Explore  

Aha! Roadmaps | Troubleshoot single sign-on issues

In most cases, once you save your single sign-on (SSO) configuration in Aha! Roadmaps, you are ready to go — no further configuration needed.

In case you do run into trouble, we have gathered some of the most common SSO issues here, along with recommended solutions.

The best place to start in most of these situations is the integration log messages for your SSO configuration. Those messages will help diagnose and solve the problem.

Please click any of the following links to skip ahead:

Required user permissions

For most account-level SSO problems, you will need to be an Aha! Roadmaps administrator with account-level permissions to change your configuration.

We recommend that you keep one Aha! Roadmaps account administrator configured with a username and password in case your SSO system is updated and all SSO users are locked out of your Aha! Roadmaps account.

If you are locked out, please have an account-level administrator in your account reach out to our Customer Success team and ask us to convert their user from SSO to use username/password so they can log in and fix the issue.

For most ideas portal SSO problems, you will need to be an Aha! Roadmaps administrator with customizations permissions to change your ideas portal configuration.

Top

Users registered for multiple Aha! Roadmaps accounts cannot be configured as SSO users

Symptom

You enable single sign-on for your Aha! Roadmaps account (not for an ideas portal), but some of your Aha! Roadmaps users are not able to convert from the username and password login experience to the SSO login experience.

Explanation

Once you enable SSO for your Aha! Roadmaps account, that overwrites the users' standard username and password. But for any users registered with the same username in multiple Aha! Roadmaps accounts, this cannot happen, and the conversion fails.

Resolution

Most often, users in this situation are still registered for an Aha! Roadmaps trial account that has expired. Occasionally, users in your Aha! Roadmaps account may also be registered for a secondary Aha! Roadmaps account.

If this happens, please reach out to our Customer Success team. We can help remove the user from their secondary account, which will allow them to correctly convert over to single sign-on.

Top

An error occurred attempting to log you in: identity provider not configured

Symptom

This is a common error message to receive. The full error message is usually something like this:

An error occurred attempting to log you in: (SAML login unsuccessful. This usually means the Identity Provider is not configured or the SAML user does not have permission for the application. Authentication Failed).

Explanation

You will see this error message in one of two situations:

  • Your identity provider is not configured correctly to enable SSO in Aha! Roadmaps.

  • Your identity provider is configured correctly, but there is a problem with your specific user profile.

Resolution

Speak to a member of your IT team to ensure that you have been set up with your SSO provider for Aha! Roadmaps access.

Top

An error occurred attempting to log you in: current time is earlier than NotBefore condition

Symptom

This is a common error message to receive. The full error message is usually something like this:

An error occurred attempting to log you in: (Current time is earlier than NotBefore condition ({date/time stamp})). Please try again then contact your account administrator or support@aha.io. (Error code 49624539-eaa5-4d14-98b5-7f55e864c9f9)

Explanation

If you see this error message, it means that the server running the single sign-on software does not have the correct time set on it. Part of the security in SSO is ensuring the requests are coming through at the same time. Aha! Roadmaps will always honor the time from the identity provider to the second, so to fix this problem, you need to add a skew in your identity provider.

Resolution

The date/time stamp gives Aha! Roadmaps a relative variance. In the example here the variance is three seconds and so we would recommend adding a 5- or 10-second skew.

Example date/time stamp:

2019-06-24 11:52:13 UTC < 2019-06-24 11:52:16 UTC

The Aha! Roadmaps server clocks are synchronized using NTP, so they should be fairly consistent. It should be possible in your identity provider to skew the NotBefore parameter.

Note: We cannot introduce a skew on the receiving end because the NotBefore condition comes from your provider's SAML envelope. By the definition of the spec, we have to honor that time to the second.

Top

SAML response certificate does not match fingerprint

Symptom

You have configured SSO with Aha! Roadmaps using the Metadata URL or Metadata file options, but are unable to log in to Aha! Roadmaps through your identity provider. You receive an error message that looks something like this:

SAML response certificate does not match fingerprint

Explanation

A certificate fingerprint error indicates that the certificate provided to Aha! Roadmaps at the time of configuration is different than the certificate provided to Aha! Roadmaps when a user signs in. This can happen because the certificate was rotated on your SSO provider but not subsequently updated in Aha! Roadmaps.

Resolution

  • Metadata URL: If you configured SSO with Aha! Roadmaps using the Metadata URL, visit the SSO configuration in your settings, enter your Metadata URL, and click Update. Even if the Metadata URL itself has not changed, Aha! Roadmaps will re-fetch the certificate and capture/update the fingerprint, which should resolve the error.

  • Metadata file: If you configured SSO with Aha! Roadmaps using the Metadata file, you will need to provide an updated Metadata file. Talk to your IT team if you are unsure how to acquire this.

Top

Webaddress refused to connect on an embedded ideas portal

Symptom

In this situation, the single sign-on login page does not display on an embedded ideas portal. Instead, you see an error message that your identity provider refused to connect.

Explanation

Embedded ideas portals allow you to load an iframe and remove the default header and footer from the portal design. To maintain the security of your ideas portal, it is not possible to display the identity provider login within an iframe.

Resolution

If you want to use an SSO configuration with an embedded ideas portal, you need to select JSON Web Token (JWT) as your identity provider in your ideas portal SSO settings. When the page loads the page needs to pass the JWT token to the iframe to log the user in.

Top

Users named "Unknown Unknown"

Symptom

You have users in your Aha! Roadmaps account with the name "Unknown Unknown."

Explanation

When this happens, it means that your identity provider is not sending the first and last name attributes for the user in a format that Aha! Roadmaps recognizes.

Resolution

Please review the SAML 2.0 user attributes documentation and ensure you are using one of the listed attribute names.

Top

Changing email domains

Symptom

You are changing email domains and concerned about how that will affect users in your SSO configuration.

Explanation

When setting up SSO, we recommend using a unique identifier from your identity provider (IDP) as the NameID in your SAML response. This way changing email domains will not affect your users.

Resolution

If you followed our recommendation then no additional action is needed when changing a user's email address in your IDP — the change will automatically be reflected in Aha! Roadmaps the next time the user signs in. This is true whether you're changing a single email, e.g. marital status change, or many emails at once.

If you did not follow our recommendation, then you should contact our Customer Success team immediately, or else your users will be provisioned as brand-new users next time they log in with the new email.

Top

Error screen from identity provider

Symptom

You are trying to access Aha! Roadmaps via your SSO configuration, but you see an error screen from your identity provider.

Explanation

The error is very likely due to a problem with your identity provider, not Aha! Roadmaps.

Resolution

Follow up with your internal team to research and resolve the issue.

Top

SSO users cannot log in to embedded portals

Symptom

After logging in, some of the visitors to your embedded portal are prompted to log in again.

Explanation

It is becoming more common for browsers to block cookies for content within iframes. Since embedded portals use iframes, this prevents the people who use these browsers from logging in successfully.

Resolution

Since browser security settings are important to keep in place, there are a few different configuration options you can use in your Aha! account to help users log in to your portal successfully:

If you get stuck, please reach out to our Customer Success team. Our team is made up entirely of product experts and responds fast.

Suite overview
Aha! Roadmaps
    Roadmaps
    Integrations
    Aha! Ideas
    Aha! Whiteboards
    Aha! Develop
    Release notes