
  Article updated: October 22, 2021

Single sign-on with Hootsuite

Single sign-on (SSO) allows you to sign in once and access other software systems. It keeps you from having to sign in to a bunch of systems separately. Hootsuite supports SSO on both web and mobile.

Plans: Enterprise


Key benefits of SSO

Hootsuite’s SSO provides the following benefits:

  • Fewer passwords - Hootsuite Enterprise members only need their corporate network login, instead of both a Hootsuite login and a corporate network login.
  • Centralized access control - Network administrators manage access to Hootsuite through their central identity directory. Central control helps to prevent former employees from accessing the company's Hootsuite account.
  • Better password management - Administrators can enforce password management policies such as password expiration, minimum password complexity, and limits on reuse of previous passwords.

Supported providers

Hootsuite supports SSO for the following providers:

  • Okta
  • Azure AD
  • OneLogin
  • Google
  • Ping Identity

Any corporate network identity provider that supports Security Assertion Markup Language (SAML) is supported. Hootsuite supports SAML 2.0 for web-based authentication and authorization, with the user’s email as the source of truth.

What is SAML?

Security Assertion Markup Language (SAML) is an open standard data format for exchanging authentication and authorization data between a user directory (identity provider) and client application (service provider). SAML 2.0 enables web-based authentication and authorization, including SSO.

Configure a SAML authentication service

Hootsuite customer success managers and professional services consultants configure Hootsuite accounts with SSO. We use the SAML identity provider parameters provided by your system administration team.

Requirements

  1. Your users must create Hootsuite user accounts so that a customer success manager can enable SSO for them.
  2. Your SAML service must be able to retrieve an email address for each user who signs into it. This must be the same address as the one used for the Hootsuite account.
  3. Your SAML service must use one of the following fields to return the user’s email address to Hootsuite. These are listed in order of preference.
    1. NameID (in the “subject” node)
    2. uid (attribute)
    3. email (attribute)
    4. email_address (attribute)
    5. emailAddress (attribute)

Initiating setup

Confirm that you have met the requirements. Provide the following information (found in the SAML metadata file from your identity provider) to your Hootsuite professional services consultant or customer success manager:

  • SAML Issuer
  • SAML Login URL
  • X.509 Public Signing Certificate

Then, depending on the type of SSO being configured, provide the following required information. If your users need to authenticate to the Hootsuite or Hootsuite Amplify mobile apps with SSO, configure SP-initiated SSO.

SP-initiated SSO:

  • Entity ID (SP entity ID): hootsuite.com
  • ACS ID: https://hootsuite.com/login?method=sso

IdP-initiated SSO:

  • ACS ID: https://hootsuite.com/sso/<Org ID>
    The Org ID will be provided by your professional services consultant or customer success manager.

Configuration notes

  • The SAML Response must be signed at the assertion level. The SAML Response may have ONE assertion, which must be signed.
  • The SAML Response message itself can be signed or unsigned.
  • The SAML Response must not be encrypted.
  • The signature algorithm must be one of: DSA_SHA1, RSA_SHA1 or RSA_SHA256.
  • For SP-initiated SSO, Hootsuite does not sign the SAML Request. Hootsuite's public signing certificate is not provided because it is not needed.
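
A pre-flight check an identity provider administrator could run on a captured SAML Response before handing setup over, covering the email-field order of preference from the Requirements list and the signing and encryption rules in the configuration notes above. This is an added example, not Hootsuite's code: the function names, the constructed sample response and the mapping of the listed algorithm names to their standard XML-DSig URIs are assumptions, and it checks structure only without verifying the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Assumption: standard XML-DSig URIs for DSA_SHA1, RSA_SHA1 and RSA_SHA256.
ALLOWED_ALGS = {"http://www.w3.org/2000/09/xmldsig#dsa-sha1",
                "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}
# Order of preference from the Requirements list.
EMAIL_FIELDS = ["NameID", "uid", "email", "email_address", "emailAddress"]

# Constructed minimal sample; signature body omitted because it is never verified here.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod
    Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="email">
    <saml:AttributeValue>a.smith@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

def resolve_email(assertion):
    """Return (field, value) for the first populated field in preference order."""
    found = {}
    nid = assertion.find("saml:Subject/saml:NameID", NS)
    if nid is not None:
        found["NameID"] = (nid.text or "").strip()
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        found[a.get("Name")] = a.findtext("saml:AttributeValue", "", NS).strip()
    return next(((f, found[f]) for f in EMAIL_FIELDS if found.get(f)), (None, None))

def lint_response(xml_text):
    """Structural lint only; it does NOT verify the signature cryptographically."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        problems.append("assertion is encrypted")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + [f"expected 1 assertion, found {len(assertions)}"], (None, None)
    method = assertions[0].find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if assertions[0].find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    elif method is None or method.get("Algorithm") not in ALLOWED_ALGS:
        problems.append("signature algorithm not in DSA_SHA1/RSA_SHA1/RSA_SHA256")
    hit = resolve_email(assertions[0])
    return problems + ([] if hit[1] else ["no email field found"]), hit
```

Run it only on a response captured from your own identity provider, since `xml.etree.ElementTree` is not hardened against hostile XML. The returned field name shows which value would be matched against the Hootsuite account email when several candidates are present.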