Hoop.dev supports a variety of Identity Providers for user authentication. The guides below cover providers we have validated, but any OIDC-compliant or SAML 2.0 IDP should work using the same integration method.

  • Auth0
  • Okta
  • Google
  • Azure
  • Jump Cloud
  • AWS Cognito
  • OneLogin

Users

Users are active and assigned to the default organization on signup. A user can be set to an inactive state to block platform access, but managing user state in the identity provider is the recommended approach.
  • The sub claim is the main user identifier in the platform.
  • For OIDC, the user profile is derived from the email and name claims in the id_token.
  • For SAML, the user profile is derived from the assertion's Attribute Values.

SAML 2.0 Attribute Values

To pass user information from your Identity Provider to Hoop, send it as SAML assertion Attribute Values. The supported attribute names for each profile field are listed below:

Email Address

  • email
  • emailaddress
  • mail
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

First Name

  • first_name
  • name
  • http://schemas.microsoft.com/identity/claims/displayname
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Last Name

  • last_name
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Groups

If the SAML assertion contains an attribute named groups, its values are synchronized to the user's group memberships on every login.
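The mapping above applied to a constructed assertion, as an added example in Python that is not Hoop's own code: it collects the AttributeStatement by local name and picks each profile field from the accepted attribute names. The first-match precedence and the attribute_values/profile_from_assertion helpers are this example's assumptions.

```python
import xml.etree.ElementTree as ET
WS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Accepted attribute names per profile field, in the order the page lists them.
EMAIL_NAMES = ["email", "emailaddress", "mail", WS + "emailaddress", WS + "upn"]
FIRST_NAMES = ["first_name", "name",
               "http://schemas.microsoft.com/identity/claims/displayname",
               WS + "name", WS + "givenname"]
LAST_NAMES = ["last_name", WS + "surname"]

def attribute_values(assertion_xml: str) -> dict[str, list[str]]:
    """Collect Name -> [AttributeValue, ...]; elements are matched by local name, so any prefix works."""
    attrs: dict[str, list[str]] = {}
    for el in ET.fromstring(assertion_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "Attribute":
            continue
        values = [v.text or "" for v in el if v.tag.rsplit("}", 1)[-1] == "AttributeValue"]
        attrs.setdefault(el.get("Name", ""), []).extend(values)
    return attrs

def first_present(attrs: dict[str, list[str]], names: list[str]) -> str:
    # First-match precedence is this example's assumption, not a documented Hoop rule.
    for n in names:
        if attrs.get(n) and attrs[n][0]:
            return attrs[n][0]
    return ""

def profile_from_assertion(assertion_xml: str) -> dict:
    """Map an already signature-verified assertion onto the fields Hoop derives."""
    attrs = attribute_values(assertion_xml)
    profile = {
        "email": first_present(attrs, EMAIL_NAMES),
        "first_name": first_present(attrs, FIRST_NAMES),
        "last_name": first_present(attrs, LAST_NAMES),
        "groups": attrs.get("groups", []),  # multi-valued; re-synced on every login
    }
    if not profile["email"]:  # no usable identity without an email address
        raise ValueError("assertion carries no supported email attribute")
    return profile

# Constructed, unsigned sample assertion for illustration only.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{WS}emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{WS}givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{WS}surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>admin</saml:AttributeValue><saml:AttributeValue>dba</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Run it only against assertions whose signature has already been validated; attribute mapping is the last step, not the trust decision.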

Groups

Groups define who can access or interact with specific resources:
  • For connection resources, groups control which users can access a specific connection. This is enforced when the Access Control feature is enabled.
  • For access requests, groups define who can approve an execution. This is enforced when the Access Requests feature is enabled.
Groups can be managed manually in the web app or propagated automatically by the identity provider via the ID token (OIDC) or SAML attribute value. When using IdP propagation, group memberships are synchronized on every user login.

Roles

  • The admin group grants full access to all resources. Assign this role to users responsible for managing the Gateway. All other users are standard, meaning they can access their own resources and interact with connections.
  • The auditor group grants read-only access to session resources.

Configuration Page

This feature is available beginning with version 1.38.12.

Configure the identity provider directly from the Webapp. After saving the configuration, the identity provider reloads automatically with the new settings. From that point on, environment variables are no longer considered part of the identity provider configuration.

Troubleshooting

A misconfigured IDP can lock you out of the application. To wipe all configuration, connect to the Hoop Postgres database and delete the following row:

-- clear all configuration
DELETE FROM private.authconfig WHERE org_id = (SELECT id FROM private.orgs);

To update a single configuration:

UPDATE private.authconfig
SET admin_role_name = 'my-new-admin-role-group'
WHERE org_id = (SELECT id FROM private.orgs);

Upcoming releases will improve this experience to avoid this situation.