Skip to Main Content

Share your product feedback

Status Already exists
Categories User management
Created by Marcus Gavel
Created on May 22, 2015

Allow SAML / SSO created users to be placed in a default permissions group

We are allowing all the engineers in our company to view the roadmap information in Aha! by enabling SSO registration. It's a transparency policy that enables the engineers to see how the feature pipeline is determined.

Issue here is that  SSO created users have no permissions by default to view any products.

So as an admin, I am dreading the 3-4 clicks PER USER to enable the reviewers to see the product lines they work on. And with the delay in enabling permissions, most users will register; see nothing in the tool, and leave thinking it's all broken.

A default permissions scheme that users could be automatically enrolled into would be this desired feature.

  • Attach files
  • Haneesh V
    Reply
    |
    Aug 21, 2020

    We are able to successfully setup the SSO, but when a new user access Aha from IdP (AzureAD), they are not assigned to any role and receive a message to reach out to our account admins. Is there a way we can default all our users to have viewer rights to a specific product? We are passing the custom attributes ProductPrefix and ProductRole from AAD to Aha.

  • Antti Toivonen
    Reply
    |
    Apr 25, 2018

    I would see value enabling this possibility for SSO via SAML on Aha! side. One case example is Okta, which does provide Aha! app on their platform, but it specifically does not support these additional attributes. Only way to make this work for Okta SSO is to make custom configuration for Aha!.

    If this could be set on Aha! side, the standard app could be used and hassle with custom configuration option would not be needed.

    Related to: https://big.ideas.aha.io/ideas/APP-I-6016

  • Michael Nigels
    Reply
    |
    Mar 23, 2016

    Thanks for the response Chris.  I found the new custom attribute feature in Azure AD shortly after writing my previous post.  It's a new feature in Azure AD (currently in "Preview") that I wasn't previously aware of.  The good news is that it works as advertised and I was able to successfully add the 2 custom attributes needed for Aha!.  So, at this point it looks like Azure AD as the SAML provider can handle everything we need to make this work the way want.  I still think there might be value in allowing the ability to set a default from within Aha!, however for our implementation it is not a high priority now that Azure AD can handle the task.  Thanks for the follow-up.

  • Admin
    Chris Waters
    Reply
    |
    Mar 23, 2016

    I believe that the Azure app configuration passes the custom attributes automatically. Basically that is what the app configuration does - it provides pre-configured options based on what Aha! needs.

    It appears that Azure now supports more customizable SAML configuration too. It is described here: https://blogs.technet.microsoft.com/ad/2015/06/17/bring-your-own-app-with-azure-ad-self-service-saml-configuration-now-in-preview/

  • Michael Nigels
    Reply
    |
    Mar 23, 2016

    Not sure if it's better to respond to this original idea or open a new one, but I would like to revisit this if possible.  I understand that the SAML integration supports custom attributes to achieve this functionality, however not all SAML providers support this.  Specifically we are using Azure AD which has an App configuration for Aha! available (details here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-saas-aha-tutorial/).  Unfortunately though it does not appear that Azure AD supports passing the required custom attributes.  Even if it did, it would valuable to set a global default product and permission level from within the Aha! application.  In a large organization with distributed administrative responsibilities, that would allow the Aha! product administrator control over how new users are provisioned which is where it would often be more appropriate.

  • Admin
    Chris Waters
    Reply
    |
    May 22, 2015

    You should configure the ProductPrefix and ProductRole attributes in your directory server as described here: http://support.aha.io/hc/en-us/articles/204068485-Single-sign-on-SAML-2-0

    This will allow you to set the default permission for SSO users. The best way to do this is to give users Viewer or Reviewer permission for a product line that encompasses the products you want the users to have access to.