Microsoft Entra ID

You can use Microsoft Entra ID as an identity provider for your Aha! account based on . You will need to be an in your Aha! account and an administrator in Entra ID to configure SSO.

Click any of the following links to skip ahead:

In Entra ID

Log in to Entra ID. If you have not already done so, select the Entra ID service from the left sidebar.
Click Enterprise applications.
Select All applications from the Application type dropdown.
If you do not see Aha! as one of your available applications, you may need to add it. Click New application.
1. Scroll or search for the Aha! application, then select it.
2. Click Create.
3. In the getting started form, Name your application, then move on to the SAML SSO configuration quick start guide.
Otherwise, on the Aha! application integration page, find the Manage section and select Single sign-on.
On the Select a Single sign-on method page, select SAML.
On the Set up Single Sign-On with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.
On the Basic SAML Configuration section, perform the following steps:
1. In the Sign on URL text box, type a URL using the following pattern: https://<customdomain>.aha.io/session/new
2. In the Identifier (Entity ID) text box, type a URL using the following pattern: https://<customdomain>.aha.io
On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find Federation Metadata XML and select Download to download the certificate and save it on your computer.
On the Set up Aha! section, copy the appropriate URL(s) based on your requirement.

Under Attributes & Claims, the default value for the Unique User Identifier will not work. Instead of user.userprincipalname, please use user.employeeID or user.objectID. The attributes available will depend on your Entra ID account configuration.

Top

In your Aha! account

Log into your Aha! account and go to Settings ⚙️ Account Security and single sign-on Single sign-on.
Select SAML 2.0 as your Identity provider.
Name your configuration.
The SAML 2.0 configuration will display. Change Settings using to Metadata File.
Upload the Federation Metadata XML that your downloaded from Azure AD.
Enter the remaining fields following the SAML 2.0 configuration instructions.

Top

Configure custom attributes

This is an optional step but a useful one. You can provision your Aha! users with user and hierarchy permissions. This makes it easier for new users to engage with your Aha! account, and saves you time managing users individually.

To do this:

Go to the enterprise application in Entra ID.
Select Single Sign-On where SAML should be configured.
Edit attributes and claims. Add one or two new claims.

ProductPrefix

The ProductPrefix role grants a user access to specific Aha! workspaces, workspace lines, or teams.

You can find a list of workspace prefixes by navigating to:

Aha! Roadmaps, Aha! Ideas, Aha! Whiteboards, and Aha! Knowledge: Settings ⚙️ Account Workspaces
Aha! Develop: Settings ⚙️ Account Teams

You will need to be an to access these pages.

The workspace or team you select with ProductPrefix is added to the user only at the time that they are first provisioned, and will not update if you change this attribute later. This attribute is very handy for giving new users a default workspace or team when they first join your account. For advanced hierarchy permissions, navigate to:

Settings ⚙️ Account Users

You will need to be an to do this.

If you set the ProductPrefix attribute, you also need to set the ProductRole attribute.

To do this in Entra ID:

Name the claim ProductPrefix.
Expand the Claim conditions section.
Select User Type as Any.
Select the Entra ID Group to which you want to assign access to this ProductPrefix.
Set the Source as Attribute.
Under Value, enter the appropriate Aha! workspace, workspace line, or team Prefix.
Although this appears to be a dropdown to select a value from, you will need to manually enter a prefix here. ProductPrefix is the short code prefix of the hierarchy element, not the element's full name. The prefix is used to code records in that workspace, line, or team. For example, a workspace named Mobile might have a ProductPrefix MBL.

ProductRole

The ProductRole attribute works in conjunction with the ProductPrefix attribute and allows you to specify which level of access a user should have.

ProductPrefix is only used when a user is initially provisioned. Values match with Aha! user permission roles and must be one of the following:

product_owner
contributor
reviewer
viewer
none

To do this in Entra ID:

Name the claim ProductRole.
Expand the Claim conditions section.
Select User Type as Any.
Select the Entra ID Group to which you want to assign access to this ProductRole.
Set the Source as Attribute.
Set the Value to the appropriate user permission role.

Top

Troubleshooting

We have created an article to help you , complete with explanations and resolutions.

The best place to start in most of these situations is the Recent SSO events for your SSO configuration, at the bottom of the configuration page. Those messages will help diagnose and solve the problem.

Top

If you get stuck, please reach out to our Customer Success team. Our team is made up entirely of product experts and responds fast.

Suite overview

Billing and users

Security and system requirements

Single sign-on (SSO)

SAML 2.0

Google Cloud Identity

Microsoft Entra ID

OneLogin

Bitium

Microsoft Active Directory Federation Services