Enterprise Single Sign-On (SSO)


  • Enterprise single sign-on (SSO) is an easy and secure way for your team to access HydroForecast. With SSO enabled, users can use their corporate authentication credentials to get straight into HydroForecast. This means no more extra passwords to remember and a higher level of security. HydroForecast supports Security Assertion Markup Language (SAML), OpenID Connect Single Sign-On (OIDC), and Microsoft. 

How to get started

  • If you would like to set up SSO for your HydroForecast account, please contact our team at team@hydroforecast.com for next steps.
  • We’ll ask you to provide some additional information based on your provider and confirm whether you would like SSO to be optional or enforced for your organization. 
    • For SAML, please be ready to send along the following: Identity Provider ID, Identity Provider Certificate, and Identity Provider SSO URL.
    • For OIDC, we’ll need the following information: Client ID, Client secret, and Issuer URL.
    • For Microsoft, we’ll ask for the Client ID and Client secret.

Connecting your identity provider with HydroForecast

  • Once we have the information from you about your identity provider, we’ll confirm the service provider entity ID and the authentication redirect URL, which is currently https://login.upstream.tech/__/auth/handler, and any other information your IT team needs to configure the link between HydroForecast and your identity provider.
  • One other note is that any users in HydroForecast will need to be in your active directory, and you’ll need to use the same email address in HydroForecast and your identity provider. 

What to expect once SSO is set up

  • Once everything is set up, the next time you sign into HydroForecast you’ll notice an optional or required button to sign in using SSO, depending on whether you configured SSO as enforced or optional. 
  • You can use the same invite links from HydroForecast to add new users at different permissions levels, and they will have the ability to sign up using SSO. Below is an example of a new user signup page where SSO is enforced. 
  • And here is another example of a new user sign up page where SSO is optional.