1. To configure SSO:
    1. Sign on to your Heap admin portal and make sure that you’re in the Development section.
    2. In the left hand pane, go to Account > Manage > General Settings.
    3. In the Single Sign-On section, copy the Metadata URL. You’ll need this later.
      Screen capture of Heap SSO Configuration general settings with Main, General Settings, Account, Manage, SSO, and the Metadata URL highlighted in red.
    4. In a new tab, sign on to your PingOne admin account and go to Connections > Applications.
    5. Click the + icon next to Applications.
      Screen capture of PingOne admin console Applications section with the plus icon highlighted in red.
    6. On the New Application page, click Advanced Configuration.
    7. In the Choose Connection Type list, on the SAML line, click Configure.
      Screen capture of PingOne New Application Advanced Configuration highlighted in red.
    8. On the Create App Profile page, enter the values for:
      • Application Name (Required)
      • Description (Optional)
      • Icon (Optional)Screen capture of PingOne Create App Profile panel with Heap details entered.
    9. On the Configure SAML Connection page, in the Provide App Metadata section, click Import From URL and paste in the URL that you copied previously. Click Import.
      Screen capture of PingOne Configure SAML Connection page with the Import from URL radio button and Import URL highlighted in red.

      After import, all necessary fields will auto populate except for the Assertion Validity Duration.

    10. In the Assertion Validity Duration field, enter a valid duration value (in seconds), such as 3600.
    11. Update the SUBJECT NAMEID FORMAT section to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
      Note:

      If you don’t update this section, you’ll get an error for the integration. SUBJECT NAMEID FORMAT does not automatically update when you upload the service provider metadata.

    12. In the Signing Key section, select Download Signing Certificate and download in the X509 PEM (.crt) format. Click Save and Continue.
      Screen capture of PingOne Signing Key section with Download Signing Certificate and X509 PEM (.crt) highlighted in red.
    13. On the Attribute Mapping page, update the Outgoing Value to Email Address for the saml_subject application attribute.
      Note:

      No other attributes are required.

    14. Click Save and Close to finalize the creation of the application.
      Screen capture of PingOne SAML Attribute mapping section with Email Address and Save and Close highlighted in red.
    15. After you create the application, to enable it, click the toggle next to the application.
      Screen capture of Heap application added to PingOne with the toggle bar highlighted in red.
    16. Select Configuration and copy the following values. You’ll need these later.
      • Single Logout Service
      • Single SignOn Service
      Screen capture of PingOne application with the slider next to Heap highlighted in red.
    17. In your Heap account, go to the Your SAML Identity Provider certificate section and paste in the Ping X509 certificate that you downloaded previously.
      Note:

      You must include the BEGIN CERTIFICATE and END CERTIFICATE text as part of the certificate upload.

      Screen capture of PingOne application with Heap selected and Configuration, Single Logout Service, and Single Signon Service fields highlighted in red.
    18. Paste the URLs that you copied previously into the corresponding fields:
      • Single SignOn Service = Remote login URL
      • Single Logout Service= Logout landing URL (optional)
    19. Click Save Configuration.
      Screen capture of Heap SAML Identity Provider details highlighted in red, as well as Save Configuration.

      After saving the configuration, a Test Configuration button appears.

    20. Click Test Configuration.

      You’re signed out and then prompted to sign on with your username and password.

      Screen capture of Heap SSO section with Test Configuration highlighted in red.
    21. After signing on to your Heap account, go to the Single Sign-On settings section and select Enable Configuration to finalize the SSO connection.
      Screen capture of Heap SSO section with Enable Configuration highlighted in red.
  2. Test your integration:

    After creating your integration, you must test it. Before testing the integration, you must create and assign identities in PingOne. If you’ve already assigned identities and groups in PingOne, start at step 2k.

    1. In PingOne, go to Identities > Groups and click the + icon next to Groups.
      Screen capture of PingOne Groups page with the plus icon highlighted in red.
    2. On the Create New Group page, enter values for the following:
      • Group Name (Required)
      • Description (Optional)
      • Population (Optional)
    3. Click Finish & Save.
      Screen capture of Groups fields for PingOne.
    4. To add identities to the group, on the Identities tab, go to Users > + Add User.
      Screen capture of PingOne Users page with + Add User highlighted in red.
    5. On the Add User page, enter in all the necessary information for a user.
      Important:

      Verify that the first name, last name, and email address are correct, as these are values passed in the SAML assertion.

    6. Click Save.
      Screen capture of PingOne Add User popup with the Save button highlighted in red.
    7. Assign the user that you created to the group that you created previously. Locate the user you created and:
      1. Expand the section for the user.
      2. Select the Groups tab.
      3. Click + Add.Screen capture of expanded PingOne user profile with Groups and + Add highlighted in red.
    8. In the Available Groups section, select the group that you created and click the + icon to add it to the user’s group memberships. Click Save.
      Screen capture of PingOne Admin group with the plus icon highlighted in red.
    9. On the Connections tab, for the Heap application:
      • Click the Access tab
      • Click the Pencil icon to edit the configurationScreen capture of PingOne applications with Heap Access and Pencil edit button highlighted in red.
    10. Select the group that you created and add it to the Applied Groups section. Click Save.
      Screen capture of PingOne application list with Heap Apps listed and the plus icon highlighted in red.

      You’re now ready to test the integration.

    11. In the PingOne admin console, go to Dashboard > Environment Properties.
    12. Right-click on the Application Portal URL and open it in a private browser session.
      Screen capture of PingOne Properties Environment section with the Application Portal URL highlighted in red.
    13. Sign on as the test user that you created and click the Heap tile.

      You’re signed on to the user’s Heap account using SSO and testing is complete.Screen capture of PingOne dock with Heap added as an application.