See our overview of Security in Hive.
Before you begin
Note: ADFS does not currently support automatic deprovisioning with SCIM. When users are deprovisioned in your IDP, don't forget to deactivate the user in Hive.
ADFS SSO (and all SAML SSO) is only available on Hive Enterprise plans. Contact our Sales team to learn more.
Step 1: Set up your ADFS instance for Hive
1. Open your ADFS Management console
2. Select the "Add Relying Party Trust..." action
3. Leave the default selected "Claims aware" option, click "Start"
4. On the "Select Data Source" screen, select "Enter data about the relying party manually" and click "Next"
5. On the "Specify Display Name" screen, add a friendly display name. Most people will add their company name with something denoting that it is for Hive. Click "Next"
6. On the "Configure Certificate" screen, leave fields empty and click "Next"
7. On the "Configure URL" screen, select the "Enable support for the SAML 2.0 Web SSO protocol". For the relying party URL, go to your workspace and copy the ACS URL provided in the "Auth" window, then paste it here. The URL should look something like "https://app.hive.com/sso/saml/9W72AGwBUhYeKSpiS" where "9W72AGwBUhYeKSpiS" is unique to your Hive workspace. Click "Next".
8. On the "Configure Identifiers" screen, add an identifier with the value of "https://hive.com". Click "Next".
9. On the "Choose Access Control Policy" screen, leave the "Permit Everyone" policy and click "Next".
10. Once at the "Ready to Add Trust" screen, click "Next". On the final screen, leave the "Configure claims issuance policy for this application" checkbox checked. Click "Close".
11. If the "Edit Claim Issuance Policy" window did not appear, right click on your new Trust in the "Relying Party Trusts" list and click on "Edit Claim Issuance Policy".
12. Select "Add Rule..."
13. Leave the default "Claim rule template" of "Send LDAP Attributes as Claims" selected and click "Next".
14. Name the claim rule "Hive Attributes" or something similar. You will use this to send LDAP attributes to Hive on user provisioning and login.
15. Select "Active Directory" as the "Attribute store"
16. Add two field mappings: one with the "Outgoing Claim Type" of "firstName" and another with "lastName". Select whichever LDAP attributes best represent the user's first and last name. Most people use "Given-Name" for "firstName" and "Surname" for "lastName".
17. Click "Finish" to save the attribute mappings.
18. You'll need to add one more rule from the "Claim Issuance Policy" screen. Click "Add rule" again.
19. Select the "Transform an Incoming Claim" option on the "Claim rule template" dropdown. Click "Next".
20. Incoming claim type should be "UPN". Select "Name ID" as the outgoing claim type, and "Persistent Identifier" as the Outgoing name ID format. Click "Finish".
If your AD FS uses a different internal email (UPN) domain than the email addresses used externally (for example, internally you use "firstname.lastname@example.org" but the public-facing email uses "email@example.com"), then you will want to use the "Replace incoming e-mail suffix claims with a new e-mail suffix" option of the transform rule instead.
See the example below:
If you do not properly configure this, you may have a mismatch or duplicate users being created in Hive because the email address stored in Hive does not match the one passed by ADFS in the SAML flow.
21. Click "Apply" on the claims issuance window and close it out.
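The same Step 1 configuration can be scripted with the ADFS PowerShell module, which is also the easiest way to review exactly what a trust sends to Hive. The script below is an added example, not Hive's own tooling or text from this article: the ACS URL, display name and the "example.com" suffix are placeholders you must replace, it assumes Windows Server 2016 or later (for the "Permit everyone" access control policy), and the claim rule text is the standard output of the two rule templates named above.

```powershell
# Added example (not Hive's code): Step 1 as ADFS PowerShell. Run elevated on the AD FS server.
Import-Module ADFS

$AcsUrl      = 'https://app.hive.com/sso/saml/REPLACE-WITH-YOUR-WORKSPACE-ID'  # placeholder: copy from Hive's Auth window
$DisplayName = 'AcmeCorp - Hive'                                                 # assumption: any friendly name
$Identifier  = 'https://hive.com'                                                # fixed value from the steps above

# Rule 1, "Send LDAP Attributes as Claims": Given-Name -> firstName, Surname -> lastName
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Hive Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("firstName", "lastName"), query = ";givenName,sn;{0}", param = c.Value);
'@

# Rule 2, "Transform an Incoming Claim": UPN -> Name ID with the persistent format
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "UPN to persistent Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
'@

# Rule 2 variant for a UPN domain that differs from the public e-mail domain
# ("Replace incoming e-mail suffix claims with a new e-mail suffix"). Use it
# INSTEAD of $nameIdRule in that case; "example.com" is a placeholder suffix.
$nameIdRewriteRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "UPN to persistent Name ID (public suffix)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value, "(?<user>[^@]+)@(?<domain>.+)", "${user}@example.com"), ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
'@

# SAML 2.0 Web SSO endpoint: the assertion consumer is Hive's ACS URL (HTTP-POST binding)
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0

# Create the relying party trust with both rules in one issuance transform policy
Add-AdfsRelyingPartyTrust -Name $DisplayName `
    -Identifier $Identifier `
    -SamlEndpoint $acs `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules ($ldapRule + "`n" + $nameIdRule)

# Check: confirm identifier, ACS endpoint and the rules actually attached to the trust
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules |
    Format-List
```

The final `Get-AdfsRelyingPartyTrust` output is the place to verify the mismatch case described above: the Name ID rule must emit the same address Hive stores for the user, otherwise a second, duplicate user is created at first login.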
Step 2: Integrate Hive with your ADFS instance
1. Log into your Hive workspace, click on your avatar in the top right of the screen and select "Settings" option in the menu.
2. Select the "Authentication" tab. Note that only Admins will see the Authentication tab.
3. For the "SAML SSO URL", enter your ADFS URL. This is usually something like "https://adfs.acmecorp.com/adfs/ls".
4. For the "Identifier Format", you'll want to use the value "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" to ensure a persistent id is used.
5. Lastly, copy your ADFS service certificate from ADFS and paste it into the "Certificate" field. If you're not sure where to find this certificate, see the section below titled "Exporting your ADFS service certificate".
6. At this point, your filled out "Authentication" screen should look something like below:
7. Once filled in, the settings are applied. At this point, your ADFS configuration is complete. You can test it out by visiting the ACS URL listed in the "Authentication" screen.
Exporting your ADFS service certificate
To export the certificate:
In AD FS, select Service > Certificates
Select the certificate under Token-signing, and click View Certificate under Actions
Click on the Details tab, and click Copy to File...
Click next, select Base-64 encoded x.509, and click next
Choose a location to save the certificate.
Click Next and click Finish
Open the certificate in a text editor
Copy the file's content and paste into Hive
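The export can also be done from PowerShell on the AD FS server, which avoids picking the wrong certificate in the MMC during a key rollover. This is an added example, not part of Hive's documentation; the output path is an assumption.

```powershell
# Added example (not Hive's code): export the primary token-signing certificate
# as Base-64 encoded X.509, the same format "Copy to File..." produces above.
Import-Module ADFS

$OutFile = Join-Path $env:TEMP 'adfs-token-signing.cer'   # assumption: any writable path

# IsPrimary matters: during automatic rollover AD FS holds two token-signing
# certificates, and Hive must be given the one currently used to sign assertions.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$x509    = $signing.Certificate   # X509Certificate2

# Base-64 body with 76-column line breaks, wrapped in the PEM markers Hive expects
$b64 = [Convert]::ToBase64String($x509.RawData, [Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
Set-Content -Path $OutFile -Value $pem -Encoding ASCII

# Details worth noting before pasting the file's content into Hive
"Thumbprint : $($x509.Thumbprint)"
"Expires    : $($x509.NotAfter)"
"Rollover   : $((Get-AdfsProperties).AutoCertificateRollover)"
"Written to : $OutFile"
```

If `AutoCertificateRollover` is `True`, AD FS will generate and promote a new token-signing certificate before the current one expires, and Hive's "Certificate" field must be updated to match or logins will start failing with signature errors; the `NotAfter` date printed above is the reminder to schedule.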