Enabling SAML SSO with Ping Identity

Harvest supports SAML single sign-on (SSO) for accounts on our Premium plan. This article covers setting up Ping Identity SSO for your Harvest account. For information about other SAML SSO options and the SAML SSO FAQ, see the SAML SSO section of our Help Center.

You can also consult Ping's SAML SSO documentation.

How to enable SSO via Ping Identity

Enabling SSO via Ping for your Harvest account is a multi-step process that requires copying information between Ping and Harvest. For this reason, we recommend keeping Ping and Harvest both open in separate tabs of your browser while you enable the integration.

Step 1: Configure SAML Application in Ping Identity

  1. Log in to your Ping Identity Admin Console.
  2. In the side navigation bar, click Administrators.
  3. Navigate to Applications and click the blue + icon to add a new application.
  4. Provide a name for the application, such as "Harvest".
  5. Select SAML Application and click Configure.
  6. Choose Manual Entry to configure the SAML details.

Step 2: Add SAML Details from Harvest to Ping Identity

  1. In a separate browser tab, sign in to Harvest and navigate to Configure SAML under Settings > Sign in security.
  2. Select Ping Identity as the identity provider. Harvest will provide two key URLs:
    • Entity ID: Copy this and paste it into Ping Identity’s Entity ID field.
    • Single Sign-On URL: Copy this and paste it into Ping Identity’s ACS URL field.
  3. Save the configuration in Ping Identity.

Step 3: Enable the Application and Adjust Mapping

  1. Ensure the new application is activated in Ping Identity by toggling the Enable Application switch to ON.
  2. By default, Ping Identity maps the SAML subject to the User ID. Harvest requires the subject be the email address:
    • Click the Edit button in the SAML configuration.
    • Change the mapping to Email Address and save the changes.

Step 4: Complete Metadata Configuration

  1. In Ping Identity, navigate to the Overview tab of the application.
  2. Copy the IDP Metadata URL.
  3. Return to Harvest and paste the URL into the IDP Metadata URL field.
  4. Save the changes in Harvest.

If successful, a certificate will appear, indicating that Harvest and Ping Identity can communicate.

Step 5: Test the SAML SSO Configuration

  1. Sign out of your Harvest account.
  2. On the Harvest sign in screen, select Sign in with SAML SSO.
  3. Use a test account configured in both Harvest and Ping Identity.
  4. If configured correctly, you will be redirected to Ping Identity for authentication and then signed into Harvest.
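
If the test sign-in fails, the usual causes are the values from Steps 2 and 3: the subject is still the User ID, or the Entity ID or ACS URL was pasted incorrectly. The following added example (not Harvest's or Ping's code) checks a decoded SAML response for those three things; the URLs and the sample response are constructed placeholders, and the script does not verify the signature.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Constructed placeholders: copy the real values from Harvest's Configure SAML page.
ENTITY_ID = "https://sp.example.test/saml/metadata"
ACS_URL = "https://sp.example.test/saml/consume"

def check_assertion(xml_text, entity_id, acs_url):
    """Return a list of mapping/URL problems. Does NOT verify the signature."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTDs are not expected in SAML messages")
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    subject = (name_id.text or "").strip() if name_id is not None else ""
    if not EMAIL_RE.match(subject):
        problems.append(f"subject {subject!r} is not an email address (Step 3)")
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} lacks the Entity ID (Step 2)")
    confirm = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = confirm.get("Recipient") if confirm is not None else None
    if recipient != acs_url:
        problems.append(f"Recipient {recipient!r} is not the ACS URL (Step 2)")
    return problems

def sample_response(subject):
    # Constructed, unsigned response for illustration only.
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:Subject><saml:NameID>{subject}</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{ENTITY_ID}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    for subject in ("jdoe", "jdoe@example.test"):
        result = check_assertion(sample_response(subject), ENTITY_ID, ACS_URL)
        print(subject, "->", result or "OK")
```

To use it on a real test sign-in, base64-decode the SAMLResponse form field captured in your browser's developer tools and pass the resulting XML as `xml_text`.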

Require sign in with Ping Identity in Harvest

Warning: Before requiring sign in with SAML SSO, be sure you’ve added yourself and all teammates as users of the Harvest app you created in Ping, so they’ll be able to sign in via SAML.

If you’ve just enabled SAML SSO via Ping following the steps above and you want to require everyone in the account to sign in with Ping, please follow these steps:

  1. Next to SAML, you’ll notice that the option to Require sign in with Ping is grayed out. To change this, click Sign in with your Ping account in the notification.
  2. Enter the email address associated with your Harvest account. This will take you to Ping to sign in. 
  3. Once you have signed in to your Harvest app using Ping, you’ll be redirected back to Harvest. 
  4. In Harvest, go to your Settings.
  5. Click Sign in security in the left sidebar.
  6. Next to SAML, check the box to Require sign in with Ping.
    • You’ll see a warning that saving this setting will sign out anyone who isn’t currently signed in with Ping.
    • We’ll also send your team an email to let them know about this change. If you’re okay with this, click Save settings to require signing in with Ping.

Disable SAML SSO with Ping

Note that when SAML SSO is disabled, everyone currently signed in with Ping will be signed out. 

  1. In Harvest, go to your Settings.
    • Only Administrators can access Settings.
  2. Click Sign in security in the left sidebar.
  3. Next to SAML, click Disconnect SAML.
  4. Click Disconnect SAML to disconnect.

What happens when I disable SSO via Ping?

SSO via Ping is enabled, but your team is not required to sign in via Ping

  • Everyone who is currently signed in with SAML SSO will be immediately signed out.
  • We will send emails to every user who doesn’t currently have a password set letting them know they need to set a password.

You required your team to sign in to Harvest via Ping

  • Everyone who is currently signed in with SAML SSO will be immediately signed out.
  • We will send an email to every Administrator in Harvest letting them know that signing in with Ping is no longer required.
  • We will send emails to every user who doesn’t currently have a password set letting them know they need to set a password.
