! knowledge base. Top
Enable SSO for any knowledge base
To enable SAML 2.0 SSO in your knowledge base:
Navigate to Settings ⚙️ Account Knowledge Knowledge bases. You will need to be an administrator with customizations permissions to configure a knowledge base.
Click the knowledge base you want to configure. This opens that knowledge base's settings.
On the Overview tab, find the Access settings. Next to the Authentication dropdown, select SSO.
In the SSO identity provider dropdown, select +Add new provider.
If you already have SSO set up for an ideas portal and would like to share that SSO configuration with your knowledge base, you can select the existing provider you have already set up during this step and skip adding a new one.
On the next screen, enter a Name to identify the SSO configuration. Next to Type, select SAML. Click Save.
Enter the remaining fields following the SAML 2.0 configuration requirements. Note: The SAML 2.0 configuration will differ based on the SAML provider that you've selected.
Click Enable SSO to complete the configuration.
Beneath Access for Aha! users, you will find two additional advanced settings. These are disabled by default for knowledge base SSO configurations, as they are intended for ideas portal SSO configurations.
Most Aha! accounts will not need these advanced settings — and you can break your SSO configuration if you do not use them correctly. If you are also using this configuration for both your knowledge base and your ideas portal and you need help configuring these options, you are welcome to reach out to our Customer Success team.
Enable CNAME for SSO URLs: This option is rarely needed and will break SSO if not carefully configured. Enabling this option causes SSO to use the CNAME as well. This is not necessary for knowledge bases or for most ideas portals, even when using a CNAME for the portal. It may be useful if your customers have strict corporate networking policies.
CNAME: This must match an existing CNAME used in an active ideas portal in your Aha! account. After adding the CNAME click Update URLs and Save or Update SSO. If you have previously configured SSO the URLs must be updated in your external system.
Configure Salesforce SSO in your Aha! account
With Salesforce set up as an identity provider, you can then go into Aha! Roadmaps and enable SSO for your ideas portal (or account).
To do this, you will need to open your knowledge base settings. Navigate to Settings ⚙️ Account Knowledge bases and select Single sign-on. You will need to be an administrator with customizations permissions to configure knowledge base.
Click Add new provider.
Choose SAML as your identity provider Type. Click Save.
The SAML 2.0 configuration will display.
Configure Salesforce as your identity provider.
Note: When configuring SSO with Salesforce, the single sign-on endpoint field in Aha! Roadmaps needs to be populated with the SP-Initiated Redirect Endpoint URL from the SAML Login Information settings in Salesforce. The default endpoint provided by Salesforce utilizes a HTTP POST as opposed to a HTTP GET that is expected when running SSO.
Troubleshooting
We have created an article to help you troubleshoot common SSO configuration issues, complete with explanations and resolutions.
The best place to start in most of these situations is the Recent SSO events for your SSO configuration, at the bottom of the configuration page. Those messages will help diagnose and solve the problem.
It is possible to invite an ideas portal user from your ideas portal settings who has not been configured with the identity provider your portal is using. The user will not be able to log in to the ideas portal until they can be authenticated by the identity provider.