Last updated: January 29, 2024
Available with any of the following subscriptions, except where noted:
Marketing Hub
Enterprise
|
Sales Hub
Enterprise
|
Service Hub
Enterprise
|
Content Hub
Enterprise
|
Provisioning users through SCIM (the System for Cross-domain Identity Management) provides a secure and automated way to create and manage HubSpot users through Google.
Below, learn how to set up user provisioning through Google.
Prerequisites
- Single sign-on (SSO) must be enabled in your HubSpot account.
- It's recommended to set up user permission sets in HubSpot based on your team's Google custom attribute mapping before setting up SCIM.
- To set user permissions, you must create permission sets in HubSpot. Google can then assign permissions to a user if their mapped custom attribute in Google matches the name of the HubSpot permission set. For example, the Google custom attribute named “HubSpot Roles” is configured to map to the "HubSpot Roles" attribute.
- To assign paid seats for users set up with SCIM, you must first purchase the seats in HubSpot, then create a permission set with a paid seat. In Google, set the user's custom attribute to be the same as the permission set.
- To verify your domain, you will need to update your DNS records. Ensure you have the login details for your DNS provider and have access to the TXT records.
Set up SCIM provisioning
To set up SCIM user provisioning through Google, follow Google's instructions for setting up auto-provisioning.
Verify your domain
After adding the HubSpot app through Google, you'll need to verify your domain in HubSpot by updating your DNS records.
- In your HubSpot account, click the settings icon in the top navigation bar.
- In the left sidebar menu, navigate to Integrations > Connected Apps.
- In the All apps tab, click Google SCIM.
- Enter your users’ email sending domain in the Domain field.
- Click Save.
- Click Verify it now.
- In the dialog box, click Next.
- Copy the value in the Value column. You’ll use this value when creating a new TXT record in your DNS provider
- Log in to your DNS provider account. Create a new TXT record for the domain you’re verifying. Paste the value copied from HubSpot into the Value/Points To/Target field.
- After you've created the TXT record, navigate back to HubSpot, then click Next. Once the DNS changes propagate, the domain will be verified.
Please note: it can take up to 48 hours for the DNS changes to propagate and reflect in HubSpot.
Disable SCIM provisioning
Follow Google’s instructions to disable auto-provisioning.
Frequently Asked Questions
Can users created through SCIM be edited in HubSpot?
No. A user created through SCIM can only be updated through your identity provider. This includes user permissions, user name, and email address.
Can Google assign users to teams?
No. However, after the user is added to HubSpot, you can update their team manually in HubSpot.
What happens if I delete a SCIM user in HubSpot or Google?
Deleting a user in HubSpot will not delete the user in Google. However, if you remove a user's access to HubSpot from Google, or deactivate their account in Google, the user will be deleted in HubSpot. Adding a user to HubSpot will not add the user to Google.
What happens to existing users in my HubSpot account when I connect Google?
After setting up SCIM through Google, any existing HubSpot users that match users in Google will automatically be converted to SCIM users. HubSpot will attempt to assign the user a permission set based on their custom attribute if the attribute is mapped to HubSpot Roles in Google. If the user does not have a role in Google that matches a permission set in HubSpot, the user will have only minimal permissions in HubSpot.
I'm seeing the error "This domain couldn't be verified". How do I fix this?
If you are seeing this error, ensure your domain has been entered correctly with no spelling mistakes. Also, check that you have copied the correct value for the TXT record from the Configuration step in HubSpot into your DNS provider.
