In March 2024, Microsoft renamed Azure Active Directory (Azure AD) as Entra ID.
You can use Entra ID as an identity provider for ideas portal users in Aha! Roadmaps based on SAML 2.0. You will need to be an administrator in Aha! Roadmaps and in Entra ID to configure SSO.
If you have multiple ideas portals and want to use a single Entra ID single sign-on configuration between all of them, you may be interested in the Ideas Advanced plan.
Click any of the following links to skip ahead:
This article discusses functionality that is included in the Aha! Ideas Advanced plan. Please contact us if you would like a live demo or want to try using it in your account.
In Aha! Roadmaps
-
Navigate to User menu -> Settings → Account → Ideas → Ideas portals or Ideas → Overview. You will need to be an administrator with customizations permissions to configure an ideas portal.
From your account settings, click the name of the ideas portal you wish to edit.
From Ideas → Overview, click the pencil icon by the name of the ideas portal you wish to edit.
Once you have your portal settings open, navigate to the Users tab, and the SSO section.
Click Add new provider.
Choose SAML as your identity provider Type. Click Save.
The SAML 2.0 configuration will display. Leave this open for reference in the next set of steps.
In Entra ID
Log in to Entra ID. If you have not already done so, select the Entra ID service from the left sidebar.
Click Enterprise applications.
Select All applications from the Application type dropdown.
-
If you do not see Aha! as one of your available applications, you may need to add it. Click New application.
Scroll or search for Aha!, then select it.
Click Create.
In the getting started form, Name your application, then move on to the SAML SSO configuration quick start guide.
On the Aha! Roadmaps application integration page, find the Manage section and select Single sign-on.
On the Select a Single sign-on method page, select SAML.
On the Set up Single Sign-On with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.
-
On the Basic SAML Configuration section, perform the following steps:
In the Sign on URL text box, copy the URL from the Aha! Roadmaps ideas portal SSO settings by navigating to Users → SSO.
In the Identifier (Entity ID) text box, copy the URL from the Aha! Roadmaps ideas portal SSO settings by navigating to Users → SSO.
On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find Federation Metadata XML and select Download to download the certificate and save it on your computer.
On the Set up Aha! section, copy the appropriate URL(s) based on your requirement.
Under Attributes & Claims, the default value for the Unique User Identifier will not work. Instead of user.userprincipalname, please use user.employeeID or user.objectID. The attributes available will depend on your Entra ID account configuration.
Back in Aha! Roadmaps
Update your SSO configuration and change Settings using to Metadata File.
Upload the Federation Metadata XML that your downloaded from Azure AD.
Enter any remaining fields following the SAML 2.0 configuration instructions.
Click Enable SSO to complete the configuration.
User attributes
The SAML identity provider must be configured to provide four attributes:
EmailAddress
FirstName
LastName
NameID
The NameID attribute must be included in the subject. Your Aha! ideas portal uses it to uniquely identify the user (separately from their email address). We recommend using a persistent, unique identifier in this field, rather than the user's email address. You must use a unique identifier so that Aha! can maintain a mapping between the ideas portal user record in Aha! and within your identity provider. This ensures that any changes to the email address within the identity provider will be transparently reflected in your Aha! ideas portal.
Each user in your Aha! ideas portal needs to have a unique NameID. This value must be unique — an email addresses CANNOT be used as a NameID , or else your single sign-on configuration will error.
EmailAddress
Every user in your ideas portal is required to have a valid email address, even when using SSO. Since the identity provider is responsible for managing user information, it must send the user's email address to your Aha! ideas portal in its assertion. Identity providers use different naming conventions, so your Aha! ideas portal will look for an email address in the following attributes sequentially:
EmailAddress
email
Email
mail
emailAddress
User.email
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
FirstName
Just like email addresses, identity providers may send the first name in several common fields. To provide out-of-the-box compatibility with most identity providers, your Aha! ideas portal will try to find the first name in the following attributes:
FirstName
first_name
firstname
firstName
User.FirstName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
LastName
Just like email addresses, identity providers may send the last name in several common fields. To provide out-of-the-box compatibility with most identity providers, your Aha! ideas portal will try to find the last name in the following attributes:
LastName
last_name
lastname
lastName
User.LastName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
NameID
Each user in your Aha! ideas portal needs to have a unique NameID. This value must be unique — an email addresses cannot be used as a NameID. This ensures that any changes to a user's email address can be reflected in your Aha! ideas portal.
Share your SSO configuration between portals (Aha! Ideas Advanced plan)
If you have added Ideas Advanced functionality to your Aha! Roadmaps account, the process to create and assign an identity provider looks a little different.
Follow the same steps in Entra ID listed above.
-
Navigate to Settings ⚙️→ Account → Ideas → Ideas portals or Ideas → Overview. You will need to be an administrator with customizations permissions to configure an ideas portal.
From your account settings, click the name of the ideas portal you wish to edit.
From Ideas → Overview, click the pencil icon by the name of the ideas portal you wish to edit.
Once you have your portal settings open, navigate to the Users tab, then the SSO section.
-
Select Add new provider from the Identity provider dropdown.
Name: Name your identity provider.
Note: We recommend that you name your provider something easily recognizable to the different portals that might want to use it, like Employees, or Customers.Type: Choose SAML as your identity provider type.
Click Save and continue in Aha!
Enter the remaining fields following the SAML 2.0 configuration instructions.
Click Enable SSO to enable your identity provider.
To share your identity provider configuration between multiple ideas portals:
Open each portal's settings.
Once you have your portal settings open, navigate to the Users tab then the SSO section.
Select the identity provider you just created from the Identity provider dropdown.
Congratulations! You just shared your configuration with another portal.
Repeat these steps for each portal you wish to use the shared Identity provider configuration.
You can manage your identity provider configuration — and the portals that use it — from the Identity providers tab in Settings ⚙️→ Account → Ideas portals.
Troubleshooting
We have created an article to help you troubleshoot common SSO configuration issues, complete with explanations and resolutions.
The best place to start in most of these situations is the Recent SSO events for your SSO configuration, at the bottom of the configuration page. Those messages will help diagnose and solve the problem.
It is possible to invite an ideas portal user from your ideas portal settings who has not been configured with the identity provider your portal is using. The user will not be able to log in to the ideas portal until they can be authenticated by the identity provider.
If you get stuck, please reach out to our Customer Success team. Our team is made up entirely of product experts and responds fast.