HubSpot by IV-Lead

Set up single sign-on (SSO)

Written by Ohad Peter | Dec 18, 2023 3:01:28 PM

By using single sign-on (SSO), you can give your team members one account for all the systems your business uses. The Security Assertion Markup Language (SAML) is an open standard for authentication. SAML is based on the Extensible Markup Language (XML) format, and web applications use it to transfer authentication data between two parties: the identity provider (IdP) and the service provider (SP). You can require users to log in to HubSpot with their SSO credentials if you have a HubSpot Enterprise account with SAML-based SSO enabled.

Please note: this setup process should be done by an IT administrator with experience creating applications in your identity provider account. SSO can only be set up by super admins.

General setup

  • Log in to your identity provider account.

  • Navigate to your applications.

  • Create a new application for HubSpot.

    • To get the Audience URI and Sign on URL, ACS, Recipient, or Redirect values:

      • Click the settings icon in the main navigation bar of your HubSpot account.

      • Select Security > Login Settings from the left sidebar menu.

      • Under Login, click Set up Single Sign-on.

      • In the right panel, click Copy next to the values as needed. If you are using Microsoft AD FS, click the Microsoft AD FS tab to copy the values needed.

    • If necessary, paste them into your identity provider account.

    • If prompted, set the username format/name ID to Email.

  • Copy the identifier or issuer URL, the single sign-on URL, and the certificate from your identity provider, and paste them into the corresponding fields in the SSO setup panel in HubSpot.

  • Click Verify.

Navigation instructions and field names may differ between identity providers. Instructions for setting up applications with commonly used identity providers appear below.

If you're using Active Directory Federation Services, learn more about setting up single sign-on using AD FS.

Require SSO for all users

After setting up SSO, you can require all users to use SSO to log in to HubSpot. 

  • In your HubSpot account, click the settings icon in the main navigation bar.
  • In the left sidebar menu, click Security > Login Settings.
  • Under Login, select the Require Single Sign-on checkbox.

Exclude specific users from SSO requirement

After setting up SSO, you can exclude specific users from the SSO requirement to allow them to also log in with their HubSpot user account.

  • In your HubSpot account, click the settings icon in the main navigation bar.
  • In the left sidebar menu, click Security > Login Settings.
  • Under Login, click Manage excluded users.

  • In the dialog box, click the Choose users dropdown menu and select the users that will be able to log in with their HubSpot accounts. For example, you can select partners and contractors if they lack an SSO login.
  • Click Save.

Instructions for specific identity providers

Okta

Please note: you need administrative access in your Okta instance. This process is only accessible in the Classic UI in Okta.

Sign in to Okta. Make sure you are in the administrative instance of your Okta developer account.

  • In the top navigation bar, click Applications.

  • Click Add application.

  • Search for HubSpot SAML, then click Add.

  • Click Done on the General Settings screen.

  • On the application's details page, click the Sign On tab.

  • Under the "SAML 2.0 is not configured until you complete the setup instructions" message, click View Setup Instructions. The instructions open in a new tab. Keep that tab open, then return to the original Okta tab.

  • In the same tab, scroll down to Advanced Sign-on Settings and add your Hub ID in the Portal Id field. Find out how to access your Hub ID.

  • Navigate to your user settings. You can also assign the new app to yourself if you are also a HubSpot user.

  • Go back to the View Setup Instructions tab. Copy each of the URLs and the certificate, and paste them in HubSpot in the Identity Provider Identifier or Issuer URL field, the Identity Provider Single Sign-On URL field, and the X.509 Certificate field.

  • Click Verify. In order to save your settings, you will need to log in with your Okta account.

Once your SSO setup has been verified, visit this link and enter your email address. HubSpot will look up your portal's single sign-on configuration and send you to your identity provider for sign-in. When you visit a direct link to your account, you'll see a Log in with SSO button.

OneLogin

 Please note: you need administrative access in your OneLogin instance to create a new SAML 2.0 application in OneLogin, as required.
 
  • Log in to OneLogin.

  • Navigate to Apps.

  • Search for HubSpot.

  • Select the "SAML2.0" app.

  • Click Save in the upper right corner.

  • Click the Configuration tab.

  • Add your Hub ID to the HubSpot Account ID field. Find out how to access your Hub ID.

  • Click the SSO tab.

  • Copy the following fields from OneLogin and paste them into the corresponding fields of the SSO setup panel in HubSpot:

    • Copy the value under Issuer URL and paste it into Identity Provider Identifier or Issuer URL.

    • Copy the value under SAML 2.0 Endpoint (HTTP) and paste it into Identity Provider Single Sign-on URL.

    • Under X.509 Certificate, click View Details, then copy the certificate and paste it into X.509 Certificate.

  • In the upper right of your OneLogin account, click Save.

Once your SSO setup has been verified, visit this link and enter your email address. HubSpot will look up your portal's single sign-on configuration and send you to your identity provider for sign-in. When you visit a direct link to your account, you'll see a Log in with SSO button.

Azure Active Directory

To set up the integration, install the HubSpot app in the Microsoft Azure Marketplace and follow Microsoft's instructions. You can then use Azure AD to manage user access and enable single sign-on with HubSpot.

Once you have verified your SSO setup, navigate to this link and enter your email address. In order to sign in, HubSpot will look up your portal's single sign-on configuration and send you to your SSO provider. When visiting a direct link to your account, you'll also see a Log in with SSO button.

Google

You can set up HubSpot single sign-on with G-Suite as your identity provider by following Google's instructions.

Enter your email address at this link once your SSO setup has been verified. As soon as HubSpot finds your portal's single sign-on configuration, it will send you to your SSO provider so you can sign in. If you visit a direct link to your account, you'll also see a Log in with SSO button.

FAQs

1. Which binding does HubSpot use as a SAML service provider?

HubSpot uses HTTP POST.

2. I’m using Active Directory Federation Services. As my relying party trust (RPT), what should I use?

Find out how to set up single sign-on with ADFS.

3. Which username format should I set in my SAML application?

HubSpot users are identified by their email addresses. Your IdP should send a NameID in email format that corresponds with the HubSpot user's email address.

4. Which signing algorithm does HubSpot support?

HubSpot only supports SHA-256 as a signing algorithm. SHA-256 must be used to sign your requests.

Please note: After March 31, 2023, HubSpot will stop supporting SHA-1 for new SSO connections. Any existing SSO connections that use SHA-1 may still work until HubSpot stops supporting SHA-1 for all SSO connections on June 30, 2023. SHA-1 users must migrate to SHA-256 by June 30, 2023.

5. Which format should I provide my X.509 certificate in?

HubSpot requires an X.509 certificate in PEM format. In HubSpot, paste the text contents of the PEM file into the X.509 Certificate field. The value should also include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
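The requirements in FAQs 1 and 3 to 5 can be checked before clicking Verify. The following is an added example, not HubSpot's code: it lints the certificate text and a base64 SAMLResponse value captured from a test login at your own IdP, and it does not verify signatures. The function names and the case-insensitive email comparison are assumptions, and the sample response is constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def check_pem(text):
    """Problems with a value as pasted into the X.509 Certificate field."""
    m = PEM_RE.fullmatch(text.strip())
    if not m:
        return ["must be PEM text including the BEGIN/END CERTIFICATE lines"]
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:
        return ["certificate body is not valid base64"]
    # A DER-encoded certificate starts with an ASN.1 SEQUENCE tag (0x30).
    return [] if der[:1] == b"\x30" else ["certificate body is not DER"]

def check_response(saml_response_b64, hubspot_email):
    """Problems in a base64 SAMLResponse form value (HTTP POST binding).
    Lints IdP settings only; it does NOT verify the signature."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    methods = root.findall(".//ds:SignedInfo/ds:SignatureMethod", NS)
    if not methods:
        problems.append("response carries no XML signature")
    for method in methods:
        alg = method.get("Algorithm", "")
        if not alg.endswith("sha256"):
            problems.append(f"signature algorithm is not SHA-256: {alg}")
    name_id = root.findtext(".//saml:Subject/saml:NameID", "", NS).strip()
    if not EMAIL_RE.fullmatch(name_id):
        problems.append(f"NameID is not an email address: {name_id!r}")
    elif name_id.lower() != hubspot_email.lower():
        problems.append(f"NameID {name_id!r} does not match {hubspot_email!r}")
    return problems

def sample_response(alg, name_id):
    """Constructed minimal response for trying the checks; not real IdP output."""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}"><saml:Assertion>'
           f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/>'
           '</ds:SignedInfo></ds:Signature><saml:Subject>'
           f'<saml:NameID>{name_id}</saml:NameID></saml:Subject>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

An empty list from both functions means the IdP application matches the settings the FAQs describe; each string in a non-empty list names the setting to correct in the IdP.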

6. Is it possible to turn on two-factor authentication, required two-factor authentication, SSO, and required SSO at the same time? 

Yes. Whenever you log in with your HubSpot username and password, two-factor authentication is active. HubSpot's 2FA doesn't prevent you from logging in with Google's 2FA or SSO. In this case, you can require HubSpot's 2FA to ensure that any logins that bypass SSO go through 2FA or Google.

You can enable 2FA for your Google account separately from HubSpot. However, when you log into HubSpot with your Google account, Google's 2FA protects your HubSpot account.

You will experience the following if you have two-factor authentication and SSO enabled in your account at the same time:

  • Only SSO can be used to log into your account if SSO is required. Even if you set up 2FA for HubSpot, you won't be prompted for it.

  • If your account requires SSO, but you're excluded, you can log in with either 2FA or the Login with Google or Login with Microsoft options.

  • You can use 2FA or the Login with Google or Login with Microsoft options if you're required to use 2FA and no SSO is set up.

  • If your account has no requirements but has enabled SSO, you can log in with any method including SSO.