Quick Reference
| What you need | Where to find it |
|---|---|
| ACS URL (Callback URL) | Settings > Security > Configure SSO |
| Entity ID (SP Entity ID) | Settings > Security > Configure SSO |
| SCIM Endpoint URL | Settings > Security > SCIM Provisioning |
| SCIM Bearer Token | Settings > Security > SCIM Provisioning |
Supported Identity Providers
Hiro supports SAML 2.0 SSO with:
| Provider | Status |
|---|---|
| Okta | Supported |
| Azure AD / Entra ID | Supported |
| Google Workspace | Supported |
Before You Begin
You’ll need:
- Admin access to your identity provider
- Admin role in Hiro
Okta SSO
Get your SP details from Hiro
In Hiro, go to Settings > Security:
- Click Configure SSO
- Copy the ACS URL and Entity ID — you’ll need these in the next step
Create a SAML application in Okta
In your Okta Admin Console:
- Go to Applications > Applications
- Click Create App Integration
- Select SAML 2.0
- Click Next
- Enter app name: Hiro
Configure SAML settings
Enter the following settings from Hiro’s SSO configuration page:
| Setting | Value |
|---|---|
| Single sign-on URL | Paste the ACS URL from Hiro |
| Audience URI (SP Entity ID) | Paste the Entity ID from Hiro |
| Name ID format | EmailAddress |
| Application username | |
| Update application username on | Create and update |
Get the Metadata URL
After creating the app:
- Go to the Sign On tab
- Find the Metadata URL (under “SAML Signing Certificates” or “Metadata details”)
- Copy this URL; it typically ends in /sso/saml/metadata
Configure Hiro
In Hiro, go to Settings > Security:
- Click Configure SSO
- Select Okta
- Paste the Metadata URL
- Click Save
- Click Enable to activate SSO
Okta SCIM
Enable SCIM for automated user provisioning. This allows Okta to automatically create users when they’re assigned to Hiro, deactivate users when they’re unassigned, and sync user attributes.
SCIM provisioning is only available after you’ve configured Okta SSO.
Generate SCIM credentials in Hiro
In Hiro, go to Settings > Security:
- Find the SCIM Provisioning section
- Click Generate Token
- Copy the SCIM Base URL and Bearer Token
Enable SCIM in your Okta app
In your Okta Admin Console:
- Go to your Hiro app → General tab → App Settings
- Click Edit
- Set Provisioning to SCIM
- Click Save
Configure API integration
- Go to the Provisioning tab → Integration
- Click Configure API Integration
- Check Enable API integration
- Paste the SCIM Base URL from Hiro
- Set Unique identifier field to userName
- Set Authentication Mode to HTTP Header
- Paste the Bearer Token from Hiro
- Click Test API Credentials, then Save
Enable provisioning actions
- Go to Provisioning tab → To App
- Click Edit
- Enable:
- Create Users
- Update User Attributes
- Deactivate Users
- Click Save
Azure AD / Entra ID SSO
Get your SP details from Hiro
In Hiro, go to Settings > Security:
- Click Configure SSO
- Copy the ACS URL and Entity ID — you’ll need these in the next step
Create an enterprise application
In the Azure Portal:
- Go to Microsoft Entra ID > Enterprise applications
- Click New application
- Click Create your own application
- Enter name: Hiro
- Select Integrate any other application you don’t find in the gallery
- Click Create
Configure SAML
- Go to Single sign-on in the left menu
- Select SAML
- Click Edit on Basic SAML Configuration
- Enter values from Hiro’s SSO configuration page:
- Identifier (Entity ID): Paste the Entity ID from Hiro
- Reply URL (ACS URL): Paste the ACS URL from Hiro
- Click Save
Configure attributes
Click Edit on Attributes & Claims:
- Ensure the Unique User Identifier uses user.mail
- Verify email claim is present
Get the Metadata URL
In the SAML Certificates section:
- Find App Federation Metadata Url
- Copy this URL
Configure Hiro
In Hiro, go to Settings > Security:
- Click Configure SSO
- Select Azure AD
- Paste the Metadata URL
- Click Save
- Click Enable to activate SSO
Google Workspace SSO
Get your SP details from Hiro
In Hiro, go to Settings > Security:
- Click Configure SSO
- Copy the ACS URL and Entity ID — you’ll need these in a later step
Create a SAML app
In Google Admin Console:
- Go to Apps > Web and mobile apps
- Click Add app > Add custom SAML app
- Enter name: Hiro
- Click Continue
Copy IdP information
On the Google Identity Provider details page:
- Copy the SSO URL — save this for the metadata URL
- Click Continue
Configure service provider details
Enter values from Hiro’s SSO configuration page:
- ACS URL: Paste the ACS URL from Hiro
- Entity ID: Paste the Entity ID from Hiro
- Name ID format: EMAIL
- Name ID: Basic Information > Primary email
Configure attribute mapping
Add attribute mappings:
| Google Directory | App attribute |
|---|---|
| Primary email | |
| First name | firstName |
| Last name | lastName |
Click Finish
Enable the app
Click on the Hiro app and set User access to ON for everyone or select specific organizational units.
Configure Hiro
In Hiro, go to Settings > Security:
- Click Configure SSO
- Select Google Workspace
- Enter the SSO URL you copied (append /metadata if needed)
- Click Save
- Click Enable to activate SSO
SSO Settings
After configuring SSO, you can adjust these settings in Settings > Security:
Enable/Disable SSO
Toggle SSO on or off without deleting the configuration.
Enforce SSO
When enabled, all users in your organization must sign in via SSO. Password login is disabled.
Troubleshooting
“SAML Response Invalid”
- Verify the ACS URL in your IdP exactly matches the value from Hiro
- Check that the Entity ID matches exactly
- Ensure the Name ID is set to email format
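A diagnostic for the three checks above, as an added example that is not part of Hiro's documentation or code: it decodes a base64 SAMLResponse (the form field the IdP posts to the ACS URL) and compares Destination, Recipient, Audience and NameID against the SP values. The sp.example URLs and the sample response are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: trailing slash on the ACS URL and an 'unspecified' NameID.
SAMPLE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sp.example/acs/">
 <saml:Assertion><saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
   <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="https://sp.example/acs/"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example/entity</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>""")

def diagnose(b64_response, acs_url, entity_id):
    """Return a list of mismatches between a SAMLResponse and the SP settings."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    # Comparisons are exact string matches: a trailing slash or http/https
    # difference counts as a mismatch.
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL")
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        if scd.get("Recipient") != acs_url:
            problems.append(f"Recipient {scd.get('Recipient')!r} != ACS URL")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} does not contain Entity ID")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in assertion")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID Format is {name_id.get('Format')!r}, not emailAddress")
        if "@" not in (name_id.text or ""):
            problems.append("NameID value is not an email address")
    return problems

if __name__ == "__main__":
    for p in diagnose(SAMPLE, "https://sp.example/acs", "https://sp.example/entity"):
        print("MISMATCH:", p)
```

It only reads fields and does not verify the signature; an encrypted assertion will be reported as missing its NameID and Audience.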
“User Not Found”
- Verify the user is assigned to the Hiro application in your IdP
- Check that email attribute mapping is correct
SSO not working after configuration
- Ensure you clicked Enable after saving the configuration
- Verify the Metadata URL is accessible (try opening it in a browser)
- Check that the IdP app is enabled and users are assigned
Locked Out
If you’ve enforced SSO and can’t log in, contact support@hiro.is with your organization name.