Set up single sign-on (SSO) (2024)

Last updated: August 20, 2024

Single sign-on (SSO) allows you to give your team members one account for all of the systems your business uses. Security Assertion Markup Language, or SAML, is an open standard used for authentication. Based upon the Extensible Markup Language (XML) format, web applications use SAML to transfer authentication data between two parties - the identity provider (IdP) and the service provider (SP). If you have a HubSpot Enterprise account and have SAML-based SSO set up, you can require users to log in to HubSpot using their SSO credentials.

Please note: this setup process should be done by an IT administrator with experience creating applications in your identity provider account. Only super admins can set up SSO for your account.

General setup

  • Log in to your identity provider account.
  • Navigate to your applications.
  • Create a new application for HubSpot. To get the Audience URI and Sign on URL, ACS, Recipient, or Redirect values:
    • In your HubSpot account, click the settings icon in the top navigation bar.
    • In the left sidebar menu, select Security > Settings & Activity.
    • Under Login, click Set up Single Sign-on. In the right panel:
      • If you'd like to manually input the data from your identity provider, under the Most Identity Providers tab, click Copy next to the values as needed. Then, paste the values from your identity provider below. Click Verify.
      • If you are using Microsoft AD FS, under the Microsoft AD FS tab, click Copy next to the values as needed. Then, paste the values from your identity provider below. Click Verify.
      • If you'd like to upload an XML file to automatically populate your identity provider values, under the Federation Metadata tab, drag and drop or click Choose a file to upload your federation metadata. Then, click Verify.

The navigation instructions and field names above may differ across identity providers. You can find more specific instructions for setting up applications in commonly used identity providers below:

  • Okta
  • OneLogin
  • Azure Active Directory
  • Google

If you're using Active Directory Federation Services, learn more about setting up single sign-on using AD FS.

Require SSO for all users

After setting up SSO, you can require all users to use SSO to log in to HubSpot.

Please note: effective July 31st, 2024, this setting will be turned on by default.

  • In your HubSpot account, click the settings icon in the top navigation bar.
  • In the left sidebar menu, click Security > Settings & Activity.
  • Under Login, select the Require Single Sign-on checkbox.

Exclude specific users from SSO requirement

After setting up SSO, you can exclude specific users from the SSO requirement to allow them to also log in with their HubSpot user account.

  • In your HubSpot account, click the settings icon in the top navigation bar.
  • In the left sidebar menu, click Security > Settings & Activity.
  • Under Login, click Manage excluded users.

  • In the dialog box, click the Choose users dropdown menu and select the users that will be able to log in with their HubSpot accounts. For example, you can select partners and contractors if they lack a SSO login.
  • Click Save.

Please note: the user who selects the Require Single Sign-on checkbox will automatically be added to the excluded users. It is recommended to exclude at least one user with Super Admin permissions. In the event your identity provider is down, they can log in and clear the Require Single Sign-on checkbox to allow all users to log in with their HubSpot accounts.

Instructions for specific identity providers

Okta

Please note: you need administrative access in your Okta instance. This process is only accessible in the Classic UI in Okta.

  • Log in to Okta. Make sure you are in the administrative instance of your Okta developer account.
  • Click Applications in the top navigation bar.
  • Click Add application.
  • Search for HubSpot SAML, then click Add.
  • On the General Settings screen, click Done.
  • On the application's details page, click the Sign On tab.
  • Under the "SAML 2.0 is not configured until you complete the setup instructions" message, click View Setup Instructions. This will open a new tab. Keep it open, then return to the original tab in Okta.
  • In the same tab, scroll down to Advanced Sign-on Settings and add your Hub ID in the Portal Id field. Learn how to access your Hub ID.
  • Navigate to your user settings. Assign the new app to any users that are also in your HubSpot account, including yourself.
  • Return to the View Setup Instructions tab. Copy each of the URLs and the certificate, and paste them in HubSpot in the Identity Provider Identifier or Issuer URL field, the Identity Provider Single Sign-On URL field, and the X.509 Certificate field.
  • Click Verify. You’ll be prompted to log in with your Okta account to finish the configuration and save your settings.

Once your SSO setup has been verified, navigate to https://app.hubspot.com/login/sso and enter your email address. HubSpot will look up your portal's single sign-on configuration and send you to your identity provider to sign in. You’ll also see a Log in with SSO button when visiting a direct link to your account.

OneLogin

Please note: you need administrative access in your OneLogin instance to create a new SAML 2.0 application in OneLogin, as required.

  • Log in to OneLogin.
  • Navigate to Apps.
  • Search for HubSpot.
  • Click the app that states "SAML2.0".
  • In the upper right, click Save.
  • Click the Configuration tab.
  • In the HubSpot Account ID field, add your Hub ID. Learn how to access your Hub ID.
  • Click the SSO tab.
  • Copy the following fields from OneLogin and paste them into the corresponding fields of the SSO setup panel in HubSpot:
    • Copy the value under Issuer URL and paste it into Identity Provider Identifier or Issuer URL.
    • Copy the value under SAML 2.0 Endpoint (HTTP) and paste it into Identity Provider Single Sign-on URL.
    • Under X.509 Certificate, click View Details, then copy the certificate and paste it into X.509 Certificate.

  • In the upper right of your OneLogin account, click Save.

Once your SSO setup has been verified, navigate to https://app.hubspot.com/login/sso and enter your email address. HubSpot will look up your portal's single sign-on configuration and send you to your identity provider to sign in. You’ll also see a Log in with SSO button when visiting a direct link to your account.

Microsoft Entra ID

For Microsoft Entra ID (formerly Azure Active Directory) users, install the HubSpot app in the Microsoft Azure Marketplace and follow Microsoft's instructions to set up the integration. This will allow you to use Microsoft Entra ID to manage user access and turn on single sign-on with HubSpot.

Once your SSO setup has been verified, navigate to https://app.hubspot.com/login/sso and enter your email address. HubSpot will look up your portal's single sign-on configuration and send you to your SSO provider to sign in. You’ll also see a Log in with SSO button when visiting a direct link to your account.

Google

Check out Google's instructions on how you can set up HubSpot single sign-on with G-Suite as your identity provider.

Once your SSO setup has been verified, navigate to https://app.hubspot.com/login/sso and enter your email address. HubSpot will look up your portal's single sign-on configuration and send you to your SSO provider to sign in. You’ll also see a Log in with SSO button when visiting a direct link to your account.

FAQs

Which binding does HubSpot use as a SAML service provider?

HubSpot uses HTTP Post.

I’m using Active Directory Federation Services. What should I use as my relying party trust (RPT)?

Learn more about setting up single sign-on using ADFS.

Which username format should I set in my SAML application?

HubSpot users are identified by email address. Ensure that your IdP is sending a NameID in email format that corresponds with the user's HubSpot email address.

Which signing algorithm does HubSpot support?

Please note: After March 31, 2023, HubSpot will stop supporting SHA-1 for new SSO connections. Any existing SSO connections that use SHA-1 may still work until HubSpot stops supporting SHA-1 for all SSO connections on June 30, 2023. If you are using SHA-1, you will need to migrate to SHA-256 by June 30, 2023.

HubSpot supports only SHA-256 as a signing algorithm. You need to sign your requests with SHA-256.

Which format should I provide my x509 certificate in?

HubSpot requires a PEM format x509 certificate. You should copy the text contents of the PEM file into the x509 certificate field in HubSpot. The value should also include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
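
The three requirements above (NameID in email format, SHA-256 only, PEM certificate with its BEGIN/END lines) can be checked before clicking Verify. The following is an added example, not HubSpot's code: it inspects a decoded SAML response captured from a test login and the certificate text you intend to paste. The function names, the sample response and the case-insensitive email comparison are assumptions.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PEM_RE = re.compile(r"\A-----BEGIN CERTIFICATE-----\s(.+?)\s-----END CERTIFICATE-----\Z", re.S)
EMAIL_RE = re.compile(r"\A[^@\s]+@[^@\s]+\.[^@\s]+\Z")

# Constructed sample: SHA-1 algorithms and a NameID that is not an email address.
SAMPLE_BAD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion><ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
 </ds:SignedInfo></ds:Signature>
 <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
 </saml:Assertion></samlp:Response>"""


def check_pem(pem_text):
    """Problems with the text destined for the X.509 Certificate field."""
    match = PEM_RE.match(pem_text.strip())
    if not match:
        return ["certificate lacks BEGIN/END CERTIFICATE lines"]
    try:
        base64.b64decode("".join(match.group(1).split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["certificate body is not valid base64"]
    return []


def check_response(xml_text, expected_email):
    """Problems in a decoded SAML response; the signature is NOT verified here."""
    root = ET.fromstring(xml_text)  # only feed it your own IdP's test output
    problems = []
    for tag in ("SignatureMethod", "DigestMethod"):
        algs = [n.get("Algorithm", "") for n in root.findall(f".//ds:{tag}", NS)]
        if not algs:
            problems.append(f"no {tag} found (is the response signed?)")
        problems += [f"{tag} is not SHA-256: {a}" for a in algs
                     if not a.lower().endswith("sha256")]
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not EMAIL_RE.match(value):
        problems.append(f"NameID is not an email address: {value!r}")
    elif value.casefold() != expected_email.casefold():  # assumption: case-insensitive
        problems.append(f"NameID {value!r} does not match {expected_email!r}")
    return problems
```

An empty list from both functions means the declared algorithms, NameID and certificate framing match what this page requires; it says nothing about whether the signature itself is valid.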

Can I turn on two-factor authentication, required two-factor authentication, SSO, and required SSO at the same time?

Yes. When you have two-factor authentication turned on, it's active on any login with your HubSpot username and password. Enabling 2FA in HubSpot does not prevent you from logging in using Google's 2FA or SSO. Therefore, if users are excluded from the SSO requirement, you can require HubSpot's 2FA to ensure that any logins that bypass SSO go through 2FA or Google.

If you enable 2FA for your Google account, this is separate from your HubSpot setup. However, when you log into HubSpot with your Google account, Google's 2FA will protect your HubSpot account.

If you have two-factor authentication and SSO required or enabled in your account at the same time, the following will occur:

  • If you're required to log into your account with SSO, your 2FA for HubSpot will not be prompted.
  • If your account requires SSO, but you're excluded, you can log in with either 2FA or the Login with Google or Login with Microsoft options.
  • If you're required to log in with 2FA and no SSO is set up, you can log in with either 2FA or the Login with Google or Login with Microsoft options.
  • If your account has no requirements but has enabled SSO, you can log in with any method including SSO.

FAQs

What is the biggest disadvantage of using single sign-on SSO for authentication?

If the Single Sign-On provider goes down, your entire company will lose access to connected apps and software. There are still some applications that do not support SSO. This results in employees needing additional login credentials, which defeats the point of simplifying the environment with SSO.

Is setting up SSO hard?

Connecting users to apps through legacy SSO solutions is difficult, requiring updated user stores, firewall changes, and additional hardware.

How to solve single sign-on error?

This error usually means that the SAML response provided by the IdP was missing the required FirstName (or equivalent) attribute, which should match the user's “First Name” field in both the IdP and their Uptime.com user account. Please confirm that the FirstName attribute is properly configured in the IdP.

Why is SAML so complicated?

Each layer has signatures that need verification, a process that can be like peeling an onion. A generalized SAML integration can be difficult to implement and check because it's not always hierarchical and requests between systems can be non-linear.

How long does it take to configure SSO?

A Premier site administrator starts the single sign-on setup in their Premier account. An identity or IT administrator in the organization registers and configures the identity provider (IdP). This process can take 30 to 45 minutes.

Why does SSO fail?

For security reasons, the SSO login flow must complete within a certain timeframe, or authentication fails. If the clock on your Identity Provider is incorrect, most or all login attempts will appear to be out of the acceptable timeframe, and authentication will fail with the above error message.

Is single sign-on worth it?

Security and compliance benefits of SSO

SSO reduces the number of attack surfaces because users only log in once each day and only use one set of credentials. Reducing login to one set of credentials improves enterprise security. When employees have to use separate passwords for each app, they usually don't.

What is most important to consider when implementing SSO?

Keep in mind, after an SSO system is implemented one password gives your employees access to all of the organization's most valuable applications. Therefore, it's important that your employees' passwords are secure.

When not to use SSO?

Creates a single point of failure

If the SSO system is not properly maintained, threat actors can potentially compromise it and gain access to multiple services at once. Additionally, if the SSO system experiences downtime, users may not be able to log into any dependent applications or services.

Should I build my own SSO?

In conclusion, while building an SSO solution in-house may offer some advantages in terms of customization and control, buying an SSO solution from a third-party vendor can offer several advantages, including faster time-to-market, lower costs, expertise, scalability, and integration.

What is required for configuring SSO?

To configure SSO, you need: A Microsoft Entra user account. If you don't already have one, you can Create an account for free. One of the following roles: Cloud Application Administrator, Application Administrator, or owner of the service principal.

What is a single sign-on SSO solution?

Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials.

What is SAML in SSO?

Security Assertion Markup Language, or SAML, is a standardized way to tell external applications and services that a user is who they say they are. SAML makes single sign-on (SSO) technology possible by providing a way to authenticate a user once and then communicate that authentication to multiple applications.

Why is SSO not working in Chrome?

Try disabling any extensions and see if that resolves the issue. Clear cache: Clearing the cache and cookies of the browser can also help resolve the issue. To do this, go to the browser settings and select the option to clear browsing data. Update browser: Check if your browser is up-to-date.

How does Single Sign-On SSO work?

Single sign-on (SSO) is a technology which combines several different application login screens into one. With SSO, a user only has to enter their login credentials (username, password, etc.) one time on a single page to access all of their SaaS applications.

How do you implement a single sign in Microsoft?

Enable single sign-on
  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
  2. Browse to Identity > Applications > Enterprise applications > All applications.
  3. Enter the name of the existing application in the search box, and then select the application from the search results.

What is the Single Sign-On SSO protocol?

Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials.

Author: Ray Christiansen