Microsoft Entra ID
You can use Microsoft Entra ID as an identity provider for your Aha! account based on SAML 2.0. You will need to be an administrator with account permissions in your Aha! account and an administrator in Entra ID to configure SSO.
In Entra ID
Log in to Entra ID. If you have not already done so, select the Entra ID service from the left sidebar.
Click Enterprise applications.
Select All applications from the Application type dropdown.
If you do not see Aha! as one of your available applications, you may need to add it. Click New application.
Scroll or search for the Aha! application, then select it.
Click Create.
In the getting started form, Name your application, then move on to the SAML SSO configuration quick start guide.
Otherwise, on the Aha! application integration page, find the Manage section and select Single sign-on.
On the Select a Single sign-on method page, select SAML.
On the Set up Single Sign-On with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.
On the Basic SAML Configuration section, perform the following steps:
In the Sign on URL text box, type a URL using the following pattern:
https://<customdomain>.aha.io/session/new
In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<customdomain>.aha.io
On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find Federation Metadata XML and select Download to download the certificate and save it on your computer.
On the Set up Aha! section, copy the appropriate URL(s) based on your requirement.
Under Attributes & Claims, the default value for the Unique User Identifier will not work. Instead of user.userprincipalname, please use user.employeeID or user.objectID. The attributes available will depend on your Entra ID account configuration.
In your Aha! account
Log in to your Aha! account and go to Settings ⚙️ → Account → Security and single sign-on → Single sign-on.
Select SAML 2.0 as your Identity provider.
Name your configuration.
The SAML 2.0 configuration will display. Change Settings using to Metadata File.
Upload the Federation Metadata XML that you downloaded from Azure AD.
Enter the remaining fields following the SAML 2.0 configuration instructions.
Configure custom attributes
This is an optional step but a useful one. You can provision your Aha! users with user and hierarchy permissions. This makes it easier for new users to engage with your Aha! account, and saves you time managing users individually.
To do this:
Go to the enterprise application in Entra ID.
Select Single Sign-On where SAML should be configured.
Edit attributes and claims. Add one or two new claims.
ProductPrefix
The ProductPrefix role grants a user access to specific Aha! workspaces, workspace lines, or teams.
You can find a list of workspace prefixes by navigating to:
Aha! Roadmaps, Aha! Ideas, Aha! Whiteboards, and Aha! Knowledge: Settings ⚙️ → Account → Workspaces
Aha! Develop: Settings ⚙️ → Account → Teams
You will need to be an administrator with customization permissions to access these pages.
The workspace or team you select with ProductPrefix is added to the user only at the time that they are first provisioned, and will not update if you change this attribute later. This attribute is very handy for giving new users a default workspace or team when they first join your account. For advanced hierarchy permissions, navigate to:
Settings ⚙️ → Account → Users
You will need to be an administrator with billing permissions to do this.
If you set the ProductPrefix attribute, you also need to set the ProductRole attribute.
To do this in Entra ID:
Name the claim ProductPrefix.
Expand the Claim conditions section.
Select User Type as Any.
Select the Entra ID Group to which you want to assign access to this ProductPrefix.
Set the Source as Attribute.
Under Value, enter the appropriate Aha! workspace, workspace line, or team Prefix.
Although this appears to be a dropdown to select a value from, you will need to manually enter a prefix here. ProductPrefix is the short code prefix of the hierarchy element, not the element's full name. The prefix is used to code records in that workspace, line, or team. For example, a workspace named Mobile might have a ProductPrefix MBL.
ProductRole
The ProductRole attribute works in conjunction with the ProductPrefix attribute and allows you to specify which level of access a user should have.
ProductPrefix is only used when a user is initially provisioned. Values match with Aha! user permission roles and must be one of the following:
product_owner
contributor
reviewer
viewer
none
To do this in Entra ID:
Name the claim ProductRole.
Expand the Claim conditions section.
Select User Type as Any.
Select the Entra ID Group to which you want to assign access to this ProductRole.
Set the Source as Attribute.
Set the Value to the appropriate user permission role.
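Because ProductPrefix and ProductRole are applied only when a user is first provisioned, it is worth checking what Entra ID actually sends before real users sign in. The following is an added example, not Aha! or Microsoft code: it checks a decoded SAML assertion from a test sign-in against the rules on this page. The sample assertion, the function names, the known_prefixes parameter, the "@" heuristic for spotting a UPN, and the exact-case role comparison are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Role values listed on this page; compared exactly (assumption: case matters).
ALLOWED_ROLES = {"product_owner", "contributor", "reviewer", "viewer", "none"}

# Constructed sample: a trimmed, unsigned assertion with three mistakes in it.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="ProductPrefix">
      <saml:AttributeValue>Mobile</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="ProductRole">
      <saml:AttributeValue>Contributor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def claim_values(root, name):
    """Collect every AttributeValue of the claim with exactly this Name."""
    return [(v.text or "").strip()
            for a in root.findall(".//saml:Attribute", NS) if a.get("Name") == name
            for v in a.findall("saml:AttributeValue", NS)]


def check_assertion(xml_text, known_prefixes):
    """Return a list of findings; an empty list means the claims look consistent."""
    # ElementTree is not hardened against hostile XML: feed it only assertions
    # captured from your own test sign-in.
    root = ET.fromstring(xml_text)
    findings = []
    name_id = (root.findtext(".//saml:NameID", default="", namespaces=NS) or "").strip()
    if not name_id:
        findings.append("NameID: missing")
    elif "@" in name_id:  # heuristic (assumption): looks like user.userprincipalname
        findings.append("NameID: looks like a UPN; map user.employeeID or user.objectID")
    prefixes = claim_values(root, "ProductPrefix")
    roles = claim_values(root, "ProductRole")
    if prefixes and not roles:
        findings.append("ProductRole: required when ProductPrefix is set")
    for p in prefixes:
        if p not in known_prefixes:  # prefixes copied from the Aha! settings page
            findings.append(f"ProductPrefix: {p!r} is not a known prefix (full name used?)")
    for r in roles:
        if r not in ALLOWED_ROLES:
            findings.append(f"ProductRole: {r!r} is not an allowed role value")
    return findings
```

Pass the set of prefixes copied from your Aha! workspace or team settings as known_prefixes; an empty result means the identifier and both claims match what this page requires.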
Troubleshooting
We have created an article to help you troubleshoot common SSO configuration issues, complete with explanations and resolutions.
The best place to start in most of these situations is the Recent SSO events for your SSO configuration, at the bottom of the configuration page. Those messages will help diagnose and solve the problem.
If you get stuck, please reach out to our Customer Success team. Our team is made up entirely of product experts and responds fast.