Single sign-on (SSO) overview

This topic provides an overview for single sign-on (SSO) with your preferred identity provider when users in your organization sign in to the HashiCorp Cloud Platform (HCP). To use HCP's SSO features, sign in to the HCP Portal.

Introduction

HashiCorp Cloud Platform (HCP) allows organizations to configure both SAML 2.0 SSO and OpenID Connect (OIDC) SSO as an alternative to traditional user management with GitHub and email-based options. This security measures can help mitigate Account Take Over (ATO) attacks, provide a universal source of truth to federate identities from your identity provider (IdP), and help you better manage user access to your organization.

SAML and OIDC

Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between parties.

OpenID Connect (OIDC) is an authentication protocol based on the OAuth 2.0 framework that enables sign-in flows through a RESTful API and JSON payloads.

HCP supports both SAML and OIDC for SSO.

Supported identity providers

HCP supports SSO integrations with the following identity providers.

Identity provider	SAML documentation	OIDC documentation
Okta	Add a private SSO integration	Add a private SSO integration
AzureAD	Enable single sign-on for an enterprise application	Add an OpenID Connect-based single sign-on application (OIDC)
Google Cloud	Set up SSO for your organization	Signing in users with OIDC
AWS	Set up single sign-on access to your applications	Create an OpenID Connect (OIDC) identity provider in IAM
Auth0	Manually configure Auth0 SSO integrations	Adopt OIDC-Conformant Authentication
JumpCloud	SAML Single Sign-on	SSO with OIDC
PingID	Add a SAML application	Adding an identity provider - OIDC
CyberArk	Federate with an external IdP using SAML	Federate with an external IdP using OIDC
Duo Security	Duo Single Sign-On for Generic SAML Service Providers	Duo Single Sign-On for Generic OpenID Connect (OIDC) Relying Parties
One Login	Advanced SAML Custom Connector	Adding & Configuring an OIDC Application

SAML attributes

When you set up your identity provider, these are the SAML attributes you use:

Instructions	SAML Attribute	Map to your identity provider
Required	NameID	User’s email
Optional	`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`	User's first name
Optional	`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`	User's last name
Optional	`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`, or `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn`	Internal identity for the user that never changes. Do not use the user's email address for this ID.

Workflow

The process to enable SSO for an HCP organization consists of the following steps.

If necessary, verify your domain with HCP.
Initiate SSO creation on HCP.
Continue configuration with your preferred identity provider.
Add information from your identity provider to HCP.
Assign a default role to users.

After you enable SSO, you can manage, update, and delete your SSO from HCP. For more information, refer to manage SSO for your organization.

SSO integration with HCP Terraform

If you signed up for HCP Terraform with an existing HCP account, you may encounter an error when you attempt to use SSO to sign in to HCP Terraform.

HCP Terraform’s SSO requires a login with both an email and password in order to map to an SSO identity. As a result, users who sign up for HCP Terraform using an existing HCP account cannot set up a proper identity for SSO.

Guidance

The following HashiCorp resources are available to help you use HCP’s single sign-on features.

Usage documentation

Troubleshooting

Troubleshoot HCP single sign-on