Learn how to configure SAML single sign-on (SSO) with Heap and PingOne.
To configure SSO:
- Sign on to your Heap admin portal and make sure that you’re in the Development section.
- In the left hand pane, go to .
In the Single Sign-On section, copy the
Metadata URL. You’ll need this later.
- In a new tab, sign on to your PingOne admin account and go to .
Click the + icon next to
- On the New Application page, click Advanced Configuration.
In the Choose Connection Type list, on the
SAML line, click
On the Create App Profile page, enter the values
- Application Name (Required)
- Description (Optional)
- Icon (Optional)
On the Configure SAML Connection page, in the
Provide App Metadata section, click
Import From URL and paste in the URL that you
copied previously. Click Import.
After import, all necessary fields will auto populate except for the Assertion Validity Duration.
- In the Assertion Validity Duration field, enter a valid duration value (in seconds), such as 3600.
Update the SUBJECT NAMEID FORMAT section to
If you don’t update this section, you’ll get an error for the integration. SUBJECT NAMEID FORMAT does not automatically update when you upload the service provider metadata.
In the Signing Key section, select
Download Signing Certificate and download in
the X509 PEM (.crt) format. Click Save
On the Attribute Mapping page, update the
Outgoing Value to Email
Address for the saml_subject
No other attributes are required.
Click Save and Close to finalize the creation of
After you create the application, to enable it, click the toggle next
to the application.
Select Configuration and copy the following
values. You’ll need these later.
- Single Logout Service
- Single SignOn Service
In your Heap account, go to the Your SAML Identity Provider
certificate section and paste in the Ping X509
certificate that you downloaded previously.
You must include the
END CERTIFICATEtext as part of the certificate upload.
Paste the URLs that you copied previously into the corresponding
- Single SignOn Service = Remote login URL
- Single Logout Service= Logout landing URL (optional)
Click Save Configuration.
After saving the configuration, a Test Configuration button appears.
Click Test Configuration.
You’re signed out and then prompted to sign on with your username and password.