Single sign-on with Hootsuite

  

Hootsuite account authentication supports single sign-on (SSO) for both web and mobile. With SSO set up, you can sign in to your Hootsuite account using your corporate network credentials, instead of with separate Hootsuite credentials.

Plans: Enterprise only

What is SSO?

SSO, or single sign-on, enables you to sign in once, typically to a corporate or enterprise network, and gain access to other software systems without being prompted to sign in to each of them. SSO provides enterprise customers with granular control over account management, but integration capabilities vary across SSO solutions.

Key benefits of SSO

Hootsuite’s SSO solution provides the following benefits:

  • Reduced number of passwords - Hootsuite Enterprise users require only their corporate network login, instead of needing a Hootsuite login and corporate network login.
  • Centralized access control - Enterprise customer network administrators can manage access to Hootsuite through their central identity directory. Central control makes it easy to prevent former employees from accessing Hootsuite.
  • Advanced password management - Administrators can enforce password management policies such as password expiry, minimum password complexity, and no recycling of previous passwords.

Supported providers

Hootsuite supports SSO for the following providers:

  • Okta
  • Azure AD
  • OneLogin
  • Google
  • Ping Identity

Any corporate network identity provider that supports Security Assertion Markup Language (SAML) is supported. Hootsuite supports SAML 2.0 as it enables web-based authentication and authorization with the user’s email as our source of truth.

What is SAML?

Security Assertion Markup Language (SAML) is an open standard data format for exchanging authentication and authorization data between a user directory (identity provider) and client application (service provider). SAML 2.0 enables web-based authentication and authorization scenarios including SSO.

Configuring a SAML authentication service to use with Hootsuite

Hootsuite customer success managers and professional services consultants configure Hootsuite accounts with SSO using the SAML identity provider parameters provided by your system administration team.

Requirements

  1. Hootsuite user accounts must be created first so that the SSO feature can be enabled for them by a customer success manager.
  2. Your SAML service must be able to retrieve an email address for each user who signs in to it (and it must be the same address as the one used to create a corresponding Hootsuite account).
  3. Your SAML service must return the user’s email address to Hootsuite in the response by using one of the following fields (in order of preference):
    1. NameID (in the “subject” node)
    2. uid (attribute)
    3. email (attribute)
    4. email_address (attribute)
    5. emailAddress (attribute)

Initiating setup

When you have confirmed that the requirements are in place, provide the following information (found in the SAML metadata file from your identity provider) to your Hootsuite professional services consultant or customer success manager:

  • SAML Issuer
  • SAML Login URL
  • x.509 Public Signing Certificate

Then provide the following required information, depending on the type of SSO being configured. If your users will need to authenticate into the Hootsuite or Hootsuite Amplify mobile apps with SSO, you should configure for SP-initiated SSO.

SP-initiated SSO:

  • Entity ID (SP entity id): hootsuite.com
  • ACS ID: https://hootsuite.com/login?method=sso

IdP-initiated SSO:

  • ACS ID: https://hootsuite.com/sso/org ID
    The Org ID will be provided by your professional services consultant or customer success manager.

Configuration notes

  • SAML Response must be signed at the assertion level. SAML Response may have at most ONE assertion, which must be signed.
  • SAML Response can be signed or unsigned.
  • SAML Response must not be encrypted.
  • Signature algorithm must be: DSA_SHA1, RSA_SHA1 or RSA_SHA256
  • For SP-SSO, Hootsuite does not sign the SAML Request; therefore, Hootsuite's public signing certificate is not provided because it is not needed.