Enabling SAML SSO with a custom SAML provider

Harvest supports SAML single sign-on (SSO) for accounts on our Premium plan. This article covers setting up a custom SAML SSO provider for your Harvest account. For information about other SAML SSO options such as Okta, Microsoft Entra ID, JumpCloud, and Ping Identity, as well as the SAML SSO FAQ, see the SAML SSO section of our Help Center.

How to enable SAML SSO with a custom provider

Enabling SAML SSO with a custom provider for your Harvest account is a multi-step process that requires copying information in both directions between your provider and Harvest. For this reason, we recommend keeping your provider and Harvest both open in separate tabs of your browser while you enable the integration.

Step 1: Configure SAML SSO with your Identity Provider

  1. Sign in to your Identity Provider Admin Console.
  2. Create a new application using SAML SSO.
  3. Provide a name for the application, such as “Harvest,” and save the application.
  4. Navigate to the configuration settings for the new application to proceed with SAML setup.

Step 2: Add SAML Details from Harvest to the Identity Provider

  1. Sign in to Harvest and navigate to Configure SAML under Settings > Sign in security.
  2. Select Custom SAML Provider as your identity provider. 
  3. Harvest will display the following details, which need to be added to your identity provider's SAML configuration:
    • Entity ID: Copy this value and paste it into the corresponding field in your identity provider.
    • Single sign-on URL: Copy this value and paste it into the corresponding field in your identity provider.
  4. Save the configuration in your identity provider.

Step 3: Complete Metadata Configuration

  1. In your identity provider’s Admin Console, locate the Metadata URL or certificate and sign-in URL.
  2. Go back to Harvest and paste either the Metadata URL, or the certificate and sign-in URL, into the SAML Settings configuration.
  3. Save the changes in Harvest.

If successful, a certificate will appear, indicating that Harvest and your Identity Provider can communicate.

Step 4: Test the SAML SSO Configuration

  1. Sign out of your Harvest account.
  2. On the sign in screen, select Sign in with SAML SSO.
  3. Choose the user account you configured.
  4. If configured correctly, you will be redirected to your identity provider for authentication and then signed into Harvest.

Require sign in with your custom identity provider in Harvest

Warning: Before requiring sign in with SAML SSO, be sure you’ve added yourself and all teammates as users of the Harvest app you created in your identity provider, so that they’ll be able to sign in via SAML.

If you’ve just enabled SAML SSO using a custom identity provider following the steps above and you want to require everyone in the account to sign in with SAML SSO, please follow these steps:

  1. Next to SAML, you’ll notice that the option to Require sign in with [identity provider name] is grayed out. To change this, click Sign in with your [identity provider name] account in the notification.
  2. Enter the email address associated with your Harvest account. This will take you to your identity provider to sign in. 
  3. Once you have signed in to your Harvest app using your identity provider, you’ll be redirected back to Harvest. 
  4. In Harvest, go to your Settings.
  5. Click Sign in security in the left sidebar.
  6. Next to SAML, check the box to Require sign in with [identity provider name].
    • You’ll see a warning that saving this setting will sign out anyone who isn’t currently signed in with your identity provider.
    • We’ll also send your team an email to let them know about this change. If you’re okay with this, click Save settings to require signing in with SAML SSO.

Disable SAML SSO 

Note that when SAML SSO is disabled, everyone currently signed in with SAML SSO will be signed out. 

  1. In Harvest, go to your Settings.
    • Only Administrators can access Settings.
  2. Click Sign in security in the left sidebar.
  3. Next to SAML, click Disconnect SAML.
  4. Click Disconnect SAML to disconnect.

What happens when I disable SAML SSO?

SAML SSO is enabled, but your team is not required to sign in via your identity provider

  • Everyone who is currently signed in with SAML SSO will be immediately signed out.
  • We will send emails to every user who doesn’t currently have a password set letting them know they need to set a password.

You required your team to sign in to Harvest with SAML SSO

  • Everyone who is currently signed in with SAML SSO will be immediately signed out.
  • We will send an email to every Administrator in Harvest letting them know that signing in with your identity provider is no longer required.
  • We will send emails to every user who doesn’t currently have a password set letting them know they need to set a password.
