Plan availability
Ask, Observe
Book a call with our Sales team to learn more about Scale plan features.
Single Sign-On (SSO) is an identification system that authenticates your identity for multiple applications and services at once. Security Assertion Markup Language (SAML) is most frequently the underlying protocol that makes web-based single sign-on possible.
SAML Single Sign-On lets you access Hotjar through a SAML-based Identity Provider, so you can use one set of user identity information to log in to many different websites and applications securely, without needing to confirm your identity with every service you use.
- How SAML SSO works
- The Benefits of using SAML SSO
- How to request SAML SSO Connection
- How to Connect your Organization to your Identity Provider
- How to Disconnect your SAML SSO Connection
- How to access a SAML SSO enabled Organization
- FAQs
Two-factor authentication (2FA) is not available for customers who sign in with SAML SSO
Users who sign in with SAML SSO will not have access to two-factor authentication.
How SAML SSO works
SAML provides a way to authenticate users to third-party web apps, like Hotjar, by redirecting your browser to a company login page. After successful authentication on that login page, it redirects you back to the third-party web application where you are granted access.
Below are a few key terms that are involved in a typical SAML SSO authentication process:
- Principal/user (aka a Hotjar customer) - The person who is accessing the web applications.
- Identity Provider (IdP) - An identity provider (IdP) is a cloud software service that stores and confirms the user's identity, typically through a login process.
- Service Provider (SP) - This is the cloud-hosted application or service the user wants to use. These are platforms like Gmail, Slack, Salesforce, and Hotjar.
When single sign-on is used, you log in to your Identity Provider rather than directly to the Service Provider, and SAML grants access in place of a direct login.
The Benefits of using SAML SSO
- Reduced security risks - SAML SSO is used to provide a single point of authentication at a secure identity provider and then assert the identity to others. Having fewer applications where your identities are stored means there are fewer places for them to be breached or stolen.
- Experience - SAML SSO allows users to securely access multiple applications with a single set of credentials entered once so that you can conduct business faster and more efficiently.
- Username and Password Management - SAML SSO simplifies username and password management by allowing you to securely access multiple applications with a single set of credentials. It also helps you manage any type of personnel changes such as a team member leaving the organization.
How to Request SAML SSO Connection
Account Owner Access Required
Only the Account Owner can access the Single sign-on section of the account to request an SSO connection. To find out who your account owner is, head to your Team List.
From your Settings page, select Single-sign on.
Click Create SSO Connection.
After clicking on Create SSO Connection, fill out the following information.
Login ID: This is the value you specify that your SAML SSO users will enter when they log in with SAML SSO. Usually, it's related to your company. For example, for Hotjar, we would use hotjar.
Email attribute: This is the custom attribute that holds the email address of your SAML SSO user. Check with your Identity Provider configuration to ensure the custom attribute is set up, and enter the attribute's name here. Enter the custom attribute exactly as it appears in your Identity Provider configuration; otherwise, the connection will fail.
Login URL: This is the URL that leads to the SAML SSO login form for your Identity Provider. Your IT Team will be able to provide this.
X.509 Certificate: This is available from your SAML SSO Identity Provider.
After filling out the information, click Create.
Update your Identity Provider configuration.
Once you’ve entered all of the information above and selected Create, you’ll be provided with the ACS URL and Entity ID.
The next step is to add both of these into the SAML SSO configuration of your Identity Provider. After you’ve updated your Identity Provider configuration with the ACS URL and Entity ID, you can connect your Organization to your Identity Provider by following the steps in the section below called How to Connect your Organization to your Identity Provider.
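An added example (not Hotjar's code): a pre-flight check that compares a test SAML response from your Identity Provider with the Email attribute, ACS URL and Entity ID described above. The URLs, attribute name and XML are constructed placeholders; it assumes the standard SAML 2.0 placement of the ACS URL in Destination and the Entity ID in Audience, and it does not verify the response signature.

```python
# Pre-flight check of a test SAML response against the Service Provider settings.
# All URLs, attribute names and the XML below are constructed placeholders.
import xml.etree.ElementTree as ET  # use defusedxml for XML you did not author

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://sp.example.test/saml/acs">
  <saml:Assertion>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/saml/entity</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email">
        <saml:AttributeValue>ana@corp.example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

def check_assertion(xml_text, acs_url, entity_id, email_attribute):
    """Return a list of mismatches between the response and the SP settings."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        problems.append(f"Entity ID not in Audience list {audiences}")
    attrs = {a.get("Name"): a for a in root.iterfind(".//saml:Attribute", NS)}
    if email_attribute not in attrs:  # exact, case-sensitive comparison
        near = [n for n in attrs if n and n.lower() == email_attribute.lower()]
        hint = f"; IdP sends {near[0]!r} (case differs)" if near else ""
        problems.append(f"attribute {email_attribute!r} not in assertion{hint}")
    else:
        value = attrs[email_attribute].findtext("saml:AttributeValue", default="", namespaces=NS)
        if "@" not in value:
            problems.append(f"attribute {email_attribute!r} holds no email address")
    return problems
```

An empty list means the three settings line up with what the Identity Provider sends; an Email attribute entered as `email` when the Identity Provider sends `Email` is reported as a case mismatch.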
How to Connect your Organization to your Identity Provider
On the Single-sign on page, you’ll see details about your SAML SSO connection including the list of Identity Providers that have been connected to your account. From here, you'll be able to connect your Organization to your Identity Provider. As a heads up, only the Account Owner will have access to the Single-sign on page.
From the list of Identity Providers, click Connect Organization.
From the drop-down, choose your Organization and click Connect Organization.
You'll automatically be prompted to invite team members. To do this, click Invite Team.
You can connect another Organization, or click Done.
How to Disconnect your SAML SSO Connection
From the Single-sign on page, the Account Owner will be able to manage the SAML SSO Connection, including connecting other Organizations and disconnecting the SAML SSO Connection from Organizations.
Click the down arrow next to the organization to open the settings.
Click Disconnect Organization. You'll be able to review everything before finishing.
When disconnecting your Organization, please be aware of the following:
- Your Organization and sites will not be deleted from Hotjar
- Team Members will no longer be able to use Single Sign-On to access the Organization
- All team members will need to rejoin the Organization using their standard username and password
- Any Team member who doesn’t already have a Hotjar account associated with their email will need to create one
To finish disconnecting the Organization, select Yes, disconnect Organization.
You'll see a confirmation that your organization was disconnected. Click Done.
How to Access a SAML SSO enabled Organization
SAML SSO is enabled at the Organization level. All Team members who were already listed on the Organization will automatically receive an invite to use Hotjar with their SSO logins instead of their username and password.
From the invite, click Sign Up with SSO
Fill in your details and Sign up with SAML SSO
You'll no longer be able to access the SAML SSO Organization with your username and password
You’ll no longer be able to access the Organization where SAML SSO is enabled with your username and password, with the exception of the Account Owner and Hotjar Support (if required). Team members who are part of multiple Organizations will still be able to use their email and password to log in to other Organizations where SAML SSO is not enabled.
After you have created your account, next time you access Hotjar, you’ll need to choose the ‘Sign in with SAML SSO’ option and use your company's Login ID to access the SAML SSO enabled Organization.
Single Sign-On (SAML SSO) FAQs
- How do I change ownership of my account when I have a Single Sign-On (SAML SSO) enabled on my Organization?
- How do I transfer my Single Sign-On (SAML SSO) enabled Organization to a listed admin on the Organization?
How do I change ownership of my account when I have a Single Sign-on (SAML SSO) enabled on my Organization?
Account Ownership cannot be transferred to a listed team member on a Single Sign-On (SAML SSO) enabled Organization. You can change Account Ownership by first inviting the new Account Owner to a non-SSO enabled Organization on your account and then following the steps to change Account Ownership.
The current Account Owner will lose access
Changing Account Owners will remove the current Account Owner from the Single Sign-On (SAML SSO) enabled Organization.
If you only have one Organization on your account and SAML SSO is enabled, you'll first need to create a new Organization before changing Account Owner.
Create a new Organization on the Account.
Invite the new Account Owner to the new Organization.
Once the team member is a user on the non-SSO enabled Organization, you can change Account Ownership to them.
How do I transfer my Single Sign-On (SAML SSO) enabled Organization to a listed admin on the Organization?
It is not possible to transfer a SAML SSO enabled Organization to a new account. To transfer an Organization, single sign-on will first need to be disabled. Please reach out to support for help.