SSO Setup & user guide
Updated over a week ago

Customers on HOVER’s Scale or Transform membership plan who use an identity provider or a custom SAML implementation can now use Single sign-on (SSO) as an authentication method to access HOVER.

Important things to note about using an SSO with HOVER:

  • Users in an org with Strict SSO enabled cannot be moved to another org/sub-org

  • When Strict SSO is enabled you will not be able to invite users. They must be added through your IdP. An identity provider (IdP) is a service that stores and manages digital identities, contact your SSO provider to find out more.

  • Configuration mode allows previously created users to use a password to login in addition to SSO, but newly created users can only use SSO to login.

  • When a new user is created through SSO, they are given the pro+ permission. They won’t have access to any jobs until invited.

Access SSO Settings

To access SSO settings in HOVER, go to Settings under your email address in the top navigation, navigate to your Organization Settings located under your name in the top navigation, and click on 'SSO' in the menu on the left. If you don't see the 'SSO' menu entry in the menu, please contact your account manager or HOVER support to enable your organization for Single Sign On.

To enable SSO for your organization, you will need complete these 5 steps:

  1. Configure your Identity Provider (IdP) to connect to HOVER

  2. Obtain metadata information from your IdP

  3. Submit metadata to HOVER

  4. Claim your domain

  5. Enable SSO

The following section uses Okta as the reference Identity Provider. If you use Azure, you can reference their instructions here.

If you do not use Okta or Azure, please use the configuration documentation your IdP provides.

1. Configure your Identity Provider (IdP) to connect to HOVER

You must configure your Identity Provider (IdP) to connect to HOVER in order to use SSO. HOVER can work with any Identity Provider that supports SAML 2.0 specification. If your Identity Provider doesn't support SAML 2.0, you cannot use SSO on HOVER.

Follow Okta’s documentation at this link on setting up a new application to create the HOVER app. Then, you must fill the form in the 'SAML Settings' section of the app. You can find a representative screenshot below:

Use the below table as a guide to filling in the form:

2. Obtain metadata information from your Identity Provider

After you have configured the HOVER app in your identity provider, you must obtain your Identity Provider's public certificate, Authentication URL, and Issuer URL. To access this information:

Select the HOVER app under the 'Applications' tab in Okta then select 'Sign On'

Click on 'View Setup Instructions'

Copy the ‘Identity Provider Single Sign-On URL’ and ‘Identity Provider Issuer’ fields, and click on the ‘Download Certificate’ button to download the public certificate.

3. Submit your Identity Provider information to HOVER

With the information you gathered from your Identity Provider, you should now head over to your account on Go to the SSO Configuration page (click on ‘Settings’ under your email address in top navigation, and then click on ‘SSO’ in the menu on the left). Click on ‘Edit’ in the ‘SAML’ section and insert the Identity Provider SSO URL, Identity Provider Issuer URL, and the public certificate.

Once you’ve updated the SAML configuration, you can turn on SSO in ‘Configuration Mode’. This mode will allow you to test Single Sign On, while continuing to enforce username & password based login for your users.

4. Claim your domain

In order to enforce Single Sign On for your users, you must claim your domain. This will secure your SSO implementation by preventing any of your users from logging in with their username & passwords, and will only allow users with your claimed domain in their email address to access HOVER.

To claim a domain, add a TXT record to your domain’s DNS records with a verification key provided by HOVER. To get the verification key, click on the ‘Add domain’ button in the ‘Claim domains’ section and enter the domain you wish to claim.

Once you get the TXT record added to your domain’s DNS record, click on the ‘Verify’ link next to the domain name. HOVER will verify ownership of the domain in the background, and will mark the domain as ‘Verified’ or ‘Failed verification’.

5. Enable SSO

After you’ve completed the SAML Configuration & Domain claiming steps, you will be able to turn on Strict SSO for your users. Once Strict SSO is enabled, your users will only be able to access HOVER via Single Sign On.

With the above 1-5 steps completed, you can now login with SSO on and HOVER mobile apps.

Did this answer your question?