SSO and SCIM Authentication for Enterprise Teams for Secure Identity Management

The Hubstaff Enterprise plan includes SSO and SCIM to centralize authentication and automate user identity management, reducing compliance risks caused by inconsistent login and access controls.


SSO (Single Sign-On) Explained

Single Sign-On (SSO) is an authentication method that allows users to access a software platform with a single identifier, eliminating the need to recreate or re-enter passwords. SSO (backed by a two-factor authentication system) helps keep data secure across systems. Use it to automate Hubstaff logins across teams and prevent employees from maintaining multiple, inconsistent credentials that can create security risks.


What SSO does:

  • Eliminates the need for separate passwords and manual provisioning by allowing users to log in to Hubstaff using an existing identity provider.
  • Removes any workaround or compliance gap by allowing organization owners to implement SSO as the sole login method.

Why SSO matters:

  • Reduces the risk of compromised passwords and unauthorized access.
  • Streamlines onboarding and instantly cuts off access when someone leaves the team.
  • Creates a single, centralized point of control, making it easier for IT to manage and audit.
  • Integrates with popular identity providers like Azure, ADFS, Okta, OneLogin, Google Workspace, and Office 365.

Who can configure it: Organization owners with the managed IT permission can configure SSO directly in Hubstaff from the organization settings menus under security and login options.

SCIM (System for Cross-domain Identity Management)


SCIM (System for Cross-domain Identity Management) automates the addition and removal of employee identity data from company systems. For enterprise teams using automatic time tracking on company devices, Hubstaff supports automated member identity management with SCIM to simplify member provisioning and deprovisioning.

With SCIM, enterprise IT teams can save significant time, maintain security and compliance standards, and reduce administrative work when adding or removing member records in Hubstaff.

What SCIM does:

  • Helps automate member provisioning and de-provisioning with the company's identity provider.
  • Automatically grants Hubstaff access to new members as they join and revokes it when users leave.

Why it matters:

  • Reduces the time and effort IT teams spend on manual member management.
  • Eliminates the risk of orphaned accounts creating compliance issues for enterprises.
  • Establishes one destination to store member data in sync with the IdP’s source of truth.

Supported provider: Hubstaff currently supports Microsoft Azure. Other providers are available on request; contact support@hubstaff.com.

Here’s how it works:

  • Member identity data syncs automatically every 40 minutes. You can also try Microsoft Azure for immediate, on-demand provisioning and map SCIM groups to Hubstaff teams for organized access.

  • The following user fields are synced: display name, first/last name, email, job title, department, and OS username (the last one requires custom mapping).
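
A reconciliation check for the 40-minute sync described above, as an added example that is not Hubstaff's code: it compares an IdP roster with an application member list and flags accounts that are still active after a full sync interval has passed. The record layouts, field names and sample data are assumptions constructed for illustration, not a Hubstaff or Azure export format.

```python
from datetime import datetime, timedelta, timezone

SYNC_INTERVAL = timedelta(minutes=40)  # sync cadence stated on this page

# Constructed sample data; the record layouts are assumptions for this example.
IDP_USERS = [
    {"email": "ana@example.com", "active": True, "disabled_at": None},
    {"email": "bo@example.com", "active": False, "disabled_at": "2024-05-01T09:00:00+00:00"},
    {"email": "cy@example.com", "active": False, "disabled_at": "2024-05-01T11:45:00+00:00"},
]
APP_MEMBERS = [
    {"email": "Ana@example.com", "status": "active"},
    {"email": "bo@example.com", "status": "active"},
    {"email": "cy@example.com", "status": "active"},
    {"email": "dee@example.com", "status": "active"},
    {"email": "eli@example.com", "status": "removed"},
]

def audit_members(idp_users, app_members, now, grace=SYNC_INTERVAL):
    """Classify active app members against the IdP, the source of truth."""
    idp = {u["email"].strip().lower(): u for u in idp_users}
    findings = {"orphaned": [], "stale": [], "pending_sync": []}
    for member in app_members:
        if member["status"] != "active":
            continue  # already deprovisioned in the app
        email = member["email"].strip().lower()  # match case-insensitively
        user = idp.get(email)
        if user is None:
            findings["orphaned"].append(email)  # no IdP identity at all
        elif not user["active"]:
            ts = user["disabled_at"]
            # An unknown disable time is treated as overdue rather than excused.
            if ts is None or now - datetime.fromisoformat(ts) > grace:
                findings["stale"].append(email)  # missed a full sync cycle
            else:
                findings["pending_sync"].append(email)  # still inside the window
    return findings

def sample_findings():
    """Run the audit on the constructed data at a fixed reference time."""
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    return audit_members(IDP_USERS, APP_MEMBERS, now)

if __name__ == "__main__":
    for kind, emails in sample_findings().items():
        print(f"{kind}: {', '.join(emails) or '-'}")
```

Accounts in the "stale" and "orphaned" lists are the ones to investigate; "pending_sync" entries should clear on the next sync cycle.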

Why SSO and SCIM work together for ultimate security

Single Sign-On (SSO) makes logging in simpler and more secure, but it doesn't solve what happens before or after login. That’s where SCIM comes in to automate who gets access, when they get it, and whether that access is removed when they leave.

This way, IT teams can automate member provisioning to reduce errors and wasted time in manual processes.

Here’s how SSO and SCIM solve different parts of the identity management process:

  • Automatically creates Hubstaff accounts for new employees.
  • Updates user access when roles or departments change.
  • Removes access when employees leave the organization.
  • Removes security risks stemming from unauthorized access.
  • Eliminates manual user profile updates and repetitive admin tasks.
  • Maintains consistent identity policies across your tech stack.

*Note that SSO and SCIM are available exclusively on Hubstaff's Enterprise plan.


Role-based permission to prevent unauthorized access

Hubstaff's role-based access controls are designed to help ensure data is protected by providing access for Organization Owners, Organization Managers, and users with the Manage IT custom permission.

Setting strict roles and permissions allows organizations to delegate identity management responsibilities without inviting the added risk of granting admin access to everyone.

By limiting who can modify authentication and provisioning settings, Hubstaff helps support internal security policies and governance requirements.


A secure, streamlined approach to account provisioning

Try Hubstaff free for 14 days for automated, secure enterprise account provisioning.