Troubleshoot single sign-on issues

Aha! Knowledge

This article discusses functionality that is included in the Aha! Knowledge Advanced plan. Please contact us if you would like a live demo or want to try using it in your account.

In most cases, once you save your single sign-on (SSO) configuration in your Aha! account, you are ready to go — no further configuration needed.

In case you do run into trouble, we have gathered some of the most common SSO issues here, along with recommended solutions.

The best place to start in most of these situations is the integration log messages for your SSO configuration. Those messages will help diagnose and solve the problem.

Please click any of the following links to skip ahead:

Required user permissions

For most account-level SSO problems, you will need to be an administrator with account-level permissions to change your configuration.

We recommend that you keep one Aha! account administrator configured with a username and password in case your SSO system is updated and all SSO users are locked out of your Aha! account.

If you are locked out, please have an account-level administrator in your account reach out to our Customer Success team and ask us to convert their user from SSO to use username/password so they can log in and fix the issue.

For most ideas portal SSO problems, you will need to be an administrator with customizations permissions to change your ideas portal configuration.

Top

Users registered for multiple Aha! accounts cannot be configured as SSO users

Symptom

You enable single sign-on for your Aha! account (not for an ideas portal or knowledge base), but some of your users are not able to convert from the username and password login experience to the SSO login experience.

Explanation

Once you enable SSO for your Aha! account, that overwrites the users' standard username and password. But for any users registered with the same username in multiple Aha! accounts, this cannot happen, and the conversion fails.

Resolution

Most often, users in this situation are still registered for a trial account that has expired. Occasionally, users in your Aha! account may also be registered for a secondary Aha! account.

If this happens, please reach out to our Customer Success team. We can help remove the user from their secondary account, which will allow them to correctly convert over to single sign-on.

Top

An error occurred attempting to log you in: identity provider not configured

Symptom

This is a common error message to receive. The full error message is usually something like this:

An error occurred attempting to log you in: (SAML login unsuccessful. This usually means the Identity Provider is not configured or the SAML user does not have permission for the application. Authentication Failed).

Explanation

You will see this error message in one of two situations:

  • Your identity provider is not configured correctly to enable SSO in your Aha! account.

  • Your identity provider is configured correctly, but there is a problem with your specific user profile.

Resolution

Speak to a member of your IT team to ensure that you have been set up with your SSO provider for access to your Aha! account.

Top

An error occurred attempting to log you in: current time is earlier than NotBefore condition

Symptom

This is a common error message to receive. The full error message is usually something like this:

An error occurred attempting to log you in: (Current time is earlier than NotBefore condition ({date/time stamp})). Please try again then contact your account administrator or support@aha.io. (Error code 49624539-eaa5-4d14-98b5-7f55e864c9f9)

Explanation

If you see this error message, it means that the server running the single sign-on software does not have the correct time set on it. Part of the security in SSO is ensuring the requests are coming through at the same time. Your Aha! account will always honor the time from the identity provider to the second, so to fix this problem, you need to add a skew in your identity provider.

Resolution

The date/time stamp gives Aha! a relative variance. In the example here the variance is three seconds and so we would recommend adding a 5- or 10-second skew.

Example date/time stamp:

2019-06-24 11:52:13 UTC < 2019-06-24 11:52:16 UTC

The Aha! server clocks are synchronized using NTP, so they should be fairly consistent. It should be possible in your identity provider to skew the NotBefore parameter.

Note: We cannot introduce a skew on the receiving end because the NotBefore condition comes from your provider's SAML envelope. By the definition of the spec, we have to honor that time to the second.

Top

SAML response certificate does not match fingerprint

Symptom

You have configured SSO with your Aha! account using the Metadata URL or Metadata file options, but are unable to log in to your Aha! account through your identity provider. You receive an error message that looks something like this:

SAML response certificate does not match fingerprint

Explanation

A certificate fingerprint error indicates that the certificate provided to Aha! at the time of configuration is different than the certificate provided to Aha! when a user signs in. This can happen because the certificate was rotated on your SSO provider but not subsequently updated in your Aha! account.

Resolution

  • Metadata URL: If you configured SSO in your Aha! account using the Metadata URL, visit the SSO configuration in your settings, enter your Metadata URL, and click Update. Even if the Metadata URL itself has not changed, Aha! will re-fetch the certificate and capture/update the fingerprint, which should resolve the error.

  • Metadata file: If you configured SSO with your Aha! account using the Metadata file, you will need to provide an updated Metadata file. Talk to your IT team if you are unsure how to acquire this.

Top

Users named "Unknown Unknown"

Symptom

You have users in your Aha! account with the name "Unknown Unknown."

Explanation

When this happens, it means that your identity provider is not sending the first and last name attributes for the user in a format that Aha! recognizes.

Resolution

Please review the SAML 2.0 user attributes documentation and ensure you are using one of the listed attribute names.

Top

Changing email domains

Symptom

You are changing email domains and concerned about how that will affect users in your SSO configuration.

Explanation

When setting up SSO, we recommend using a unique identifier from your identity provider (IDP) as the NameID in your SAML response. This way changing email domains will not affect your users.

Resolution

If you followed our recommendation then no additional action is needed when changing a user's email address in your IDP — the change will automatically be reflected in your Aha! account the next time the user signs in. This is true whether you're changing a single email, e.g. marital status change, or many emails at once.

If you did not follow our recommendation, then you should contact our Customer Success team immediately, or else your users will be provisioned as brand-new users next time they log in with the new email.

Top

Error screen from identity provider

Symptom

You are trying to access your Aha! account via your SSO configuration, but you see an error screen from your identity provider.

Explanation

The error is very likely due to a problem with your identity provider and not the Aha! application.

Resolution

Follow up with your internal team to research and resolve the issue.

Top

If you get stuck, please reach out to our Customer Success team. Our team is made up entirely of product experts and responds fast.