Before you begin

SAML SSO is only supported if you're on the Enterprise plan. Please contact Sales if you'd like to upgrade.

If you already use Okta, you can follow this guide to get SSO set up.

Parameters to configure

Assertion Consumer Service URL (ACS URL)

The ACS URL to use is https://app.hive.com/sso/saml/${your_workspace_id}

For example, if your workspace ID is "9W72AGwBUhYeKSpiS", then your ACS URL would be:
https://app.hive.com/sso/saml/9W72AGwBUhYeKSpiS

Entity ID

https://hive.com

Settings to include

  • NameID (required): Should use the "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" format
  • Email Attribute (required): Should be included.
  • "firstName" attribute (required): Should be included. Can be mapped from whatever attribute your IdP uses for first/given name.
  • "lastName" attribute (required): Should be included. Can be mapped from whatever attribute your IdP uses for last/family/surname.

Certificates

Hive requires the SAML response to be signed. You'll need to paste a valid X.509 certificate in PEM format into Hive; Hive uses it to verify the signature on responses from your IdP. This is different from your SSL certificate. Most IdPs will provide this for you when setting up a new application.
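A pre-flight check for the settings above, as an added example (not Hive's or Okta's code): it inspects a decoded SAML response, such as one captured during a test login, for the Destination, signature element, NameID format, audience and required attributes listed on this page. The function name, the `email` attribute name and the sample XML are assumptions, and the script checks structure only; it does not validate the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ACS = "https://app.hive.com/sso/saml/9W72AGwBUhYeKSpiS"  # example workspace ID from this guide

def check_response(xml_text, acs_url, entity_id="https://hive.com",
                   nameid_format=PERSISTENT, email_attr="email"):
    """Return the problems found in a decoded SAML response (hypothetical helper)."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    # The signature element must be a direct child of the Response or the Assertion.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("response is not signed")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != nameid_format:
        problems.append("NameID missing or wrong Format")
    audiences = [(a.text or "").strip() for a in assertion.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience does not include the Entity ID")
    # Only attributes that carry a non-empty value count as present.
    present = {a.get("Name") for a in assertion.iterfind(".//saml:Attribute", NS)
               if (a.findtext("saml:AttributeValue", "", NS) or "").strip()}
    for required in (email_attr, "firstName", "lastName"):  # email_attr name is assumed
        if required not in present:
            problems.append(f"attribute {required} missing or empty")
    return problems

# Constructed sample: unsigned, and the lastName attribute is absent.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="{ACS}">
 <saml:Assertion>
  <saml:Subject><saml:NameID Format="{PERSISTENT}">a1b2c3</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://hive.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE, ACS))
```

Pass a different `entity_id` or `nameid_format` if your IdP application is configured with other values than the defaults used here.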

Sample custom configuration with Okta

The section that follows will walk you through configuring a custom SAML SSO application with Okta as your IdP.

Before you begin

In order to use SAML SSO with Hive, you must:

  • Be a workspace or organization admin
  • Have a Hive Enterprise plan

Setting up the sample application

  1. Go to the Okta Admin dashboard
  2. Select "Applications"
  3. Click "Add application"
  4. Select "Create New App"
  5. Choose "Web" as your platform and "SAML 2.0" as your sign on method
  6. Name your application. In this example, we're calling it "My custom application"
  7. Paste in your ACS URL according to your workspace ID. In this example we're using "https://app.hive.com/sso/saml/9W72AGwBUhYeKSpiS", where "9W72AGwBUhYeKSpiS" should be replaced with your actual workspace ID. Set the "Audience URI" to be "https://app.hive.com", the "NameID Format" to be "EmailAddress", and the "Application username" to be "Email"
  8. Add the "firstName" and "lastName" attribute statements
  9. Hit "Next"
  10. Specify the app to be "I'm an Okta customer adding an internal app" and check the checkbox stating that "This is an internal app that we have created"
  11. Click "Finish"
  12. Go to the "Sign on" tab under your new app and click the "View setup instructions" button to view the details that you'll need to paste into Hive
  13. From the setup instructions page, copy the "Identity Provider Single Sign-On URL", "Identity Provider Issuer", and "X.509 Certificate"
  14. Paste the 3 copied values from Okta into Hive. Go to the menu in the top right of Hive, select "Your workspace", then go to the "Auth" tab to find where to paste the values
  15. Close the menu to save
  16. Assign user(s) in Okta to the application and attempt an IdP-initiated login to test the SSO
