Troubleshoot single sign-on issues

In most cases, once you save your single sign-on (SSO) configuration in your Aha! account, you are ready to go — no further configuration needed.

In case you do run into trouble, we have gathered some of the most common SSO issues here, along with recommended solutions.

The best place to start in most of these situations is the integration log messages for your SSO configuration. Those messages will help diagnose and solve the problem.


Permissions

Action                                  | Product      | User permissions
Troubleshoot account-level SSO problems | All products | Administrator with customization permissions

We recommend that you keep one Aha! account administrator configured with a username and password in case your SSO system is updated and all SSO users are locked out of your Aha! account. If you are locked out, please have an account-level administrator in your account reach out to our Customer Success team and ask us to convert their user from SSO to username and password login so they can sign in and fix the issue.


Users registered for multiple Aha! accounts cannot be configured as SSO users

Symptom

You enable single sign-on for your Aha! account, but some of your Aha! users are not able to convert from the username and password login experience to the SSO login experience.

Explanation

Once you enable SSO for your Aha! account, the SSO login replaces each user's standard username and password. For any user who is registered with the same username in multiple Aha! accounts, this replacement cannot happen, and the conversion fails.

Resolution

Most often, users in this situation are still registered for an Aha! trial account that has expired. Occasionally, users in your Aha! account may also be registered for a secondary Aha! account.

If this happens, please reach out to our Customer Success team. We can help remove the user from their secondary account, which will allow them to correctly convert over to single sign-on.


An error occurred attempting to log you in: identity provider not configured

Symptom

This is a common error message to receive. The full error message is usually something like this:

An error occurred attempting to log you in: (SAML login unsuccessful. This usually means the Identity Provider is not configured or the SAML user does not have permission for the application. Authentication Failed).

Explanation

You will see this error message in one of two situations:

  • Your identity provider is not configured correctly to enable SSO in your Aha! account.

  • Your identity provider is configured correctly, but there is a problem with your specific user profile.

Resolution

Ensure that you have been set up with your SSO provider for Aha! account access.


An error occurred attempting to log you in: current time is earlier than NotBefore condition

Symptom

This is a common error message to receive. The full error message is usually something like this:

An error occurred attempting to log you in: (Current time is earlier than NotBefore condition ({date/time stamp})). Please try again then contact your account administrator or support@aha.io. (Error code 49624539-eaa5-4d14-98b5-7f55e864c9f9)

Explanation

If you see this error message, it means that the server running the single sign-on software does not have the correct time set on it. Part of the security in SSO is ensuring that a SAML response is only accepted inside the validity window the identity provider stamps on it. Your Aha! account will always honor the time from the identity provider to the second, so to fix this problem, you need to add a skew in your identity provider.

Resolution

The date/time stamp gives your Aha! account a relative variance. In the example here, the variance is three seconds, so we would recommend adding a 5- or 10-second skew.

Example date/time stamp:

2019-06-24 11:52:13 UTC < 2019-06-24 11:52:16 UTC

The Aha! Develop server clocks are synchronized using NTP, so they should be fairly consistent. It should be possible in your identity provider to skew the NotBefore parameter.

We cannot introduce a skew on the receiving end because the NotBefore condition comes from your provider's SAML envelope. By the definition of the spec, we have to honor that time to the second.
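The following script is an added example, not part of the Aha! article or its code. It reproduces the NotBefore check described above on a constructed SAML Conditions fragment that carries the article's example timestamps (11:52:16 UTC stamped by the identity provider, 11:52:13 UTC on the receiving clock), computes the variance, and shows that a skew applied on the identity provider side, by backdating NotBefore, is what makes the response acceptable while the receiving side applies no tolerance of its own. The function names and the XML fragment are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Constructed <saml:Conditions> fragment (not from the article) carrying the
# article's example NotBefore value of 11:52:16 UTC.
CONDITIONS_XML = (
    '<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'NotBefore="2019-06-24T11:52:16Z" NotOnOrAfter="2019-06-24T11:57:16Z"/>'
)

# The service provider's clock when the response arrives, taken from the
# article's example: 11:52:13 UTC, three seconds behind NotBefore.
SP_NOW = datetime(2019, 6, 24, 11, 52, 13, tzinfo=timezone.utc)


def parse_saml_time(value):
    """Parse an xsd:dateTime in UTC ("...Z"), with or without fractional seconds."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_conditions(conditions_xml, now, idp_skew_seconds=0):
    """Return (accepted, variance_seconds).

    variance_seconds is NotBefore minus the service provider's clock; a
    positive value is exactly the article's "current time is earlier than
    NotBefore" situation. idp_skew_seconds models the fix the article
    recommends: the identity provider stamping NotBefore that many seconds
    earlier. The receiving side applies no tolerance of its own.
    """
    conditions = ET.fromstring(conditions_xml)
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    effective_not_before = not_before - timedelta(seconds=idp_skew_seconds)
    variance = (not_before - now).total_seconds()
    accepted = effective_not_before <= now < not_on_or_after
    return accepted, variance


def describe(conditions_xml, now, idp_skew_seconds=0):
    """Human-readable verdict for an admin reading the integration log."""
    accepted, variance = evaluate_conditions(conditions_xml, now, idp_skew_seconds)
    if accepted:
        return f"accepted (IdP skew {idp_skew_seconds}s covers a {variance:+.0f}s variance)"
    if variance > 0:
        return f"rejected: current time is earlier than NotBefore by {variance:.0f}s"
    return "rejected: assertion expired (NotOnOrAfter reached)"


if __name__ == "__main__":
    for skew in (0, 5, 10):
        print(f"skew={skew:>2}: {describe(CONDITIONS_XML, SP_NOW, skew)}")
```

Running it shows the three-second variance rejected with no skew and accepted once the identity provider backdates NotBefore by 5 or 10 seconds, which is the adjustment the article recommends.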


SAML response certificate does not match fingerprint

Symptom

You have configured SSO with your Aha! account using the Metadata URL or Metadata file options, but are unable to log in to your Aha! account through your identity provider. You receive an error message that looks something like this:

SAML response certificate does not match fingerprint

Explanation

A certificate fingerprint error indicates that the certificate provided to your Aha! account at the time of configuration is different from the certificate provided to your Aha! account when a user signs in. This can happen because the certificate was rotated on your SSO provider but not subsequently updated in your Aha! account.

Resolution

  • Metadata URL: If you configured SSO with your Aha! account using the Metadata URL, visit the SSO configuration in your settings, enter your Metadata URL, and click Update. Even if the Metadata URL itself has not changed, Aha! Develop will re-fetch the certificate and capture/update the fingerprint, which should resolve the error.

  • Metadata file: If you configured SSO with your Aha! account using the Metadata file, you will need to provide an updated Metadata file.
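As an added example (not code from the Aha! article or product), the script below shows how an administrator can confirm a certificate rotation before re-submitting metadata: it pulls the signing certificate out of an identity provider metadata document, computes its fingerprint the way SAML fingerprints are formed (a hash over the certificate's DER bytes, printed as colon-separated hex), and compares it with the fingerprint stored at configuration time. The metadata document, the entityID and the certificate payload are constructed placeholders; the certificate bytes are not a real X.509 certificate, and the function names are assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _placeholder_cert_b64(label):
    # Constructed stand-in for a base64 DER certificate; NOT a real X.509 cert.
    return base64.b64encode(f"PLACEHOLDER-DER-{label}".encode()).decode()


# Constructed IdP metadata as it would look after the provider rotated its
# signing certificate (entityID and URLs are placeholders).
METADATA_XML = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{_placeholder_cert_b64('rotated-2020')}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint_from_der(der_bytes, algorithm="sha256"):
    """Hash the DER bytes and render as upper-case, colon-separated hex."""
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_cert_fingerprints(metadata_xml, algorithm="sha256"):
    """Fingerprints of every signing certificate published in the metadata.

    A KeyDescriptor without a 'use' attribute may be used for signing, so it
    is included; 'encryption' descriptors are skipped.
    """
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for key_descriptor in root.findall(".//md:KeyDescriptor", NS):
        if key_descriptor.get("use") not in (None, "signing"):
            continue
        for cert in key_descriptor.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # strip whitespace/newlines
            fingerprints.append(fingerprint_from_der(der, algorithm))
    return fingerprints


def normalize(fingerprint):
    """Compare fingerprints regardless of colons, spaces or letter case."""
    return fingerprint.replace(":", "").replace(" ", "").upper()


def check_stored_fingerprint(stored_fingerprint, metadata_xml, algorithm="sha256"):
    """Return (matches, current_fingerprints); a mismatch means a rotation
    happened at the provider and the stored configuration must be refreshed."""
    current = signing_cert_fingerprints(metadata_xml, algorithm)
    matches = normalize(stored_fingerprint) in {normalize(fp) for fp in current}
    return matches, current


# The fingerprint captured at configuration time, computed over the
# (constructed) certificate the provider used before rotating.
STORED_FINGERPRINT = fingerprint_from_der(b"PLACEHOLDER-DER-original-2019")

if __name__ == "__main__":
    ok, current = check_stored_fingerprint(STORED_FINGERPRINT, METADATA_XML)
    print("stored :", STORED_FINGERPRINT)
    print("current:", current[0])
    print("verdict:", "match" if ok else "certificate rotated; re-submit the metadata")
```

In a real check, replace the constructed metadata with the document fetched from your Metadata URL (or the file you uploaded) and the stored fingerprint with the one shown in your SSO configuration; a mismatch is the condition the Metadata URL "Update" step resolves.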


Users named "Unknown Unknown"

Symptom

You have users in your Aha! account with the name "Unknown Unknown."

Explanation

When this happens, it means that your identity provider is not sending the first and last name attributes for the user in a format that your Aha! account recognizes.

Resolution

Please review the SAML 2.0 user attributes documentation and ensure you are using one of the listed attribute names.


Changing email domains

Symptom

You are changing email domains and are concerned about how that will affect users in your SSO configuration.

Explanation

When setting up SSO, we recommend using a unique identifier from your identity provider (IDP) as the NameID in your SAML response. This way, changing email domains will not affect your users.

You cannot use EmailAddress as a unique identifier. If you do, your single sign-on configuration will error.

Resolution

If you followed our recommendation then no additional action is needed when changing a user's email address in your IDP — the change will automatically be reflected in your Aha! account the next time the user signs in. This is true whether you are changing a single email, e.g. marital status change, or many emails at once.

If you did not follow our recommendation, then you should contact our Customer Success team immediately, or else your users will be provisioned as brand-new users next time they log in with the new email.
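To make the difference between the two NameID choices concrete, here is an added example (not code from the Aha! article or product) that simulates a service provider's user directory keyed by the SAML NameID. With a stable identifier as NameID, a user whose email changes is matched and updated; with EmailAddress as NameID, the same person comes back as a brand-new user. The assertion fragments, the user store and the function names are constructed for the example and do not describe how Aha! implements provisioning internally.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def make_assertion(name_id, name_id_format, email):
    """Constructed minimal assertion: Subject/NameID plus an email attribute."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="{name_id_format}">{name_id}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Extract the NameID, its Format, and the attribute name/value pairs."""
    root = ET.fromstring(xml_text)
    name_id = root.find("./saml:Subject/saml:NameID", NS)
    attrs = {}
    for attribute in root.findall(".//saml:Attribute", NS):
        value = attribute.find("saml:AttributeValue", NS)
        attrs[attribute.get("Name")] = value.text if value is not None else None
    return {"name_id": name_id.text, "format": name_id.get("Format"), "attrs": attrs}


def name_id_is_stable(assertion):
    """False when the subject identifier is an email address, which changes
    whenever the user's mailbox or domain does."""
    return assertion["format"] != EMAIL and "@" not in assertion["name_id"]


class UserDirectory:
    """Toy service-provider user store keyed by the NameID value."""

    def __init__(self):
        self.users = {}  # name_id -> {"email": ...}

    def login(self, assertion):
        key = assertion["name_id"]
        email = assertion["attrs"]["email"]
        if key in self.users:
            self.users[key]["email"] = email  # same subject, refreshed email
            return "updated"
        self.users[key] = {"email": email}  # first sighting: provision
        return "provisioned"


def simulate_email_change(name_id_format, first_id, second_id):
    """Log the same person in twice across an email change; return
    (first outcome, second outcome, number of user records)."""
    directory = UserDirectory()
    first = directory.login(parse_assertion(
        make_assertion(first_id, name_id_format, "alice@old.example")))
    second = directory.login(parse_assertion(
        make_assertion(second_id, name_id_format, "alice@new.example")))
    return first, second, len(directory.users)


if __name__ == "__main__":
    print("persistent NameID:", simulate_email_change(PERSISTENT, "u-12345", "u-12345"))
    print("email NameID     :", simulate_email_change(EMAIL, "alice@old.example", "alice@new.example"))
```

The persistent case yields one record that is updated on the second login; the email case yields two records, which is the duplicate-user outcome the article warns about.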


Error screen from identity provider

Symptom

You are trying to access your Aha! account via your SSO configuration, but you see an error screen from your identity provider.

Explanation

The error is very likely due to a problem with your identity provider, not your Aha! account.

Resolution

Follow up with your internal team to research and resolve the issue.


If you get stuck, please reach out to our Customer Success team. Our team is made up entirely of product experts and responds fast.