Home Administration Secure Access Single Sign-on: Okta

Table of Contents

Was this article helpful?

Yes No

Thank you for your feedback!

Single Sign-on: Okta

In this article you'll learn:

  • Complete steps for setting up Okta single sign-on for Heap
This doc is for: Admins

Overview

This feature is only available to customers on Pro and Premier plans. To upgrade, contact your Customer Success Manager or sales@heap.io

Security Best Practice

If you use SSO, we strongly recommend that you set up mandatory 2FA for all Heap admins.

To learn more, see enabling mandatory 2FA for your Heap domain.

Okta SSO allows you to provide secure identity management for your team in Heap using one of the most popular enterprise access management tools available on the market today. Okta offers ease of access, the ability to quickly block credentials for departed team members, multi-factor authentication, and more.

Prerequisites

To set up Okta SSO with Heap, you’ll need to have the following:

  • Admin access to your organization’s Heap account
  • Administrator rights in your organization’s Okta account

Setup

Note that once SSO is enabled, it will be enforced as mandatory for all non-Admins in your Heap workspace.

To set up SSO via Okta, complete these steps:

1. Login to your Okta account

2. Click Admin

3. Navigate to the Applications section

4. Click Browse App Catalog

5. Search for Heap, select the Heap application, and click Add

6. Name the app (such as ‘Heap’), then click Next

7. Open the Heap dashboard in a new tab and navigate to Account > Manage > Account settings then scroll down to the Single Sign-On section

8. Copy the App ID from Heap into the App ID field in Okta

9. Update the Application username format to Email

10. Click Done

11. Switch to the Sign On tab and click the View Setup Instructions button on the new screen

12. Copy the x.509 certificate in PEM Text Format including Begin Certificate and End Certificate and paste it back into the Your SAML Identity Provider certificate field in Heap

13. Copy the Login URL/SignOn URL from Okta and paste it back into Heap’s Remote Login URL within the Your SAML Provider details area

14. Add teammates in Okta who you want to grant access to Heap (or at a minimum, add yourself)

15. Back in Heap, click on Save Configuration then Test Provider – if everything is working properly, this should redirect you back to Heap!

16. Last but not least, click Enable Provider, then add additional teammates as needed

Once configured, your teammates can select ‘Sign-in with SSO’ on the Heap login page, and log in with their email address only. Admins will still have access to sign in with an email and password combination, while all other users will be pushed to use SSO.

Troubleshooting

If you are having issues logging in with Okta SSO, please delete the Okta cookie and try again. Currently, we are seeing Okta cookies expiring and not permitting proper login. If deleting the cookie doesn’t work, please reach out to support@heap.io.