HubSpot Knowledge Base

Set up single sign-on (SSO)

Written by HubSpot Support | Nov 20, 2019 5:00:00 AM

Single sign-on (SSO) allows you to give your team members one account for all of the systems your business uses. If you have a HubSpot Enterprise account and have SSO set up for your business, you can require users to log in to HubSpot using their SSO credentials.

Please note: this setup process should be done by an IT administrator with experience creating applications in your identity provider account.

General setup

Initial setup

  • Log in to your identity provider account.
  • Navigate to your applications.
  • Create a new application for HubSpot.
    • To get the Audience URI and Sign on URL, ACS, Recipient, or Redirect values:
      • In your HubSpot account, click the settings icon settings in the main navigation bar.
      • In the left sidebar menu, select Account Defaults.
      • In the Single sign-on (SSO) section, click Set up.
      • In the right pane, click Copy next to the values as needed. If you are using Microsoft AD FS, click the Microsoft AD FS tab to copy the values needed.
      • Paste them into your identity provider account where required.
    • If prompted, set the username format/name ID to Email.
  • Copy the identifier or issuer URL, the single-sign on URL, and the certificate from your identity provider, and paste them into the corresponding fields in the SSO setup panel in HubSpot.
  • Click Verify.
The navigation instructions and field names above may differ across identity providers. You can find more specific instructions for setting up applications in commonly used identity providers below:

If you're using Active Directory Federation Services, learn more about setting up single sign-on using ADFS.

Require SSO for all users

  • In your HubSpot account, click the settings icon settings in the main navigation bar.
  • In the left sidebar menu, click Account Defaults.
  • Under the Single Sign-on (SSO) section, select the Require Single Sign-on to log in checkbox.

Exclude certain users from SSO requirement

  • In your HubSpot account, click the settings icon settings in the main navigation bar.
  • In the left sidebar, click Account defaults.
  • To allow certain users to also log in with their HubSpot accounts, under the Single sign-on (SSO) section, click Exclude users.

  • In the dialog box, click the Choose users dropdown menu and select the users that will be able to log in with their HubSpot accounts. For example, you can select partners and contractors if they lack a SSO login.
  • Click Save.

Please note: the user who selects the Require Single Sign-on to log in checkbox will automatically be added to the excluded users. It is recommended to exclude at least one user with Super Admin permissions. In the event your identity provider is down, they can log in and clear the Require Single Sign-on to log in checkbox to allow all users to log in with their HubSpot accounts.

Instructions for specific identity providers

Okta

Please note: you need administrative access in your Okta instance. This process is only accessible in the Classic UI in Okta.

  • Log in to Okta. Make sure you are in the administrative instance of your Okta developer account.
  • Click Applications in the top navigation bar.
  • Click Add application.
  • Search for HubSpot SAML, then click Add.
  • On the General Settings screen, click Done.
  • On the application's details page, click the Sign On tab.
  • Under the "SAML 2.0 is not configured until you complete the setup instructions" message, click View Setup Instructions. This will open a new tab. Keep it open, then return to the original tab in Okta.
  • In the same tab, scroll down to Advanced Sign-on Settings and add your Hub ID in the Portal Id field. Learn how to access your Hub ID.
  • Navigate to your user settings. Assign the new app to any users that are also in your HubSpot account, including yourself.
  • Return to the View Setup Instructions tab. Copy each of the URLs and the certificate, and paste them in HubSpot in the Identity Provider Identifier or Issuer URL field, the Identity Provider Single Sign-On URL field, and the X.509 Certificate field.
  • Click Verify. You’ll be prompted to log in with your Okta account to finish the configuration and save your settings.

Once your SSO setup has been verified, navigate to https://app.hubspot.com/login/sso and enter your email address. HubSpot will look up your portal's single sign-on configuration and send you to your identity provider to sign in. You’ll also see a Log in with SSO button when visiting a direct link to your account.

OneLogin

Please note: you need administrative access in your OneLogin instance to create a new SAML 2.0 application in OneLogin, as required.

  • Log in to OneLogin.

  • Navigate to Apps.

  • Search for HubSpot.

  • Click the app that states "SAML2.0".

  • In the upper right, click Save.

  • Click the Configuration tab.

  • In the HubSpot Account ID field, add your Hub ID. Learn how to access your Hub ID.

  • Click the SSO tab.
  • Copy the following fields from OneLogin and paste them into the corresponding fields of the SSO setup panel in HubSpot:
    • Copy the value under Issuer URL and paste it into Identity Provider Identifier or Issuer URL.
    • Copy the value under SAML 2.0 Endpoint (HTTP) and paste it into Identity Provider Single Sign-on URL.
    • Under X.509 Certificate, click View Details, then copy the certificate and paste it into X.509 Certificate.

  • In the upper right of your OneLogin account, click Save.

Once your SSO setup has been verified, navigate to https://app.hubspot.com/login/sso and enter your email address. HubSpot will look up your portal's single sign-on configuration and send you to your identity provider to sign in. You’ll also see a Log in with SSO button when visiting a direct link to your account.

Azure Active Directory

For Azure Active Directory users, install the HubSpot app in the Microsoft Azure Marketplace and follow the set up instructions. This will allow you to use Azure AD to manage user access and enable single sign-on with HubSpot.

Once your SSO setup has been verified, navigate to https://app.hubspot.com/login/sso and enter your email address. HubSpot will look up your portal's single sign-on configuration and send you to your SSO provider to sign in. You’ll also see a Log in with SSO button when visiting a direct link to your account.

Google

Check out Google's instructions on how you can set up HubSpot single sign-on with G-Suite as your identity provider.

Once your SSO setup has been verified, navigate to https://app.hubspot.com/login/sso and enter your email address. HubSpot will look up your portal's single sign-on configuration and send you to your SSO provider to sign in. You’ll also see a Log in with SSO button when visiting a direct link to your account.

FAQs

Which binding does HubSpot use as a SAML service provider?

HubSpot uses HTTP Post.

I’m using Active Directory Federation Services. What should I use as my relying party trust (RPT)?

Learn more about setting up single sign-on using ADFS.
 
Which username format should I set in my SAML application?

HubSpot users are identified by email address. Ensure that your IDP is sending a nameID in email format that corresponds with their HubSpot user’s email address.

Which signing algorithm does HubSpot support?

HubSpot supports SHA-1 and SHA-256 as signing algorithms. It's recommended that you sign your requests with SHA-256.

Which format should I provide my x509 certificate in?

HubSpot requires a PEM format x509 certificate. You should copy the text contents of the PEM file into the x509 certificate field in HubSpot. The value should also include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Can I enable two-factor authentication, required two-factor authentication, SSO, and required SSO at the same time? 

Yes. When you have two-factor authentication enabled, it's active on any login with your HubSpot username and password. Enabling 2FA in HubSpot does not prevent you from logging in using Google's 2FA or SSO. Therefore, if users are excluded from the SSO requirement, you can require HubSpot's 2FA to ensure that any logins that bypass SSO go through 2FA or Google.

If you enable 2FA for your Google account, this is separate from your HubSpot setup. However, when you log into HubSpot with your Google account, Google's 2FA will protect your HubSpot account.

If you have two-factor authentication or SSO required or enabled in your account at the same time, the following will occur:

  • If you're required to log into your account with SSO, you can only log in with SSO.
  • If your account requires SSO, but you're excluded, you can log in with either 2FA or Google.
  • If you're required to log in with 2FA with no SSO set up, you can log in with either 2FA or Google.
  • If your account has no requirements, but has enabled SSO, you can log in with any method including SSO.
View full post