Portal SSO | Okta

Aha! Roadmaps

This article is about configuring single sign-on (SSO) for your ideas portal. Read these articles if you want to configure SSO for your Aha! Ideas account.

Ideas portal users who authenticate with Okta can add, vote, or comment on ideas without having to remember yet another user ID and password. Plus, your team will have a single place to manage all your ideas — including the next big one.


How it works

Once SSO is enabled, users authenticate to the ideas portal via SSO only. If they are already logged in to Okta, they are logged in to your portal automatically, without any additional action.

  • Public portal: Once SSO is configured, users will be prompted to log in before posting or voting on ideas. Anyone can view ideas regardless of whether they are logged in.

  • Private portal: To access the portal, users will be prompted to log in via SSO. If SSO is configured, any user with an SSO account will be able to access the ideas portal regardless of email domain.

It is possible to invite an ideas portal user from your ideas portal settings who has not been configured with the identity provider your portal uses. The user will not be able to log in to the ideas portal until they are authenticated by the identity provider.


Set up SSO for your ideas portal

To set up Okta SSO for your ideas portal, you will need to be an administrator in your Okta account and a customizations administrator in your Aha! account.

  1. Access your ideas portal settings and navigate to Users → SSO.

  2. Click Add new provider.

  3. Choose SAML as your identity provider Type. Click Save.

  4. The SAML 2.0 configuration will display.

  5. In the Settings using field, select Metadata file. (You will generate the metadata file to import here from within your Okta account.)

Leave this page open in a browser tab so you can reference it while configuring settings in Okta.


Configure the integration in Okta

  1. Log in to your Okta account.

  2. Navigate to Applications.

  3. Click Create App Integration. (The pre-configured Aha! SAML integration uses email addresses for the NameID, which is not a best practice. We recommend following the steps in this article instead.)

  4. Select SAML 2.0.

  5. Click Next. The Create SAML Integration builder will open.

  6. From the General Settings tab:

    1. Name your application. Click Next.

  7. In the Configure SAML tab:

    1. Paste in the Single sign-on URL. You can copy this URL from the SAML consumer URL field within the ideas portal SAML configuration in your Aha! account. The URL should be your ideas portal's URL, followed by "/auth/saml/callback" (for example: https://accountname.ideas.aha.io/auth/saml/callback).

    2. If it is not already checked, check the box to Use this for Recipient URL and Destination URL.

    3. Back in the ideas portal SSO configuration in your Aha! account, copy the SAML entity ID.

    4. Paste the copied SAML entity ID in the Audience URI field.

    5. Next to Name ID format, select Unspecified.

    6. Next to Application username, select Custom.

      1. Custom rule: user.getInternalProperty('id'). This custom rule tells Okta to create a persistent unique ID for every new user. If you have already added users to this application, you will need to update them.

        You must use a unique identifier so your Aha! account can maintain a mapping between the user record in your ideas portal and your identity provider. This ensures any changes to the email address within the identity provider will reflect in your ideas portal.

    7. Set Update application username on to Create and update.

    8. Attribute Statements:

      1. Attribute: FirstName | Value: user.firstName

      2. Attribute: LastName | Value: user.lastName

      3. Attribute: EmailAddress | Value: user.email

      Note: These attribute names are case sensitive. Make sure you copy them exactly.

    9. At the bottom of the page, click Next.

  8. From the Feedback tab:

    1. Answer the question. Click Next.
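To confirm that an Okta application configured as above emits what the ideas portal expects (an Unspecified NameID carrying the persistent internal id rather than an email address, and the three attribute names in exact case), here is an added Python check that is not Aha! or Okta code. The sample assertion is constructed, and its Issuer and NameID values are placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
REQUIRED_ATTRS = ("FirstName", "LastName", "EmailAddress")  # exact case, as in the Okta attribute statements

# Constructed sample assertion shaped like the one the Okta app above would send (placeholder ids).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" Version="2.0">
  <saml:Issuer>http://www.okta.com/PLACEHOLDER</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">00uPLACEHOLDER</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="EmailAddress"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text: str) -> list:
    """Return the problems found; an empty list means the assertion matches the portal setup."""
    problems = []
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("missing NameID")
    else:
        if name_id.get("Format") != UNSPECIFIED:
            problems.append(f"NameID format is {name_id.get('Format')!r}, expected Unspecified")
        # An email-shaped NameID means the Custom rule user.getInternalProperty('id') did not apply.
        if re.fullmatch(r"[^@\s]+@[^@\s]+", (name_id.text or "").strip()):
            problems.append("NameID is an email address; expected the persistent internal id")
    found = {a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if name not in found:
            near = [f for f in found if f and f.lower() == name.lower()]
            hint = f" (found {near[0]!r}; attribute names are case sensitive)" if near else ""
            problems.append(f"missing attribute {name!r}{hint}")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION) or "assertion OK")
```

Paste a decoded assertion from your own test login into the checker to see which of the settings above was missed.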


Enable the integration in your Aha! account

  1. Before you leave Okta, click View SAML setup instructions on the right side of the page. A new browser tab will open with everything you need to configure Okta in your Aha! account.

    1. Under Optional, copy the IDP metadata XML.

  2. Open a new file in a plain text editor like Notepad (PC) or TextEdit (Mac). (In TextEdit, choose Format → Make Plain Text before saving so the file is not saved as rich text.)

    1. Paste the IDP metadata XML you copied from Okta.

    2. Save your file. This is now the Metadata file you need on the Aha! side.

  3. On your ideas portal SSO configuration page in your Aha! account:

    1. Metadata file: Select Metadata file.

    2. Click Choose file. Choose the metadata file you just created.

    3. Scroll down and click Enable.

Congratulations! You have successfully configured Okta SSO for your ideas portal.


Assign users to your Okta application

  1. In your Okta application configuration, navigate to the Assignments tab.

  2. Click the Assign dropdown, then click Assign to people or Assign to groups.

    1. If you chose to Assign to people, click Assign next to each existing user you want to add to the application.

    2. If you chose to Assign to groups, select the appropriate group(s), then click Done.

  3. The Username modal will appear along with a unique persistent ID for this user.

    This is an important step, as it indicates that you applied the Custom rule to use user.getInternalProperty('id') correctly. You must use a unique identifier so Aha! can maintain a mapping between the user record in Aha! and within your identity provider. This ensures that any changes to the email address within the identity provider will reflect in your Aha! account.

  4. Click Save and go back to accept the user ID.

  5. Click Done when you have finished assigning users.


Share your SSO configuration across portals (Advanced plan)

To share your identity provider configuration across multiple ideas portals:

  1. Open each portal's settings.

  2. With your portals' settings open, navigate to the Users tab, then the SSO section.

  3. Select the identity provider you just created from the Identity provider dropdown.

  4. Congratulations! You just shared your configuration with another portal.

  5. Repeat these steps for each portal you wish to use the shared Identity provider configuration on.

You can manage your identity provider configuration — and the portals that use it — from the Identity providers tab in Settings ⚙️→ Account → Ideas portals.


Troubleshooting

If you run into trouble, we have gathered common SSO configuration issues into one article, along with common resolutions.

The best place to start in most of these situations is the integration log messages for your SSO configuration. Those messages will help diagnose and solve the problem.
