Article updated: May 13, 2021
Single sign-on with Hootsuite
Hootsuite account authentication supports single sign-on (SSO) for both web and mobile. With SSO set up, you can sign in to your Hootsuite account using your corporate network credentials, instead of with separate Hootsuite credentials.
What is SSO?
SSO, or single sign-on, enables you to sign in once, typically to a corporate or enterprise network, and gain access to other software systems without being prompted to sign in to each of them. SSO provides enterprise customers with granular control over account management, but integration capabilities vary across SSO solutions.
Key benefits of SSO
Hootsuite’s SSO solution provides the following benefits:
- Reduced number of passwords - Hootsuite Enterprise users require only their corporate network login, instead of needing a Hootsuite login and corporate network login.
- Centralized access control - Enterprise customer network administrators can manage access to Hootsuite through their central identity directory. Central control makes it easy to prevent former employees from accessing Hootsuite.
- Advanced password management - Administrators can enforce password management policies such as password expiry, minimum password complexity, and no recycling of previous passwords.
Hootsuite supports SSO for the following providers:
- Azure AD
- Ping Identity
Any corporate network identity provider that supports Security Assertion Markup Language (SAML) is supported. Hootsuite supports SAML 2.0 as it enables web-based authentication and authorization with the user’s email as our source of truth.
What is SAML?
Security Assertion Markup Language (SAML) is an open standard data format for exchanging authentication and authorization data between a user directory (identity provider) and client application (service provider). SAML 2.0 enables web-based authentication and authorization scenarios including SSO.
Configuring a SAML authentication service to use with Hootsuite
Hootsuite customer success managers and professional services consultants configure Hootsuite accounts with SSO using the SAML identity provider parameters provided by your system administration team.
- Hootsuite user accounts must be created first so that the SSO feature can be enabled for them by a customer success manager.
- Your SAML service must be able to retrieve an email address for each user who signs in to it (and it must be the same address as the one used to create a corresponding Hootsuite account).
- Your SAML service must return the user’s email address to Hootsuite in the response by using one of the following fields (in order of preference):
- NameID (in the “subject” node)
- uid (attribute)
- email (attribute)
- email_address (attribute)
- emailAddress (attribute)
When you have confirmed that the requirements are in place, provide the following information (found in the SAML metadata file from your identity provider) to your Hootsuite professional services consultant or customer success manager:
- SAML Issuer
- SAML Login URL
- x.509 Public Signing Certificate
Then provide the following required information, depending on the type of SSO being configured. If your users will need to authenticate into the Hootsuite or Hootsuite Amplify mobile apps with SSO, you should configure for SP-initiated SSO.
- Entity ID (SP entity id): hootsuite.com
- ACS ID: https://hootsuite.com/login?method=sso
- ACS ID: https://hootsuite.com/sso/org ID
The Org ID will be provided by your professional services consultant or customer success manager.
- SAML Response must be signed at the assertion level. SAML Response may have at most ONE assertion, which must be signed.
- SAML Response can be signed or unsigned.
- SAML Response must not be encrypted.
- Signature algorithm must be: DSA_SHA1, RSA_SHA1 or RSA_SHA256
- For SP-SSO, Hootsuite does not sign the SAML Request; therefore, Hootsuite's public signing certificate is not provided because it is not needed.