Note: This article discusses functionality that is included in Ideas Advanced. Please contact us if you would like a live demo or would like to try using it in your account.

Configure single sign-on for your Aha! ideas portal with Microsoft Active Directory Federation Services (ADFS)

You can use Microsoft Active Directory Federation Services (ADFS) as an identity provider for ideas portal users in Aha! based on SAML 2.0. You will need to be an administrator in Aha! Roadmaps and in ADFS to configure SSO.

Note: If you have multiple ideas portals and want to use a single ADFS single sign-on configuration between all of them, you may be interested in the Ideas Advanced plan.

Click any of the following links to skip ahead:

In ADFS

  1. In Server Manager, click Tools → AD FS Management.

  2. Click Add Relying Party Trust under Actions. This will open the Add Relying Party Trust Wizard.

  3. In the Welcome step, click Claims aware, then Start.

  4. In the Select Data Source step, choose Import data about the relying party, then enter your Aha! account URL in the Federation metadata address field. The URL should be in the following format: https://<accountname>.aha.io/auth/saml/metadata.
    Note: The metadata URL will only work once SAML authentication is enabled in your Aha! account.

  5. In the Specify Display Name step, name your relying party (e.g. "Aha!").

  6. The Configure Certificate step is optional. Click Next.

  7. The Configure URL step is optional. Click Next.

  8. In the Configure Identifiers step, enter your Aha! account URL in the following format: https://<accountname>.aha.io.

  9. In the Choose Access Control Policy step, choose to Permit everyone.

  10. Review your settings on the Ready to Add Trust step, then click Next.

  11. On the Finish step, press Close. This will open the Edit Claim Rules modal.

  12. On the Issuance Transform Rules tab, click Add Rule....

  13. Select the Send LDAP Attributes as Claims template.

  14. Click Next. Name your rule, select Active Directory as the attribute store, and then add the following mappings:

    LDAP Attribute

    Outgoing Claim Type

    E-Mail-Addresses

    E-Mail Address

    Given-Name

    Given Name

    Surname

    Surname

  15. Click OK.

  16. On the Issuance Transform Rules tab, click Add Rule... again.

  17. Select the Transform an Incoming Claim template, then click Next.

  18. Name the rule and make the following selections:
    • Incoming claim type: E-Mail Address• Outgoing claim type: Name ID• Outgoing name ID format: Email• Pass through all claim values

  19. Click OK.

Top

In Aha!

  1. Navigate to Settings ⚙️→ Account → Ideas portals or Ideas → Overview. You will need to be an administrator with customizations permissions to configure an ideas portal.

    1. From your account settings, click the name of the ideas portal you wish to edit.

    2. From Ideas → Overview, click the pencil icon by the name of the ideas portal you wish to edit.

  2. Once you have your portal settings open, navigate to the Users tab, and the SSO section.

  3. Choose SAML as your identity provider Type. Click Save.

  4. The SAML 2.0 configuration will display.

  5. For the Metadata URL, enter the URL to the metadata xml listed in AD FS 2.0 console, e.g. https://adfs.<company>.com/FederationMetadata/2007-06/FederationMetadata.xml.

  6. Enter the remaining fields following the SAML 2.0 configuration instructions.

  7. Click Enable SSO to complete the configuration.

Top

Share your SSO configuration between portals (Advanced plan)

If you have added Ideas Advanced functionality to your Aha! account, the process to create and assign an identity provider looks a little different.

  1. Follow the same steps in ADFS listed above.

  2. Navigate to Settings ⚙️→ Account → Ideas portals or Ideas → Overview. You will need to be an administrator with customizations permissions to configure an ideas portal.

    1. From your account settings, click the name of the ideas portal you wish to edit.

    2. From Ideas → Overview, click the pencil icon by the name of the ideas portal you wish to edit.

  3. Once you have your portal settings open, navigate to the Users tab, then the SSO section.

  4. Select Add new provider from the Identify Provider dropdown.

    1. Name: Name your identity provider.
      Note: We recommend that you name your provider something easily recognizable to the different portals that might want to use it, like Employees, or Customers.

    2. Type: Choose SAML as your identity provider type.

    3. Click Save and continue in Aha!

    4. Enter the remaining fields following the SAML 2.0 configuration instructions.

  5. Click Enable SSO to enable your identity provider.

To share your identity provider configuration between multiple ideas portals:

  1. Open each portal's settings.

  2. Once you have your portal settings open, navigate to the Users tab, then the SSO section.

  3. Select the identity provider you just created from the Identity provider dropdown.

  4. Congratulations! You just shared your configuration with another portal.

  5. Repeat these steps for each portal you wish to use the shared Identity provider configuration.

You can manage your identity provider configuration — and the portals that use it — from the Identity providers tab in Settings ⚙️→ Account → Ideas portals.

Top

Troubleshooting

If you run into trouble, we have gathered common SSO configuration issues into one article, along with common resolutions.

The best place to start in most of these situations is the integration log messages for your SSO configuration. Those messages will help diagnose and solve the problem.

Top

If you get stuck, please reach out to our Customer Success team. Our team is made up entirely of product experts and responds within two hours.

Aha! Roadmaps
    Strategic roadmaps
    Account management
      Integrations
      Aha! Ideas
      Announcements
      © 2021 Aha! Labs Inc.All rights reserved