Configuring SSO Access to Harvey

Overview

Harvey employs Security Assertion Markup Language (SAML) to facilitate seamless Single Sign-On (SSO) integration.


SSO Setup Process

To initiate the configuration process, contact your Account Manager. The Harvey Solutions team will securely send you the information you need to create the X.509 Signing Certificate:

  • Assertion Consumer Service (ACS) URL

  • Entity ID

In addition, you will need to configure the following:

  • Name ID: Primary Email / Preferred Email

  • Primary Email / Preferred Email → email
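
One way to pre-check these settings on a decoded test assertion from your identity provider before the end-to-end test (an added example, not Harvey's code). The URL, Entity ID and sample assertion are constructed placeholders, and comparing the NameID with the email attribute is an assumption based on both being mapped from the same field.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Placeholders (assumptions): substitute the values the Solutions team sends you.
EXPECTED_ACS_URL = "https://sp.example.invalid/saml/acs"
EXPECTED_ENTITY_ID = "urn:example:sp-entity-id"

# Constructed sample assertion (unsigned, for illustration only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@firm.example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.invalid/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>urn:example:sp-entity-id</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@firm.example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, acs_url, entity_id):
    """Return a list of mismatches between an assertion and the expected SSO settings.
    Signature validation is out of scope here; the service provider performs it."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("./saml:Subject/saml:NameID", NS)
    name_val = (name_id.text or "").strip() if name_id is not None else ""
    if "@" not in name_val:
        problems.append("NameID is not an email address")
    conf = root.find("./saml:Subject/saml:SubjectConfirmation"
                     "/saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != acs_url:
        problems.append("Recipient does not match the ACS URL")
    audiences = [a.text.strip() for a in
                 root.iterfind(".//saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        problems.append("Audience does not contain the Entity ID")
    emails = [v.text.strip()
              for attr in root.iterfind("./saml:AttributeStatement/saml:Attribute", NS)
              if attr.get("Name") == "email"
              for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    if not emails:
        problems.append("'email' attribute is missing")
    elif name_val.lower() not in [e.lower() for e in emails]:
        problems.append("'email' attribute differs from NameID")
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, EXPECTED_ACS_URL, EXPECTED_ENTITY_ID) or "OK")
```

An empty list means the assertion carries the expected Recipient, Audience, NameID and `email` attribute; each string in a non-empty list names the setting to fix in the identity provider.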


Roles

We provide the following basic roles that can be assigned to users:

  • Organization Admin: Has access to the Admin Dashboard, including the ability to view and export usage metrics and the history of all users.

  • User: Basic access to Harvey with access only to their specific history.

Your Account Manager can help you update role assignments. It is also possible to customize or add roles to serve your needs in collaboration with your customer success team. For example, if you do not want Organization Admins to be able to view the history of all users, that is possible as well. We are working on a self-service portal.


Feature Flags

You can decide which features of Harvey are available to each of your users. Please work with your Account Manager to understand the different features available and assign them to the correct users.


User Provisioning and De-Provisioning

Once SSO is configured, you can provision and deprovision user access to Harvey simply by adding or removing them from the relevant Security Group(s).


Authentication with SAML

In most cases, users authenticate through their firm’s Identity Provider (e.g. Microsoft Entra, Okta, Google Workspace), which connects via SAML to our Auth0 tenant.

The identity provider’s password policy and MFA requirements apply, as do any other configured security policies. Many identity providers support the enforcement of context-aware access, meaning that you can restrict access to Harvey to your corporate network, corporate-managed devices, etc. It is the customer’s responsibility to manage the identity provider.


Application Level Controls

You can restrict access to Harvey so that only users added directly by an Admin can log in. This method requires manual provisioning by Admins but allows for granular access control without needing an access group setup through your identity provider. This is an optional setting and is not enabled by default. Please discuss this solution with your Account Manager if you'd like to implement it.


Using SSO and Single-Use Passwords

By default, once your workspace uses SSO for authentication, we can no longer support sending single-use passwords over email. Due to this restriction, we highly recommend scheduling a short call with our Solutions team to test your newly configured SSO connection end-to-end. This will help identify and resolve any issues quickly, mitigating potential access loss for your users. To set up a call with the Solutions team, please contact your Account Manager.


For further assistance, please contact [email protected]
