This article discusses functionality that is included in the Aha! Knowledge Advanced plan. Please contact us if you would like a live demo or want to try using it in your account.

Aha! Roadmaps | Knowledge base SSO | Microsoft Active Directory Federation Services (ADFS) (Aha! Knowledge Advanced)

You can use Microsoft Active Directory Federation Services (ADFS) as an identity provider for your knowledge base with SAML 2.0. You will need to have in your Aha! account and in ADFS to configure SSO.

Click any of the following links to skip ahead:

In ADFS
In your Aha! account
Share your SSO configuration
Troubleshooting

In ADFS

In Server Manager, click Tools AD FS Management.
Click Add Relying Party Trust under Actions. This will open the Add Relying Party Trust Wizard.
In the Welcome step, click Claims aware, then Start.
In the Select Data Source step, choose Import data about the relying party, then enter your Aha! Roadmaps account URL in the Federation metadata address field. You can copy it from the Aha! Roadmaps knowledge base SSO settings by navigating to Users SSO.

The metadata URL will only work once SAML authentication is enabled in your Aha! Roadmaps account.

In the Specify Display Name step, name your relying party (e.g. "Aha! Roadmaps").
The Configure Certificate step is optional. Click Next.
The Configure URL step is optional. Click Next.
In the Configure Identifiers step, enter your knowledge base URL.
In the Choose Access Control Policy step, choose to Permit everyone.
Review your settings on the Ready to Add Trust step, then click Next.
On the Finish step, press Close. This will open the Edit Claim Rules modal.
On the Issuance Transform Rules tab, click Add Rule....
Select the Send LDAP Attributes as Claims template.
Click Next. Name your rule, select Active Directory as the attribute store, and then add the following mappings:
LDAP Attribute
Outgoing Claim Type
NameID
NameID
Given-Name
Given Name
Surname
Surname

Each user in your Aha! account needs to have a unique NameID. This value must be unique — an email addresses cannot be used as a NameID. This ensures that any changes to a user's email address can be reflected in your Aha! account.

Click OK.
On the Issuance Transform Rules tab, click Add Rule... again.
Select the Transform an Incoming Claim template, then click Next.
Name the rule and make the following selections:
- Incoming claim type: NameID
- Outgoing claim type: NameID
- Outgoing name ID format: Email
- Pass through all claim values
Click OK.

Top

In your Aha! account

Navigate to Settings ⚙️ Account Knowledge Knowledge bases. You will need to be an administrator with customizations permissions to configure a knowledge base.
Click the name of the knowledge base you wish to edit.
Once you have your knowledge base settings open, navigate to the Access section of the Overview tab. In the Authentication dropdown, select SSO.
Choose SAML as your identity provider Type. Click Save.
The SAML 2.0 configuration will display.
For the Metadata URL, enter the URL to the metadata xml listed in AD FS 2.0 console, e.g. https://adfs.<company>.com/FederationMetadata/2007-06/FederationMetadata.xml.
Enter the remaining fields following the SAML 2.0 configuration instructions.
Click Enable SSO to complete the configuration.

Top

Since SSO for ideas portals is configured in the same way as knowledge base SSO, knowledge bases and ideas portals can share an SSO configuration.

The table below explains how many ideas portals and knowledge bases can share a single SSO configuration, depending on which Aha! plan(s) you are subscribed to.

Aha! plans	Number of ideas portals on a single SSO configuration	Number of knowledge bases on a single SSO configuration	Notes
Aha! Roadmaps	1	0*	One SSO configuration per ideas portal.
Aha! Roadmaps + Aha! Ideas Advanced	2+	0*	One SSO configuration can be shared between multiple ideas portals.
Aha! Roadmaps + Aha! Knowledge Advanced	2+	2+	One SSO configuration can be shared between one ideas portal and multiple knowledge bases.
Aha! Roadmaps + Aha! Ideas Advanced + Aha! Knowledge Advanced	2+	2+	One SSO configuration can be shared between multiple ideas portals and multiple knowledge bases.

* Publishing a knowledge base requires an Aha! Knowledge Advanced plan.

To share your identity provider configuration between multiple knowledge bases and/or with a single ideas portal:

Navigate to Settings ⚙️ Account Knowledge Knowledge bases. You will need to be an administrator with customizations permissions to do this.
Click a knowledge base to open its settings.
Once you have your knowledge base settings open, navigate to Overview Authentication.
Select an identity provider you have configured from the Identity provider dropdown.
Repeat these steps for each knowledge you wish to use the shared Identity provider configuration.

You can manage your identity provider configuration — and the knowledge bases or portal that uses it — from the Identity providers tab in Settings ⚙️ Account Knowledge SSO.

Top

Troubleshooting

We have created an article to help you , complete with explanations and resolutions.

The best place to start in most of these situations is the Recent SSO events for your SSO configuration, at the bottom of the configuration page. Those messages will help diagnose and solve the problem.

It is possible to invite an ideas portal user from your ideas portal settings who has not been configured with the identity provider your portal is using. The user will not be able to log in to the ideas portal until they can be authenticated by the identity provider.

Top

LDAP Attribute	Outgoing Claim Type
NameID	NameID
Given-Name	Given Name
Surname	Surname

Aha! Roadmaps | Knowledge base SSO | Microsoft Active Directory Federation Services (ADFS) (Aha! Knowledge Advanced)

In ADFS

In your Aha! account

Share your SSO configuration

Troubleshooting

In ADFS

In your Aha! account

Share your SSO configuration

Troubleshooting