Article updated: October 22, 2021
Single sign-on with Hootsuite
Single sign-on (SSO) allows you to sign in once and access other software systems. It keeps you from having to sign in to a bunch of systems separately. Hootsuite supports SSO on both web and mobile.
Key benefits of SSO
Hootsuite’s SSO provides the following benefits:
- Fewer passwords - Hootsuite Enterprise members only need their corporate network login, instead of both a Hootsuite login and a corporate network login.
- Centralized access control - Network administrators manage access to Hootsuite through their central identity directory. Central control helps to prevent former employees from accessing the company's Hootsuite account.
- Better password management - Administrators can enforce password management policies such as password expiration, minimum password complexity, and restrictions on reusing previous passwords.
Hootsuite supports SSO for the following providers:
- Azure AD
- Ping Identity
Hootsuite also works with any corporate network identity provider that supports Security Assertion Markup Language (SAML). Hootsuite supports SAML 2.0, which provides web-based authentication and authorization, with the user’s email as the source of truth.
What is SAML?
Security Assertion Markup Language (SAML) is an open standard data format for exchanging authentication and authorization data between a user directory (identity provider) and client application (service provider). SAML 2.0 enables web-based authentication and authorization, including SSO.
Configure a SAML authentication service
Hootsuite customer success managers and professional services consultants configure Hootsuite accounts with SSO. We use the SAML identity provider parameters provided by your system administration team.
- Your users must create Hootsuite user accounts so that a customer success manager can enable SSO for them.
- Your SAML service must be able to retrieve an email address for each user who signs into it. This must be the same address as the one used for the Hootsuite account.
- Your SAML service must use one of the following fields to return the user’s email address to Hootsuite. These are listed in order of preference.
  - NameID (in the “subject” node)
  - uid (attribute)
  - email (attribute)
  - email_address (attribute)
  - emailAddress (attribute)
Confirm that you have set up the requirements. Provide the following information (found in the SAML metadata file from your identity provider) to your Hootsuite professional services consultant or customer success manager:
- SAML Issuer
- SAML Login URL
- X.509 Public Signing Certificate
Then, depending on the type of SSO being configured, provide the following required information. If your users need to authenticate to Hootsuite or Hootsuite Amplify mobile apps with SSO, you should configure for SP-initiated SSO.
- Entity ID (SP entity id): hootsuite.com
- ACS ID: https://hootsuite.com/login?method=sso
- ACS ID: https://hootsuite.com/sso/org ID
The Org ID will be provided by your professional services consultant or customer success manager.
- The SAML Response must be signed at the assertion level. It may contain only ONE assertion, which must be signed.
- The SAML Response message itself can be signed or unsigned.
- SAML Response must not be encrypted.
- Signature algorithm must be: DSA_SHA1, RSA_SHA1 or RSA_SHA256
- For SP-SSO, Hootsuite does not sign the SAML Request. Hootsuite's public signing certificate is not provided because it is not needed.
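A pre-flight check an identity provider administrator could run on a decoded SAML Response before sending the configuration details, covering the email field order and the signing requirements listed above. This is an added example, not Hootsuite's code: `lint_response`, the sample document and the choice to treat any present NameID as the email are assumptions, and it inspects structure only without verifying the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# XML-DSig URIs for DSA_SHA1, RSA_SHA1 and RSA_SHA256
ALLOWED_ALGS = {NS["ds"] + "dsa-sha1", NS["ds"] + "rsa-sha1",
                "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}
EMAIL_ATTRS = ["uid", "email", "email_address", "emailAddress"]  # page's order

def lint_response(xml_text):
    """Return (email, problems) for a base64-decoded SAML Response."""
    root = ET.fromstring(xml_text)  # your own IdP's output; not for untrusted XML
    problems = []
    if root.find("saml:EncryptedAssertion", NS) is not None:
        problems.append("assertion is encrypted")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return None, problems + [f"expected 1 assertion, found {len(assertions)}"]
    assertion = assertions[0]
    # Signature must be a direct child of the Assertion, not only of the Response.
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    elif method is None or method.get("Algorithm") not in ALLOWED_ALGS:
        problems.append("unsupported signature algorithm")
    # Email lookup: NameID first, then attributes in the listed order.
    found = {}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text:
        found["NameID"] = name_id.text.strip()
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            found.setdefault(attr.get("Name"), value.text.strip())
    email = next((found[k] for k in ["NameID"] + EMAIL_ATTRS if k in found), None)
    if email is None:
        problems.append("no email in NameID or a supported attribute")
    return email, problems

# Constructed sample (not real IdP output): RSA_SHA256-signed, email attribute only.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 xmlns:ds="{NS['ds']}"><saml:Assertion><ds:Signature><ds:SignedInfo>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
</ds:SignedInfo></ds:Signature><saml:AttributeStatement>
<saml:Attribute Name="email"><saml:AttributeValue>jo@example.com</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
if __name__ == "__main__":
    print(lint_response(SAMPLE))
```

An empty problem list means the response has the shape described here; it does not replace a test sign-in with your Hootsuite contact.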