Single Sign-On (SSO)

Single Sign-On lets your tenants and administrators authenticate into HqO using the same credentials they use for other company tools, with no separate HqO password required.
Overview
HqO supports Service Provider (SP)-initiated SSO using OpenID Connect (OIDC). In this model, HqO acts as the Service Provider (SP) and your organization's identity platform acts as the Identity Provider (IdP). When a user signs in, HqO routes authentication to your IdP based on their email domain.
SSO is configured at the tenant company level. Each tenant company with SSO enabled has a routing rule created based on their email domain.
⚠️ Note: SSO requires inclusion in your HqO contract. Contact your HqO Customer Success Manager or Implementation Manager to enable it.
Supported identity providers
| Provider | Protocol |
|---|---|
| Okta | OIDC |
| Microsoft Azure Active Directory (Azure AD) | OIDC / SAML |
| Ping Identity | OIDC / SAML |
Other OIDC or SAML-compatible identity providers may also be supported. Contact your HqO account team to confirm compatibility.
How SSO works with HqO
- A user opens the HqO app or admin portal and enters their work email address.
- HqO checks the email domain against configured SSO routing rules.
- If a match is found, the user is redirected to their company's IdP to authenticate.
- The IdP returns a token to HqO confirming the user's identity.
- HqO grants access without requiring a separate HqO password.
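
The routing and token-acceptance steps above, sketched as an added example that is not HqO's code: it shows exact-match domain routing and a check that the email the IdP asserts belongs to a domain routed to that same IdP. The domains, issuer URLs, `ROUTING_RULES` table and function names are constructed for illustration, and requiring the `email_verified` claim is an assumption about the IdP.

```python
# Added illustration only: not HqO code. Domains, issuer URLs and the
# ROUTING_RULES structure are constructed for this example.
from typing import Optional

# One routing rule per tenant email domain -> the IdP issuer trusted for it.
ROUTING_RULES = {
    "acme.example": "https://acme.okta.example",
    "globex.example": "https://login.globex.example",
}


def email_domain(email: str) -> Optional[str]:
    """Return the normalized domain of an address, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain


def route_login(email: str) -> Optional[str]:
    """Steps 2-3: exact-match the domain against the routing rules.

    Exact match matters: a suffix or substring match would wrongly route
    lookalike domains such as 'evil-acme.example' to Acme's IdP rule.
    """
    domain = email_domain(email)
    return ROUTING_RULES.get(domain) if domain else None


def accept_identity(claims: dict) -> bool:
    """Steps 4-5: accept the IdP's answer only if the asserted email belongs
    to a domain routed to that same issuer and the IdP marks it verified.

    Assumes the ID token signature, audience, nonce and expiry were already
    validated by an OIDC library before this function is called.
    """
    email = claims.get("email")
    if not isinstance(email, str) or claims.get("email_verified") is not True:
        return False
    expected_issuer = route_login(email)
    return expected_issuer is not None and expected_issuer == claims.get("iss")
```

Because the email is the account identifier, the issuer-to-domain binding in `accept_identity` is what keeps one tenant's IdP from vouching for an address in another tenant's domain.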
Benefits for property teams
- Tenants with SSO typically show higher registration and retention rates because login uses familiar company credentials.
- User lifecycle management shifts to the tenant's IT team: when an employee leaves, revoking IdP access automatically removes HqO access.
- Eliminates password reset requests for HqO-specific credentials.
Setting up SSO
SSO configuration requires HqO team involvement. To set up SSO for a tenant:
- Contact your HqO Customer Success Manager or Implementation Manager.
- Complete the SSO intake form provided by the HqO team.
- HqO creates a routing rule for the tenant's email domain.
- The tenant's IT team configures their IdP (Okta, Azure AD, or Ping) to trust HqO as a service provider.
- HqO requires that all expected users have a unique, company-specific email address that can authenticate through their IdP.
Provider-specific notes
Okta
- HqO supports SP-initiated OIDC transactions with Okta.
- Available globally.
- The user's email is used as the OAuth unique account identifier.
Microsoft Azure AD
- Supported via OIDC or SAML.
- Common in enterprise deployments with Microsoft 365 environments.
Ping Identity
- Supported via OIDC or SAML.
- Contact your HqO team for Ping-specific setup requirements.
User experience with SSO
When SSO is active for a tenant company:
- The user opens the HqO app and enters their work email.
- They are redirected to their company's login page (Okta, Microsoft, etc.).
- After authenticating with their company credentials, they are returned to HqO automatically.
- No additional HqO password is required.
FAQ
Does SSO apply to HqO Admin as well as the tenant app? SSO can be configured for both admin users and tenant end-users. Scope is determined during the setup process with your HqO team.
What happens when an employee leaves the company? When the tenant's IT team disables or deletes the employee's account in their IdP, that user can no longer authenticate into HqO. HqO access is automatically revoked.
Can SSO and password login exist at the same time? This depends on your configuration. Some deployments enforce SSO only; others allow both methods. Contact your HqO account team for details.
How long does SSO setup take? Setup typically takes 1–2 weeks depending on the complexity of your IdP configuration and the responsiveness of the tenant's IT team.
Is SSO available globally? Yes. HqO's Okta integration is available globally. Azure AD and Ping are also available globally subject to your contract.
Need help?
Contact your HqO account team or email appsupport@hqo.co.
Related
- Integrations Overview
- HID Mobile Access
- Features: enable SSO for specific audiences