Single Sign-On
Use Hawcx as your identity provider for enterprise single sign-on
Enterprise Feature
SSO is available for enterprise customers. Contact [email protected] to provision SSO for your organization. Self-service configuration is coming soon.
Overview
Hawcx can act as a SAML identity provider (IdP) for your organization, enabling employees to authenticate through Hawcx when accessing your service providers (SPs). This replaces password-based login at the SP with Hawcx's device-bound, zero-knowledge authentication.
When SSO is configured, your service provider redirects login requests to Hawcx. Hawcx authenticates the user, then returns a signed assertion back to the SP to establish the session.
Why This Matters
Most organizations already federate their SaaS applications (Slack, Salesforce, GitHub, Jira, Zoom, etc.) through a central directory like Microsoft Entra, Google Workspace, or AWS Cognito. By configuring Hawcx as the identity provider for that directory, every application that federates through it becomes passwordless automatically. You don't need to integrate Hawcx into each application individually. Instead, you federate once at the directory level and every downstream application inherits Hawcx's device-bound authentication.
Supported Protocols
| Protocol | Status |
|---|---|
| SAML 2.0 | Available |
| OIDC | Coming soon |
Supported Service Providers
| Service Provider | Guide |
|---|---|
| Microsoft Entra ID (Azure AD) | Setup guide |
What Hawcx Provides
When you contact Hawcx support to enable SSO, you will receive:
| Item | Description |
|---|---|
| Project ID | Your unique organization identifier |
| SAML metadata URL | Endpoint your SP uses to discover Hawcx's IdP configuration |
| SSO endpoint | The URL your SP redirects authentication requests to |
| Signing certificate | X.509 certificate used to verify SAML assertions |
| SCIM endpoint | Base URL for automated user provisioning |
| SCIM bearer token | Authentication token for the SCIM provisioning API |
All endpoints are served from sandbox.hawcx.com.
User Provisioning (SCIM)
Hawcx supports SCIM 2.0 for automated user lifecycle management. When SCIM is enabled, your service provider directory syncs user accounts to Hawcx automatically. This means:
- New users are provisioned in Hawcx when added to the assigned group
- User profile updates (name, email) propagate automatically
- Deactivated users lose access without manual intervention
SCIM provisioning is configured as part of the SP-specific setup. See the Microsoft Entra guide for a complete walkthrough.
Next Steps
- How SAML works with Hawcx to understand the federation model
- Microsoft Entra setup guide for step-by-step configuration