When an account is configured to use SSO, the signing certificate in the SSO provider is occasionally updated or rotated.
When this happens, a user trying to log into Aha! will see the error "SAML response certificate does not match fingerprint".
The recommended action for accounts configured with a metadata URL is to go into their Aha! SSO settings and click "Update" to re-fetch the certificate and capture/update the fingerprint. It typically takes a few minutes for this update to work successfully.
It would be a smoother process to automatically attempt to re-fetch this data when we get this error, and to change the error message to prompt the user to retry after a certain time period.
Support article on this error: https://www.aha.io/support/ideas/integrations/account-single-sign-on/troubleshooting-sso#saml-response-certificate-does-not-match-fingerprint
We use SAML auth from our instance of Microsoft Entra ID (aka Azure AD) and find that they quite frequently change the SAML certificates. Each time this happens we are locked out of our Aha instance and therefore need to create a help ticket to have our admin account temporarily returned to password auth. As well as the failure demand this creates on your service desk, because of timezone differences it can disrupt us for a day.
An automated periodic check of the metadata URL could be used to check for key rotations (there are usually two keys defined) and trigger an automated update of the configuration.
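As an added illustration of the periodic metadata check proposed above (example code, not Aha!'s implementation): it parses IdP metadata, fingerprints every certificate published for signing (including a second key published during rotation), and reports whether the fingerprint stored in the SP configuration is still valid. The metadata document and the certificate bodies are constructed stand-ins so the example runs offline; a real check would fetch the metadata URL over HTTPS.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-ins for DER certificate bodies (not real certificates).
CERT_A_DER = b"constructed signing cert A"
CERT_B_DER = b"constructed signing cert B (second key during rotation)"
CERT_C_DER = b"constructed encryption-only cert"
def _b64(der: bytes) -> str: return base64.b64encode(der).decode()

# Constructed IdP metadata: two signing keys plus one encryption-only key.
METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.invalid/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(CERT_A_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(CERT_B_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(CERT_C_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated uppercase hex digest of a DER certificate body."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def signing_fingerprints(metadata_xml: str, algo: str = "sha256") -> list[str]:
    """Fingerprints of every certificate the IdP publishes for signing. A KeyDescriptor
    with no 'use' attribute is valid for signing and encryption, so it is included."""
    root = ET.fromstring(metadata_xml)
    result = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys never sign responses
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))  # drop PEM line wrapping
            result.append(fingerprint(der, algo))
    return result

def check_rotation(configured_fp: str, metadata_xml: str) -> dict:
    """Compare the SP's stored fingerprint with what the IdP publishes right now."""
    norm = lambda fp: fp.replace(":", "").upper()
    published = signing_fingerprints(metadata_xml)
    still_valid = any(norm(fp) == norm(configured_fp) for fp in published)
    return {"status": "ok" if still_valid else "rotated", "published": published}
```

A scheduled job can run `check_rotation` against the configured fingerprint and, on `"rotated"`, update the stored fingerprint from `published` before users hit the mismatch error.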