How to set up a custom SAML single sign-on (SSO)

With the Enterprise Security package, use this guide to set up a custom SAML configuration if your Identity Provider isn't yet supported.

Written by Eric Typaldos
Updated over a week ago

See our overview of Security in Hive.

Before you begin

SAML SSO is only supported if you have the Enterprise Security Add-on. Please enable the Enterprise Security tile in the Apps section to add this to your plan.

If you already use Okta, you can follow this guide to get SSO set up.

Parameters to configure

Assertion Consumer Service URL (ACS URL)

For example, if your workspace ID is "9W72AGwBUhYeKSpiS" then your ACS URL would be:

Entity ID

Settings to include

  • NameID (required): Should use the "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" format

  • Email Attribute (required): Should be included.

  • "firstName" attribute (required): Should be included. Can be mapped from whatever attribute your IdP uses for first/given name.

  • "lastName" attribute (required): Should be included. Can be mapped from whatever attribute your IdP uses for last/family/surname.


Hive requires the SAML response to be signed. You'll need to paste a valid X.509 certificate in PEM format into Hive, which uses it to verify that signature. This is different from your SSL certificate. Most IdPs will provide this for you when setting up a new application.
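A pre-flight check for the settings listed above, as an added example (not Hive's or Okta's code): it decodes a base64 SAMLResponse captured from a test login and reports which of the required items are missing. The attribute name "email", the helper names and the sample response are assumptions made for illustration, and the signature check is a presence check only, not cryptographic verification.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# "firstName"/"lastName" come from the guide; "email" is an assumed attribute name.
REQUIRED_ATTRS = ("email", "firstName", "lastName")


def check_saml_response(b64_response, required=REQUIRED_ATTRS):
    """Return a list of problems found in a base64-encoded SAMLResponse."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion element found"]
    problems = []
    # Presence only: this does not validate the signature against the certificate.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion carries a ds:Signature")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    elif name_id.get("Format") != PERSISTENT:
        problems.append("NameID Format is %r, expected persistent" % name_id.get("Format"))
    values = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        texts = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        values[attr.get("Name")] = [t for t in texts if t]
    problems += ["attribute %r missing or empty" % n for n in required if not values.get(n)]
    return problems


def build_sample(name_format, attrs, signed=True):
    """Build a constructed (not captured) response so the check runs offline."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if signed else ""
    stmts = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>' % kv
        for kv in attrs.items())
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">%s<saml:Assertion>'
           '<saml:Subject><saml:NameID Format="%s">a1b2c3</saml:NameID></saml:Subject>'
           '<saml:AttributeStatement>%s</saml:AttributeStatement>'
           '</saml:Assertion></samlp:Response>') % (NS["samlp"], NS["saml"], sig, name_format, stmts)
    return base64.b64encode(xml.encode())


if __name__ == "__main__":
    ok = build_sample(PERSISTENT, {"email": "ada@example.com", "firstName": "Ada", "lastName": "Lovelace"})
    print(check_saml_response(ok) or "all required settings present")
```
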

Sample custom configuration with Okta

The section that follows will walk you through configuring a custom SAML SSO application with Okta as your IdP.

Before you begin

In order to use SAML SSO with Hive, you must:

  • Be a workspace or organization admin

  • Have a Hive Enterprise plan

Setting up the sample application

  1. Go to the Okta Admin dashboard

  2. Select "Applications"

  3. Click "Add application"

  4. Select "Create New App"

  5. Choose "Web" as your platform and "SAML 2.0" as your sign on method

  6. Name your application. In this case we're calling it "My custom application"

  7. Paste in your ACS URL according to your workspace ID. In this example we're using "" where "9W72AGwBUhYeKSpiS" should be replaced with your actual workspace ID. Set the "Audience URI" to be "", the "NameID Format" to be "EmailAddress", the "Application username" to be "Email"

  8. Add the "firstName" and "lastName" attribute statements

  9. Hit "Next"

  10. Specify the app to be "I'm an Okta customer adding an internal app" and check the checkbox stating that "This is an internal app that we have created"

  11. Click "Finish"

  12. Go to the "Sign on" tab under your new app and click the "View setup instructions" button to view details which you'll need to paste into Hive

  13. From the setup instructions page, copy the "Identity Provider Single Sign-On URL", "Identity Provider Issuer", and "X.509 Certificate" into Hive

  14. Paste the 3 copied values from Okta into Hive. Go to the menu in the top right of Hive, select "Your workspace", then go to the "Auth" tab to find where to paste the values

  15. Close the menu to save

  16. Assign user(s) in Okta to the application and attempt an IdP-initiated login to test the SSO
