
Set up single sign-on (SSO)

Last updated: October 3, 2018

Applies to: Marketing Hub Enterprise, Sales Hub Enterprise, Service Hub Enterprise

Single sign-on (SSO) allows you to give your team members one account for all of the systems your business uses. If you have a HubSpot Enterprise account and have SSO set up for your business, you can allow users to log in to HubSpot using their SSO credentials. 

Please note:
  • You cannot require single sign-on for all logins to your hub. Every user can still log in with either their SSO credentials or their HubSpot credentials.
  • This setup process should be done by an IT administrator with experience creating applications in your identity provider account. 
To use SSO with HubSpot:
  • Log in to your identity provider account. 
  • Navigate to your applications. 
  • Create a new application for HubSpot. 
    • To get the Audience URI and Sign on URL, ACS, Recipient, or Redirect values:
      • In your HubSpot account, click the settings icon in the main navigation bar.
      • In the Single sign-on (SSO) section, click Set up.
      • In the right pane, click Copy next to the values as needed. 
      • Paste them into your identity provider account where required. 
    • If prompted, set the username format/name ID to Email.
  • Copy the identifier or issuer URL, the single sign-on URL, and the certificate from your identity provider and paste them into the corresponding fields in the SSO setup pane in HubSpot.
  • Click Verify.
The navigation instructions and field names above may differ across identity providers. You can find more specific instructions for setting up applications in commonly used identity providers below: 

Okta

Please note: you need administrative access in your Okta instance. This process is only accessible in the Classic UI in Okta. 

  • Log into Okta. Make sure you are in the administrative instance of your Okta developer account.  
  • Click Applications in the top navigation bar.
  • Click Add application.
  • Search for HubSpot SAML, then click Add.
  • On the General Settings screen, click Done.
  • On the application's details page, click the Sign On tab. 
  • Here you'll see a "SAML 2.0 is not configured until you complete the setup instructions" message. Click View Setup Instructions. This will open a new tab; keep it open, then return to the original tab in Okta.
  • Navigate to your user settings. Assign the new app to any users that are also in your HubSpot account, including yourself. 
  • Return to the View Setup Instructions tab. Copy each of the URLs and the certificate and paste them in HubSpot in the Identity Provider Identifier or Issuer URL field, the Identity Provider Single Sign-On URL field, and the X.509 Certificate field. 
  • Click Verify. You’ll be prompted to log in with your Okta account to finish the configuration and save your settings.

Once your SSO setup has been verified, navigate to https://app.hubspot.com/login/sso and enter your email address. HubSpot will look up your portal's single sign-on configuration and send you to your SSO provider to sign in. You’ll also see a Log in with SSO button when visiting a direct link to your account.

OneLogin

Please note: you need administrative access in your OneLogin instance to create a new SAML 2.0 application in OneLogin, as required. 

  • Log into OneLogin.

  • Navigate to Apps. 

  • Click Add App.

  • Search for SAML Test Connector (IdP) and select it from the results.

  • Enter HubSpot as a name for the application, then click Save.

  • On the Configuration tab, RelayState should remain blank.

  • For the ACS (Consumer) URL Validator field, enter the following value, inserting your own Hub ID after "portalId=": ^https:\/\/api\.hubspot\.com\/login-api\/v1\/saml\/acs\?portalId=[your Hub ID]?.
  • For the ACS (Consumer) URL and Recipient fields, you'll need to copy and paste the values from HubSpot:
    • In your HubSpot account, click the settings icon in the main navigation bar.
    • In the Single sign-on (SSO) section, click Set up.
    • In the right pane, click Copy to the right of the Sign on URL, ACS, Recipient, or Redirect field. Paste this value into the ACS (Consumer) URL and Recipient fields in OneLogin.
    • Return to the HubSpot pane and click Copy to the right of the Audience URI field. Paste this value into the Audience field in OneLogin. 
    • Keep this tab open.
  • Return to OneLogin. Click the Parameters tab and make sure the NameID field is set to Email.

  • Click the SSO tab. Copy the Issuer URL value. Return to HubSpot and paste this value into the Identity Provider Identifier or Issuer URL field.

  • Return to OneLogin. Copy the SAML 2.0 Endpoint value. Paste this value into the Identity Provider Single Sign-On URL field in HubSpot.
  • In OneLogin, ensure that Standard Strength Certificate is selected in the X509 Certificate section. Click View Details.

  • Copy the certificate value. Paste it into the X509 certificate field in HubSpot.

  • In OneLogin, assign your new HubSpot application to all the users who you’d like to be able to log into HubSpot with OneLogin, including yourself.

  • Return to HubSpot and click Verify. Log in with your OneLogin account to finish the configuration and save your settings.

Once your SSO setup has been verified, navigate to https://app.hubspot.com/login/sso and enter your email address. HubSpot will look up your portal's single sign-on configuration and send you to your SSO provider to sign in. You’ll also see a Log in with SSO button when visiting a direct link to your account.

 

FAQs

Which binding does HubSpot use as a SAML service provider?

HubSpot uses HTTP Post.

I’m using Active Directory Federation Services. What should I use as my relying party trust (RPT)?


Your RPT should be set as api.hubspot.com. Setup in ADFS can be more complex than in other platforms and should be undertaken by an experienced administrator.
 

Which username format should I set in my SAML application?

HubSpot users are identified by email address. Ensure that your IdP sends a NameID in email format that matches each user's HubSpot email address.

Which signing algorithm does HubSpot support?

HubSpot expects that your IdP signs requests with SHA-1. We may support other algorithms in the future.

Which format should I provide my x509 certificate in?

HubSpot requires a PEM format x509 certificate. You should copy the text contents of the PEM file into the x509 certificate field in HubSpot. The value should also include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
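
A pre-paste check for the PEM requirement above, as an added example (not HubSpot's code): it confirms the BEGIN/END lines are present, the body decodes, and the outer DER length is intact, then returns a SHA-256 fingerprint you can compare with the same check run on the file exported from your identity provider. The function names and the sample value are assumptions constructed for illustration.

```python
import base64
import binascii
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def der_length_ok(der):
    """True if the bytes are one DER SEQUENCE whose declared length fits exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short form: length in one byte
        header, length = 2, der[1]
    else:                                  # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def check_pem_certificate(text):
    """Return (problems, sha256_fingerprint) for a certificate value before pasting."""
    problems = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN:
        problems.append("missing BEGIN CERTIFICATE line")
    if not lines or lines[-1] != END:
        problems.append("missing END CERTIFICATE line")
    body = "".join(ln for ln in lines if not ln.startswith("-----"))
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return problems + ["body is not valid base64"], None
    if not der_length_ok(der):
        problems.append("DER length mismatch (truncated or partial copy)")
    digest = hashlib.sha256(der).hexdigest().upper()
    return problems, ":".join(digest[i:i + 2] for i in range(0, 64, 2))

# Constructed sample: a DER SEQUENCE header plus 256 filler bytes, NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = f"{BEGIN}\n{base64.encodebytes(SAMPLE_DER).decode()}{END}\n"

if __name__ == "__main__":
    problems, fingerprint = check_pem_certificate(SAMPLE_PEM)
    print(problems or "PEM framing and length look right")
    print("SHA-256 fingerprint:", fingerprint)
```

An empty problem list only means the value was copied intact; matching fingerprints on both sides is what shows HubSpot holds the certificate your identity provider actually signs with.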

 
