[Beta] Enabling SAML SSO with Microsoft Entra ID

SAML SSO is currently in beta and the beta is at maximum capacity. We plan to release SAML SSO publicly after we’ve had time to gather insights from our beta testers and make necessary updates and enhancements.

Harvest supports SAML SSO through Microsoft Entra ID and Okta. This article covers setting up SAML SSO with Microsoft Entra ID for your Harvest account. For steps to set up Okta, see our article on enabling SAML SSO with Okta.

You can also find more information about SAML SSO in Harvest in our articles on Signing in to Harvest using SAML SSO and SAML SSO for Microsoft Entra ID and Okta FAQ.

How to enable SSO via Microsoft Entra ID

Enabling SSO via Microsoft Entra ID for your Harvest account is a multi-step process that requires gathering and recording information from/to both Microsoft Entra ID and Harvest. For this reason, we recommend keeping Microsoft Entra ID and Harvest both open in separate tabs of your browser while you enable the integration.

Step 1: Add Harvest application in Microsoft Entra ID

  1. In Microsoft Entra ID, select Applications > Enterprise applications
  2. Click + New application then Create your own application.
  3. Name your app “Harvest” and select the option Integrate any other application you don't find in the gallery (Non-gallery).
  4. Once the application is created and you’re taken to its overview page, select Manage > Single sign-on > SAML.
  5. On the Basic SAML configuration, click Edit.

Step 2: Get SAML values from Harvest

  1. In Harvest, go to your Settings.
  2. Click Sign in security in the left sidebar.
  3. Click Configure SAML… next to SAML.
  4. You’ll see two values on this page with copy icons. You’ll need to copy and paste these values into Microsoft Entra in the steps below. 

Step 3: Add SAML Harvest data to Microsoft Entra ID

  1. In Microsoft Entra ID, click Add identifier under Identifier (Entity ID) and copy and paste the Entity ID from Harvest into the field.
  2. Click Add reply URL under Reply URL (Assertion Consumer Service URL) and copy and paste the Single sign-on URL from Harvest into the field.
  3. Click Save.

Step 4: Add Identity Provider XML configuration URL to Harvest

  1. After saving the reply URL and Entity ID, scroll down to step 3 on the Microsoft Entra ID Set up Single Sign-On with SAML page.
  2. Under SAML Certificates, copy the App Federation Metadata URL from Microsoft Entra ID.
  3. Back in Harvest, paste that into the Identity Provider XML configuration URL field.
  4. Click Save.

You’ll see a confirmation message at the top of Harvest ID letting you know SAML with Microsoft Entra ID has been enabled. 

Alternate step 4: Set up Microsoft Entra ID SSO with Harvest using the Sign in URL + certificate

We recommend completing this step using the App Federation Metadata URL from Microsoft Entra ID, but you can also complete this step using the Sign in URL and manually enter the Identity Provider certificate by taking the steps below:

  1. Under Set up Harvest SSO in Step 4 of Microsoft Entra ID’s “Set up single sign-on with SAML” page, copy the Login URL and paste it into the Sign in URL field in Harvest.
  2. Download Certificate (Base64) from Entra. Open it in a code editor and copy and paste the entire content of the certificate file into the Identity Provider certificate field in Harvest.
  3. Click Save.

You’ll see a confirmation message at the top of Harvest ID letting you know SAML with Microsoft Entra ID has been enabled. 
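Both variants of step 4 hand Harvest the same two facts about the identity provider: where to send users to sign in (the Login URL) and which certificate Entra signs assertions with. The App Federation Metadata URL delivers them as one XML document; the alternate path pastes them by hand, which means a pasted certificate silently goes stale when Entra’s signing certificate is rotated. The script below is an added example, not Harvest’s or Microsoft’s code: it parses a constructed, minimal stand-in for the metadata document (placeholder tenant ID and placeholder certificate bytes, not a real X.509 certificate), pulls out the Entity ID, the Login URL and the signing certificate, and checks whether a Base64 certificate file matches what the metadata currently publishes. Run the same checks against the real metadata URL to confirm a manually pasted certificate is still the current one.

```python
"""Parse a SAML IdP federation metadata document and compare its signing
certificate with a Base64 (PEM) certificate file pasted by hand.

Added example, not Harvest's or Microsoft Entra ID's code. The metadata and
certificate below are constructed placeholders; only the structure of the
document and the equality/fingerprint checks are real.
"""
import base64
import hashlib
import re
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def parse_idp_metadata(xml_text):
    """Extract entityID, SSO endpoints (by binding) and signing certs."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor document")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata does not describe an identity provider")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # drop whitespace
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso_urls": sso,
            "signing_certs": certs}


def login_url(metadata):
    """The HTTP-Redirect endpoint is what Entra shows as 'Login URL'."""
    return metadata["sso_urls"].get(REDIRECT_BINDING)


def pem_to_der(pem_text):
    """Strip the PEM armour and whitespace, then decode the Base64 body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()), validate=True)


def der_to_pem(der_bytes):
    """Build a PEM file the way 'Certificate (Base64)' downloads look."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


def fingerprint(der_bytes):
    """Colon-separated SHA-256 fingerprint, the usual form for comparing certs."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pasted_cert_matches_metadata(pem_text, metadata):
    """True if the pasted certificate is one the IdP currently publishes."""
    pasted = fingerprint(pem_to_der(pem_text))
    published = {fingerprint(base64.b64decode(c)) for c in metadata["signing_certs"]}
    return pasted in published


# Constructed sample data (placeholder tenant id, placeholder certificate bytes).
CERT_DER = b"constructed placeholder, not a real X.509 certificate"
CERT_B64 = base64.b64encode(CERT_DER).decode("ascii")
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT_BINDING}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""
SAMPLE_PEM_FILE = der_to_pem(CERT_DER)  # what the downloaded .cer file would contain

if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("Entity ID:", meta["entity_id"])
    print("Login URL:", login_url(meta))
    print("Pasted certificate current:", pasted_cert_matches_metadata(SAMPLE_PEM_FILE, meta))
```

Against a live tenant, fetch the App Federation Metadata URL and feed the response body to `parse_idp_metadata`; a `False` from `pasted_cert_matches_metadata` after a certificate rotation in Entra is the signal that the manually entered Identity Provider certificate in Harvest needs to be replaced.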

Step 5: Assign users to the Harvest application in Microsoft Entra

  1. Click Manage > Users and groups.
  2. Click Add user/group.
  3. On the Add Assignment pane, click None Selected under Users.
  4. Search for and select the user that you want to assign to the application. 
  5. Click Select.
  6. Click None Selected under Select a role and then select the role that you want to assign to the user.
  7. Click Select.
  8. Click Assign at the bottom of the page to assign the user to the application.
    • Please note that this will not add someone to your Harvest account. Harvest doesn’t offer SCIM provisioning at this time.

After you assign the user to the application, ensure you set the application to be visible to the user. To make it visible to assigned users, select Properties in the left pane, and then set Visible to users? to Yes.

Require sign in with Microsoft Entra ID in Harvest

Warning: Before making sign-in required with SAML SSO, be sure you’ve added yourself and all teammates as users in your created Harvest app in Microsoft Entra ID to ensure they’ll be able to sign in via SAML.

If you’ve just enabled SAML SSO via Microsoft Entra ID following the steps above and you want to require everyone in the account to sign in with Microsoft Entra ID, please follow these steps:

  1. Next to SAML, you’ll notice that the option to Require sign in with Microsoft Entra ID is grayed out. To change this, click Sign in with your Microsoft Entra ID account in the notification.
  2. Enter the email address associated with your Harvest account. This will take you to Microsoft Entra ID to sign in. 
  3. Once you have signed in to your Harvest app using Microsoft Entra ID, you’ll be redirected back to Harvest.
  4. In Harvest, go to your Settings.
  5. Click Sign in security in the left sidebar.
  6. Next to SAML, check the box to  Require sign in with Microsoft Entra ID.
    • You’ll see a warning that saving this setting will sign out anyone who isn’t currently signed in with Microsoft Entra ID.
    • We’ll also send your team an email to let them know about this change. If you’re okay with this, click Save settings to require signing in with Microsoft Entra ID.

Disable SAML SSO with Microsoft Entra ID

Note that when SAML SSO is disabled, everyone currently signed in with Microsoft Entra ID will be signed out. 

  1. In Harvest, go to your Settings.
    • Only Administrators can access Settings.
  2. Click Sign in security in the left sidebar.
  3. Next to SAML, click Disconnect SAML.
  4. Click Disconnect SAML to disconnect.

What happens when I disable SSO via Microsoft Entra ID?

SSO via Microsoft Entra ID is enabled, but your team is not required to sign in via Microsoft Entra ID

  • Everyone who is currently signed in with Microsoft Entra ID will be immediately signed out.
  • We will send emails to every user who doesn’t currently have a password set letting them know they need to set a password.

You required your team to sign in to Harvest via Microsoft Entra ID

  • Everyone who is currently signed in with Microsoft Entra ID will be immediately signed out.
  • We will send an email to every admin letting them know that signing in with Microsoft Entra ID is no longer required.
  • We will send emails to every user who doesn’t currently have a password set letting them know they need to set a password.
