Release notes System status Get help Submit an idea
Log in
Free trial
Join a demo

Portal SSO | Entra ID

Aha! Ideas

This article is about configuring SSO for your ideas portal. Read these articles if you want to configure SSO for your Aha! Ideas account.

You can use Entra ID as an identity provider for ideas portal users in Aha! based on SAML 2.0. You will need to be an administrator in Aha! Ideas and in Azure AD to configure SSO.

Click any of the following links to skip ahead:

In Aha! Ideas

  1. Navigate to User menu -> Settings → Account → Ideas → Ideas portals or Ideas → Overview. You will need to be an administrator with customizations permissions to configure an ideas portal.

    1. From your account settings, click the name of the ideas portal you wish to edit.

    2. From Ideas → Overview, click the pencil icon by the name of the ideas portal you wish to edit.

  2. Once you have your portal settings open, navigate to the Users tab, and the SSO section.

  3. Click Add new provider.

  4. Choose SAML as your identity provider Type. Click Save.

  5. The SAML 2.0 configuration will display. Leave this open for reference in the next set of steps.

Top

In Entra ID

  1. Log in to Entra ID. If you have not already done so, select the Entra ID service from the left sidebar.

  2. Click Enterprise applications.

  3. Select All applications from the Application type dropdown.

  4. If you do not see Aha! as one of your available applications, you may need to add it. Click New application.

    1. Scroll or search for Aha!, then select it.

    2. Click Create.

    3. In the getting started form, Name your application, then move on to the SAML SSO configuration quick start guide.

  5. On the Aha! application integration page, find the Manage section and select Single sign-on.

  6. On the Select a Single sign-on method page, select SAML.

  7. On the Set up Single Sign-On with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.

  8. On the Basic SAML Configuration section, enter the following:

    1. Sign on URL: this is your Aha! Ideas portal login page URL. Locate this from the Aha! ideas portal SSO settings by navigating to Users → SSO. The URL will follow this pattern: https://<COMPANYNAME>.ideas.aha.io/portal_session/new

    2. Reply URL: copy this from your Aha! Ideas portal SSO settings "SAML consumer URL"

    3. Entity ID: copy this from your Aha! Ideas portal SSO settings by navigating to Users → SSO

  9. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find Federation Metadata XML and select Download to download the certificate and save it on your computer.

  10. On the Set up Aha! section, copy the appropriate URL(s) based on your requirement.

Under Attributes & Claims, the default value for the Unique User Identifier will not work. Instead of user.userprincipalname, please use user.employeeID or user.objectID. The attributes available will depend on your Entra ID account configuration.

Top

Back in Aha! Ideas

  1. Update your SSO configuration and change Settings using to Metadata File.

  2. Upload the Federation Metadata XML that your downloaded from Entra ID.

  3. Enter any remaining fields following the SAML 2.0 configuration instructions.

  4. Click Enable SSO to complete the configuration.

Top

User attributes

The SAML identity provider must be configured to provide four attributes:

  • EmailAddress

  • FirstName

  • LastName

  • NameID

The NameID attribute must be included in the subject. Your Aha! ideas portal uses it to uniquely identify the user (separately from their email address). We recommend using a persistent, unique identifier in this field, rather than the user's email address. You must use a unique identifier so that Aha! can maintain a mapping between the ideas portal user record in Aha! and within your identity provider. This ensures that any changes to the email address within the identity provider will be transparently reflected in your Aha! ideas portal.

Each user in your Aha! ideas portal needs to have a unique NameID. This value must be unique — an email addresses CANNOT be used as a NameID , or else your single sign-on configuration will error.

Top

EmailAddress

Every user in your ideas portal is required to have a valid email address, even when using SSO. Since the identity provider is responsible for managing user information, it must send the user's email address to your Aha! ideas portal in its assertion. Identity providers use different naming conventions, so your Aha! ideas portal will look for an email address in the following attributes sequentially:

  • EmailAddress

  • email

  • Email

  • mail

  • emailAddress

  • User.email

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress


Top

FirstName

Just like email addresses, identity providers may send the first name in several common fields. To provide out-of-the-box compatibility with most identity providers, your Aha! ideas portal will try to find the first name in the following attributes:

  • FirstName

  • first_name

  • firstname

  • firstName

  • User.FirstName

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Top

LastName

Just like email addresses, identity providers may send the last name in several common fields. To provide out-of-the-box compatibility with most identity providers, your Aha! ideas portal will try to find the last name in the following attributes:

  • LastName

  • last_name

  • lastname

  • lastName

  • User.LastName

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Top

NameID

Each user in your Aha! ideas portal needs to have a unique NameID. This value must be unique — an email addresses cannot be used as a NameID. This ensures that any changes to a user's email address can be reflected in your Aha! ideas portal.

Top

This article discusses functionality that is included in the Aha! Ideas Advanced plan. Please contact us if you would like a live demo or want to try using it in your account.

Share your SSO configuration between portals (Advanced plan)

If you have added Ideas Advanced functionality to your Aha! account, the process to create and assign an identity provider looks a little different.

  1. Follow the same steps in Entra ID listed above.

  2. Navigate to User menu -> Settings → Account → Ideas portals or Ideas → Overview. You will need to be an administrator with customizations permissions to configure an ideas portal.

    1. From your account settings, click the name of the ideas portal you wish to edit.

    2. From Ideas → Overview, click the pencil icon by the name of the ideas portal you wish to edit.

  3. Once you have your portal settings open, navigate to the Users tab, then the SSO section.

  4. Select Add new provider from the Identify Provider dropdown.

    1. Name: Name your identity provider.

      We recommend that you name your provider something easily recognizable to the different portals that might want to use it, like Employees, or Customers.

    2. Type: Choose SAML as your identity provider type.

    3. Click Save and continue in Aha!

    4. Enter the remaining fields following the SAML 2.0 configuration instructions.

  5. Click Enable SSO to enable your identity provider.

To share your identity provider configuration between multiple ideas portals:

  1. Open each portal's settings.

  2. Once you have your portal settings open, navigate to the Users tab, then the SSO section.

  3. Select the identity provider you just created from the Identity provider dropdown.

  4. Congratulations! You just shared your configuration with another portal.

  5. Repeat these steps for each portal you wish to use the shared Identity provider configuration.

You can manage your identity provider configuration — and the portals that use it — from the Identity providers tab in User menu -> Settings → Account → Ideas portals.

Top

Troubleshooting

If you run into trouble, we have gathered common SSO configuration issues into one article, along with common resolutions.

The best place to start in most of these situations is the integration log messages for your SSO configuration. Those messages will help diagnose and solve the problem.

Top

If you get stuck, please reach out to our Customer Success team. Our team is made up entirely of product experts and responds fast.

Feedback received!

Error submitting feedback, please try again later