Hopara supports SP-initiated single sign-on (SSO) with SAML. The first step is to get an access token using the client ID and secret provided by the Hopara support team. This token must be sent as a Bearer token in the subsequent Hopara requests.
curl --request POST \
--url https://auth.hopara.app/token \
--header 'Content-Type: application/json' \
--data '{
"clientId": "[your client id]",
"clientSecret": "[your secret]"
}'
Then you can get the SSO information by calling the SAML endpoint. You will use this information when adding the Hopara application in your IDP.
curl --location 'https://auth.hopara.app/saml/info?tenant=[your_domain.com]' --header 'authorization: Bearer [your_token]'
Example response:
{
"singleSignOnUrl":"https://xxx.auth.us-east-1.amazoncognito.com/saml2/idpresponse",
"audienceUri":"urn:amazon:cognito:sp:yyy"
}
The configuration below should be set when adding the Hopara application in your IDP.

Attribute statements:

Name | Value |
--- | --- |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.email |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | user.firstName |

Group attribute statement:

Name | Filter (matches regex) |
--- | --- |
groups | .* |

If you are adding the application in Okta, answer the wizard's final questions with "I'm an Okta customer adding an internal app" and "This is an internal app that we have created".
Hopara supports the following permission groups, which you can assign to users in your IDP.
Assign only one group per user. Groups higher in the table inherit the permissions of the groups below them (e.g. the studio profile inherits the scene-builder and visualization permissions).

Group | Permissions |
--- | --- |
hopara:profile:admin | Manage users |
hopara:profile:data | Create new datasources and queries |
hopara:profile:studio | Create new visualizations and customize them |
hopara:profile:scene-builder | Manage assets and rooms (e.g. move and place assets) |
hopara:profile:visualization | View only |
After the app has been added to your IDP, you should have access to its metadata URL. Register that URL with Hopara by calling the saml/configure endpoint.
curl --location 'https://auth.hopara.app/saml/configure' \
--header 'Content-Type: application/json' \
--header 'authorization: Bearer [your_token]' \
--data '{
"tenant": "yourdomain.com",
"metadataUrl": "metadata URL from your IDP"
}'
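Before handing the metadata URL to saml/configure, it is worth checking that what the IdP publishes there can actually serve SP-initiated SSO. The following Python is an added example, not Hopara's code: the namespaces are the standard SAML 2.0 metadata ones, and SAMPLE_METADATA is a constructed document with a placeholder certificate.

```python
"""Added example, not Hopara's code: pre-flight check of the IdP metadata you
are about to hand to /saml/configure. The SAML metadata namespaces below are
the standard ones; SAMPLE_METADATA is constructed for this example."""
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"


def check_idp_metadata(xml_text: str) -> dict:
    """Return the IdP entityID, its SSO endpoints keyed by binding, and the
    number of signing certificates. Raise ValueError when the document cannot
    serve SP-initiated SSO: no IdP role, no HTTP-POST endpoint, or no signing
    certificate (the SP would then have nothing to verify assertions against)."""
    root = ET.fromstring(xml_text)
    # Metadata may be a bare EntityDescriptor or wrapped in an EntitiesDescriptor.
    entity = root if root.tag == MD + "EntityDescriptor" else root.find(MD + "EntityDescriptor")
    if entity is None:
        raise ValueError("no EntityDescriptor in metadata")
    idp = entity.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata describes no IdP (IDPSSODescriptor missing)")
    endpoints = {(e.get("Binding") or "").rsplit(":", 1)[-1]: e.get("Location")
                 for e in idp.findall(MD + "SingleSignOnService")}
    if "HTTP-POST" not in endpoints:
        raise ValueError("IdP offers no HTTP-POST SingleSignOnService")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing = [k for k in idp.findall(MD + "KeyDescriptor")
               if k.get("use", "signing") == "signing"
               and k.find(".//" + DS + "X509Certificate") is not None]
    if not signing:
        raise ValueError("IdP metadata carries no signing certificate")
    return {"entityId": entity.get("entityID"), "sso": endpoints, "signingKeys": len(signing)}


# Constructed sample in the shape of typical IdP metadata; the certificate body
# is a placeholder, not a real key.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://idp.example.com/exk123">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/app/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/app/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `check_idp_metadata` on the body fetched from your real metadata URL (over HTTPS) and only call saml/configure once it returns without raising.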
You can test the integration by trying to log in on https://hopara.app.