Hoop implements the Oauth2 protocol + OIDC. The signature of tokens are validated with JWKS or using the userinfo endpoint provided by the identity provider.


Users are active and assigned to the default organization when they signup. A user could be set to an inactive state preventing it from accessing the platform, however it’s recommended to manage the state of users in the identity provider.
  • The sub claim is used as the main identifier of the user in the platform.
  • The profile of the user is derived from the id_token claims email and name.
When a user authenticates for the first time, it performs an automatic signup that persist the profile claims along with it’s unique identifier.
When organization multi tenant is enabled, the name of the organization is derived from the domain, example: - user=johndoe@google.com, org=google
Administrators need to invite and approve users to start interacting with hoop. This mode is available only for our SaaS instance (https://use.hoop.dev)


Groups allows defining who may access or interact with certain resources.
  • For connection resources it’s possible to define which groups has access to a specific connection, this is enforced when the access control plugin is enabled.
  • For review resources it’s possible to define which groups are allowed to approve an execution, this is enforced when the review plugin is enabled.
This information is derived from the id_token custom claim https://app.hoop.dev/groups, that allows mapping group attributes. When a user performs a login it syncs the groups contained in this claim if it’s available.
For our SaaS instance (https://use.hoop.dev) users needs to manage groups manually in the webapp dashboard

Permission Profiles

  • admin group is a special profile that grants full access to all resources.
This profile is recommended for administrators that are responsible to configure the platform for end users. All other users are regular, meaning that they can access their own resources and interacting with connections.

Required Information

Collect this information from your IDP for setting up SSO
API URL address
OIDC issuer name url.
Oauth2 audience
Comma separated additional Oauth2 scopes
The API_URL is used as the base address as starting point to redirect users to the provided resources like:
  • Plugin URI resources
  • Environment base name to monitoring services
Auth0AzureGoogleJumpcloudAWS CognitoOkta

Powered by Notaku