Learn how to configure SAML single sign-on (SSO) with Heap and PingOne.
To configure SSO:
- Sign on to your Heap admin portal and make sure that you’re in the Development section.
- In the left-hand pane, go to Account > Manage > General Settings.
- In the Single Sign-On section, copy the Metadata URL. You’ll need this later.
- In a new tab, sign on to your PingOne admin account and go to Connections > Applications.
- Click the + icon next to Applications.
- On the New Application page, click Advanced Configuration.
- In the Choose Connection Type list, on the SAML line, click Configure.
- On the Create App Profile page, enter the values for:
  - Application Name (Required)
  - Description (Optional)
  - Icon (Optional)
- On the Configure SAML Connection page, in the Provide App Metadata section, click Import From URL and paste in the URL that you copied previously. Click Import.
  After import, all necessary fields will auto-populate except for the Assertion Validity Duration.
- In the Assertion Validity Duration field, enter a valid duration value (in seconds), such as 3600.
- Update the SUBJECT NAMEID FORMAT section to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
  Note: If you don’t update this section, you’ll get an error for the integration. SUBJECT NAMEID FORMAT does not automatically update when you upload the service provider metadata.
- In the Signing Key section, select Download Signing Certificate and download in the X509 PEM (.crt) format. Click Save and Continue.
- On the Attribute Mapping page, update the Outgoing Value to Email Address for the saml_subject application attribute.
  Note: No other attributes are required.
- Click Save and Close to finalize the creation of the application.
- After you create the application, to enable it, click the toggle next to the application.
- Select Configuration and copy the following values. You’ll need these later.
  - Single Logout Service
  - Single SignOn Service
- In your Heap account, go to the Your SAML Identity Provider certificate section and paste in the Ping X509 certificate that you downloaded previously.
  Note: You must include the BEGIN CERTIFICATE and END CERTIFICATE text as part of the certificate upload.
- Paste the URLs that you copied previously into the corresponding fields:
  - Single SignOn Service = Remote login URL
  - Single Logout Service = Logout landing URL (optional)
- Click Save Configuration.
  After saving the configuration, a Test Configuration button appears.
- Click Test Configuration.
  You’re signed out and then prompted to sign on with your username and password.
- After signing on to your Heap account, go to the Single Sign-On settings section and select Enable Configuration to finalize the SSO connection.
Test your integration:
After creating your integration, you must test it. Before testing the integration, you must create and assign identities in PingOne. If you’ve already assigned identities and groups in PingOne, start at step 2k.
- In PingOne, go to Identities > Groups and click the + icon next to Groups.
- On the Create New Group page, enter values for the following:
  - Group Name (Required)
  - Description (Optional)
  - Population (Optional)
- Click Finish & Save.
- To add identities to the group, on the Identities tab, go to Users > + Add User.
- On the Add User page, enter all the necessary information for a user.
  Important: Verify that the first name, last name, and email address are correct, as these are values passed in the SAML assertion.
- Click Save.
- Assign the user that you created to the group that you created previously. Locate the user you created and:
  - Expand the section for the user.
  - Select the Groups tab.
  - Click + Add.
  - In the Available Groups section, select the group that you created and click the + icon to add it to the user’s group memberships. Click Save.
- On the Connections tab, for the Heap application:
  - Click the Access tab.
  - Click the Pencil icon to edit the configuration.
- Select the group that you created and add it to the Applied Groups section. Click Save.
  You’re now ready to test the integration.
- In the PingOne admin console, go to Dashboard > Environment Properties.
- Right-click on the Application Portal URL and open it in a private browser session.
- Sign on as the test user that you created and click the Heap tile.
  You’re signed on to the user’s Heap account using SSO and testing is complete.
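
To confirm that the SUBJECT NAMEID FORMAT, saml_subject mapping and Assertion Validity Duration set above actually appear in what PingOne sends, you can inspect the base64 SAMLResponse form value captured from your own test sign-on. This is an added example, not Ping or Heap code: the function names and the sample responses are constructed, and it assumes the validity duration shows up as the Conditions NotBefore/NotOnOrAfter window.

```python
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "p": "urn:oasis:names:tc:SAML:2.0:protocol"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def _ts(value):
    # SAML timestamps are UTC xs:dateTime; drop optional fractional seconds.
    return datetime.strptime(re.sub(r"\.\d+", "", value), "%Y-%m-%dT%H:%M:%SZ")

def check_assertion(saml_response_b64, max_validity=3600):
    """Return findings for a base64 SAMLResponse value; an empty list means OK.
    Inspects fields only: it does not verify the XML signature."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion in the response"]
    findings = []
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None:
        findings.append("Subject has no NameID")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            findings.append(f"NameID Format is {name_id.get('Format')!r}")
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", (name_id.text or "").strip()):
            findings.append("NameID value is not an email address")
    cond = assertion.find("a:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        findings.append("Conditions lacks NotBefore/NotOnOrAfter")
    else:
        # Assumption: the configured duration appears as the Conditions window.
        window = (_ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))).total_seconds()
        if window <= 0 or window > max_validity:
            findings.append(f"validity window is {window:.0f}s")
    return findings

def _sample(fmt, subject, not_on_or_after):
    # Constructed test data, not a real PingOne response.
    xml = (f'<samlp:Response xmlns:samlp="{NS["p"]}" xmlns:saml="{NS["a"]}"><saml:Assertion>'
           f'<saml:Subject><saml:NameID Format="{fmt}">{subject}</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="{not_on_or_after}"/>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

GOOD = _sample(EMAIL_FORMAT, "test.user@example.com", "2024-01-01T13:00:00Z")
BAD = _sample("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "tuser", "2024-01-02T12:00:00Z")
```

check_assertion(GOOD) returns an empty list, while check_assertion(BAD) reports the wrong NameID format, the non-email subject and the 86400-second window.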