SSO Setup & user guide

Customers on HOVER’s Scale or Transform membership plan who use an identity provider or a custom SAML implementation can now use Single sign-on (SSO) as an authentication method to access HOVER.

Important things to note about using an SSO with HOVER:

  • Users in an org with Strict SSO enabled cannot be moved to another org/sub-org

  • When Strict SSO is enabled, you will not be able to invite users; they must be added through your IdP. An identity provider (IdP) is a service that stores and manages digital identities. Contact your SSO provider to find out more.

  • Configuration mode allows previously created users to log in with a password in addition to SSO, but newly created users can only log in with SSO.

  • When a new user is created through SSO, they are given the pro+ permission. They won’t have access to any jobs until invited.

Access SSO Settings

To access SSO settings in HOVER, go to Settings under your email address in the top navigation, navigate to your Organization Settings located under your name in the top navigation, and click on 'SSO' in the menu on the left. If you don't see the 'SSO' menu entry in the menu, please contact your account manager or HOVER support to enable your organization for Single Sign On.

To enable SSO for your organization, you will need to complete these 5 steps:

  1. Configure your Identity Provider (IdP) to connect to HOVER

  2. Obtain metadata information from your IdP

  3. Submit metadata to HOVER

  4. Claim your domain

  5. Enable SSO

The following section uses Okta as the reference Identity Provider. If you use Azure, you can reference their instructions here.

If you do not use Okta or Azure, please use the configuration documentation your IdP provides.

1. Configure your Identity Provider (IdP) to connect to HOVER

You must configure your Identity Provider (IdP) to connect to HOVER in order to use SSO. HOVER can work with any Identity Provider that supports the SAML 2.0 specification. If your Identity Provider doesn't support SAML 2.0, you cannot use SSO on HOVER.

Follow Okta’s documentation at this link on setting up a new application to create the HOVER app. Then, you must fill the form in the 'SAML Settings' section of the app. You can find a representative screenshot below:

Use the below table as a guide to filling in the form:

2. Obtain metadata information from your Identity Provider

After you have configured the HOVER app in your identity provider, you must obtain your Identity Provider's public certificate, Authentication URL, and Issuer URL. To access this information:

  1. Select the HOVER app under the 'Applications' tab in Okta, then select 'Sign On'.

  2. Click on 'View Setup Instructions'.

  3. Copy the ‘Identity Provider Single Sign-On URL’ and ‘Identity Provider Issuer’ fields, and click on the ‘Download Certificate’ button to download the public certificate.

3. Submit your Identity Provider information to HOVER

With the information you gathered from your Identity Provider, you should now head over to your account on hover.to. Go to the SSO Configuration page (click on ‘Settings’ under your email address in top navigation, and then click on ‘SSO’ in the menu on the left). Click on ‘Edit’ in the ‘SAML’ section and insert the Identity Provider SSO URL, Identity Provider Issuer URL, and the public certificate.
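Before pasting these three values into the SAML form, it helps to confirm that they are complete and consistent with each other. The following is an added example, not HOVER's or Okta's code: it assumes your IdP can also export SAML 2.0 metadata XML, extracts the issuer, SSO URL and signing certificate from it, and compares the certificate's SHA-256 fingerprint with the downloaded certificate file. The metadata, host name and certificate bytes are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder bytes, not a real certificate; idp.example.com is a placeholder.
PLACEHOLDER_DER = b"constructed placeholder, not a real certificate"
_B64 = base64.b64encode(PLACEHOLDER_DER).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://idp.example.com/constructed-issuer">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example.com/app/hover/sso/saml"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def der_fingerprint(b64_or_pem):
    """SHA-256 of the certificate bytes, ignoring PEM armor and whitespace."""
    body = "".join(l.strip() for l in b64_or_pem.splitlines() if "-----" not in l)
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()

def extract_idp_settings(metadata_xml):
    """Parse metadata exported from your own IdP; reject incomplete documents."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not IdP metadata")
    sso = idp.find("md:SingleSignOnService", NS)
    cert = idp.find(".//ds:X509Certificate", NS)
    if sso is None or cert is None or not (cert.text or "").strip():
        raise ValueError("missing SSO endpoint or signing certificate")
    return {"issuer": root.get("entityID") or "", "sso_url": sso.get("Location") or "",
            "cert_sha256": der_fingerprint(cert.text)}

def preflight(settings, downloaded_cert_pem):
    """Return problems to fix before pasting the values into the SAML form."""
    checks = [
        (bool(settings["issuer"]), "issuer (entityID) is empty"),
        (settings["sso_url"].lower().startswith("https://"), "SSO URL is not HTTPS"),
        (der_fingerprint(downloaded_cert_pem) == settings["cert_sha256"],
         "downloaded certificate differs from metadata"),
    ]
    return [msg for ok, msg in checks if not ok]
```

For metadata obtained from a source you do not control, parse it with a hardened XML parser such as defusedxml rather than `xml.etree`.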

Once you’ve updated the SAML configuration, you can turn on SSO in ‘Configuration Mode’. This mode will allow you to test Single Sign On, while continuing to enforce username & password based login for your users.

4. Claim your domain

In order to enforce Single Sign On for your users, you must claim your domain. This will secure your SSO implementation by preventing any of your users from logging in with their usernames and passwords, and will only allow users with your claimed domain in their email address to access HOVER.

To claim a domain, add a TXT record to your domain’s DNS records with a verification key provided by HOVER. To get the verification key, click on the ‘Add domain’ button in the ‘Claim domains’ section and enter the domain you wish to claim.

Once you get the TXT record added to your domain’s DNS record, click on the ‘Verify’ link next to the domain name. HOVER will verify ownership of the domain in the background, and will mark the domain as ‘Verified’ or ‘Failed verification’.

5. Enable SSO

After you’ve completed the SAML Configuration & Domain claiming steps, you will be able to turn on Strict SSO for your users. Once Strict SSO is enabled, your users will only be able to access HOVER via Single Sign On.

With steps 1-5 above completed, you can now log in with SSO on hover.to and HOVER mobile apps.
