Configuration Guides

Configuring SAML SSO with Heap and PingOne

Learn how to configure SAML single sign-on (SSO) with Heap and PingOne.

Configure SSO with Heap

  1. Sign on to your Heap admin portal and make sure that you’re in the Development section.

  2. In the left hand pane, go to Account → Manage → General Settings.

  3. In the Single Sign-On section, copy the Metadata URL. You’ll need this later.

    Screen capture of Heap SSO Configuration general settings with Main, General Settings, Account, Manage, SSO, and the Metadata URL highlighted in red.

  4. In a new tab, sign on to your PingOne admin account and go to Connections → Applications.

  5. Click the + icon next to Applications.

    Screen capture of admin console Applications section with the plus icon highlighted in red.

  6. On the New Application page, click Advanced Configuration.

  7. In the Choose Connection Type list, on the SAML line, click Configure.

    Screen capture of New Application Advanced Configuration highlighted in red.

  8. On the Create App Profile page, enter the values for:

    • Application Name (Required)

    • Description (Optional)

    • Icon (Optional)

    Screen capture of Create App Profile panel with Heap details entered.

  9. On the Configure SAML Connection page, in the Provide App Metadata section, click Import From URL.

    Paste in the URL that you copied previously and click Import.

    Screen capture of Configure SAML Connection page with the Import from URL radio button and Import URL highlighted in red.

    After import, all necessary fields are auto-populated except for the Assertion Validity Duration.

  10. In the Assertion Validity Duration field, enter a valid duration value (in seconds), such as 3600.

  11. Update the SUBJECT NAMEID FORMAT section to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

    If you don’t update this section, you’ll get an error for the integration. SUBJECT NAMEID FORMAT does not automatically update when you upload the service provider metadata.

  12. In the Signing Key section, select Download Signing Certificate and download in the X509 PEM (.crt) format. Click Save and Continue.

    Screen capture of Signing Key section with Download Signing Certificate and X509 PEM (.crt) highlighted in red.

  13. On the Attribute Mapping page, update the Outgoing Value to Email Address for the saml_subject application attribute.

    No other attributes are required.

  14. Click Save and Close to finalize the creation of the application.

    Screen capture of SAML Attribute mapping section with Email Address and Save and Close highlighted in red.

  15. After you create the application, click the toggle next to the application to enable it.

    Screen capture of Heap application added to with the toggle bar highlighted in red.

  16. Select Configuration and copy the following values. You’ll need these later.

    • Single Logout Service

    • Single SignOn Service

    Screen capture of application with the slider next to Heap highlighted in red.

  17. In your Heap account, go to the Your SAML Identity Provider certificate section and paste in the Ping X509 certificate that you downloaded previously.

    You must include the BEGIN CERTIFICATE and END CERTIFICATE text as part of the certificate upload.
    Screen capture of application with Heap selected and Configuration, Single Logout Service, and Single Signon Service fields highlighted in red.

  18. Paste the URLs that you copied previously into the corresponding fields:

    • Single SignOn Service= Remote login URL

    • Single Logout Service= Logout landing URL (optional)

  19. Click Save Configuration.

    Screen capture of Heap SAML Identity Provider details highlighted in red, as well as Save Configuration.

    After saving the configuration, a Test Configuration button appears.

  20. Click Test Configuration.

    You’re signed out and then prompted to sign on with your username and password.

    Screen capture of Heap SSO section with Test Configuration highlighted in red.

  21. After signing on to your Heap account, go to the Single Sign-On settings section and select Enable Configuration to finalize the SSO connection.

    Screen capture of Heap SSO section with Enable Configuration highlighted in red.

Create and assign identities

Before testing your integration, you must create and assign identities in PingOne. If you’ve already assigned identities and groups in PingOne, move on to Test your integration.

  1. In PingOne, go to Identities → Groups and click the + icon next to Groups.

    Screen capture of Groups page with the plus icon highlighted in red.

  2. On the Create New Group page, enter values for the following:

    • Group Name (Required)

    • Description (Optional)

    • Population (Optional)

  3. Click Finish & Save.

    Screen capture of Groups fields for .

  4. To add identities to the group, on the Identities tab, go to Users → + Add User.

    Screen capture of Users page with + Add User highlighted in red.

  5. On the Add User page, enter in all the necessary information for a user.

    Verify that the first name, last name, and email address are correct, as these are values passed in the SAML assertion.

  6. Click Save.

    Screen capture of Add User popup with the Save button highlighted in red.

  7. Assign the user that you created to the group that you created previously. Locate the user you created and do the following:

    1. Expand the section for the user.

    2. Select the Groups tab.

    3. Click Add.

    Screen capture of expanded user profile with Groups and + Add highlighted in red.

  8. In the Available Groups section, select the group that you created and click the icon to add it to the user’s group memberships. Click Save.

    Screen capture of Admin group with the plus icon highlighted in red.

  9. On the Connections tab, for the Heap application:

    • Click the Access tab

    • Click the Pencil icon to edit the configuration

    Screen capture of applications with Heap Access and Pencil edit button highlighted in red.

  10. Select the group that you created and add it to the Applied Groups section. Click Save.

    Screen capture of application list with Heap Apps listed and the plus icon highlighted in red.

Test your integration

  1. In the PingOne admin console, go to Dashboard → Environment Properties.

  2. Right-click on the Application Portal URL and open it in a private browser session.

    Screen capture of Properties Environment section with the Application Portal URL highlighted in red.

  3. Sign on as the test user that you created and click the Heap tile.

    You’re signed on to the user’s Heap account using SSO and testing is complete.

    Screen capture of dock with Heap added as an application.