[Beta] Enabling SAML SSO with Okta

SAML SSO is currently in beta and the beta is at maximum capacity. We plan to release SAML SSO publicly after we’ve had time to gather insights from our beta testers and make necessary updates and enhancements.

Harvest supports SAML single sign on (SSO) through Microsoft Entra ID and Okta. This article covers setting up Okta SSO for your Harvest account. For steps to set up Microsoft Entra ID see our article on enabling Microsoft Entra ID.

You can also find more information about SAML SSO in Harvest in our articles on Signing in to Harvest using SAML SSO and SAML SSO for Microsoft Entra ID and Okta FAQ.

How to enable SSO via Okta

Enabling SSO via Okta for your Harvest account is a multi-step process that requires gathering and recording information from/to both Okta and Harvest. For this reason, we recommend keeping Okta and Harvest both open in separate tabs of your browser while you enable the integration.

Note: Only Administrators can access these settings.

Step 1:  Add Harvest application in Okta

  1. In Okta, select the Applications drop-down from the menu on the left.
  2. Select Applications.
  3. Click on Create App Integration.
  4. Select SAML 2.0
  5. Enter "Harvest" as the app name.

Step 2:  Get SAML values from Harvest

  1. In  Harvest, go to your Settings.
  2. Click Sign in security in the left sidebar.
  3. Click Configure SAML… next to SAML
  4. You’ll see two values on this page with copy icons. You’ll need to copy and paste these values into Okta by following the steps below.

Step 3:  Add SAML Harvest data to Okta 

  1. Paste the Single sign-on URL and Audience URI (SP Entity ID) into the same fields in Okta.
  2. Click Next.
  3. Select the This is an internal app we have created option.
  4. Click Finish.
  5. Back in Harvest, click Continue to take you to the next page.

Step 4:  Add Okta metadata URL to Harvest using the Metadata URL

  1. In Okta, click on the Sign on tab and copy the Metadata URL.
  2. In Harvest, paste the Metadata URL into the Identity Provider XML configuration URL field in Harvest.
  3.  Click Save.

You’ll see a confirmation message at the top of Harvest ID letting you know SAML with Okta has been enabled.

Alternate step 4:  Set up Okta SSO with Harvest using the Sign in URL + certificate

We recommend completing step 4 using the Metadata URL from Okta as outlined above, but you can also complete this step using the Sign in URL and manually entering the Identity Provider certificate by taking the steps below:

  1. In Okta, click on the Sign on tab and then click More Details to expand it.
  2. Copy the Sign on URL.
  3. In Harvest, paste this URL into Harvest’s Sign in URL box.
  4. Back in Okta, click on Generate new certificate
  5. On the new certificate, click on Actions > Activate
  6. Click on Actions > Download certificate.
  7. Open that certificate in a text editor, like the Text Edit app.
  8. Copy the entire content and paste it into the Identity Provider certificate box in Harvest.
  9. Click Save.

You’ll see a confirmation message at the top of Harvest ID letting you know SAML with Okta has been enabled.

Step 5: Assign users to the Harvest application in Okta

  1. In Okta, go back to the General view of your application and click on Assignments.
  2. Click Assignments.
  3. Click Assign to People and search for the necessary accounts to link.
    • Please note that this will not add someone to your Harvest account. Harvest doesn’t offer SCIM provisioning at this time.
  4. Save the assignment(s).

Require sign in with Okta in Harvest

Warning: Before making sign-in required with SAML SSO, be sure you’ve added yourself and all teammates as users in your created Harvest app in Okta to ensure they’ll be able to sign-in via SAML.

If you’ve just enabled SAML SSO via Okta following the steps above and you want to require everyone in the account to sign in with Okta, please follow these steps:

  1. Next to SAML, you’ll notice that the option to Require sign in with Okta is grayed out. To change this, click Sign in with your Okta account in the notification.
  2. Enter the email address associated with your Harvest account. This will take you to Okta to sign in. 
  3. Once you have signed in to your Harvest app using Okta, you’ll be redirected back to Harvest. In Harvest, return to your Settings.
  4. Click Sign in security in the left sidebar.
  5. Next to SAML, check the box to  Require sign in with Okta.
    • You’ll see a warning that saving this setting will sign out anyone who isn’t currently signed in with Okta.
  6. We’ll also send your team an email to let them know about this change. If you’re okay with this, click Save settings to require signing in with Okta.

How to disable SSO via Okta

Note that when SSO is disabled, everyone currently signed in with Okta will be signed out. 

  1. In Harvest, go to your Settings.
    • Only Administrators can access Settings
  2. Click Sign in security in the left sidebar.
  3. Next to SAML, click Disconnect SAML.
  4. Click Disconnect SAML to disconnect.

What happens when I disable SSO via Okta?

SSO via Okta is enabled, but your team is not required to sign in via Okta

  • Everyone who is currently signed in with Okta will be immediately signed out.

  • We will send emails to every user who doesn’t currently have a password set letting them know they need to set a password.

You require your team to sign in to Harvest via Okta

  • Everyone who is currently signed in with Okta will be immediately signed out.
  • We will send an email to every Harvest Administrator  letting them know that signing in with Okta is no longer required.
  • We will send emails to every user who does not currently have a password set letting them know they need to set a password.

Did you find this article helpful?

Still have questions? We’re happy to help!

Contact us