
  Article updated: October 16, 2023

Single sign-on set up guide

Single sign-on (SSO) lets your employees use a single set of credentials (name and password) to sign in and access multiple applications and websites. With SSO, you can manage your employees' credentials, increasing your security and access control.

Plans: Enterprise. If you're an Enterprise member and don't see the SSO option, please reach out to your customer account manager.

Your employees can bid farewell to the days of remembering multiple passwords and resetting forgotten ones - they can use SSO to access the software they need without having to sign in to each one each time.

Supported identity providers

Hootsuite supports any corporate network provider that uses Security Assertion Markup Language (SAML) 2.0. Hootsuite supports SSO for the following popular identity providers:

  • Okta
  • Microsoft Entra (previously Microsoft Azure Active Directory)
  • OneLogin
  • Google
  • Ping Identity

What is SAML?

Security Assertion Markup Language (SAML) is an open standard data format for exchanging authentication and authorization data between an identity provider (IdP) and service provider (SP).

We support SAML 2.0 on both the Hootsuite web version and mobile app.

What's the difference between IdP and SP?

Your company manages and stores credentials for your employees, so they're what we call the Identity provider (IdP). Applications and websites (like Hootsuite, Google Workspace, or Salesforce) that provide services to your employees are Service providers (SP).

There are two different methods for initiating the SSO authentication process. The main difference between them lies in which provider initiates the process - the IdP or the SP. Following are descriptions of both types of SSO:

  • IdP-initiated SSO - The IdP initiates the authentication process by redirecting the user to the SP's sign in page. Once authenticated, the IdP sends a response to the SP, granting access to the requested resource. With IdP-initiated SSO, a user signs in to a company resource to access applications and websites.
  • SP-initiated SSO - The user signs in to a resource provided by the SP. The SP then redirects them to the IdP for authentication. With SP-initiated SSO, a user signs in to an application or website without first signing in to their company resources. They are then asked to sign in with SSO.

You can configure either IdP-initiated or SP-initiated, or choose both methods (recommended).

The web version of Hootsuite supports IdP-initiated and SP-initiated SSO. The Hootsuite mobile app only supports SP-initiated SSO.

Before we begin

Give yourself some time to get set up and to test your SSO configuration. You may want to consider choosing a time when your employees are not trying to sign in to Hootsuite. You'll need to do the following before you start:

  • Make sure you have super admin permissions for your Hootsuite organization. Learn more about Hootsuite permissions.
  • When you configure SSO, you'll need to copy information between Hootsuite and your IdP - so make sure you have both open and available.
  • Add the members that you want to use SSO to your Hootsuite organization. You can add a few members to test your configuration, and then return and add more later. Learn how to add members to an organization.

Gather your data

You'll want to gather the following information to make your connection:

  • Entity ID - hootsuite.com
  • SP SAML return URL - hootsuite.com
  • IdP SAML return URL - https://hootsuite.com/sso/{orgID}
  • SAML 2.0 xml metadata - You can upload a SAML 2.0 xml file, or you can manually enter the metadata. If you plan on entering it manually, make sure you have the Entity ID, SAML login URL, and x.509 signing certificate.

Need help finding your metadata? Here are some help links for the following popular IdPs:

Connect Hootsuite to your IdP

Connect Hootsuite to your IdP so your employees can sign in to Hootsuite using SSO. If you have all of the information you need, this process should take less than an hour to configure, test, and get connected.

  1. Go to My profile, and then select Manage accounts and teams.
  2. Select SSO in your organization.
  3. Select your initiation method (learn more about your options). We support SP-initiated and IdP-initiated SSO. To use the Hootsuite mobile app, you must use SP-initiated SSO.
  4. Your IdP requires the Entity ID, IdP SAML return URL, and SP SAML return URL. As a shortcut, you can use Copy, and then paste them into your IdP configuration.
     • Okta - If you're using Okta as your IdP, you'll be asked for a single return URL. Use the IdP SAML return URL. You'll still be able to use either IdP- or SP-initiated SSO.
  5. Add your IdP metadata. You can upload a SAML 2.0 xml file, or you can manually enter the metadata. If you plan on entering it manually, make sure you have the Entity ID, SAML login URL, and x.509 signing certificate. Need help finding your metadata?
     Important: If you turn on SSO for your entire organization and your configuration has a problem, you won't be able to sign in to make changes. If you're testing, the super admin can sign in without SSO to make changes.

Test your configuration

Don't forget to test!

  1. Select a few members from your Hootsuite organization that you can use to test your configuration. Learn how to add members to an organization.
  2. Select Save.
  3. Have your test accounts sign in to Hootsuite using their SSO credentials. If sign in is successful, celebrate! If it isn't successful, your super admin can log in without SSO to make changes.

Note: During your tests, members who haven't been added to SSO can only sign in to Hootsuite with their email address and Hootsuite password.

Turn SSO on for all your members

Once you've tested and confirmed your SSO setup is working properly, you can return to Hootsuite, add your members to your Hootsuite organization, and turn on SSO for all of them.

  1. Return to Hootsuite. Make sure you've added all of your members to your Hootsuite organization. Learn how to add members to an organization.
  2. Return to SSO setup (go to My profile, select Manage accounts and teams, and then select SSO in your organization).
  3. Select Turn on SSO for all members.
     Note: If you're adding a lot of members, SSO can take up to 10 minutes to turn on for all of them.
  4. Your employees will receive an email with instructions on how to sign in to Hootsuite using SSO. They will no longer be able to sign in to Hootsuite with their email address and Hootsuite password.

Tip: If you need to allow some members to sign in to Hootsuite with their email address and Hootsuite password (bypass SSO), contact your Customer Account Manager.

Keep your signing certificate up-to-date

For security and to comply with regulatory standards, SSO x.509 signing certificates are set to expire after a period of time. The expiration date is typically set by the certificate authority associated with your provider. When your certificate expires, your members will not be able to sign in to Hootsuite using SSO.

You can update your x.509 signing certificate for the SSO service provider you've configured in Hootsuite. If you need to change your service provider, please reach out to your customer account manager and provide them with the SAML login URL, SAML issuer, and x.509 certificate.

  1. Go to My profile, and then select Manage accounts and teams.
  2. Select SSO in your organization.
  3. Select Configure SSO, and then select Update certificate.

     
