SAML Federation
How Hawcx acts as a SAML 2.0 identity provider
Hawcx implements the SAML 2.0 Web Browser SSO Profile as an identity provider. Your service provider redirects login requests to Hawcx, which authenticates the user and returns a signed assertion to establish the session. See the SSO overview for a visual diagram of this flow.
This page covers the SAML-specific configuration: endpoints, SP-side setup, and SCIM user provisioning.
Hawcx SAML Endpoints
All SAML endpoints are scoped to your tenant and served from sandbox.hawcx.com.
| Endpoint | URL |
|---|---|
| Metadata | https://sandbox.hawcx.com/v1/saml/metadata?project_id={project_id} |
| SSO (passive sign-in) | https://sandbox.hawcx.com/v1/saml/sso?project_id={project_id} |
The metadata endpoint returns a standard SAML metadata document that most service providers can import directly. It includes the signing certificate, entity ID, and SSO binding locations.
What You Configure on the SP Side
Each service provider has its own admin interface for configuring an external identity provider. The general steps are:
- Register the domain you want to federate (e.g., sso.yourcompany.com)
- Point federation settings at Hawcx's metadata and SSO URLs
- Upload the signing certificate provided by Hawcx (or let the SP fetch it from the metadata URL)
- Set the authentication protocol to SAML
- Configure MFA behavior to accept MFA performed by the federated IdP (Hawcx handles MFA natively)
The specifics vary by SP. See the provider-specific guides below for detailed instructions.
SCIM User Provisioning
SCIM (System for Cross-domain Identity Management) keeps your SP's user directory in sync with Hawcx. Instead of manually creating and removing users in Hawcx, your SP pushes changes automatically.
What SCIM Handles
| Operation | Description |
|---|---|
| Create | New users assigned to the SSO application are provisioned in Hawcx |
| Update | Profile changes (display name, email) sync to Hawcx |
| Deactivate | Removed or disabled users are deprovisioned |
SCIM Endpoint
https://sandbox.hawcx.com/v1/scim/{project_id}/
Your SP authenticates to the SCIM API using a bearer token provided by Hawcx support.
Attribute Mapping
At a minimum, map these attributes from your SP directory to SCIM:
| SP Directory Attribute | SCIM Attribute |
|---|---|
| User principal name / email | userName |
| Display name | displayName |
| First name | name.givenName |
| Last name | name.familyName |
| | emails[type eq "work"].value |
| Unique object ID | externalId |
The exact attribute names on the SP side vary by provider. See the provider-specific guides for the correct mappings.