SAML SSO Setup Guide
Category: SAML Single Sign On | Type: Step by Step guide
This guide walks your IT team through configuring SAML 2.0 Single Sign-On between your identity provider (IdP) and Hive. The setup is self-serve and can be completed in your Hive account settings.
✅ You'll need:
- An admin account in Hive
- An admin account in your identity provider (Microsoft Entra, Google Workspace, etc.)
- About 30 minutes
Before you begin
SAML SSO sits in your Hive Account Settings → Authentication → SAML Single Sign-On.
Two ways to configure it:
- Upload your IdP metadata XML (recommended) — Hive will auto-fill most fields from the XML file
- Enter the configuration manually — useful if you want to override specific values
Step 1 — Enable SAML SSO in Hive
- In Hive, navigate to Account Settings → Authentication.
- Scroll to the SAML Single Sign-On section.
- Tick Enable SAML Single Sign-On.
Step 2 — Register Hive as a SAML application in your IdP
In your identity provider (Microsoft Entra, Google Workspace, etc.), create a new SAML 2.0 application for Hive. You'll need two URLs from Hive to register it — both are shown in the Service Provider (SP) — Details section of the Authentication page:
- Callback URL (also known as ACS URL, Reply URL, Single Sign-On URL, or Recipient URL) — where your IdP returns users after they authenticate
- Metadata URL (also known as Entity ID, Audience URI, or SP Entity ID) — Hive's SAML assertion consumer service endpoint
Click any field to highlight it, or use the copy button next to each URL. Paste them into the corresponding fields in your IdP when registering Hive.
Step 3 — Upload your IdP metadata
Once Hive is registered in your IdP, export its metadata XML.
Back in Hive, drag and drop your IdP metadata XML into the upload area at the top of the SAML configuration. Hive will automatically populate:
- IdP entry point URL
- Entity ID
- IdP X.509 certificate
- NameID identifier format (if specified)
- Signing and digest algorithms
You can review and adjust any of these in the sections below.
Step 4 — Configure the Identity Provider connection manually (if needed)
If you didn't upload metadata, or you need to set specific values, expand the Identity Provider (IdP) — Configuration section and complete:
- IdP entry point URL — the HTTPS URL where the SAML flow starts at your IdP (also called SSO URL, Sign-on URL, Login URL, or SAML URL)
- Entity ID — the globally unique identifier for your IdP, usually a URL. Found at EntityDescriptor/@entityID in your metadata XML
- IdP X.509 certificate — the PEM-encoded public certificate from your IdP, used to verify SAML response signatures
- NameID identifier format — the URN that defines how your IdP formats the NameID in the SAML assertion. Most organisations use the emailAddress format
These are the minimum fields needed to wire Hive up to your IdP.
Step 5 — Attribute mapping (optional)
If your IdP uses non-standard attribute names for user information (such as email, first name, or department), you can map these to Hive's expected attributes.
In the Identity Provider (IdP) — Attribute mapping section, click Add mapping and enter the source attribute name from your IdP alongside the Hive attribute it should map to.
Leave this section empty to use sensible defaults — most organisations don't need to change anything here.
Step 6 — Advanced overrides (optional)
The Identity Provider (IdP) — Advanced overrides section lets you override values from your uploaded metadata. Most organisations don't need to change these. Configure them only if your IdP requires specific signing behaviour, encryption, or alternative endpoints:
- Signing — override the signature algorithm (most providers use SHA-256 or SHA-512), digest algorithm (typically SHA-256), or signing certificate. You can also choose to require signed assertions, sign authentication requests, or allow IdP-initiated sign-in. Note: SP-initiated flows are more secure — only allow IdP-initiated sign-in if your IdP requires it.
- Encryption — tick IdP encrypts assertions if your IdP encrypts SAML assertions. You'll need to provide a decryption private key.
- Single sign-on service endpoints — add bindings (transport methods paired with URLs) the IdP exposes for sign-in requests.
- Single logout service endpoints — optional. Only configure if your IdP supports Single Logout (SLO).
Step 7 — Save and test
- Click Save Changes in Hive.
- Open an incognito or private browser window and go to YourOrganisation.hive.hr/sign-in.
- Click Sign in with SSO.
- You should be redirected to your IdP, prompted to authenticate, and then returned to Hive — signed in.
If anything doesn't work as expected, see the troubleshooting section below.
Troubleshooting
A few common issues to check before contacting Support:
| Symptom | What to check |
| --- | --- |
| "Invalid SAML response" | Usually a certificate mismatch. Verify the X.509 certificate in Hive matches the one your IdP is using to sign assertions. |
| User is returned to Hive but not signed in | Check the NameID format. The format Hive receives needs to match what's configured in the IdP settings. Most setups work with emailAddress. |
| Clock skew errors | Make sure your IdP server and Hive's systems are roughly time-synchronised. Significant time differences can cause assertion validation to fail. |
| Users can sign in but data is missing | Check the attribute mapping. The IdP might be sending user details under a different attribute name than Hive expects. |
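Each row of the table corresponds to one check a service provider performs on the assertion it receives. The script below, added here as an illustration and not Hive's own validation code, runs those four checks (signing certificate, NameID format, validity window with a clock-skew allowance, and attribute mapping) against a SAML Response so you can see which row applies. It deliberately does not verify the XML signature itself, which needs an XML-DSig library; it only performs the configuration-level checks the table describes. The response, the SP configuration, the attribute names and the certificate bytes are all constructed placeholders.

```python
"""Configuration-level checks on a SAML Response, one per troubleshooting row.

Added example for this guide, not Hive's own code. It does not verify the XML
signature; it checks the things the table says to check. Every URL, attribute
name and certificate below is a constructed placeholder.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Placeholder certificate bytes (not real DER), so the fingerprint check has something to hash.
CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
OTHER_CERT_B64 = base64.b64encode(b"a different placeholder, as after an IdP key rollover").decode()

# Constructed response; the SignatureValue is not a real signature.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://idp.example.test/saml2</saml:Issuer>
    <ds:Signature>
      <ds:SignatureValue>bm90LWEtcmVhbC1zaWduYXR1cmU=</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:example:mail"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:example:givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What the SP side is configured with; constructed to match the sample.
CONFIG = {
    "idp_certificate_b64": CERT_B64,
    "nameid_format": EMAIL_FORMAT,
    "sp_entity_id": "https://sp.example.test/saml/metadata",
    "allowed_clock_skew": timedelta(seconds=120),
    "attribute_mapping": {"urn:example:mail": "email", "urn:example:givenName": "first_name"},
    "required_attributes": ("email", "first_name"),
}


def _fingerprint(cert_b64: str) -> bytes:
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).digest()


def _parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text: str, config: dict, now: datetime) -> dict:
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    findings = []

    # Row 1, "Invalid SAML response": the certificate the IdP signed with must be the configured one.
    cert = assertion.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not hmac.compare_digest(_fingerprint(cert.text), _fingerprint(config["idp_certificate_b64"])):
        findings.append("certificate mismatch: IdP signing certificate differs from the configured one")

    # Row 2, "returned but not signed in": NameID format must match the configured format.
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format") if nameid is not None else None
    if fmt != config["nameid_format"]:
        findings.append(f"nameid format mismatch: got {fmt}, expected {config['nameid_format']}")

    # Row 3, "clock skew errors": validity window, widened by the tolerated skew on each side.
    cond = assertion.find("saml:Conditions", NS)
    skew = config["allowed_clock_skew"]
    if cond is not None:
        if cond.get("NotBefore") and now < _parse_time(cond.get("NotBefore")) - skew:
            findings.append("clock skew: assertion not yet valid (NotBefore is in the future)")
        if cond.get("NotOnOrAfter") and now >= _parse_time(cond.get("NotOnOrAfter")) + skew:
            findings.append("clock skew: assertion expired (NotOnOrAfter is in the past)")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and config["sp_entity_id"] not in audiences:
            findings.append("audience mismatch: assertion is not addressed to this SP entity ID")

    # Row 4, "data is missing": apply the attribute mapping and report what did not arrive.
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        target = config["attribute_mapping"].get(attr.get("Name"))
        if target is None:
            findings.append(f"unmapped attribute sent by IdP: {attr.get('Name')}")
        else:
            attributes[target] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    for required in config["required_attributes"]:
        if required not in attributes:
            findings.append(f"missing attribute: {required} (check the mapping)")

    return {"ok": not findings, "findings": findings, "attributes": attributes}


def check_sample(now_iso: str, **overrides) -> dict:
    """Run the checks on the constructed sample, with optional config overrides."""
    return check_response(SAMPLE_RESPONSE, {**CONFIG, **overrides}, _parse_time(now_iso))


if __name__ == "__main__":
    print(check_sample("2024-05-01T10:01:00Z"))
    print(check_sample("2024-05-01T10:01:00Z", idp_certificate_b64=OTHER_CERT_B64)["findings"])
```

The 120-second skew allowance is the kind of tolerance a service provider applies to the `NotBefore`/`NotOnOrAfter` window; if the clock skew finding appears when the IdP and SP are only a few seconds apart, the assertion lifetime on the IdP is too short rather than the clocks being wrong. A certificate mismatch after an IdP key rollover is fixed by re-uploading the new metadata (Step 3) or replacing the certificate in the Identity Provider (IdP) — Configuration section (Step 4).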
🎓 Useful Information
Require further technical assistance? Contact Our Support Team