SAML / Single Sign-On

Overview

With Heeler, you can enable single sign-on (SSO) using an Identity Provider (IdP) that supports Security Assertion Markup Language (SAML), such as Okta, Microsoft Entra ID, Google, or Ping Identity.

Heeler uses SAML 2.0 for all SAML SSO configurations. This includes configurations with supported Identity Providers and any custom configurations.

Requirements

SAML 2.0 Identity Provider
Download the IDP metadata xml from your Identity Provider

Heeler (Service Provider) Setup

Navigate to SAML Setup from the Administration icon -> Settings

Upload the Metadata XML file retrieved from your Identity Provider to Heeler

Identity Provider Setup

Copy the Entity ID, Assertion Consumer URL, and ACS Binding settings over to your IDP to configure Heeler as a Service Provider.

Heeler supports the HTTP-POST binding for SAML2: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Heeler specifies urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress for the format of the NameIDPolicy in assertion requests
Required that SAML Responses are Signed
Required Attributes:
- First Name
- Last Name
- Email

Optional SAML Settings

SAML Strict (recommended): Requires the SAML standard is strictly followed by the IDP including signing and encryption
Just-in-Time Provisioning (recommended): Once granted access in the IDP, new users are automatically created in Heeler when they log in from the IDP.
Group Mapping: Automatically sync group membership of the IDP in Heeler.

PreviousUser Management

Last updated 7 months ago