Portal SSO | OpenID Connect

Aha! Roadmaps

This article discusses proxy votes or ideas portal custom domains. You need to be an Ideas Advanced customer to access these features. Please contact us if you would like a live demo or would like to try using it in your account. If your Aha! account was created before October 20, 2020, you may have access to these integrations, but you will need to upgrade to Ideas Advanced for any future enhancements.

Every organization wants better ideas, but it’s tough to actually capture ideas from customers, employees, and others in a manageable way.

Single Sign-On (SSO) allows your users to log in to your ideas portal using their existing OpenID Connect-enabled identity provider, such as Active Directory, OneLogin, PingIdentity, Okta and many more. With SSO, you can increase engagement of your idea portals as employees and customers no longer need to keep track of yet another email and password.

If you have multiple ideas portals and want to use a single OpenID Connect identity provider configuration between all of them, you may be interested in the Ideas Advanced plan.

This article will provide information on how to set up SSO for your public and private idea portals.

OpenID Connect can be very difficult to configure — and for the purposes of Aha! ideas portal SSO — does not offer significant benefits over a traditional SAML configuration.

Click any of the following links to skip ahead:

How it works

When a user authenticates to the ideas portal, they will be presented with the option to authenticate to the portal via SSO only. If they are already logged in to the OpenID Connect (OIDC) SSO provider, they will automatically be logged in to your portal without any additional actions.

  • Public portal: Once SSO is configured, users will be prompted to log in before posting or voting ideas. Anyone can view ideas, regardless of whether they are logged in.

  • Private portal: In order to access the portal, users will be prompted to log in via SSO. If SSO is configured, any user with the SSO account will be able to access the ideas portal, regardless of email domain.

Note: It is possible to invite an ideas portal user from your ideas portal settings who has not been configured with the identity provider your portal is using. The user will not be able to log in to the ideas portal until they can be authenticated by the identity provider.

Top

Enable SSO for any Aha! Roadmaps portal

You can configure SSO differently for each ideas portal in your Aha! Roadmaps account. To get started, go to Settings ⚙️→ Account → Ideas -> Ideas portals or Ideas → Overview. You will need to be an administrator with customizations permissions to configure an ideas portal.

  • From your account settings, click the name of the ideas portal you wish to edit.

  • From Ideas → Overview, click the pencil icon by the name of the ideas portal you wish to edit.

Once you have your portal settings open, navigate to the Users tab, and the SSO section. Select OpenID Connect from the Identify Provider dropdown. The OpenID Connect configuration will display.

The OpenID Connect configuration may differ based on the provider that you use, but you will want to consider these configuration options:

  • Callback URL: Copy the Callback URL and paste it into your identity provider's setting (e.g. Login redirect).

  • Single sign-on endpoint: In your provider, copy the exact endpoint URL specified by your identity provider. Paste it here.

The Single sign-on endpoint value must match the issuer value in your identity provider's discovery response. You can view this discovery response by appending /.well-known/openid-configuration to the SSO endpoint. For example, if your Single sign-on endpoint is https://myprovider.example.com, you can view the discovery response at https://myprovider.example.com/.well-known/openid-configuration.

  • Identifier: In your provider's settings, copy the Identifier (e.g. Client ID). Paste it here.

  • Secret: In your provider's settings, copy the Secret and paste it here.

There are two additional advanced settings beneath Access for Aha! users. They are disabled by default, and most Aha! accounts will not need to use them — in fact, unless you configure these settings carefully, you can break your SSO configuration. If you need help configuring these options, you are welcome to reach out to our Product Success team.

  • Enable CNAME for SSO URLs: This option is rarely needed and will break SSO if not carefully configured. It may be useful if your customers have strict corporate networking policies. You must also enter a custom CNAME below to enable this feature.

  • CNAME: This must match an existing CNAME used in an active ideas portal in your Aha! account. After adding the CNAME click Update URLs and Save or Update SSO. If you have previously configured SSO the URLs must be updated in your external system.

Top

Existing Aha! Roadmaps user accounts and SSO

Aha! Roadmaps portals prompt the user for their email address to determine if they already have an Aha! Roadmaps login. If the email entered is not registered in Aha! Roadmaps they will be redirected to SSO based upon your configuration. If their email address is registered in Aha! Roadmaps, they will be re-directed to login via Aha! Roadmaps to ensure they do not have two separate logins.

This setting is selected by default, and can be disabled by unchecking the box Access for Aha! users.

When using SSO, email addresses should be managed within the identity provider system. If an email address is modified within Aha! Roadmaps, the email address will be reset to the value in the identity provider system.

Disabling this option on custom CNAME portals will prevent Aha! Ideas Advanced users (and Aha! Roadmaps users at account created before October 20, 2020) from accessing the portal.

Top

Optional: Configure your OIDC identity provider to send the information that Aha! Roadmaps needs

In most cases, once you save your OIDC SSO configuration in Aha! Roadmaps, you are ready to go — no further configuration needed. However, if your identity provider does not include the required claims, Aha! Roadmaps will let you know what is missing when you save your SSO settings, so you can configure your identity provider to send the right information.

The following are required OpenID Connect claims:

  • email

  • given_name

  • family_name

And this is the list of OIDC scopes we request:

  • openid

  • email

  • profile

Aha! Roadmaps uses these attributes to identify users and match them to users in your Aha! Roadmaps account or ideas portal.

Top

Share your SSO configuration between portals (Aha! Ideas Advanced plan)

If you have added Ideas Advanced functionality to your Aha! Roadmaps account, the process to create and assign an identity provider looks a little different.

  1. Follow the same steps to enable SSO for your ideas portal listed above.

  2. Navigate to Settings ⚙️→ Account → Ideas -> Single sign-on or Ideas → Overview. You will need to be an administrator with customizations permissions to configure an ideas portal.

    1. From your account settings, click the name of the ideas portal you wish to edit.

    2. From Ideas → Overview, click the pencil icon by the name of the ideas portal you wish to edit.

  3. Once you have your portal settings open, navigate to the Users tab, then the SSO section.

  4. Select Add new provider from the Identify Provider dropdown.

    1. Name: Name your identity provider.
      Note: We recommend that you name your provider something easily recognizable to the different portals that might want to use it, like Employees, or Customers.

    2. Type: Choose OIDC as your identity provider type.

    3. Click Save and continue in Aha!

    4. Enter the remaining fields following the OIDC configuration instructions.

  5. Click Enable SSO to enable your identity provider.

To share your identity provider configuration between multiple ideas portals:

  1. Open each portal's settings.

  2. Once you have your portal settings open, navigate to the Users tab, then the SSO section.

  3. Select the identity provider you just created from the Identity provider dropdown.

  4. Congratulations! You just shared your configuration with another portal.

  5. Repeat these steps for each portal you wish to use the shared Identity provider configuration.

You can manage your identity provider configuration — and the portals that use it — from the Identity providers tab in Settings ⚙️→ Account → Ideas -> Single sign-on

Top

Troubleshooting

We have created an article to help you troubleshoot common SSO configuration issues, complete with explanations and resolutions.

The best place to start in most of these situations is the Recent SSO events for your SSO configuration, at the bottom of the configuration page. Those messages will help diagnose and solve the problem.

It is possible to invite an ideas portal user from your ideas portal settings who has not been configured with the identity provider your portal is using. The user will not be able to log in to the ideas portal until they can be authenticated by the identity provider.

Top

If you get stuck, please reach out to our Customer Success team. Our team is made up entirely of product experts and responds fast.