SAML SSO for Microsoft Entra ID and Okta FAQ
For information on enabling and signing in with SAML SSO, refer to our articles on Enabling SAML SSO with Microsoft Entra ID, Enabling SAML SSO with Okta, and Signing in to Harvest using SAML SSO.
Do you support IdP-initiated sign-in?
Yes, Harvest supports IdP-initiated sign-in through SAML SSO. You and your team will be able to launch and sign in to Harvest directly through a link from within your IdP. No additional setup is required to enable IdP-initiated sign-in; it will be supported through the normal SAML SSO setup process.
Will Harvest provide SCIM (System for Cross-domain Identity Management)?
Harvest will not be providing SCIM at this time. You’ll still need to:
- Manually add any new teammates to both Okta/Entra ID and to Harvest for them to sign in with SAML.
- Manually remove any teammates from both Okta/Entra ID and from Harvest.
If SAML is required for sign-in on the account, removing a teammate's access from Okta/Entra ID will block that user from signing in to Harvest. However, that user's seat will remain in Harvest until it's removed or reassigned.
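Without SCIM, the user lists in the IdP and in Harvest can drift apart. The following is an added example, not Harvest's own code: it compares two constructed CSV exports (the column names and the `reconcile` helper are assumptions) and lists the seats to remove from Harvest and the people still to add, labelling stale seats according to whether SAML is required.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions, not a
# documented Okta, Entra ID or Harvest export format.
IDP_EXPORT = """email,status
alice@example.com,ACTIVE
bob@example.com,DEPROVISIONED
Carol@Example.com,ACTIVE
erin@example.com,ACTIVE
"""

HARVEST_EXPORT = """email,is_active
alice@example.com,true
bob@example.com,true
carol@example.com,true
dave@example.com,true
frank@example.com,false
"""


def _emails(text, column, wanted):
    """Return lower-cased emails from rows whose `column` equals `wanted`."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["email"].strip().lower() for r in rows
            if r[column].strip().lower() == wanted}


def reconcile(idp_csv, harvest_csv, saml_required):
    """Compare active IdP users with active Harvest seats (hypothetical helper)."""
    idp = _emails(idp_csv, "status", "active")
    harvest = _emails(harvest_csv, "is_active", "true")
    stale = sorted(harvest - idp)
    # With SAML required, removal from the IdP already blocks sign-in, so a
    # stale seat is a cleanup item. Without it, the IdP is not the only way
    # in (an inference from the FAQ wording), so the account needs review.
    severity = "seat-cleanup" if saml_required else "review-access"
    return {
        "remove_from_harvest": [(e, severity) for e in stale],
        "add_to_harvest": sorted(idp - harvest),
    }


if __name__ == "__main__":
    for required in (True, False):
        print(required, reconcile(IDP_EXPORT, HARVEST_EXPORT, required))
```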
What will happen once SAML SSO is enabled and marked required?
Each active person in your Harvest account will receive an email letting them know about the change and what they need to do to sign in moving forward.
How does enabling SAML affect my access to the Harvest API?
If you requested a personal access token for Harvest's API prior to requiring sign-in with Okta or Microsoft Entra ID, you'll need to request a new token after you sign back in with SAML.
What happens when you disconnect SAML in Harvest?
SSO via Okta or Microsoft Entra ID is enabled, but your team is not required to sign in via Okta or Microsoft Entra ID:
- Everyone who is currently signed in with Microsoft Entra ID or Okta will be immediately signed out.
- We will send emails to every user who doesn’t currently have a password set letting them know they need to set a password.
SSO via Okta or Microsoft Entra ID is enabled, and your team is required to sign in via Okta or Microsoft Entra ID:
- Everyone who is currently signed in with Microsoft Entra ID or Okta will be immediately signed out.
- We will send an email to every Harvest Administrator letting them know that signing in with Microsoft Entra ID or Okta is no longer required.
- We will send emails to every user who does not currently have a password set letting them know they need to set a password.
Can I connect to IdPs other than Microsoft Entra ID and Okta, or to my own custom IdP?
Not at this time. Harvest currently only offers SAML SSO through Microsoft Entra ID and Okta.
Can I see when the certificate expires for SAML SSO?
Yes—you can find that information by heading to Settings > Sign in security in your Harvest account. Next to SAML, you’ll see when the certificate expires.
If you configured SAML with an XML URL, you can update your certificate in your IdP (identity provider), and Harvest will automatically use the new active certificate.
If you configured SAML with a sign-in URL and a certificate, you’ll be able to click on Edit configuration in Harvest from Settings > Sign in security to update that certificate after generating a new certificate in your IdP.