Status Future consideration
Categories Account settings
Created by Emily Yankush
Created on Dec 15, 2022

Automatically fetch the new SSO certificate/fingerprint

When an account is configured to use SSO, occasionally a certificate can be updated/changed in the SSO provider.

When this happens, a user trying to log into Aha! will see the error "SAML response certificate does not match fingerprint".

The recommended action for accounts configured with a metadata URL is to go into their Aha! SSO settings and click "Update" to re-fetch the certificate and capture/update the fingerprint. It typically takes a few minutes for this update to work successfully.

It would be a smoother process to automatically attempt to re-fetch this data when we get this error and change the error message to prompt the user to re-try after a certain time period.

Support article on this error: https://www.aha.io/support/ideas/integrations/account-single-sign-on/troubleshooting-sso#saml-response-certificate-does-not-match-fingerprint

  • Julian Elve (Jul 2, 2024)

    We use SAML auth from our instance of Microsoft Entra ID (aka Azure AD) and find that they quite frequently change the SAML certificates. Each time this happens we are locked out of our Aha instance and therefore need to create a help ticket to have our admin account temporarily returned to password auth. As well as the failure demand this creates on your service desk, because of timezone differences it can disrupt us for a day.

    An automated periodic check of the metadata URL could be used to check for key rotations (there are usually two keys defined) and trigger an automated update of the configuration.

  • +1
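Added example, not part of the idea or of any comment above: a Python check for the periodic metadata-URL poll that the request and the comment describe. It parses IdP metadata, fingerprints every published signing certificate, and reports whether the fingerprint stored in the SP configuration is still current, is about to be superseded by a second staged key, or is already gone (the state that produces the "certificate does not match fingerprint" error). The metadata fixture and the DER byte strings are constructed stand-ins, and SHA-256 is an assumption since the page does not say which digest Aha! stores.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(der, algo="sha256"):
    """Colon-separated hex digest of a DER certificate (the usual SAML fingerprint form)."""
    hexd = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def signing_fingerprints(metadata_xml, algo="sha256"):
    """Fingerprints of every signing certificate in IdP metadata.
    A KeyDescriptor with no 'use' attribute is valid for signing and encryption."""
    root = ET.fromstring(metadata_xml)
    out = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            out.append(fingerprint(der, algo))
    return out

def check_rotation(configured_fp, metadata_xml):
    """Compare the SP's stored fingerprint with what the IdP currently publishes.
    current          : only the configured key is published
    rotation_pending : configured key still published, a new key is staged beside it
    rotated          : configured key is gone; SAML responses will fail the fingerprint check
    """
    published = signing_fingerprints(metadata_xml)
    norm = configured_fp.replace(":", "").upper()   # accept colon-less / lowercase input
    if norm not in [p.replace(":", "") for p in published]:
        status = "rotated"
    elif len(published) > 1:
        status = "rotation_pending"
    else:
        status = "current"
    return {"status": status, "published": published}

def build_metadata(der_blobs):
    """Constructed IdP metadata fixture (not real Entra ID output): one signing key per blob."""
    keys = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
        f"{base64.b64encode(b).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
        "</md:KeyDescriptor>" for b in der_blobs)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://idp.example.test/"><md:IDPSSODescriptor>'
            f"{keys}</md:IDPSSODescriptor></md:EntityDescriptor>")

if __name__ == "__main__":
    OLD, NEW = b"constructed-der-old", b"constructed-der-new"  # stand-ins for DER certificates
    stored = fingerprint(OLD)                                  # what the SP config holds
    for stage in ([OLD], [OLD, NEW], [NEW]):                   # IdP publishes, stages, switches
        print(check_rotation(stored, build_metadata(stage))["status"])
```

A scheduled run of `check_rotation` against the real metadata URL turns "rotation_pending" into the signal to refresh the fingerprint before the IdP switches keys, rather than after users are locked out.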