Account

Set up single sign-on (SSO)

Last updated: December 3, 2018

Applies to:

Marketing Hub
marketing-enterprise
Enterprise
Sales Hub
sales-enterprise
Enterprise
Service Hub
service-enterprise
Enterprise

Single sign-on (SSO) allows you to give your team members one account for all of the systems your business uses. If you have a HubSpot Enterprise account and have SSO set up for your business, you can allow users to log in to HubSpot using their SSO credentials. 

Please note:
  • You cannot require single sign-on be enabled for all logins to your hub. All users are able to log in either with their SSO credentials, or with their HubSpot credentials.
  • The HubSpot mobile app currently does not support logging in with SSO. Users should log in with their HubSpot credentials on the HubSpot mobile app.
  • This setup process should be done by an IT administrator with experience creating applications in your identity provider account. 

Setup

To use SSO with HubSpot:

  • Log in to your identity provider account. 
  • Navigate to your applications. 
  • Create a new application for HubSpot. 
    • To get the Audience URI  and Sign on URL, ACS, Recipient, or Redirect values:
      • In your HubSpot account, click the settings icon settings in the main navigation bar.
      • In the Single sign-on (SSO) section, click Set up.
      • In the right pane, click Copy next to the values as needed. If you are using Microsoft AD FS, click the Microsoft AD FS tab to copy the values needed.
      • Paste them into your identity provider account where required. 
    •  If prompted, set the username format/name ID to Email
  • Copy the identifier or issuer URL, the single-sign on URL, and the certificate from your identity provider and paste them into the corresponding fields in the SSO setup pane in HubSpot.
  • Click Verify
The navigation instructions and field names above may differ across identity providers. You can find more specific instructions for setting up applications in commonly used identity providers below: 

If you are using Active Directory Federation Services, learn more about setting up single sign-on using ADFS

Okta

Please note: you need administrative access in your Okta instance. This process is only accessible in the Classic UI in Okta. 

  • Log into Okta. Make sure you are in the administrative instance of your Okta developer account.  
  • Click Applications in the top navigation bar.
  • Click Add application.
  • Search for HubSpot SAML, then click Add
  • On the General Settings screen, click Done
  • On the application's details page, click the Sign On tab. 
  • Under the "SAML 2.0 is not configured until you complete the setup instructions" message, click View Setup Instructions. This will open a new tab. Keep it open, then return to the original tab in Okta.
  • In the same tab, scroll down to Advanced Sign-on Settings and add your Hub ID in the Portal Id field. Learn how to access your Hub ID.
  • Navigate to your user settings. Assign the new app to any users that are also in your HubSpot account, including yourself. 
  • Return to the View Setup Instructions tab. Copy each of the URLs and the certificate and paste them in HubSpot in the Identity Provider Identifier or Issuer URL field, the Identity Provider Single Sign-On URL field, and the X.509 Certificate field. 
  • Click Verify. You’ll be prompted to log in with your Okta account to finish the configuration and save your settings.

Once your SSO setup has been verified, navigate to https://app.hubspot.com/login/sso and enter your email address. HubSpot will look up your portal's single sign-on configuration and send you to your SSO provider to sign in. You’ll also see a Log in with SSO button when visiting a direct link to your account. 

OneLogin

Please note: you need administrative access in your OneLogin instance to create a new SAML 2.0 application in OneLogin, as required. 

  • Log into OneLogin

  • Navigate to Apps. 

  • Search for HubSpot.

  • Click the app that states "SAML2.0".

  • In the upper right, click Save.

  • Click on the Configuration tab.

  • In the HubSpot Account ID field, add your Hub ID. Learn how to access your Hub ID.
  • In the upper right, click Save.

Once your SSO setup has been verified, navigate to https://app.hubspot.com/login/sso and enter your email address. HubSpot will look up your portal's single sign-on configuration and send you to your SSO provider to sign in. You’ll also see a Log in with SSO button when visiting a direct link to your account.

Azure Active Directory

For Azure Active Directory users, install the HubSpot app in the Microsoft Azure Marketplace and follow the set up instructions. This will allow you to use Azure AD to manage user access and enable single sign-on with HubSpot.

Once your SSO setup has been verified, navigate to https://app.hubspot.com/login/sso and enter your email address. HubSpot will look up your portal's single sign-on configuration and send you to your SSO provider to sign in. You’ll also see a Log in with SSO button when visiting a direct link to your account.

 

FAQs

Which binding does HubSpot use as a SAML service provider?

HubSpot uses HTTP Post.

I’m using Active Directory Federation Services. What should I use as my relying party trust (RPT)?

Learn more about setting up single sign-on using ADFS
 

Which username format should I set in my SAML application?

HubSpot users are identified by email address. Ensure that your IDP is sending a nameID in email format that corresponds with their HubSpot user’s email address.

Which signing algorithm does HubSpot support?

HubSpot expects that your IdP signs requests with SHA-1. We may support other algorithms in the future.

Which format should I provide my x509 certificate in?

HubSpot requires a PEM format x509 certificate. You should copy the text contents of the PEM file into the x509 certificate field in HubSpot. The value should also include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.