This article discusses functionality that is included in the Aha! Knowledge Advanced plan. Please contact us if you would like a live demo or want to try using it in your account.
Every organization wants better ideas. But it is tough to actually capture ideas from customers, employees, and others in a manageable way.
Single sign-on (SSO) allows your users to log in to your ideas portal using their existing SAML-enabled ID provider, such as Active Directory, OneLogin, PingIdentity, Okta, and many more. With SSO, you can increase engagement of your idea portals as employees and customers no longer need to keep track of yet another email and password. This allows you to tightly integrate your idea management system with the roadmapping process.
If you have multiple ideas portals and want to use a single SAML 2.0 identity provider configuration between all of them, you may be interested in the Aha! Ideas Advanced plan.
This article will provide information on how to set up SAML 2.0 SSO for your public and private ideas portals.
Click any of the following links to skip ahead:
This article discusses proxy votes or ideas portal custom domains. You need to be an Aha! Ideas Advanced plan customer to access these features. Please contact us if you would like a live demo or would like to try using it in your account. If your Aha! account was created before October 20, 2020, you may have access to these integrations, but you will need to upgrade to Aha! Ideas Advanced for any future enhancements.
How it works
When a user authenticates to the ideas portal, they will be presented with the option to authenticate to the portal via SSO only. They cannot self-register with a username and password. If they are already logged in to the SSO provider, they will automatically be logged in to your portal without any additional actions.
Public portal: Once SSO is configured, users will be prompted to log in before posting or voting on ideas in the public portal. Anyone can view ideas, regardless of whether they are logged in.
Private portal: In order to access the private portal, users will be prompted to log in via SSO. If SSO is configured, any user with the SSO account will be able to access the ideas portal, regardless of email domain.
It is possible to invite an ideas portal user from your ideas portal configuration who has not been configured with the identity provider your portal is using. The user will not be able to log in to the ideas portal until they can be authenticated by the identity provider.
Enable SSO for any ideas portal
There are two ways to enable SAML 2.0 SSO in your ideas portals.
-
Navigate to User menu -> Settings → Account → Ideas → Ideas portals or Ideas → Overview. You will need to be an to configure an ideas portal.
From your account settings, click the name of the ideas portal you wish to edit.
From Ideas → Overview, click the pencil icon by the name of the ideas portal you wish to edit.
Once you have your portal settings open, navigate to the Users tab, and the SSO section.
Click Add new provider.
Choose SAML as your identity provider Type. Click Save.
The SAML 2.0 configuration will display. Enter the remaining fields following the SAML 2.0 configuration requirements.
The SAML 2.0 configuration will differ based on the SAML provider that you've selected.Click Enable SSO to complete the configuration.
The email domains you specify in the Users → Employee section will still determine a portal users type when you provision portal users through SSO. This means that they can still be provisioned as an employee type portal user if their email domain matches what you entered in the Employee configuration.
Note: Adding a new email domain will not automatically mark existing portal users as employees.
There are two additional advanced settings beneath Access for Aha! users. They are disabled by default, and most Aha! accounts will not need to use them — in fact, unless you configure these settings carefully, you can break your SSO configuration. If you need help configuring these options, you are welcome to reach out to our Customer Success team.
Enable CNAME for SSO URLs: This option is rarely needed and will break SSO if not carefully configured. Enabling this option causes SSO to use the as well. This is not necessary for most portals, even when using a CNAME for the portal. It may be useful if your customers have strict corporate networking policies.
CNAME: This must match an existing used in an active ideas portal in your Aha! account. After adding the CNAME click Update URLs and Save or Update SSO. If you have previously configured SSO the URLs must be updated in your external system.
Configure your SAML identity provider
The last step in configuring your ideas portal for SAML 2.0 SSO is to configure your identity provider so that it will send your Aha! account the right information. Particularly, you should ensure that the identity provider is sending the required user attributes to your Aha! account.
EmailAddress
FirstName
LastName
-
NameID
We strongly recommend using a persistent, unique identifier in this field rather than the user's email address.
Your Aha! account uses these attributes to identify users and match them to users in your Aha! account or ideas portal.
Share your SSO configuration between portals (Aha! Ideas Advanced plan)
If you have added Aha! Ideas Advanced plan functionality to your Aha! account, the process to create and assign an identity provider looks a little different.
Follow the same steps to enable SSO for your ideas portal listed above.
-
Navigate to User menu -> Settings → Account → Ideas -> Single sign-on or Ideas → Overview. You will need to be an to configure an ideas portal.
From your account settings, click the name of the ideas portal you wish to edit.
From Ideas → Overview, click the pencil icon by the name of the ideas portal you wish to edit.
Once you have your portal settings open, navigate to the Users tab, then the SSO section.
-
Select Add new provider from the Identity provider dropdown.
-
Name: Name your identity provider.
We recommend that you name your provider something easily recognizable to the different portals that might want to use it, like Employees, or Customers.
Type: Choose SAML as your identity provider type.
Click Save and continue in Aha!
Enter the remaining fields following the SAML 2.0 configuration instructions.
-
Click Enable SSO to enable your identity provider.
To share your identity provider configuration between multiple ideas portals:
Open each portal's settings.
Once you have your portal settings open, navigate to the Users tab, then the SSO section.
Select the identity provider you just created from the Identity provider dropdown.
Congratulations! You just shared your configuration with another portal.
Repeat these steps for each portal you wish to use the shared Identity provider configuration.
You can manage your identity provider configuration — and the portals that use it — from the Identity providers tab in User menu -> Settings → Account → Ideas portals.
Existing Aha! user accounts and SSO
Aha! idea portals prompt the user for their email address to determine if they already have an Aha! account login. If the email entered is not registered in your Aha! account, they will be redirected to SSO based upon your configuration. If their email address is registered in your Aha! account they will be redirected to log in via your Aha! account to ensure they do not have two separate logins.
This setting is selected by default, and can be disabled by unchecking the box Access for Aha! users.
When using SSO, email addresses should be managed within the identity provider system. If an email address is modified within your Aha! account, the email address will be reset to the value in the identity provider system.
Disabling this option on custom portals will prevent Aha! users from accessing the portal.
Set contact custom field values
Portal SSO can set idea portal contact custom fields when a user signs in. Your SSO provider (JWT or SAML) sends attributes that map to specific contact custom fields in your Aha! account. Each incoming attribute maps to a contact custom field by its API key and then sets or updates the value on the portal contact. This works for both new and existing portal users.
This capability is useful when you already maintain important user data in your identity provider. You can store an internal user identifier, region, or other key attributes directly on the portal contact. New contacts receive these values at creation. Existing contacts are updated the next time the user signs in, so your Aha! account stays aligned with your source of truth without additional API calls.
To set contact custom field values through portal SSO:
Identify the data you want to sync.
-
Configure custom fields on your contact layout.
Navigate to User menu -> Settings -> Account -> Custom layout.
Edit the contact layout for your account and confirm or create new fields for each attribute you want to sync.
For each field, note the API key exactly as it appears in the configuration. You will use this in your SSO mapping.
-
Map attributes in your SSO identify provider.
Add attributes to the assertion for your portal.
Set each attribute name to match the corresponding contact custom field API key from your Aha! account.
Map each attribute to the correct data source in your identity provider so the value reflects what you want stored in the portal contact.
-
Test with a single user.
Choose a test user in your identity provider and use it to log in to your portal via SSO.
In your Aha! account, open the portal contact record for that user and confirm that the custom fields now contain the expected values.
Troubleshooting
If you run into issues with portal SSO:
Start with the integration log messages for your SSO configuration. They often pinpoint the exact claim or setting that you need to adjust.
Review the list of common SSO configuration issues in our knowledge base. These examples include typical problems with claims, scopes, and redirect URLs.
If you get stuck, please reach out to our Customer Success team. Our team is made up entirely of product experts and responds fast.