Okta

How to Configure SAML 2.0 for Aha!


Supported Features

The Okta/Aha! SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.


Configuration Steps

  1. Log in to Aha! as an Administrator.

  2. Click Settings (the gear icon), then select Account:

    aha_new_1.png

  3. Navigate to Security and single sign-on, then, in the Single sign-on section, select SAML 2.0 from the Identity provider dropdown menu:

    aha_new_2.png

  4. Enter the following:

    • Name: Enter OKTA.

    • Configure using: Select Metadata URL.

    • Metadata URL: Copy and paste the following Metadata URL:

      Sign in to the Okta Admin dashboard to generate this value.

    • Click Enable:

    aha_1.png

  5. Done!



Notes

SP-initiated SSO

  1. Go to https://[yourSubDomain].aha.io/session/new.

    Where [yourSubDomain] is your Aha! subdomain.

  2. Select the Login button adjacent to log in with OKTA:

    aha_3.png


Custom Attributes

OPTIONAL

By default, Okta sends only 3 SAML attributes in the SAML assertion: FirstName, LastName, and EmailAddress. To send custom attributes, follow the steps below:

  1. In Okta, navigate to Directory > Profile Editor:

    ahah_new1.png

  2. Search for your Aha! SAML app, then click the Profile edit button:

    ahah_new2.png

  3. Click Add Attribute, then add any of the custom attributes you'd like to have:

      Display Name     Variable Name
      ProductPrefix    productPrefix
      ProductRole      productRole

    aha_new3.png

    Scope: If you check User personal, the attribute is available when you assign a user to the Aha! app and is not available when you assign a group to the Aha! SAML app. For example, in the following screenshot, the User personal scope was applied to the ProductPrefix attribute:

    aha_new4.png

  4. Once you have completed the steps above, you should see a list similar to the one shown below, depending on which optional attributes you added:

    aha_new5.png

  5. You can now set the ProductPrefix attribute to automatically grant access to a specific product or product line. It can be set to any valid product prefix on your account, and requires that you also set the ProductRole attribute (see below). The product is only added at provision time and is not updated if the value changes later. This is very handy for giving new users a default product. For advanced product permissions, you will want to manage users directly in Aha!.

    The ProductRole attribute works in conjunction with the ProductPrefix attribute and allows you to specify which level of access a user should have. Just like ProductPrefix, this is only used when a user is initially provisioned. Values match with roles in Aha! and must be one of the following:

    • product_owner
    • contributor
    • reviewer
    • viewer
    • none
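
Because ProductPrefix and ProductRole grant product access at provisioning time, it is worth checking the attributes in a test assertion before assigning users. The following is an added example, not part of the original Okta or Aha! documentation: it reads a decoded AttributeStatement and applies the rules stated above. It assumes the attributes appear in the assertion under the names ProductPrefix and ProductRole; the sample XML, the DEMO prefix, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DEFAULT_ATTRS = {"FirstName", "LastName", "EmailAddress"}  # sent by default per this page
VALID_ROLES = {"product_owner", "contributor", "reviewer", "viewer", "none"}

# Constructed sample of a decoded AttributeStatement; names on the wire are an assumption.
SAMPLE = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="EmailAddress"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="ProductPrefix"><saml:AttributeValue>DEMO</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="ProductRole"><saml:AttributeValue>viewer</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


def read_attributes(xml_text):
    """Return {attribute name: [non-empty values]} from an AttributeStatement.

    ElementTree is used only because the sample is constructed; it does not
    verify signatures and is not a hardened parser for untrusted XML.
    """
    attrs = {}
    for attr in ET.fromstring(xml_text).iter(f"{{{SAML_NS}}}Attribute"):
        values = [(v.text or "").strip() for v in attr.iter(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs


def check_aha_attributes(attrs):
    """Return a list of problems; an empty list means the page's rules are met."""
    problems = [f"missing default attribute {n}" for n in sorted(DEFAULT_ATTRS) if not attrs.get(n)]
    prefixes, roles = attrs.get("ProductPrefix", []), attrs.get("ProductRole", [])
    if prefixes and not roles:
        problems.append("ProductPrefix is set but ProductRole is not")
    if roles and not prefixes:
        problems.append("ProductRole is set but ProductPrefix is not")
    # Role values must match one of the listed Aha! roles exactly.
    problems += [f"invalid ProductRole value {r!r}" for r in roles if r not in VALID_ROLES]
    return problems


if __name__ == "__main__":
    for line in check_aha_attributes(read_attributes(SAMPLE)) or ["attributes look consistent"]:
        print(line)
```
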