Home Administration Secure Access Single Sign-on: Okta

Table of Contents

Was this article helpful?

Yes No

Thank you for your feedback!

Single Sign-on: Okta

In this article you'll learn:

  • Complete steps for setting up Okta single sign-on for Heap
This doc is for: Admins
View instructions for: 

Overview

SSO is only available for customers on the Business plan. To upgrade, contact your Customer Success Manager or sales@heap.io.

Okta SSO allows you to provide secure identity management for your team in Heap using one of the most popular enterprise access management tools available on the market today. Okta offers ease of access, the ability to quickly block credentials for departed team members, multi-factor authentication, and more.

Prerequisites

To set up Okta SSO with Heap, you’ll need to have the following:

  • Admin access to your organization’s Heap account
  • Administrator rights in your organization’s Okta account

Setup

Note that once SSO is enabled, it will be enforced as mandatory for all non-Admins in your Heap workspace.

To set up SSO via Okta, complete these steps:

1. Login to your Okta account

2. Click Admin

3. Click the Add Applications shortcut

4. Click the Create New App button

5. Select the SAML 2.0 radio button and then click Create

The 'Create a New Application Integration' page in Okta with SAML 2.0 selected

6. Name the app (such as ‘Heap’), add any of the optional fields, and then click Next

The General Settings page in Okta with the App name set to 'Heap - SSO'

7. Open the Heap dashboard in a new tab and navigate to Account > Manage > General Settings, then scroll down to the Single Sign-On section

The Single Sign-On section of the General Settings page in Heap

8. Copy the Assertion Consumer URL (ACS) from Heap into the Okta Single Sign-On URL field in Okta

The Single sign on URL field in Okta with the Assertion Consumer URL (ACS) from Heap added

9. Copy the Entity ID from Heap into the Audience URI (SP Entity ID) field in Okta

10. In Okta, click Next and fill in the Feedback

11. Click the View Setup Instructions button on the new screen

The 'View Setup Instructions' pop-up in Okta

12. Copy the Identity Provider Single Sign-On URL from Okta and paste it back into Heap’s Remote Login URL within the Your SAML Provider details area

The Single Sign-On URL as listed in Okta
Th Your SAML Provider details field in Heap

13. Within Okta, copy the text including Begin Certificate and End Certificate and paste it back into the Your SAML Identity Provider certificate field in Heap

The Your SAML Identity Provider certificate field in Heap with no text added

14. Add teammates in Okta who you want to grant access to Heap (or at a minimum, add yourself)

The Heap - SSO app in Okta with the 'Assign to People' button showcased

Back in Heap, click Configure then Test Provider – if everything is working properly, this should redirect you to sign in. From here, you can add additional teammates in Okta who should have access to Heap as needed.

Once configured, your teammates can select ‘Sign-in with SSO’ on the Heap login page, and log in with their email address only. Admins will still have access to sign in with an email and password combination, while all other users will be pushed to use SSO.

Troubleshooting

If you are having issues logging in with Okta SSO, please delete the Okta cookie and try again. Currently, we are seeing Okta cookies expiring and not permitting proper login. If deleting the cookie doesn’t work, please reach out to support@heap.io.