You can use Single Sign On (SSO) to easily manage your employees' access to Hover from a single place. Your employees can log into Hover using their existing Active Directory credentials.

SSO also gives you complete control over provisioning and de-provisioning your employees' access to Hover as they join or leave your company.

Hover's SSO configuration pertains to the specific Org ID that the SSO was configured on and will trickle down all of the same configurations to any sub-orgs that may exist underneath.

If new users are added to Hover by way of an SSO setup (meaning new users added to that Identity Provider), they will be added to the parent org (assuming that is where the Hover SSO configuration occurred) and not to a specific sub-org underneath.

We can work with any identity provider that supports SAML 2.0 specification. Many of the popular providers like Okta, OneLogin, Azure Active Directory, Auth0, etc. have support for SAML 2.0

The standard Hover session will last 30 Days and that holds true for SSO, also.

Your organization must be enabled for Single Sign On, and your individual Hover account must have administrator privileges in order to configure SSO for your organization.

To request enabling SSO for your organization, please contact your Hover account manager or the Hover support team. Then, if you are not already a Hover admin, reach out to the admin within your team or contact the Hover support team to have your account updated to "administrator".

Once that has been done, you can log into your Hover account as an admin and find the SSO configuration screen under Settings.

Refer to this step-by-step guide.

Yes, we do have a sandbox where you can test the configuration before rolling out on production. Please reach out to your account manager or Hover support team for details.

Yes. While setting up SSO, you can select 'Configuration Mode'. This allows you to test SSO but will not impact any of your existing employees' access to Hover.

Once you are satisfied with testing and have assigned the Hover app to your employees, you can change the selection to 'Strict SSO'. From this point onwards, your employees' existing Hover credentials will stop working.

If you are using 'Configuration Mode', SSO will be the default experience, but existing users' password and email address will continue to work if they choose to sign on with those credentials.

Once 'Strict SSO' is enabled for your organization, any existing users' email and password credentials will stop working. They will have to use SSO to log into Hover.

We require an email address to be included in the SAML Subject. Please use the following name ID format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified while setting up the Hover app in your Identity Provider dashboard.

We also require the user's first & last name to be included in the Attribute Statements as first_name and last_name.

At this point, we do not support SCIM. However, we do auto-provision new users who login via SSO.

No. If your organization is on 'Strict SSO', any previous employees of your company won't be able to access Hover because they will no longer have access to your identity provider. Their session will time out after 30 days from their last login date.

If the org is on 'Strict SSO', users cannot be added or removed. But they can be moved to another org through the assistance of the Hover support team.

If the organization is on 'Configuration Mode', then users can be added, or removed. If users need to be moved, the Hover support team will need to provide assistance.

Yes. There isn’t a capability, currently, for Hover admins to archive or delete a user on an account. Once your organization deactivates a user(s) from the IdP, they will no longer be able to login, but their account will still appear under your organization in Hover.

To have them permanently removed, reach out to the Hover support team for assistance.

Claiming a domain adds a layer of security by only allowing members with a claimed domain in their email address to access Hover.

Once you’ve claimed a domain, we will also enforce Single Sign On as the only login method for users with an email address matching the claimed domain. In other words, they will not be able to use their existing username & password to log into Hover.