Skip to main content
Guide to Single sign-on (SAML SSO)

How to set up and manage your HandsHQ logins via Okta or Azure Active Directory

Michelle Kimbler avatar
Written by Michelle Kimbler
Updated over a year ago

Summary

HandsHQ allows you to manage and authenticate user logins via Single sign-on (SSO). This means employees can use one set of login credentials to access multiple systems, including HandsHQ, which are managed centrally by your identity provider.

What's covered in this article?

Who can use this feature?

🏘 Supported on Small Team plans (previously Small Enterprise). Enforceable SSO is available on Enterprise plans.

πŸ‘·β€β™‚οΈ Only account admins can configure SAML SSO

πŸ” SAML SSO identity providers offered: Okta and Azure Active Directory

HandsHQ launches SAML single-sign-on

What is SAML Single sign-on?

Single Sign-on (SSO) allows users to log in to multiple applications or websites using the same identity provider (IdP). Security Assertion Markup Language (SAML) is a security standard for managing authentication and access.

What SSO providers can you configure on HandsHQ?

At the moment, HandsHQ allows SSO with Okta and Azure Active Directory.

You will need to use one of these identity providers to access this feature in HandsHQ. We are looking to expand the listed providers in the future.

Logging in to HandsHQ via SAML SSO

With single sign-on activated, the user will typically log in with the following steps:

  • On the HandsHQ login page, the user selects "Log in with SSO"

  • HandsHQ redirects the user to the identity provider

  • The user enters their SSO password

    • A 2FA request will also show if this is enabled on your IdP

  • If the user is set up in your identity provider, they will successfully log in to HandsHQ

Note: the user needs to be set up in your identity provider first and assigned to HandsHQ for logins to be successful via SSO

The first time a user logs in to HandsHQ via SSO:

  • If the user account previously existed in HandsHQ:

    • The user account will be integrated with the IdP and user will successfully log in

  • If the user account didn't exist previously in HandsHQ:

    • A new user account will instantly be generated in HandsHQ

    • For multi-division accounts: the user account will be generated, but they won't be assigned to any division. See more in the "Setting up new users with SAML SSO" section below.


Enabling single sign-on for your HandsHQ account

Note: you need to be an account administrator or owner to enable single sign-on

To set up single sign-on:

  1. Contact your customer success manager

    1. We will need your email domain(s) to configure the feature on our end

    2. Your CSM will confirm when SSO is turned on your account

  2. Go to Settings (in the parent division 🏠 if you have multiple ones)

    1. Go to the Single sign-on tab

    2. Tick "Enable Single sign-on"

  3. Follow the setup guides below for further instructions on how to configure SSO depending on your provider


Enforcing SAML Single sign-on

🏘 Available on Enterprise plans

Even with SSO enabled, your users will still have the option to log in to HandsHQ using a traditional email and password as their login credentials.

If you want to block users from bypassing SSO, you can choose the option to enforce SSO on your account. This means users will only be able to log in via SSO, and any other login credentials will be disabled.

Simply navigate to Settings > Singe sign-on > tick "Enforce SSO"


Setting up new users with SAML SSO

Account admins can still create and invite new users to HandsHQ via Settings > Users as before.

However, for SAML SSO to work successfully, the user will also need to be set up in your identity provider and assigned to HandsHQ. If the user doesn't exist in the identity provider, they will not be able to log in using SSO.

HandsHQ uses just-in-time provisioning to instantly create a new account the first time a new user logs in via SAML SSO.

Option 1: Set up the user in HandsHQ first

  1. Go to Settings > Users > Add user

  2. Create the user profile, assign permissions and send the invite

  3. Navigate to your IdP and set make sure the same user is set up and assigned to HandsHQ

  4. The user will then be able to accept the user login invite using their SSO credentials

Option 2: Set up the user in your identity provider first

  1. Navigate to your IdP and set up a new user, assigning them to HandsHQ (or assign an existing user to HandsHQ)

    1. Okta configuration guide

    2. Azure AD configuration guide

  2. The user will be able to go straight to the HandsHQ login page and log in with SSO

  3. For single-division accounts:

    1. The user will be automatically logged in

    2. The lowest level of access will automatically be given to the new user account

      1. RAMS accounts: project editor access

      2. Training register accounts: personnel viewer access

    3. If the user needs a higher level of access, this can be edited by an admin in Settings > User

  4. If your account has multiple divisions:

    1. A user account will be instantly created

    2. The new user will have no divisions or permissions assigned to them and thus won't be able to use HandsHQ

    3. An email notification will be sent to all account admins to notify them a new user without permissions has been created

    4. An admin needs to assign the new user to the right division(s) before they can use HandsHQ

To read more about setting up users in HandsHQ, here's our full guide.

Just-in-time provisioning

HandshQ uses Just-in-time (JIT) provisioning to allow users to be instantly created the first time they log in via an identity provider (Okta and Azure Active Directory). This eliminates the need to provision users or create user accounts manually.

Users provisioned JIT are created in the User section in HandsHQ. For a user to be created, their first name, last name, and email are required.

These fields will be filled in with data from the SSO response. This data must be configured in your IdP and made available through attributes or claims. More information on how to set it up is available in our Okta and Azure AD guides.


Did this answer your question?