logo

SSO

Hoop implements the Oauth2 protocol + OIDC. The signature of tokens are validated with JWKS or using the userinfo endpoint provided by the identity provider.

Users

Users are active and assigned to the default organization when they signup. A user could be set to an inactive state preventing it from accessing the platform, however it’s recommended to manage the state of users in the identity provider.
  • The sub claim is used as the main identifier of the user in the platform.
  • The profile of the user is derived from the id_token claims email and name.
When a user authenticates for the first time, it performs an automatic signup that persist the profile claims along with it’s unique identifier.
When organization multi tenant is enabled, the name of the organization is derived from the domain, example: - user=johndoe@google.com, org=google
Administrators need to invite and approve users to start interacting with hoop. This mode is available only for our SaaS instance (https://app.hoop.dev)

Groups

Groups allows defining who may access or interact with certain resources.
  • For connection resources it’s possible to define which groups has access to a specific connection, this is enforced when the access control plugin is enabled.
  • For review resources it’s possible to define which groups are allowed to approve an execution, this is enforced when the review plugin is enabled.
This information is derived from the id_token custom claim https://app.hoop.dev/groups, that allows mapping group attributes. When a user performs a login it syncs the groups contained in this claim if it’s available.
💡
For our SaaS instance (https://app.hoop.dev) users needs to manage groups manually in the webapp dashboard

Permission Profiles

  • admin group is a special profile that grants full access to all resources.
This profile is recommended for administrators that are responsible to configure the platform for end users. All other users are regular, meaning that they can access their own resources and interacting with connections.

Required Information

Collect this information from your IDP for setting up SSO
ENVIRONMENT
REQUIRED
DESCRIPTION
API_URL
yes
API URL address
IDP_ISSUER
yes
OIDC issuer name url. Adding the query string _userinfo=1 will force the gateway to validate the access token using the userinfo endpoint.
IDP_CLIENT_ID
yes
IDP_CLIENT_SECRET
yes
IDP_AUDIENCE
no
Oauth2 audience
IDP_CUSTOM_SCOPES
Azure only
Comma separated custom Oauth2 scopes
The API_URL is used as the base address as starting point to redirect users to the provided resources like:
  • Plugin URI resources
  • Environment base name to monitoring services
The IDP_AUDIENCE is required when using auth0
Auth0AzureGoogleJumpcloudAWS CognitoOkta

Powered by Notaku