Articles in this section

Single Sign-On (SAML SSO)

Single Sign-On (SAML SSO) is only available on the Observe Scale plan label plan. To upgrade contact our Sales team.

Single Sign-On (SSO) is an identification system that authenticates your identity for multiple applications and services at once. Security Assertion Markup Language (SAML) is most frequently the underlying protocol that makes web-based single sign-on possible.

SAML Single Sign-On lets you access Hotjar through a SAML-Based Identity Provider allowing you to use one set of user identity information to log into many different websites and applications securely without needing to confirm your identity with every service you use.

Two-factor authentication (2FA) is not available for customers who sign in with SAML SSO

Users who sign in with SAML SSO will not have access to two-factor authentication.

How SAML SSO works

SAML provides a way to authenticate users to third-party web apps, like Hotjar, by redirecting your browser to a company login page. After successful authentication on that login page, it redirects you back to the third-party web application where you are granted access.

Below are a few key terms that are involved in a typical SAML SSO authentication process:

  • Principle/user (aka a Hotjar customer) - The person who is accessing the web applications.
  • Identity Provider (IdP) - An identity provider (IdP) is a cloud software service that stores and confirms the user's identity, typically through a login process.
  • Service Provider (SP) - This is the cloud-hosted application or service the user wants to use. These are platforms like Gmail, Slack, Salesforce, and Hotjar.

Instead of logging into the Service Provider directly, when single sign-on is used, you'll log into your Identity Provider instead, and SAML will give access instead of a direct login.

The Benefits of using SAML SSO

  • Reduced security risks - SAML SSO is used to provide a single point of authentication at a secure identity provider and then assert the identity to others. Having less applications where your identities are stored means there are fewer places for them to be breached or stolen.
  • Experience - SAML SSO allows users to securely access multiple applications with a single set of credentials entered once so that you can conduct business faster and more efficiently.
  • Username and Password Management - SAML SSO simplifies username and password management by allowing you to securely access multiple applications with a single set of credentials. It also helps you manage any type of personnel changes such as a team member leaving the organization.

Back to top

How to Request SAML SSO Connection

Account Owner Access Required

Only the Account Owner can access the Single sign-on section of the account to Request SSO connection. To find out who your account owner is head to your Team List.

From your Settings page, select "Single-sign on"

The Account Settings Page of the Dashboard is shown with an arrow pointing to single-sign-on and a highlighted Request Connection Button

Click "Request SSO Connection"

SAML SSO is enabled by Hotjar Support

At this time, SAML SSO will be added to your account by Hotjar support and will take 1-2 business days from when your "Request to Connect SSO" is received. You'll be notified when SSO is enabled so that you can connect your Organization and invite Team Members.

How to Connect your Organization to your Identity Provider

On the Single-sign on page, you’ll see details about your SAML SSO connection including the list of Identity Providers that have been connected to your account. From here, you'll be able to connect your Organization to your Identity Provider. As a heads up, only the Account Owner will have access to the Single-sign on page.

From the list of Identity Providers, click the "Connect Organization" Button

The Account Settings Page of the Hotjar Dashboard is shown with a ride box highlight the green Connect Organization Button

From the drop-down, choose your Organization and click "Connect Organization"

a menu window is showing with an arrow pointing right towards a drop-down error to select the Organization and a Connect Organization button

You'll automatically be prompted to invite team members, to do this, click "Invite Team"

A confirmation window is shown with a red arrow pointing to a green invite team member box

You can connect another Organization, or click "Done" 

A confirmation window is shown with confirmation that Single Sign On is enabled and the option to connect another Organization or click green done button

How to Disconnect your SAML SSO Connection

From the Single-sign on page, the Account Owner will be able to manage the SAML SSO Connection including connecting other Organizations and disconnecting SAML SSO Connection from Organizations.

Click the down arrow next to the organization to open the settings

Click on the "Disconnect Organization" button. You'll be able to review everything before finishing

When disconnecting your Organization, please be aware of the following:

  • Your Organization and sites will not be deleted from Hotjar
  • Team Members will no longer be able to use Single Sign-On to access the Organization
  • All team members will need to rejoin the Organization using their standard username and password
  • Any Team member who doesn’t already have a Hotjar account associated with their email will need to create one

To finish disconnecting the Organization, select "Yes, disconnect Organization"

You'll see a confirmation that your organization was disconnected, Click "Done"

Back to top

How to Access a SAML SSO enabled Organization

SAML SSO is enabled at the Organization level. All Team members who were already listed on the Organization will automatically receive an invite to use Hotjar with their SSO logins instead of their username and password.

From the invite, click Sign Up with SSO

image is showing the invite message with sign up with SSO button

Fill in your details and Sign up with SAML SSO

hotjar sign up page with arrow pointing to the option to sign up with SAML SSO

You'll no longer be able to access the SAML SSO Organization with your username and password

You’ll no longer be able to access the Organization where SAML SSO is enabled with your username and password, with the exception of the Account Owner and Hotjar Support (if required). Team members who are part of multiple Organizations will still be able to use their email and password to login to other Organizations where SAML SSO is not enabled.

After you have created your account, next time you access Hotjar, you’ll need to choose the ‘Sign in with SAML SSO’ option and use your company's Login ID to access the SAML SSO enabled Organization.

hotjar sign in page showing the option to sign in with SAML SSO

Back to top

Single Sign-On (SAML SSO) FAQs

How do I change ownership of my account when I have a Single Sign-on (SAML SSO) enabled on my Organization?

Account Ownership cannot be transferred to a listed team member on a Single Sign-On (SAML SSO) enabled Organization. You can change Account Ownership by first inviting the new Account Owner to a non-SSO enabled Organization on your account and then follow the steps to change Account Ownership.

The current Account Owner will lose access

Changing Account Owners will remove the current Account Owner from the the Single Sign-On (SAML SSO) enabled Organization

If you only have one Organization on your account and SAML SSO is enabled, you'll first need to create a new Organization before changing Account Owner.

Create a new Organization on the Account.

Invite the new Account Owner to the new Organization

Once the team member is a user on the non SSO enabled Organization, you can change Account Ownership to them.

How do I transfer my Single Sign-On (SAML SSO) enabled Organization to a listed admin on the Organization?

It is not possible to transfer a SAML SSO enabled Organization to a new account. To transfer an Organization, single sign-on will first need to be disabled. Please reach out to support for help.

Back to top

 

Related articles