SSO is only available for customers on the Business plan. To upgrade, contact your Customer Success Manager or firstname.lastname@example.org.
Azure SSO allows you to manage access and identity for your team by enabling them to access Heap via their Azure sign-in credentials, with no extra passwords needed.
To set up Azure SSO with Heap, you’ll need to have the following:
- Admin access to your organization’s Heap account
- Application administrative rights in your organization’s Azure account
Note that Heap must enable access to the Heap app in the Azure marketplace for it to appear in your Azure account.
Note that once SSO is enabled, it will be enforced as mandatory for all non-Admins in your Heap workspace.
To set up Azure SSO with Heap, complete these steps:
1. Sign in to your Azure management portal via https://portal.azure.com/.
2. Click on Enterprise Applications.
3. If you don’t already have an enterprise app for Heap added, click the New Application button. If you already have your Heap app configured, skip to step 6.
4. On the next page, click non-gallery application.
5. On the create application page, add a name for this application (we used Heap), then click the Add button at the bottom.
You will now see your new Heap app listed on the enterprise applications page.
6. Now that you have your app, click on the app to open the app page, then click on Single Sign-on in the left navigation bar.
7. On this page, click the SAML box.
8. On this page, set the Basic SAML Configuration options as follows. The screenshot below shows you where these items are listed in Heap.
Identifier (Entity ID): heapanalytics.com
9. Click the Save icon in Azure to save your settings.
10. In the User Attributes & Claims section, keep all settings as their defaults, except for Unique User Identifier, which should be set to user.mail. You may need to edit this setting to update this item.
11. Keep this page open, or copy down the information listed under the Set up section. You’ll need this in a couple of steps.
12. Navigate to the Manage > Properties page.
13. (Optional) On this page, make sure the Visible to users toggle is set to No. This means this app will not be accessible from myapps.microsoft.com, even for users who have access within Heap.
Note: If you plan on using an Active Directory group to manage users who have access to Heap, be sure to set ‘User assignment required?’ to ‘Yes’ on this page.
14. Save this setting to return to the main app page. On this page, click the ‘Set up single sign on’ box again to return to your Azure SAML settings. You’ll want to have these open to copy-paste information into Heap to complete this setup.
15. Next, open the Heap dashboard in a new tab. In Heap, navigate to the Account > Settings > General Settings page.
16. On this page, copy-paste the following information from Azure into Heap:
- Your SAML Identity Provider certificate > Download the base-64 certificate provided by Azure and copy-paste it into this field
- Remote login URL > add the Login URL provided in Azure
- Logout landing URL > add the Logout URL provided in Azure
17. Click the Save Configuration button. You’ll be provided with the option to test this configuration. Click the Test Configuration button. You’ll see the Microsoft Azure login page appear.
You are now able to use your credentials to sign in! Feel free to configure other Azure settings such as custom roles.
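The three values pasted in step 16 can be sanity-checked offline before you click Save Configuration. The following is an added example, not Heap's or Microsoft's code; the function name `check_sso_values`, the sample certificate bytes and the example URLs are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re
from urllib.parse import urlsplit

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def check_sso_values(cert_pem, login_url, logout_url):
    """Return (problems, sha256_fingerprint) for the three step-16 values."""
    problems, fingerprint = [], None
    # The certificate field must hold only the IdP's public certificate.
    if "PRIVATE KEY" in cert_pem:
        problems.append("certificate field contains private key material")
    blocks = PEM_RE.findall(cert_pem)
    if len(blocks) != 1:
        problems.append(f"expected 1 certificate block, found {len(blocks)}")
    else:
        try:
            der = base64.b64decode("".join(blocks[0].split()), validate=True)
        except binascii.Error:
            der = b""
        if not der.startswith(b"\x30"):  # X.509 DER starts with a SEQUENCE tag
            problems.append("certificate body is not base-64 encoded DER")
        else:
            # SHA-256 over the DER bytes identifies exactly which cert was pasted.
            fingerprint = hashlib.sha256(der).hexdigest().upper()
    for name, url in (("Remote login URL", login_url),
                      ("Logout landing URL", logout_url)):
        parts = urlsplit(url.strip())
        if parts.scheme != "https" or not parts.hostname:
            problems.append(f"{name} is not an absolute https URL")
    return problems, fingerprint

# Constructed sample input (not a real certificate or a real tenant URL).
SAMPLE_DER = b"\x30\x82\x00\x22" + b"constructed bytes, not a real cert"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_LOGIN = "https://login.example.test/tenant-id/saml2"
SAMPLE_LOGOUT = "https://login.example.test/tenant-id/saml2/logout"

if __name__ == "__main__":
    print(check_sso_values(SAMPLE_PEM, SAMPLE_LOGIN, SAMPLE_LOGOUT))
```

An empty problem list means the values are well-formed; it does not confirm that the certificate is the one your Azure tenant issued, so record the fingerprint with your change ticket.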
For questions or assistance, reach out to email@example.com.