SSO with SAML

If you have an identity provider (IDP) that supports SAML 2.0, you can use it with FireHydrant as a single sign-on provider.

Prerequisites

  • You'll need to reach out to our support team to enable SSO for your organization
  • You will need Owner permissions to configure SSO settings on FireHydrant
  • You will need administrative access to your IDP to create a new SAML application and administer users

Entra ID (Azure AD)

Setting up single-sign on with Entra ID enables employees in your Entra tenant to authenticate to and access FireHydrant accounts.

  1. From the Entra Portal, click into Applications > Enterprise Applications

  2. Click New Application > Create your own application

  3. Name your app "FireHydrant" and select "Integrate any other application you don't find in the gallery (Non-gallery). Click Create.

  4. Click into Single Sign-on once your app has been created and select SAML

  5. Click Edit for "Basic SAML Configuration" and configure it as follows, then Save.

    1. Identifier (Entity ID): firehydrant
      1. (Optional) If you want to enable service provider-initiated (SP) sign-in, add this as a second identifier without switching it to the default: https://app.firehydrant.io/sso/saml/consume
    2. Reply URL (Assertion Consumer Service URL): https://app.firehydrant.io/sso/saml/consume
    3. (Optional) If you want to enable SP-initiated sign-in, set the Sign on URL: https://app.firehydrant.io/sessions/new
  6. Click Edit for "Attributes & Claims" and configure it as follows, then Save:

    1. Unique User Identifier (Name ID)

      1. Name identifier format: Email address
      2. Source: Set to attribute that stores the user's email address. This should match how you expect the user to appear in FireHydrant.
    2. Additional Claims

      Claim NameNamespaceRecommended Mapping
      emailAddresshttp://schemas.xmlsoap.org/ws/2005/05/identity/claimsAttribute that stores user's email address
      firstNamehttp://schemas.xmlsoap.org/ws/2005/05/identity/claimsuser.givenname
      lastNamehttp://schemas.xmlsoap.org/ws/2005/05/identity/claimsuser.surname
  7. Under "SAML Certificates," download the Certificate (Base64). In order to open the certificate in a readable format that you can enter into FireHydrant, you will need to run to run the following:
    openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem
    Open the resulting file in a text editor.

  8. In a separate browser tab, open FireHydrant's SSO settings page and check Enable SSO. Enter the following information from Entra ID:

    Entra ID ValueFireHydrant Field
    Login URLIdP Login URL
    Microsoft Entra IdentifierIdP Issuer
    Use the output from step 6IdP X509 Certificate
    1. (Optional) Add a domain for SP-initiated logins. When users attempt to log in to FireHydrant directly with an email address that matches this domain, FireHydrant will display a note and redirect them to your IDP sign-in.
  9. Click Save. You will now be able to test the login process from within Entra by assigning it to yourself and using the Test This Application button.

Google SSO

Setting up single sign-on with Google enables your G Suite account users to authenticate and access FireHydrant accounts.

  1. Follow Google's instructions on setting up a custom SAML application until you get to the Google Identity Provider details page.
  2. In a separate browser tab, open FireHydrant's SSO settings page and check Enable SSO. Three additional fields will appear: IDP Login URL, IDP Issuer, and IDP X509 Certificate. Copy the values from Google into FireHydrant as follows:
Google ValueFireHydrant Field
SSO URLIDP Login URL
Entity IDIDP Issuer
CertificateIDP X509 Certificate
  1. (Optional) In the Domains section of FireHydrant, you can add the email domain name for your organization.

    1. When users attempt to log in to FireHydrant directly with an email address that matches this domain, FireHydrant will display a note and redirect them to your IDP sign-in.
  2. Click Save in FireHydrant.

  3. In Google, click Next. Google prompts you to fill in Service Provider details. For the ACS URL and Entitiy ID fields, enter https://app.firehydrant.io/sso/saml/consume.

  4. Enable the Signed Response checkbox.

  5. Verify that Primary Email is selected for the Name ID section. This is how your SSO configuration automatically creates accounts or logs existing users into FireHydrant.

  6. For the Name ID Format field, select Email. Click Next.

  7. (Optional) On the last step of the Google setup, provide any attribute mappings you'd like to include when users are sent to FireHydrant. These are optional, but we recommend setting the first and last name attributes so when users are provisioned, their names are automatically set correctly in FireHydrant.

    Attribute mapping in Google

    Attribute mapping in Google

  8. Click Finish. This completes your Google SSO setup.

Okta SSO

📘

Note:

When a user is authenticated with Okta, they are automatically added to the organization with a Member role if they do not have an account.

Otherwise, accounts are matched on the email provided by Okta on a successful login. When a user is removed from Okta, they are not automatically removed from FireHydrant.

Our Okta SAML integration is one-way - FireHydrant accounts will be automatically provisioned but not automatically de-provisioned. Users whose accounts are auto-provisioned with Okta are set to the Member role.

  1. As an Okta admin, view all applications in the Applications tab. Then:
  2. Click Browse App Catalog
  3. Search for the FireHydrant app, click it, and then click Add Integration
  4. Name your app and click Next. This will drop you onto the Assignments page.
  5. Click into Sign On and go to View SAML setup instructions.
  6. In a separate browser tab, open FireHydrant's SSO settings page and check Enable SSO. Enter the IDP Login URL, IDP Issuer, and IDP X509 Certificate details from Step #4 into FireHydrant.
    1. (Optional) Add a domain for SP-initiated logins. When users attempt to log in to FireHydrant directly with an email address that matches this domain, FireHydrant will display a note and redirect them to your IDP sign-in.
  7. Enable SSO and save your configuration. This completes the setup for Okta SAML 2.0.

Generic

  1. For other identity providers aside from Google and Okta, you can set up the integration by entering FireHydrant's SAML details as below when creating a new SAML application:
    1. Consumer URL: https://app.firehydrant.io/sso/saml/consume
    2. Recipient URL and Audience URL: Same as the consumer URL
    3. Audience: firehydrant
    4. Attribute statements: First Name as firstName, Last Name as lastName
  2. After you've created your SAML application, you will then need to configure settings within FireHydrant:
    1. In FireHydrant, navigate to Settings > Single Sign On.
    2. On the Single Sign On page, check the box labeled  Enable SSO.
    3. Additional fields appear. In these fields, provide your IDP login URL, IDP issuer, and IDP X509 certificate as generated by your identity provider.
    4. (Optional) If you'd like, you can add Domains. When users attempt to log in to FireHydrant directly with an email address that matches this domain, FireHydrant will display a note and redirect them to your IDP sign-in.

Testing

To test, leave your session in FireHydrant open. Visit your IDP in a new window or tab and attempt to log in with your newly configured integration.

Leaving your FireHydrant session open should prevent you from getting locked out of your account during setup. If you encounter a lockout, submit a ticket on our contact form for help.