Enterprise Single Sign-On

Enterprise Single Sign-On (SSO) lets your team authenticate with the HiveMQ Platform through your organization’s existing identity provider (IdP).

With SSO active, team members use their corporate credentials to log in. They do not need a separate HiveMQ password. SSO also enforces your organization’s authentication policies, for example multi-factor authentication requirements and session expiration rules, centrally from your IdP.

Enterprise SSO is available for HiveMQ Cloud Enterprise plan customers. Contact your HiveMQ account team or Technical Account Manager (TAM) to request activation.

How Enterprise SSO Works

Enterprise SSO uses two key mechanisms:

Self-Service SSO Ticket URL: After activation, HiveMQ issues the organization owner a secure, one-time URL. This URL opens a setup assistant that lets your IT administrator configure the IdP connection directly. Your team does not share sensitive IdP credentials with HiveMQ during setup.

Home Realm Discovery (HRD): Once SSO is active, HiveMQ detects your corporate email domain at login. When a user enters an email address with a configured domain, HiveMQ redirects the user to your identity provider for authentication. After successful authentication, the user returns to the HiveMQ Platform with an active session.

This design separates the business request from the technical configuration. The organization owner requests SSO activation and forwards the ticket URL to the appropriate IT administrator. The administrator completes the IdP setup independently, with no dependency on HiveMQ support.
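The Home Realm Discovery step described above can be sketched as a lookup from the email domain to an IdP connection. This is an added example, not HiveMQ's implementation; the domain table, the connection names, and the function names `email_domain` and `discover_realm` are assumptions made for illustration. It shows the point a reviewer would check in any HRD setup: the domain is normalized and matched exactly, so subdomains and lookalike domains are not routed to the corporate IdP.

```python
from typing import Optional

# Constructed sample data: configured email domain -> IdP connection name.
# Domains and connection names are hypothetical.
SSO_DOMAINS = {
    "example.com": "example-corp-idp",
    "example.org": "example-org-idp",
}


def email_domain(email: str) -> Optional[str]:
    """Return the normalized domain of an email address, or None if malformed."""
    email = email.strip()
    # Reject embedded whitespace and control characters outright.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in email):
        return None
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return None
    domain = domain.rstrip(".").lower()
    try:
        # IDNA encoding turns Unicode lookalike labels into distinct
        # "xn--" labels, so they cannot equal a configured ASCII domain.
        domain = domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return domain or None


def discover_realm(email: str) -> Optional[str]:
    """Return the IdP connection for a configured domain, else None.

    The match is exact. HRD only decides where to send the user; the
    identity itself is established by the IdP's response, never by the
    address typed into the login form.
    """
    domain = email_domain(email)
    if domain is None:
        return None
    return SSO_DOMAINS.get(domain)


if __name__ == "__main__":
    for addr in ("Alice@Example.COM", "bob@example.com.attacker.test",
                 "carol@mail.example.com", "not-an-email"):
        print(f"{addr!r:40} -> {discover_realm(addr)}")
```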

Supported Identity Providers

Enterprise SSO supports identity providers that use the following protocols:

Common examples include Okta, Azure Active Directory (Azure AD), and Google Workspace.

Effect on Organization Member Management

When SSO is active, the following changes apply to your organization:

  • The Members list on the Organization page shows only the organization Owner. All other members are managed through your identity provider.

  • Direct member invitation is disabled. Add new members by provisioning them in your identity provider.

For More Information