Overview
SSO is only available for customers on the Business plan. To upgrade, contact your Customer Success Manager or sales@heap.io.
Okta SSO allows you to provide secure identity management for your team in Heap using one of the most popular enterprise access management tools available on the market today. Okta offers ease of access, the ability to quickly block credentials for departed team members, multi-factor authentication, and more.
Prerequisites
To set up Okta SSO with Heap, you’ll need to have the following:
- Admin access to your organization’s Heap account
- Administrator rights in your organization’s Okta account
Setup
Note that once SSO is enabled, it will be enforced as mandatory for all non-Admins in your Heap workspace.
To set up SSO via Okta, complete these steps:
1. Log in to your Okta account
2. Click Admin

3. Click the Add Applications shortcut

4. Click the Create New App button

5. Select the SAML 2.0 radio button and then click Create

6. Name the app (such as ‘Heap’), add any of the optional fields, and then click Next

7. Open the Heap dashboard in a new tab and navigate to Account > Manage > General Settings, then scroll down to the Single Sign-On section

8. Copy the Assertion Consumer URL (ACS) from Heap into the Single Sign-On URL field in Okta

9. Copy the Entity ID from Heap into the Audience URI (SP Entity ID) field in Okta

10. In Okta, click Next and fill in the Feedback
11. Click the View Setup Instructions button on the new screen

12. Copy the Identity Provider Single Sign-On URL from Okta and paste it back into Heap’s Remote Login URL within the Your SAML Provider details area


13. Within Okta, copy the full certificate text, including the Begin Certificate and End Certificate lines, and paste it into the Your SAML Identity Provider certificate field in Heap

14. Add teammates in Okta who you want to grant access to Heap (or at a minimum, add yourself)

Back in Heap, click Configure then Test Provider – if everything is working properly, this should redirect you to sign in. From here, you can add additional teammates in Okta who should have access to Heap as needed.
Once configured, your teammates can select ‘Sign-in with SSO’ on the Heap login page, and log in with their email address only. Admins will still have access to sign in with an email and password combination, while all other users will be pushed to use SSO.
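A pre-flight check for the values copied in steps 8, 9, 12 and 13, as an added example that is not part of Heap's or Okta's own tooling. It flags non-HTTPS URLs, stray whitespace and a certificate pasted without its Begin/End lines or with a damaged body, and returns a SHA-256 fingerprint of the pasted certificate so the copy can be compared with its source. The function names, hostnames and sample certificate bytes are assumptions constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit

HEADER, FOOTER = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def check_https_url(label, value):
    """Return problems with a URL copied between Heap and Okta (steps 8 and 12)."""
    problems = []
    if value != value.strip():
        problems.append(f"{label}: leading or trailing whitespace was copied")
    parts = urlsplit(value.strip())
    if parts.scheme != "https" or not parts.hostname:
        problems.append(f"{label}: expected an absolute https:// URL")
    return problems

def cert_fingerprint(pem_text):
    """Return the SHA-256 fingerprint of the pasted certificate (step 13)."""
    text = pem_text.strip()
    if not (text.startswith(HEADER) and text.endswith(FOOTER)):
        raise ValueError("BEGIN/END CERTIFICATE lines are missing")
    body = "".join(text[len(HEADER):-len(FOOTER)].split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"body is not valid base64 ({exc})") from exc
    if len(der) < 4 or der[0] != 0x30:  # X.509 DER starts with a SEQUENCE tag
        raise ValueError("decoded body is not a DER SEQUENCE")
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def preflight(acs_url, entity_id, remote_login_url, idp_cert_pem):
    """Check the values from steps 8, 9, 12 and 13; return (problems, fingerprint)."""
    problems = check_https_url("Assertion Consumer URL", acs_url)
    problems += check_https_url("Remote Login URL", remote_login_url)
    if not entity_id or entity_id != entity_id.strip():
        problems.append("Entity ID: empty or padded with whitespace")
    fingerprint = None
    try:
        fingerprint = cert_fingerprint(idp_cert_pem)
    except ValueError as exc:
        problems.append(f"SAML Identity Provider certificate: {exc}")
    return problems, fingerprint

# Constructed sample: filler bytes behind a DER SEQUENCE tag, placeholder hostnames.
SAMPLE_DER = bytes([0x30, 0x42]) + bytes(range(66))
SAMPLE_PEM = f"{HEADER}\n{base64.encodebytes(SAMPLE_DER).decode()}{FOOTER}\n"
if __name__ == "__main__":
    print(preflight("https://sp.example.invalid/acs", "sp-entity-id",
                    "https://idp.example.invalid/sso", SAMPLE_PEM))
```

An empty problems list means the values are well-formed, not that they are the right ones; the Test Provider step is still the functional check.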
Troubleshooting
If you are having issues logging in with Okta SSO, please delete the Okta cookie and try again. Currently, we are seeing Okta cookies expiring and not permitting proper login. If deleting the cookie doesn’t work, please reach out to support@heap.io.