Skip to main content

Setting Up SAML SSO with Hive Using CAS (Centrally Authenticated Service)

Ellen Kajca avatar
Written by Ellen Kajca
Updated today

This article walks through how to configure SAML-based SSO between Hive and an identity provider that uses CAS (or a similar SAML-capable IdP), and how to troubleshoot common errors such as 401 Unauthorized and Invalid signature.

1. Overview

Hive supports SAML 2.0 single sign-on through a workspace-specific SAML endpoint. This means each Hive workspace has its own SSO URL that you will configure in your identity provider.

This guide is intended for IT admins and IdP owners who are:

  • Using CAS (or another SAML provider, not Okta)

  • Configuring SAML SSO into Hive

  • Seeing errors such as 401 Unauthorized or Invalid signature during login

2. Hive SAML Service Provider Details

Use the following values when configuring Hive as a SAML Service Provider (SP) in your IdP:

  • Entity ID (Audience):
    https://hive.com

  • Assertion Consumer Service (ACS) URL:
    https://app.hive.com/sso/saml/[YOUR_WORKSPACE_ID]

  • Single Sign-On URL:
    https://app.hive.com/sso/saml/[YOUR_WORKSPACE_ID]

  • NameID Format:
    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • Protocol Binding:
    HTTP-POST

Important: Replace [YOUR_WORKSPACE_ID] with your actual Hive workspace ID.
You can find this in your Hive URL (the part that looks like an ID token after /workspace/) or contact Hive Support if you are unsure.

3. NameID and Attribute Requirements

Hive uses the SAML NameID to identify the user attempting to sign in.

  • Required mapping:

    • NameID must map to the user's email address in your identity provider.

    • The email must exactly match the email address of an existing user in your Hive workspace.

      • Same spelling

      • Same domain

      • No extra spaces or case differences that your IdP might normalize

If the NameID email does not match an existing Hive user, the login will fail with a 401 Unauthorized response.

4. Certificate Requirements

Hive validates SAML signatures using the IdP’s signing certificate.

4.1 Which certificate to use

In your Hive workspace, under Enterprise Security → Certificate, you must paste:

  • The IdP signing certificate used for SAML assertions

  • Not your HTTPS/TLS certificate

This certificate is what Hive uses to verify signatures coming from your IdP.

4.2 Certificate formatting

When you paste the certificate in Hive:

  • Ensure there are no extra spaces or line breaks before, within, or after the certificate.

  • It must begin exactly with:
    -----BEGIN CERTIFICATE-----

  • It must end exactly with:
    -----END CERTIFICATE-----

Hidden whitespace or wrapping (for example, from copying from an email or document) can cause validation issues. If you suspect formatting problems:

  1. Copy the certificate from your IdP’s source again.

  2. Paste it into a plain-text editor to clean up formatting.

  3. Paste it into Hive’s Enterprise Security → Certificate field and save.

5. Testing the SAML SSO Flow

After configuring both CAS (or your IdP) and Hive:

  1. In a browser, navigate directly to:
    https://app.hive.com/sso/saml/[YOUR_WORKSPACE_ID]

  2. You should be redirected to your IdP’s sign-in page (for example, your CAS login).

  3. Log in with a user whose email:

    • Is the NameID value in the SAML assertion

    • Exists as an active user in your Hive workspace

  4. After successful authentication at the IdP, you should be redirected back to Hive and logged in.

If everything is configured correctly, the user will land in the Hive workspace without errors.

6. Common Errors and How to Fix Them

6.1 Invalid signature errors

If Hive logs or your support contact mention an “Invalid signature” error, it usually points to a problem with the certificate that Hive is using to validate SAML responses.

Checklist:

  1. Certificate type

    • Confirm you are using the IdP signing certificate, not the HTTPS certificate.

  2. Certificate formatting

    • No trailing or leading whitespace.

    • No additional characters or hidden formatting.

    • Starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.

  3. Recent changes

    • If your IdP’s signing certificate changed, make sure the new certificate is updated in Hive as well.

After updating the certificate, test SSO again by navigating to the SAML URL and signing in.

6.2 401 Unauthorized after successful IdP login

If the user logs into the IdP successfully but sees a 401 Unauthorized from Hive afterward, the most common causes are:

  1. Email / NameID mismatch

    • The NameID email in the SAML response does not match any existing user in Hive.

    • Action:

      • Confirm the exact email address for the user in your IdP.

      • Confirm that the same email is used for that user in Hive.

      • Correct any mismatch and test again.

  2. Incorrect workspace ID in the URL

    • The ACS and SSO URLs must match your actual Hive workspace ID:

      • https://app.hive.com/sso/saml/[YOUR_WORKSPACE_ID]

    • Action:

      • Double-check the workspace ID in your Hive URL.

      • Ensure your IdP configuration uses that exact value.

  3. Certificate formatting still incorrect

    • Even if you removed visible whitespace once, hidden characters may remain.

    • Action:

      • Paste the IdP signing certificate again from a clean source into Hive.

      • Save and retest.

  4. Request signing configuration

    • If you enable SAML request-signing on the IdP side without corresponding configuration on Hive’s side, it can cause issues.

    • Action:

      • Temporarily disable request signing in your IdP, or

      • If you want it enabled, provide the IdP signing certificate to Hive (via the Enterprise Security certificate field) and validate it with Hive Support.

  5. Audience and NameID format mismatch

    • Confirm your IdP configuration uses:

      • Audience: https://hive.com

      • NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

If all of the above are correct and the 401 error persists, contact Hive Support with a recent SAML trace and the approximate time of your latest login attempt so they can check backend logs.

7. Advanced: RequestedAuthnContext setting

Some identity providers (including certain ADFS and CAS setups) can return unexpected AuthnContext values that cause authentication problems at the browser level.

In Hive, there is a setting that can help in this scenario:

  • In your Hive workspace, go to Enterprise Security.

  • Enable the option “Disable RequestedAuthnContext metadata.”

  • Save your changes and confirm the setting is active.

  • Run through the SAML login flow again.

If enabling this does not resolve the issue, capture a new SAML trace and contact Hive Support for further assistance.

Related Articles
How to set-up a custom SAML single sign-on (SSO)
How to configure ADFS single sign-on (SSO)
How to set-up GSuite SAML SSO
Security in Hive
Setting up SAML 2.0 with Okta
Did this answer your question?