The Okta/Aha! SAML integration currently supports the following features:
For more information on the listed features, visit the Okta Glossary.
Log in to Aha! as an Administrator.
Click Settings (the gear icon), then select Account:
Navigate to Security and single sign-on, then, in the Single sign-on section, select SAML 2.0 from the Identity provider dropdown menu:
Enter the following:
Name: Enter OKTA.
Configure using: Select Metadata URL.
Metadata URL: Copy and paste the following Metadata URL:
Sign into the Okta Admin dashboard to generate this value.
Click Enable:
Done!
Make sure that you entered the correct value in the Subdomain field under the General application tab in Okta. Using the wrong value will prevent you from authenticating via SAML to Aha!.
Okta sends the following default attributes as part of the SAML assertion:
Name | Value |
---|---|
FirstName | user.firstName |
LastName | user.lastName |
EmailAddress | user.userName |
In addition to the default attributes, Okta supports the following custom attributes:
Display Name | Variable Name |
---|---|
ProductPrefix | appuser.productPrefix |
ProductRole | appuser.productRole |
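The following checker is an added example, not part of the Okta or Aha! documentation. It reads the AttributeStatement of a decoded assertion (for instance one captured during a test login) and reports missing default attributes, and a ProductPrefix sent without the ProductRole it requires. The sample XML and its values are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFAULT_ATTRS = ("FirstName", "LastName", "EmailAddress")  # defaults listed on this page

# Constructed sample: AttributeStatement from a decoded assertion (values are made up).
SAMPLE = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="EmailAddress"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="ProductPrefix"><saml:AttributeValue>DEMO</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
"""

def read_attributes(xml_text):
    """Map each attribute Name to the list of its non-empty values."""
    # Inspection only: this does not validate the assertion's signature,
    # so never use its output to make an authentication decision.
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % SAML_NS["saml"]):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs

def check_attributes(xml_text):
    """Return a list of problems; an empty list means nothing was flagged."""
    attrs = read_attributes(xml_text)
    problems = ["missing or empty default attribute: " + name
                for name in DEFAULT_ATTRS if not attrs.get(name)]
    has_prefix = bool(attrs.get("ProductPrefix"))
    has_role = bool(attrs.get("ProductRole"))
    if has_prefix and not has_role:
        # The page states that ProductPrefix requires ProductRole.
        problems.append("ProductPrefix sent without ProductRole")
    if has_role and not has_prefix:
        # Assumption: a role with no product prefix has nothing to apply to.
        problems.append("ProductRole sent without ProductPrefix")
    return problems

if __name__ == "__main__":
    for line in check_attributes(SAMPLE) or ["no problems flagged"]:
        print(line)
```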
Go to https://[yourSubDomain].aha.io/session/new, where [yourSubDomain] is your Aha! subdomain.
Select the Login button adjacent to log in with OKTA:
OPTIONAL
By default, Okta sends only 3 SAML attributes in the SAML assertion: FirstName, LastName, and EmailAddress. To send custom attributes, follow the steps below:
Display Name | Variable Name |
---|---|
ProductPrefix | productPrefix |
ProductRole | productRole |
Scope: If you check User personal, the attribute is available when you assign a user to the Aha! app, but not when you assign a group to the Aha! SAML app. For example, in the following screenshot, the User personal Scope was applied to the ProductPrefix attribute:
Now you can set the ProductPrefix attribute to automatically grant access to a specific product or product line. This can be set to any valid product prefix on your account and requires that you also set the ProductRole attribute (see below). The product is added only when the user is first provisioned; changing the attribute afterwards does not update the user's access. It is very handy for giving new users a default product. For advanced product permissions, you will want to manage users directly in Aha!.
The ProductRole attribute works in conjunction with the ProductPrefix attribute and allows you to specify which level of access a user should have. Just like ProductPrefix, this is only used when a user is initially provisioned. Values match with roles in Aha! and must be one of the following: