1. To configure SSO:
    1. Sign on to your Heap admin portal and make sure that you’re in the Development section.
    2. In the left hand pane, go to Account > Manage > General Settings.
    3. In the Single Sign-On section, copy the Metadata URL. You’ll need this later.
      Screen capture of Heap SSO Configuration general settings with Main, General Settings, Account, Manage, SSO, and the Metadata URL highlighted in red.
    4. In a new tab, sign on to your PingOne admin account and go to Connections > Applications.
    5. Click the + icon next to Applications.
      Screen capture of PingOne admin console Applications section with the plus icon highlighted in red.
    6. On the New Application page, click Advanced Configuration.
    7. In the Choose Connection Type list, on the SAML line, click Configure.
      Screen capture of PingOne New Application Advanced Configuration highlighted in red.
    8. On the Create App Profile page, enter the values for:
      • Application Name (Required)
      • Description (Optional)
      • Icon (Optional)Screen capture of PingOne Create App Profile panel with Heap details entered.
    9. On the Configure SAML Connection page, in the Provide App Metadata section, click Import From URL and paste in the URL that you copied previously. Click Import.
      Screen capture of PingOne Configure SAML Connection page with the Import from URL radio button and Import URL highlighted in red.

      After import, all necessary fields will auto populate except for the Assertion Validity Duration.

    10. In the Assertion Validity Duration field, enter a valid duration value (in seconds), such as 3600.
    11. Update the SUBJECT NAMEID FORMAT section to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

      If you don’t update this section, you’ll get an error for the integration. SUBJECT NAMEID FORMAT does not automatically update when you upload the service provider metadata.

    12. In the Signing Key section, select Download Signing Certificate and download in the X509 PEM (.crt) format. Click Save and Continue.
      Screen capture of PingOne Signing Key section with Download Signing Certificate and X509 PEM (.crt) highlighted in red.
    13. On the Attribute Mapping page, update the Outgoing Value to Email Address for the saml_subject application attribute.

      No other attributes are required.

    14. Click Save and Close to finalize the creation of the application.
      Screen capture of PingOne SAML Attribute mapping section with Email Address and Save and Close highlighted in red.
    15. After you create the application, to enable it, click the toggle next to the application.
      Screen capture of Heap application added to PingOne with the toggle bar highlighted in red.
    16. Select Configuration and copy the following values. You’ll need these later.
      • Single Logout Service
      • Single SignOn Service
      Screen capture of PingOne application with the slider next to Heap highlighted in red.
    17. In your Heap account, go to the Your SAML Identity Provider certificate section and paste in the Ping X509 certificate that you downloaded previously.

      You must include the BEGIN CERTIFICATE and END CERTIFICATE text as part of the certificate upload.

      Screen capture of PingOne application with Heap selected and Configuration, Single Logout Service, and Single Signon Service fields highlighted in red.
    18. Paste the URLs that you copied previously into the corresponding fields:
      • Single SignOn Service = Remote login URL
      • Single Logout Service= Logout landing URL (optional)
    19. Click Save Configuration.
      Screen capture of Heap SAML Identity Provider details highlighted in red, as well as Save Configuration.

      After saving the configuration, a Test Configuration button appears.

    20. Click Test Configuration.

      You’re signed out and then prompted to sign on with your username and password.