Landing Pages
Blog
Knowledge Base

Set up single sign-on (SSO) to access private content

Last updated: September 9, 2020

Applies to:

Service Hub  Professional, Enterprise
CMS Hub  Enterprise

Single sign-on (SSO) is a way to log into different applications securely with one username and password.

With SSO for private content, your IT administrator can set up a HubSpot application in your identity provider account, such as Google or Okta. Then members of your organization with access to this application can log in and view private content with the same login credentials they use to access other applications. You can further refine which individuals have access to specific content based on their list memberships in HubSpot.

CMS Hub Enterprise accounts can set up SSO for blogs, landing pages, and website pages. Service Hub Professional and Enterprise accounts can set up SSO for knowledge base articles.

Before you get started

  • The setup process for SSO should be completed by an IT administrator with experience creating applications in your identity provider account. Your IT administrator must have permission to edit website settings in HubSpot.
  • Any identity provider account that support SAML integrations is compatible with SSO for private content.
  • SSO can be configured for one HubSpot-hosted subdomain per identify provider account. For best results, it's recommended to dedicate one separate subdomain for SSO membership only.
  • Notification emails and login pages for private content that requires SSO will be handled by your identity provider account, instead of your Private content settings in HubSpot.
  • Private content that requires SSO won't be crawled by search engines, and can only be viewed by contacts who have access and are logged in.

Set up SSO for HubSpot private content in your identity provider account

To set up SSO for private content hosted in HubSpot, your IT administrator will create a new application for HubSpot content access. To complete this process, your IT administrator will reference values from your Private content settings in HubSpot. 

Please note: if you enable SSO for a subdomain that already hosts private content with member registration, that content will no longer be accessible to those contacts.

The steps and fields required to add a new application in your identity provider may vary. General instructions for setting up SSO for private content are outlined below. You can find more specific instructions on setting up a new application i your identity provider here:

To create a new SAML application for HubSpot private content in your identity provider account:

  • Log in to your identity provider account.
  • Navigate to your applications within your identity provider account.
  • In your HubSpot account, collect the required values for your new HubSpot application:
    • In your HubSpot account, click the settings icon settings in the main navigation bar.
    • In the left sidebar menu, navigate to CMS > Private content.
    • At the top of your settings, click the Choose a domain to edit dropdown menu to select a specific subdomain.
    • In the Single sign-on (SSO) section, click Set up SSO.
    • In the Set up Single Sign-on panel, copy the Audience URL and Sign on URL.
  • In your identity provider account:
    • Paste the Audience URL and Sign on URL copied from HubSpot into the corresponding fields.
    • Then copy the identifier for the issuer URL, the single-sign on URL, and the certificate field.
  • In your HubSpot account:
    • Paste the issuer URL, single-sign on URL, and certificate values into the corresponding fields in the Set up Single Sign-on panel.
    • Click Verify.

Once the verification process is complete, you'll see a confirmation that Single sign-on is enabled for your domain in your Private content settings.

Enable SSO for your content

There are two options for enabling private content with SSO:

  • Private - Single sign-on (SSO) required: everyone in your identity provider organization with access to the HubSpot application can log in with SSO to view the private content.
  • Private - Single sign-on (SSO) required with list filtering: individuals in your identity provider organization with access to the HubSpot application and specific HubSpot list memberships can log in with SSO to view private content.

Enable SSO for an entire blog

You can enable SSO for blogs hosted on the subdomain you've connected in your identity provider account. Enabling SSO for a specific blog will impact all blog posts published on that blog. It's not possible to enable SSO for a specific blog post.

Please note: if you enable SSO for a blog that already hosts private content with member registration, that blog will no longer be accessible to those contacts.

To set up SSO for a blog:

  • In your HubSpot account, click the settings icon settings in the main navigation bar.
  • In the left sidebar menu, navigate to CMS Blog.
  • In the upper left, click the Select a blog to modify dropdown menu and select a blog hosted on the subdomain you've set up with your identity provider.
  • On the General settings tab, scroll down to Control audience access settings to set up SSO:
    • Select Private - Single sign-on required to grant access to everyone in your identity provider organization with access to the HubSpot application.
    • Select Private - Single sign-on required with list filtering to grant access to individuals in your identity provider account with access to the HubSpot application and specific list memberships. Then select the specific lists you want to have access to this content.
  • In the lower left, click Save.

Enable SSO for specific landing pages or website pages

You can enable SSO for landing pages or website pages hosted on the subdomain you've connected in your identity provider account.

Please note: if you enable SSO for a landing page or website page that is already set to private content with member registration, that page will no longer be accessible to those contacts.

To set up SSO for specific pages:
  • In your HubSpot account, navigate to Marketing > Website > Landing pages or Website Pages.
  • Select the checkbox next to any page you want to require SSO.
  • At the top of the page dashboard, click Control audience access.
  • Set up SSO for these specific pages:
    • Select Private - Single sign-on required to grant access to everyone in your identity provider organization with access to the HubSpot application.
    • Select Private - Single sign-on required with list filtering to grant access to individuals in your identity provider account with access to the HubSpot application and specific list memberships. Then select the specific lists you want to have access to this content.
  • In the lower left, click Save.

You can also control audience access to a specific page in the Settings tab within the page editor.

Enable SSO for specific knowledge base articles

You can set up SSO for specific knowledge base articles hosted on the subdomain you've connected in your identity provider account. It's not possible to enable SSO for an entire knowledge base at this time.

Please note: if you enable SSO for a knowledge base article that is already set to private content with member registration, that article will no longer be accessible to those contacts.

To set up SSO for specific knowledge base articles:

  • In your HubSpot account, navigate to Service > Knowledge Base.
  • Click the Articles tab.
  • Select the checkbox next to any articles you want to require SSO.
  • At the top of the articles dashboard, click Control audience access.
  • Set up SSO for these specific articles:
    • Select Private - Single sign-on required to grant access to everyone in your identity provider organization with access to the HubSpot application.
    • Select Private - Single sign-on required with list filtering to grant access to individuals in your identity provider account with access to the HubSpot application and specific list memberships. Then select the specific lists you want to have access to this content.
  • In the lower left, click Save.

You can also control audience access to a specific article in the Settings tab within the article editor.

How to modify or disable SSO for private content

Disabling SSO for private content will impact your content different depending on the setting you've selected.

  • Content that's set to Private - Single sign-on required will become public.
  • Content that's set to Private - Single sign-on required with list filtering will become inaccessible.

It's recommended to review your content before disabling SSO in Private content settings to ensure the desired result.

To keep your private content private when you disable SSO, it's recommended to change audience access for your private content to Private - Single sign-on required with list filtering. Then you can change audience access for this content to require CMS membership registration instead.

To disable SSO for private content:

  • In your HubSpot account, click the settings icon settings in the main navigation bar.
  • In the left sidebar menu, navigate to CMS > Private content.
  • At the top of your settings, click the Choose a domain to edit dropdown menu to select a specific subdomain.
  • In the Single sign-on (SSO) section, click Manage SSO.
  • At the bottom of the panel, click to toggle the SSO Enabled switch off.
/account-settings/set-up-single-sign-on-sso-for-private-content