SSO is only available for customers on the Business plan. To upgrade, contact your Customer Success Manager or firstname.lastname@example.org.
OneLogin SSO allows you to manage access to Heap using a secure and scalable identity management system. Integrating with OneLogin means you can provide your teammates with an easy sign-in with no extra passwords needed.
To set up OneLogin SSO with Heap, you’ll need to have the following:
- Admin access to your organization’s Heap account
- Administrator rights in your organization’s OneLogin account
Note that once SSO is enabled, it will be enforced as mandatory for all non-Admins in your Heap workspace.
To set up OneLogin with Heap, complete these steps:
1. Navigate to the Apps > Add Apps section of your OneLogin administrator dashboard
2. Search for and choose SAML Test Connector (IdP)
3. Update the Display Name (for example, Heap – Connection) and click Save
4. From Heap, copy the Assertion Consumer URL (ACS) and paste it into the field labeled ACS (Consumer) URL in OneLogin’s configuration tab, and set Audience to heapanalytics.com
5. In the field ACS (Consumer) URL Validator, copy and paste the URL exactly as below – do not modify it, as this is used to validate that the ACS is formatted correctly
6. Return to Heap, navigate to Account > Manage > General Settings, scroll down to the Single Sign-On area, then update the x.509 certificate type to Standard Strength Certificate (2048-bit), click View Details and copy the x.509 certificate over to Okta, including the headers and footers
7. Back in Heap’s General Settings, copy and paste the entire certificate into the text box labeled Your SAML Identity Provider certificate. This must include ‘-----BEGIN CERTIFICATE-----’ and ‘-----END CERTIFICATE-----’
8. Back in your OneLogin SSO tab, copy the SAML 2.0 Endpoint (Http) URL, then paste it into the Remote login URL field in Heap
9. Save your information in both Heap and OneLogin
10. Back in Heap, click on Configure then Test Provider – if everything is working properly, this should redirect you back to OneLogin!
11. Last but not least, click Enable Provider, then add additional teammates as needed
Once configured, your teammates can select Sign-in with SSO on the Heap login page and log in using their email address only.
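A pre-paste check for the certificate in step 7, added here as an example (not Heap's or OneLogin's code): it confirms that the BEGIN/END lines use ASCII hyphens, that the body is valid base64, and that the decoded DER is not truncated, then returns a SHA-256 fingerprint you can compare with one computed from the identity provider's copy. It is a structural check only and does not parse the X.509 contents; the function names are hypothetical.

```python
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Look-alike dashes that editors and web pages substitute for ASCII "-"
LOOKALIKE_DASHES = "\u2010\u2011\u2012\u2013\u2014\u2015\u2212"


def der_sequence_is_complete(der):
    """True if der is a single outer SEQUENCE whose declared length fills the buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_certificate(text):
    """Return (problems, sha256_fingerprint); the fingerprint is None if any check fails."""
    problems = []
    if any(ch in text for ch in LOOKALIKE_DASHES):
        problems.append("non-ASCII dash characters present")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN:
        problems.append("first line is not exactly " + BEGIN)
    if not lines or lines[-1] != END:
        problems.append("last line is not exactly " + END)
    if problems:
        return problems, None
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:
        return ["certificate body is not valid base64"], None
    if not der_sequence_is_complete(der):
        return ["decoded body is not one complete DER SEQUENCE (truncated paste?)"], None
    digest = hashlib.sha256(der).hexdigest().upper()
    return [], ":".join(digest[i:i + 2] for i in range(0, 64, 2))


if __name__ == "__main__":
    # Constructed stand-in: a DER SEQUENCE header plus filler, not a real certificate.
    fake_der = b"\x30\x82\x01\x00" + bytes(range(256))
    pem = BEGIN + "\n" + base64.encodebytes(fake_der).decode() + END + "\n"
    print(check_pem_certificate(pem))
    print(check_pem_certificate(pem.replace("-----", "\u2014\u2013")))
```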