Troubleshoot single sign-on issues

Aha! Develop

In most cases, once you save your single sign-on (SSO) configuration in Aha! Develop, you are ready to go — no further configuration needed.

In case you do run into trouble, we have gathered some of the most common SSO issues here, along with recommended solutions.

The best place to start in most of these situations is the integration log messages for your SSO configuration. Those messages will help diagnose and solve the problem.


Required user permissions

For most account-level SSO problems, you will need to be an Aha! Develop administrator with account-level permissions to change your configuration.

We recommend that you keep one Aha! Develop account administrator configured with a username and password in case your SSO system is updated and all SSO users are locked out of your Aha! Develop account. If you are locked out, please have an account-level administrator in your account reach out to our Product Success team and ask us to convert their user from SSO to use username/password so they can log in and fix the issue.


Users registered for multiple Aha! Develop accounts cannot be configured as SSO users

Symptom

You enable single sign-on for your Aha! Develop account, but some of your Aha! Develop users are not able to convert from the username and password login experience to the SSO login experience.

Explanation

Once you enable SSO for your Aha! Develop account, each user's standard username and password login is replaced by the SSO login. For any user registered with the same username in multiple Aha! Develop accounts, this replacement cannot happen, and the conversion fails.

Resolution

Most often, users in this situation are still registered for an Aha! Develop trial account that has expired. Occasionally, users in your Aha! Develop account may also be registered for a secondary Aha! Develop account.

If this happens, please reach out to our Product Success team. We can help remove the user from their secondary account, which will allow them to correctly convert over to single sign-on.


An error occurred attempting to log you in: identity provider not configured

Symptom

This is a common error message to receive. The full error message is usually something like this:

An error occurred attempting to log you in: (SAML login unsuccessful. This usually means the Identity Provider is not configured or the SAML user does not have permission for the application. Authentication Failed).

Explanation

You will see this error message in one of two situations:

  • Your identity provider is not configured correctly to enable SSO in Aha! Develop.

  • Your identity provider is configured correctly, but there is a problem with your specific user profile.

Resolution

Ensure that you have been set up with your SSO provider for Aha! Develop access.


An error occurred attempting to log you in: current time is earlier than NotBefore condition

Symptom

This is a common error message to receive. The full error message is usually something like this:

An error occurred attempting to log you in: (Current time is earlier than NotBefore condition ({date/time stamp})). Please try again then contact your account administrator or support@aha.io. (Error code 49624539-eaa5-4d14-98b5-7f55e864c9f9)

Explanation

If you see this error message, it means that the server running the single sign-on software does not have the correct time set on it. Part of the security in SAML SSO is that an assertion is only accepted within the validity window its issuer states, which requires the identity provider's clock and the receiving clock to agree. Aha! Develop will always honor the time from the identity provider to the second, so to fix this problem, you need to add a skew in your identity provider.

Resolution

The two timestamps in the error message show the variance between the identity provider's clock and Aha! Develop's. In the example here the variance is three seconds, so we would recommend adding a 5- or 10-second skew.

Example date/time stamp:

2019-06-24 11:52:13 UTC < 2019-06-24 11:52:16 UTC

The Aha! Develop server clocks are synchronized using NTP, so they should be fairly consistent. It should be possible in your identity provider to skew the NotBefore parameter.

We cannot introduce a skew on the receiving end because the NotBefore condition comes from your provider's SAML envelope. By the definition of the spec, we have to honor that time to the second.
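The following is an added illustration, not Aha! Develop's own code: it reads the variance out of the error message quoted above, then models the two sides of the check with constructed clocks so you can see why a skew applied at the identity provider (backdating NotBefore) resolves the error while the relying party stays strict to the second. The function names, the 300-second default validity and the scenario timestamps are assumptions for the example.

```python
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
STAMP_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC")


def parse_stamp(text: str) -> datetime:
    """Parse the 'YYYY-MM-DD HH:MM:SS UTC' form quoted in the error message."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)


def variance_from_error(message: str) -> int:
    """Seconds by which NotBefore is ahead of the relying party's clock.

    The message reads 'current < NotBefore', so the variance is the second
    stamp minus the first; the skew you configure must cover at least this.
    """
    stamps = STAMP_RE.findall(message)
    if len(stamps) != 2:
        raise ValueError("expected two timestamps in the error message")
    current, not_before = (parse_stamp(s) for s in stamps)
    return int((not_before - current).total_seconds())


def issue_conditions(idp_now: datetime, skew_seconds: int, validity_seconds: int = 300):
    """Identity-provider side: the Conditions window written into the assertion.

    Backdating NotBefore by skew_seconds is the IdP-side fix this page asks for.
    """
    return (idp_now - timedelta(seconds=skew_seconds),
            idp_now + timedelta(seconds=validity_seconds))


def check_conditions(rp_now: datetime, not_before: datetime, not_on_or_after: datetime) -> str:
    """Relying-party side: strict SAML 2.0 Conditions check, honored to the second."""
    if rp_now < not_before:
        return ("Current time is earlier than NotBefore condition "
                f"({rp_now:%Y-%m-%d %H:%M:%S} UTC < {not_before:%Y-%m-%d %H:%M:%S} UTC)")
    if rp_now >= not_on_or_after:
        return "assertion has expired (NotOnOrAfter reached)"
    return "ok"


def simulate(idp_ahead_seconds: int, skew_seconds: int) -> str:
    """Constructed scenario: the IdP clock runs idp_ahead_seconds ahead of the relying party."""
    rp_now = datetime(2019, 6, 24, 11, 52, 13, tzinfo=UTC)  # the timestamp quoted on this page
    idp_now = rp_now + timedelta(seconds=idp_ahead_seconds)
    not_before, not_on_or_after = issue_conditions(idp_now, skew_seconds)
    return check_conditions(rp_now, not_before, not_on_or_after)
```

With the IdP three seconds ahead, `simulate(3, 0)` reproduces the error from this page and `simulate(3, 5)` returns "ok".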


SAML response certificate does not match fingerprint

Symptom

You have configured SSO with Aha! Develop using the Metadata URL or Metadata file options, but are unable to log in to Aha! Develop through your identity provider. You receive an error message that looks something like this:

SAML response certificate does not match fingerprint

Explanation

A certificate fingerprint error indicates that the certificate provided to Aha! Develop at the time of configuration differs from the certificate presented to Aha! Develop when a user signs in. This typically happens because the signing certificate was rotated on your SSO provider but not subsequently updated in Aha! Develop.

Resolution

  • Metadata URL: If you configured SSO with Aha! Develop using the Metadata URL, visit the SSO configuration in your settings, enter your Metadata URL, and click Update. Even if the Metadata URL itself has not changed, Aha! Develop will re-fetch the certificate and capture/update the fingerprint, which should resolve the error.

  • Metadata file: If you configured SSO with Aha! Develop using the Metadata file, you will need to provide an updated Metadata file.
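To make the fingerprint mechanism concrete, here is an added example (not Aha! Develop's code) that extracts the signing certificate from a constructed IdP metadata document, stores its SHA-256 fingerprint as a service provider would at configuration time, and compares it against the certificate carried in a later SAML response. The certificate bytes, the metadata document and the `idp.example.test` entity ID are constructed placeholders; a real fingerprint is a hash over the DER certificate bytes in exactly the same way.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholders standing in for DER-encoded certificates. A fingerprint
# is a hash over the DER bytes, so any byte string demonstrates the mechanism.
OLD_CERT_B64 = base64.b64encode(b"constructed-der-bytes-for-the-original-idp-cert").decode()
NEW_CERT_B64 = base64.b64encode(b"constructed-der-bytes-for-the-rotated-idp-cert").decode()


def metadata_xml(cert_b64: str) -> str:
    """Constructed minimal IdP metadata carrying one signing certificate."""
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://idp.example.test">'
            '<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>\n  {cert_b64}\n</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>'
            '</md:EntityDescriptor>')


def fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint of a base64 DER certificate as colon-separated hex."""
    der = base64.b64decode("".join(cert_b64.split()))  # metadata usually wraps the base64
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_from_metadata(xml_text: str) -> list:
    """What a service provider stores at configuration time: one fingerprint per signing cert."""
    root = ET.fromstring(xml_text)
    found = []
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
            found.append(fingerprint(cert.text))
    return found


def response_cert_matches(stored_fingerprints: list, response_cert_b64: str) -> bool:
    """At sign-in: does the certificate in the SAML response match a stored fingerprint?"""
    fp = fingerprint(response_cert_b64)
    return any(hmac.compare_digest(fp, stored) for stored in stored_fingerprints)
```

After the IdP rotates to `NEW_CERT_B64`, the stored fingerprint from the old metadata no longer matches, which is the error this section describes; re-fetching the metadata and storing the new fingerprint restores the match.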


Users named "Unknown Unknown"

Symptom

You have users in your Aha! Develop account with the name "Unknown Unknown."

Explanation

When this happens, it means that your identity provider is not sending the first and last name attributes for the user in a format that Aha! Develop recognizes.

Resolution

Please review the SAML 2.0 user attributes documentation and ensure you are using one of the listed attribute names.


Changing email domains

Symptom

You are changing email domains and concerned about how that will affect users in your SSO configuration.

Explanation

When setting up SSO, we recommend using a unique identifier from your identity provider (IDP) as the NameID in your SAML response. This way changing email domains will not affect your users.

Resolution

If you followed our recommendation then no additional action is needed when changing a user's email address in your IDP — the change will automatically be reflected in Aha! Develop the next time the user signs in. This is true whether you're changing a single email, e.g. marital status change, or many emails at once.

If you did not follow our recommendation, then you should contact our Product Success team immediately, or else your users will be provisioned as brand-new users next time they log in with the new email.


Error screen from identity provider

Symptom

You are trying to access Aha! Develop via your SSO configuration, but you see an error screen from your identity provider.

Explanation

The error is very likely due to a problem with your identity provider, not Aha! Develop.

Resolution

Follow up with your internal team to research and resolve the issue.


If you get stuck, please reach out to our Customer Success team. Our team is made up entirely of product experts and responds fast.