SAML SSO FAQ

For information on enabling and signing in with SAML SSO, refer to the SAML SSO section of our Help Center.

Do you support IdP-initiated sign-in?

Yes, Harvest supports IdP-initiated sign-in through SAML SSO. You and your team will be able to launch and sign in to Harvest directly through a link from within your IdP. No additional setup is required to enable IdP-initiated sign-in; it will be supported through the normal SAML SSO setup process.

Will Harvest provide SCIM (System for Cross-domain Identity Management)?

Harvest will not be providing SCIM at this time. You’ll still need to:

  • Manually add any new teammates to your IdP and to Harvest for them to sign in with SAML.
  • Manually remove any teammates from both your IdP and Harvest.
    • If SAML is required for sign-in on the account, however, removing the teammate’s access from the IdP will block that user from signing in to Harvest. That user’s seat will remain in Harvest until it’s removed or reassigned.
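
An added example, not Harvest's code: without SCIM the IdP and Harvest user lists drift apart, so a periodic reconciliation of two exports finds seats left behind after someone is removed from the IdP, as well as IdP users who were never added to Harvest. The CSV columns (`email`, `status`) and JSON fields (`email`, `is_active`) are assumptions about your exports, and the sample data is constructed.

```python
import csv
import io
import json

# Constructed sample: IdP directory export (hypothetical column names).
IDP_EXPORT_CSV = """email,status
Ana@example.com,active
ben@example.com,active
cleo@example.com,deprovisioned
dev@example.com,active
"""

# Constructed sample: user list exported from Harvest. The "email" and
# "is_active" field names are an assumption about the export's shape.
HARVEST_USERS_JSON = """{"users": [
  {"id": 1, "email": "ana@example.com",  "is_active": true},
  {"id": 2, "email": "cleo@example.com", "is_active": true},
  {"id": 3, "email": "erin@example.com", "is_active": true},
  {"id": 4, "email": "fay@example.com",  "is_active": false}
]}"""


def norm(email):
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return email.strip().lower()


def reconcile(idp_csv, harvest_json):
    """Return the manual cleanup work that SCIM would otherwise automate."""
    idp_active = {
        norm(row["email"])
        for row in csv.DictReader(io.StringIO(idp_csv))
        if row["status"].strip().lower() == "active"
    }
    harvest_active = {
        norm(u["email"])
        for u in json.loads(harvest_json)["users"]
        if u.get("is_active")
    }
    return {
        # Active Harvest seat with no active IdP account: the seat that
        # remains until it is removed or reassigned.
        "in_harvest_not_idp": sorted(harvest_active - idp_active),
        # Active in the IdP but not yet added to Harvest.
        "in_idp_not_harvest": sorted(idp_active - harvest_active),
    }


if __name__ == "__main__":
    for finding, emails in reconcile(IDP_EXPORT_CSV, HARVEST_USERS_JSON).items():
        print(finding, emails)
```

Archived Harvest users are ignored, so only seats that are still active are reported for review.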

Can I enable SAML SSO only for some teammates?

If you set up SAML SSO but don't require it, teammates can always choose whether to sign in that way or with one of our other sign-in options (email + password or Google sign-in). If you require sign-in with SAML SSO, though, that will apply to everyone in the account.

What will happen once SAML SSO is enabled and marked required?

Each active person in your Harvest account will receive an email letting them know about the change and what they need to do to sign in moving forward. 


Here is an example of the email:

How does enabling SAML affect my access to the Harvest API?

If you requested a personal access token for Harvest's API prior to requiring sign-in with SAML SSO, you'll need to request a new token after you sign back in with SAML. 

What happens when you disconnect SAML in Harvest?

When SAML SSO is disabled in your Harvest account:

  • Everyone who is currently signed in with SAML SSO will be immediately signed out.
  • We will send an email to every Harvest Administrator letting them know that signing in with SAML SSO is no longer required.
  • We will send emails to every user who does not currently have a password set letting them know they need to set a password.

Can I see when the certificate expires for SAML SSO?

Yes—you can find that information by heading to Settings > Sign in security in your Harvest account. Next to SAML, you’ll see when the certificate expires.

If you configured SAML with an XML URL, you can update your certificate in your IdP (identity provider), and Harvest will automatically use the new active certificate.

If you configured SAML with a sign-in URL and a certificate, you’ll be able to click on Edit configuration in Harvest from Settings > Sign in security to update that certificate after generating a new certificate in your IdP.

 
