Home Administration Secure Access Single Sign-on: OneLogin

Table of Contents

Was this article helpful?

Yes No

Thank you for your feedback!

Single Sign-on: OneLogin

In this article you'll learn:

  • Complete steps for setting up OneLogin single sign-on for Heap
This doc is for: Admins
View instructions for: 

Overview

SSO is only available for customers on the Business plan. To upgrade, contact your Customer Success Manager or sales@heap.io.

OneLogin SSO allows you to manage access to Heap using a secure and scalable identity management system. Integrating with OneLogin means you can provide your teammates with an easy sign-in with no extra passwords needed.

Prerequisites

To set up OneLogin SSO with Heap, you’ll need to have the following:

  • Admin access to your organization’s Heap account
  • Administrator rights in your organization’s OneLogin account

Setup

Note that once SSO is enabled, it will be enforced as mandatory for all non-Admins in your Heap workspace.

To set up OneLogin with Heap, complete these steps:

1. Navigate to the Apps > Add Apps section of your OneLogin administrator dashboard

The Add Apps option in the Apps drop-down of OneLogin

2. Search for and choose SAML Test Connector (IdP)

The SAML test connector as listed on the Add Apps page

3. Update the Display Name, for example, Heap – Connection and Click Save

The Display Name field with the text 'Heap - Connection' in it

4. From Heap, copy the Assertion Consumer URL (ACS) and paste it into the field labeled ACS (Consumer) URL in OneLogin’s configuration tab, and set Audience to heapanalytics.com

The Application details page with arrows pointed to the Audience, URL Validator, and ACS URL fields

5. In the field ACS (Consumer) URL Validator, copy and paste the URL exactly as below – do not modify it, as this is used to validate that the ACS is formatted correctly

https:\/\/heapanalytics\.com\/saml\/finalize\/number\/

6. Return to Heap, navigate to Account > Manage > General Settings, scroll down to the Single Sign-On area, then update the x.509 certificate type to Standard Strength Certificate (2048-bit), click View Details and copy the x.509 certificate over to Okta, including the headers and footers

The SSO tab of the SAML Test Connector (IdP) page

7. Back in Heap’s General Settings, copy and paste the entire certificate into the text box labeled Your SAML Identity Provider certificate. This must include ‘—–BEGIN CERTIFICATE—–‘ and ‘—–END CERTIFICATE —–‘

The General Settings page in Heap with an arrow pointed at the 'Your SAML Identity Provider certificate' field

8. Back in your OneLogin SSO tab, copy the SAML 2.0 Endpoint (Http) URL, then paste it into the Remote login URL field in Heap

9. Save your information in both Heap and OneLogin

10. Back in Heap, click on Configure then Test Provider – if everything is working properly, this should redirect you back to OneLogin!

11. Last but not least, click Enable Provider, then add additional teammates as needed

Once configured, your teammates can select Sign-in with SSO on the Heap login page and log in using their email address only.