Single Sign-On (SSO) is an identification system that authenticates your identity for multiple applications and services at once. Security Assertion Markup Language (SAML) is most frequently the underlying protocol that makes web-based single sign-on possible.
SAML Single Sign-On lets you access Hotjar through a SAML-based Identity Provider, so you can use one set of user identity information to log into many different websites and applications securely, without needing to confirm your identity with every service you use.
- How SAML SSO works
- The Benefits of using SAML SSO
- How to request SAML SSO Connection
- How to Connect your Organization to your Identity Provider
- How to Disconnect your SAML SSO Connection
- How to access a SAML SSO enabled Organization
Two-factor authentication (2FA) is not available for customers who sign in with SAML SSO
Users who sign in with SAML SSO will not have access to two-factor authentication.
How SAML SSO works
SAML provides a way to authenticate users to third-party web apps, like Hotjar, by redirecting your browser to a company login page. After successful authentication on that login page, it redirects you back to the third-party web application where you are granted access.
Below are a few key terms that are involved in a typical SAML SSO authentication process:
- Principal/user (aka a Hotjar customer) - The person who is accessing the web applications.
- Identity Provider (IdP) - An identity provider (IdP) is a cloud software service that stores and confirms the user's identity, typically through a login process.
- Service Provider (SP) - This is the cloud-hosted application or service the user wants to use. These are platforms like Gmail, Slack, Salesforce, and Hotjar.
When single sign-on is used, you log into your Identity Provider rather than into the Service Provider directly, and SAML grants you access in place of a direct login.
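The redirect from Service Provider to Identity Provider described above, as an added Python example (not Hotjar's or any Identity Provider's code): the SP packs a SAML AuthnRequest into the HTTP-Redirect binding and the IdP decodes it. The `example.com` URLs, the size limit and the function names are assumptions; request signing and the signed response that travels back to the SP are out of scope.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed placeholder endpoints (assumptions, not real Hotjar or IdP URLs).
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/sso"
MAX_XML = 64 * 1024  # assumed cap on the inflated request size


def build_redirect(relay_state):
    """SP side: return (request_id, URL) that sends the browser to the IdP."""
    request_id = "_" + uuid.uuid4().hex  # an xs:ID may not start with a digit
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.
    comp = zlib.compressobj(zlib.Z_DEFAULT_COMPRESSION, zlib.DEFLATED, -15)
    deflated = comp.compress(ET.tostring(req)) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return request_id, f"{IDP_SSO_URL}?{query}"


def idp_parse(url):
    """IdP side: decode the query string back into the request fields."""
    params = parse_qs(urlparse(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(raw, MAX_XML)  # bounded, to resist inflate bombs
    if inflater.unconsumed_tail:
        raise ValueError("SAMLRequest exceeds size limit")
    root = ET.fromstring(xml)  # use a hardened XML parser on untrusted input
    return {"id": root.get("ID"),
            "issuer": root.find(f"{{{SAML}}}Issuer").text,
            "acs": root.get("AssertionConsumerServiceURL"),
            "relay_state": params["RelayState"][0]}
```

The SP keeps `request_id` in the user's session so that it can later accept only a response whose `InResponseTo` matches a request it actually issued.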
The Benefits of using SAML SSO
- Reduced security risks - SAML SSO is used to provide a single point of authentication at a secure identity provider and then assert the identity to others. Having fewer applications where your identities are stored means there are fewer places for them to be breached or stolen.
- Experience - SAML SSO allows users to securely access multiple applications with a single set of credentials entered once so that you can conduct business faster and more efficiently.
- Username and Password Management - SAML SSO simplifies username and password management by allowing you to securely access multiple applications with a single set of credentials. It also helps you manage any type of personnel changes such as a team member leaving the organization.
How to Request SAML SSO Connection
Account Owner Access Required
Only the Account Owner can access the Single sign-on section of the account to request an SSO connection. To find out who your Account Owner is, head to your Team List.
From your Settings page, select "Single-sign on"
Click "Request SSO Connection"
SAML SSO is enabled by Hotjar Support
At this time, SAML SSO will be added to your account by Hotjar support and will take 1-2 business days from when your "Request to Connect SSO" is received. You'll be notified when SSO is enabled so that you can connect your Organization and invite Team Members.
How to Connect your Organization to your Identity Provider
On the Single-sign on page, you’ll see details about your SAML SSO connection including the list of Identity Providers that have been connected to your account. From here, you'll be able to connect your Organization to your Identity Provider. As a heads up, only the Account Owner will have access to the Single-sign on page.
From the list of Identity Providers, click the "Connect Organization" Button
From the drop-down, choose your Organization and click "Connect Organization"
You'll automatically be prompted to invite team members. To do this, click "Invite Team"
You can connect another Organization, or click "Done"
How to Disconnect your SAML SSO Connection
From the Single-sign on page, the Account Owner will be able to manage the SAML SSO Connection, including connecting other Organizations and disconnecting the SAML SSO Connection from Organizations.
Click the down arrow next to the organization to open the settings
Click on the "Disconnect Organization" button. You'll be able to review everything before finishing
When disconnecting your Organization, please be aware of the following:
- Your Organization and sites will not be deleted from Hotjar
- Team Members will no longer be able to use Single Sign-On to access the Organization
- All team members will need to rejoin the Organization using their standard username and password
- Any Team member who doesn’t already have a Hotjar account associated with their email will need to create one
To finish disconnecting the Organization, select "Yes, disconnect Organization"
You'll see a confirmation that your organization was disconnected. Click "Done"
How to Access a SAML SSO enabled Organization
SAML SSO is enabled at the Organization level. All Team members who were already listed on the Organization will automatically receive an invite to use Hotjar with their SSO logins instead of their username and password.
From the invite, click Sign Up with SSO
Fill in your details and Sign up with SAML SSO
You'll no longer be able to access the SAML SSO Organization with your username and password
You’ll no longer be able to access the Organization where SAML SSO is enabled with your username and password, with the exception of the Account Owner and Hotjar Support (if required). Team members who are part of multiple Organizations will still be able to use their email and password to login to other Organizations where SAML SSO is not enabled.
After you have created your account, next time you access Hotjar, you’ll need to choose the ‘Sign in with SAML SSO’ option and use your company's Login ID to access the SAML SSO enabled Organization.
Single Sign-On (SAML SSO) FAQs
- How do I change ownership of my account when I have a Single Sign-On (SAML SSO) enabled on my Organization?
- How do I transfer my Single Sign-On (SAML SSO) enabled Organization to a listed admin on the Organization?
How do I change ownership of my account when I have a Single Sign-on (SAML SSO) enabled on my Organization?
Account Ownership cannot be transferred to a listed team member on a Single Sign-On (SAML SSO) enabled Organization. You can change Account Ownership by first inviting the new Account Owner to a non-SSO enabled Organization on your account and then following the steps to change Account Ownership.
The current Account Owner will lose access
Changing Account Owners will remove the current Account Owner from the Single Sign-On (SAML SSO) enabled Organization.
If you only have one Organization on your account and SAML SSO is enabled, you'll first need to create a new Organization before changing Account Owner.
Create a new Organization on the Account.
Invite the new Account Owner to the new Organization
Once the team member is a user on the non SSO enabled Organization, you can change Account Ownership to them.
How do I transfer my Single Sign-On (SAML SSO) enabled Organization to a listed admin on the Organization?
It is not possible to transfer a SAML SSO enabled Organization to a new account. To transfer an Organization, single sign-on will first need to be disabled. Please reach out to support for help.