Account SSO | Bitium

Aha! Knowledge

This article discusses functionality that is included in the Aha! Knowledge Advanced plan. Please contact us if you would like a live demo or want to try using it in your account.

Bitium is a single sign-on identity provider that your Aha! account connects with through our SAML 2.0 support. The configuration of single sign-on will require access in your Aha! account and administrator permissions in Bitium.

Click any of the following links to skip ahead:

In Bitium

  1. Go to Manage Apps.

  2. Select Aha! from the list of installed apps.

  3. Click the Single sign-on tab.

  4. Click the dropdown menu and select SAML authentication.

Top

In your Aha! account

  1. Go to Settings ⚙️→ Account → Security and single sign-on.

  2. Under the single sign-on section, select SAML 2.0 as the identity provider.

  3. Enter a single sign-on provider name and select the radio button to configure with Manual Settings.

  4. Copy the Login URL from Bitium and paste the URL into the Single sign-on endpoint field in your Aha! account.

  5. Copy the X.509 Certificate Fingerprint from Bitium and paste the value into the Certificate fingerprint field in your Aha! account.

  6. Click Enable in your Aha! account.

Top

Back in Bitium

  1. Copy the SAML entity ID from your Aha! account and paste the URL into the Entity ID field in Bitium.

  2. Copy the SAML consumer URL from your Aha! account and paste the URL into the ACS URL field in Bitium.

  3. Click Save Changes in Bitium.

Top

User attributes

The SAML identity provider must be configured to provide four attributes:

  • EmailAddress

  • FirstName

  • LastName

  • NameID

The NameID attribute must be included in the subject. Your Aha! account uses it to uniquely identify the user (separately from their email address). We recommend using a persistent, unique identifier in this field, rather than the user's email address. You must use a unique identifier so that Aha! can maintain a mapping between the user record in Aha! and within your identity provider. This ensures that any changes to the email address within the identity provider will be transparently reflected in your Aha! account.

Each user in your Aha! account needs to have a unique NameID. This value must be unique — an email addresses CANNOT be used as a NameID , or else your single sign-on configuration will error.

Your Aha! account will use these attributes to properly identify the user and automatically provision users. You can also configure your provider to include two additional optional attributes:

  • ProductRole

  • ProductPrefix

By default, users are provisioned with no access or any assigned role. Therefore, an administrator in your Aha! account will need to set the roles for all users. The exception to this is when the administrator is setting up custom attributes to provision specific users to specific roles and/or permissions, such as when using ProductPrefix and ProductRole.

Top

EmailAddress

Every user in your Aha! account is required to have a valid email address, even when using SSO. Since the identity provider is responsible for managing user information, it must send the user's email address to your Aha! account in its assertion. Identity providers use different naming conventions, so your Aha! account will look for an email address in the following attributes sequentially:

  • EmailAddress

  • email

  • Email

  • mail

  • emailAddress

  • User.email

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

    This attribute is supported for older versions of Azure. It is not recommended.

Top

FirstName

Just like email addresses, identity providers may send the first name in several common fields. To provide out-of-the-box compatibility with most identity providers, your Aha! account will try to find the first name in the following attributes:

  • FirstName

  • first_name

  • firstname

  • firstName

  • User.FirstName

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Top

LastName

Just like email addresses, identity providers may send the last name in several common fields. To provide out-of-the-box compatibility with most identity providers, your Aha! account will try to find the last name in the following attributes:

  • LastName

  • last_name

  • lastname

  • lastName

  • User.LastName

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Top

NameID

Each user in your Aha! account needs to have a unique NameID. This value must be unique — an email addresses cannot be used as a NameID. This ensures that any changes to a user's email address can be reflected in your Aha! account.

Top

Troubleshooting

We have created an article to help you troubleshoot common SSO configuration issues, complete with explanations and resolutions.

The best place to start in most of these situations is the Recent SSO events for your SSO configuration, at the bottom of the configuration page. Those messages will help diagnose and solve the problem.

Top

If you get stuck, please reach out to our Customer Success team. Our team is made up entirely of product experts and responds fast.