Allow SAML / SSO created users to be placed in a default permissions group

We are allowing all the engineers in our company to view the roadmap information in Aha! by enabling SSO registration. It's a transparency policy that enables the engineers to see how the feature pipeline is determined.

The issue here is that SSO-created users have no permissions by default to view any products.

So as an admin, I am dreading the 3-4 clicks PER USER to enable the reviewers to see the product lines they work on. And with the delay in enabling permissions, most users will register, see nothing in the tool, and leave thinking it's all broken.

A default permissions scheme that users could be automatically enrolled into would be this desired feature.

  • Marcus Gavel
  • May 22 2015
  • Already exists
  • Admin
    Chris Waters commented
    May 22, 2015 02:49

    You should configure the ProductPrefix and ProductRole attributes in your directory server as described here: http://support.aha.io/hc/en-us/articles/204068485-Single-sign-on-SAML-2-0

    This will allow you to set the default permission for SSO users. The best way to do this is to give users Viewer or Reviewer permission for a product line that encompasses the products you want the users to have access to.
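
A way to confirm, before rolling SSO out, that the identity provider really sends the two attributes named in the comment above and that the default role stays read-only. This is an added example, not code from Aha! or from the thread; the sample assertion, the `PLAT` prefix and the lowercase role strings are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("ProductPrefix", "ProductRole")  # attribute names from the comment above
# Assumption: role strings mirror the Viewer/Reviewer permissions named above.
READ_ONLY_ROLES = {"viewer", "reviewer"}

# Constructed sample assertion, not captured from a real IdP.
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="ProductPrefix">
      <saml:AttributeValue>PLAT</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="ProductRole">
      <saml:AttributeValue>viewer</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
""".strip()


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from every AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def check_default_permissions(assertion_xml, allowed_roles=READ_ONLY_ROLES):
    """List problems that would leave a new SSO user with no or too much access.

    Inspects attribute content only; it does not validate the signature.
    """
    attrs = extract_attributes(assertion_xml)
    problems = []
    for name in REQUIRED:
        if not any(attrs.get(name, [])):
            problems.append(f"{name}: missing or empty")
    for role in attrs.get("ProductRole", []):
        if role and role.lower() not in allowed_roles:
            problems.append(
                f"ProductRole: '{role}' is broader than the read-only default")
    return problems
```

Run it against an assertion decoded from a test login; an empty list means both attributes arrived and the role is within the read-only set.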

  • Michael Nigels commented
    March 23, 2016 14:53

    Not sure if it's better to respond to this original idea or open a new one, but I would like to revisit this if possible. I understand that the SAML integration supports custom attributes to achieve this functionality, however not all SAML providers support this. Specifically we are using Azure AD which has an App configuration for Aha! available (details here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-saas-aha-tutorial/). Unfortunately though it does not appear that Azure AD supports passing the required custom attributes. Even if it did, it would be valuable to set a global default product and permission level from within the Aha! application. In a large organization with distributed administrative responsibilities, that would allow the Aha! product administrator control over how new users are provisioned, which is where it would often be more appropriate.

  • Admin
    Chris Waters commented
    March 23, 2016 19:33

    I believe that the Azure app configuration passes the custom attributes automatically. Basically that is what the app configuration does - it provides pre-configured options based on what Aha! needs.

    It appears that Azure now supports more customizable SAML configuration too. It is described here: https://blogs.technet.microsoft.com/ad/2015/06/17/bring-your-own-app-with-azure-ad-self-service-saml-configuration-now-in-preview/

  • Michael Nigels commented
    March 23, 2016 19:54

    Thanks for the response, Chris. I found the new custom attribute feature in Azure AD shortly after writing my previous post. It's a new feature in Azure AD (currently in "Preview") that I wasn't previously aware of. The good news is that it works as advertised and I was able to successfully add the 2 custom attributes needed for Aha!. So, at this point it looks like Azure AD as the SAML provider can handle everything we need to make this work the way we want. I still think there might be value in allowing the ability to set a default from within Aha!, however for our implementation it is not a high priority now that Azure AD can handle the task. Thanks for the follow-up.

  • Antti Toivonen commented
    25 Apr 13:05

    I would see value in enabling this possibility for SSO via SAML on the Aha! side. One example case is Okta, which does provide an Aha! app on their platform, but it specifically does not support these additional attributes. The only way to make this work for Okta SSO is to make a custom configuration for Aha!.

    If this could be set on the Aha! side, the standard app could be used and the hassle of the custom configuration option would not be needed.

    Related to: https://big.ideas.aha.io/ideas/APP-I-6016