Portal SSO | Google Cloud Identity

Aha! Ideas

Google Cloud Identity single sign-on (SSO) makes it easier to seamlessly capture ideas without requiring your users to remember an additional set of credentials.

Ideas portal users who authenticate with Cloud Identity SSO can add, vote, or comment without having to remember yet another user ID and password. And your team has a single place to manage all of the ideas — including the next big one.

Click any of the following links to skip ahead:

How it works

When a user authenticates to the ideas portal, they will be presented with the option to authenticate to the portal via SSO only. If they are already logged in to the SSO provider, they will automatically be logged in to your portal without any additional actions.

  • Public portal: Once SSO is configured, users will be prompted to log in before posting or voting on ideas. Anyone can view ideas, regardless of whether they are logged in.

  • Private portal: In order to access the portal, users will be prompted to log in via SSO. If SSO is configured, any user with the SSO account will be able to access the ideas portal, regardless of email domain.

It is possible to invite an ideas portal user from your ideas portal settings who has not been configured with the identity provider your portal is using. The user will not be able to log in to the ideas portal until they can be authenticated by the identity provider.

Top

Configuration in Aha!

To set up Cloud Identity single sign-on you will need to be both an admin for your Cloud Identity account as well as an administrator for your Aha! account.

  1. The first step is to create an ideas portal in Aha! by navigating to Settings ⚙️ → Account → Ideas portals and organizations or Ideas → Overview. From either page, click Add ideas portal to open the portal builder.

  2. Once you create your portal, the portal settings will open in a new tab. Navigate to Users → SSO to add single sign-on to your portal.

  3. Click Add new provider.

  4. Choose SAML as your identity provider Type. Click Save.

  5. The SAML 2.0 configuration will display

  6. Select Metadata file from Settings using. You will generate a metadata file to use here shortly from within your Cloud Identity account.

Top

Configuration in Google Cloud Identity

  1. Next, log in to your Cloud Identity account.

  2. Navigate to the Apps menu and select SAML Apps → Add a service/App to your domain → Setup my own custom App.

  3. You will be given the option to manually configure Google as your identity provider or to use an IdP metadata file. We recommend using the metadata file because you can upload it directly to Aha! to handle the Aha! side configuration. Click Download to download the metadata file.

  4. You will be prompted to enter a name for your app and provided the option to upload an image. You can name the app whatever you want.

  5. After naming your app you will be prompted to provide the ACS URL and the Entity ID. Both of these are located within your account on the ideas portal SSO settings by navigating to Users → SSO.
    Note: You will also want to select
    EMAIL as the Name ID Format value on this page.

  6. After entering the ACS URL and Entity ID, you will be prompted to set up attribute mapping. You want to define EmailAddress, FirstName, and LastName as shown below. Those three values are required for Aha! SAML SSO.

Top

Enable the integration

  1. Back in your Aha! Ideas account, you will need to take the metadata file you downloaded from Cloud Identity and upload it to the Metadata file field. This will allow you to upload the metadata file, which will provide Aha! the information it needs to connect to your Cloud Identity SSO configuration.

  2. Lastly, enable the app you created in Cloud Identity by selecting the ON for everyone option.

    New apps can take up to 24 hours to fully activate for all users in Cloud Identity. Users attempting to log on prior to the app fully activating may be presented with a login error: "403 error app_not_configured_for_user." This should resolve itself within 24 hours.

There are two additional advanced settings beneath Access for Aha! users. They are disabled by default, and most Aha! accounts will not need to use them — in fact, unless you configure these settings carefully, you can break your SSO configuration. If you need help configuring these options, you are welcome to reach out to our Customer Success team.

  • Enable CNAME for SSO URLs: This option is rarely needed and will break SSO if not carefully configured. It may be useful if your customers have strict corporate networking policies. You must also enter a custom CNAME below to enable this feature.

  • CNAME: This must match an existing CNAME used in an active ideas portal in your Aha! account. After adding the CNAME click Update URLs and Save or Update SSO. If you have previously configured SSO the URLs must be updated in your external system.

Top

Share your SSO configuration between portals (Advanced plan)

If you have added Ideas Advanced functionality to your Aha! account, the process to create and assign an identity provider looks a little different.

  1. Follow the same steps in Azure AD listed above.

  2. Navigate to Settings ⚙️→ Account → Ideas portals or Ideas → Overview. You will need to be an administrator with customizations permissions to configure an ideas portal.

    1. From your account settings, click the name of the ideas portal you wish to edit.

    2. From Ideas → Overview, click the pencil icon by the name of the ideas portal you wish to edit.

  3. Once you have your portal settings open, navigate to the Users tab, then the SSO section.

  4. Select Add new provider from the Identify Provider dropdown.

    1. Name: Name your identity provider.
      Note: We recommend that you name your provider something easily recognizable to the different portals that might want to use it, like Employees, or Customers.

    2. Type: Choose SAML as your identity provider type.

    3. Click Save and continue in Aha!

    4. Enter the remaining fields following the SAML 2.0 configuration instructions.

  5. Click Enable SSO to enable your identity provider.

To share your identity provider configuration between multiple ideas portals:

  1. Open each portal's settings.

  2. Once you have your portal settings open, navigate to the Users tab, then the SSO section.

  3. Select the identity provider you just created from the Identity provider dropdown.

  4. Congratulations! You just shared your configuration with another portal.

  5. Repeat these steps for each portal you wish to use the shared Identity provider configuration.

You can manage your identity provider configuration — and the portals that use it — from the Identity providers tab in Settings ⚙️→ Account → Ideas portals.

Top

Troubleshooting

If you run into trouble, we have gathered common SSO configuration issues into one article, along with common resolutions.

The best place to start in most of these situations is the integration log messages for your SSO configuration. Those messages will help diagnose and solve the problem.

Top