Set up single sign-on (SSO) to access private content
Last updated: February 6, 2025
Available with any of the following subscriptions, except where noted:
|
|
Single sign-on (SSO) is a way to log into different applications securely with one username and password. Using SSO for private content streamlines private content access and ensures that your content can only be accessed by internal visitors.
Your IT administrator can set up a HubSpot application in your identity provider account, such as Google or Okta. Members of your organization with access to the HubSpot application within your identity provider account can log in with SSO to view private content.
You can further refine which individuals have access to specific content based on their list memberships in your HubSpot account. To access content by list membership, these members of your team must have contact records in your HubSpot account.
Please note: on February 5th, 2025, the ability to use SSO for new JWT applications was sunset. JWT-based applications configured for SSO prior to that date are not affected. Moving forward, it's recommended to use an Open ID Connect (OIDC) application instead.
Before you get started
Before you begin working with this feature, make sure to fully understand what steps should be taken ahead of time, as well as the limitations of the feature and potential consequences of using it.
Understand requirements
- This setup process must be done by an IT administrator with experience creating applications in your identity provider account and permission to edit website settings in HubSpot.
- SSO can be configured for one HubSpot-hosted subdomain per identity provider account. For best results, it's recommended to dedicate one subdomain for SSO membership only.
Understand limitations and considerations
- SSO for private content is available for the following types of content:
- Content Hub Professional and Enterprise accounts can set up SSO for blogs, landing pages, and website pages.
- Service Hub Professional and Enterprise accounts can set up SSO for knowledge base articles and customer portals.
- Notification emails and login pages for private content that requires SSO will be handled by your identity provider account, rather than your private content settings in HubSpot.
- Private content that requires SSO won't be crawled by search engines and can only be viewed by contacts who have access and are logged in.
- Any page assets such as images and forms will only require SSO to access as part of the page. If the URLs to the assets themselves are provided separately, they will not require SSO to access. Learn more about setting URL visibility for assets in the files tool.
- If you turn on SSO for a domain that previously required member registration, SSO will use your original membership lists. If you turn off SSO again, the content will revert to requiring member registration for the same lists.
Set up SSO for HubSpot private content in your identity provider account
To set up SSO for private content hosted in HubSpot, your IT administrator will create a new application for HubSpot content access. To complete this process, your IT administrator will reference values from your private content settings in HubSpot.
The steps and fields required to add a new application in your identity provider may vary. General instructions for setting up SSO for private content are outlined below.
Set up SSO for a SAML-based application
To create a new SAML application for HubSpot private content in your identity provider account:
- Log in to your identity provider account.
- Navigate to your applications within your identity provider account.
- In your HubSpot account, collect the required values for your new HubSpot application:
- In your HubSpot account, click the settings settings icon in the top navigation bar.
- In the left sidebar menu, navigate to Content > Private Content.
- At the top of the page, click the Choose a domain to edit dropdown menu and select a subdomain.
- In the Single sign-on (SSO) section, click Set up SSO.
- In the right panel, click the Authentication protocol dropdown menu and select SAML.
- Copy the Audience URL and Sign on URL.
- In your identity provider account:
- Paste the Audience URL and Sign on URL copied from HubSpot into the corresponding fields.
-
- Copy the identifiers for the Issuer URL, Single Sign-on URL, and Certificate.
- In your HubSpot account:
- Paste the Issuer URL, Single Sign-on URL, and Certificate values into the corresponding fields in the Set up Single Sign-on panel.
- Click Verify.
Once the verification process is complete, you'll see confirmation that Single sign-on is enabled for your domain in your private content settings.
Set up SSO for an OpenID Connect (OIDC) application
To create a new OpenID Connect (OIDC) application for HubSpot private content in your identity provider account:
- Log in to your identity provider account.
- Navigate to your applications within your identity provider account.
- In your HubSpot account, collect the required values for your new HubSpot application:
- In your HubSpot account, click the settings settings icon in the top navigation bar.
- In the left sidebar menu, navigate to Content > Private Content.
- At the top of the page, click the Choose a domain to edit dropdown menu and select a subdomain.
- In the Single sign-on (SSO) section, click Set up SSO.
- In the right panel, click the Authentication protocol dropdown menu and select OIDC.
- Click Copy next to Sign-on redirect URI to copy the value to your clipboard.
- In your identity provider account, add the value you copied from the Sign-on redirect URI field. Then collect values for the following fields:
-
- Client secret
- Client ID
- Provider authorization endpoint
- Provider token endpoint
-
- In your HubSpot account, enter the values you collected from your identity provider account. Then click Verify.
Once the verification process is complete, you'll see confirmation that Single sign-on is enabled for your domain in your private content settings.
Require SSO for your content
There are two options for requiring private content with SSO:
- Private - Single sign-on (SSO) required: everyone in your identity provider organization with access to the HubSpot application can log in with SSO to view the private content.
- Private - Single sign-on (SSO) required with list filtering: individuals in your identity provider organization who also have specific HubSpot list memberships can log in with SSO to view private content. These individuals must have access to the HubSpot application within your identity provider account (such as Okta or Google), but they don't need to be users in your HubSpot account.
Require SSO for a blog
You can require SSO for blogs hosted on the subdomain you've connected in your identity provider account. Turning on SSO for a specific blog will impact all blog posts published on that blog. It's not possible to require SSO for a specific blog post.
Please note: if you require SSO for a blog that already hosts private content with member registration, that blog will no longer be accessible to those contacts.
To set up SSO for a blog:
- In your HubSpot account, click the settings settings icon in the top navigation bar.
- In the left sidebar menu, navigate to Content > Blog.
- In the upper left, click the Select a blog to modify dropdown menu and select a blog hosted on the subdomain you've set up with your identity provider.
- In the Control audience access section, set up SSO:
- Select Private - Single sign-on (SSO) required to grant access to everyone in your identity provider organization with access to the HubSpot application.
- Select Private - Single sign-on required with list filtering to grant access to individuals in your identity provider account with access to the HubSpot application and specific list memberships. Then select the lists you want to have access to this content.
- In the lower left, click Save.
Require SSO for landing pages or website pages
You can require SSO for landing pages or website pages hosted on the subdomain you've connected in your identity provider account.
Please note: if you require SSO for a landing page or website page that is already set to private content with member registration, that page will no longer be accessible to those contacts.
To set up SSO for specific pages:-
Navigate to your content:
- Website Pages: In your HubSpot account, navigate to Content > Website Pages.
- Landing Pages: In your HubSpot account, navigate to Content > Landing Pages.
- Select the checkbox next to any page you want to require SSO.
- At the top of the table, click the More dropdown menu and select Control audience access.
- In the right panel, set up SSO for the pages you've selected, then click Save:
- Select Private - Single sign-on required to grant access to everyone in your identity provider organization with access to the HubSpot application.
- Select Private - Single sign-on required with list filtering to grant access to individuals in your identity provider account with access to the HubSpot application and specific list memberships. Then select the specific lists you want to have access to this content.
Require SSO for specific knowledge base articles
You can set up SSO for specific knowledge base articles hosted on the subdomain you've connected in your identity provider account.
Please note: if you require SSO for a knowledge base article that is already set to private content with member registration, that article will no longer be accessible to those contacts.
To set up SSO for specific knowledge base articles:
- In your HubSpot account, navigate to Content > Knowledge Base.
- Click the Articles tab.
- Select the checkbox next to any article you want to require SSO.
- At the top of the table, click Control audience access.
- In the right panel, set up SSO for these articles, then click Save:
- Select Private - Single sign-on required to grant access to everyone in your identity provider organization with access to the HubSpot application.
- Select Private - Single sign-on required with list filtering to grant access to individuals in your identity provider account with access to the HubSpot application and specific list memberships. Then select the specific lists you want to have access to this content.
You can also control audience access to a specific article in the Settings tab of the article editor.
Require SSO for all knowledge base articles
You can also set up SSO for all knowledge base articles for a particular knowledge base hosted on the subdomain you've connected in your identity provider account.
- In your HubSpot account, click the settings settings icon in the top navigation bar.
- In the left sidebar menu, navigate to Content > Knowledge Base.
- If you have multiple knowledge bases, click the first dropdown menu in the Current view section and select a knowledge base. This will be the second dropdown menu in accounts with the business units add-on.
- In the Access Control section, select Single sign on (SSO) required.
- In the bottom left, click Save.
Turn off SSO for private content
Turning off SSO for private content will impact your content different depending on the setting you've selected.
- Content that's set to Private - Single sign-on required will become public.
- Content that's set to Private - Single sign-on required with list filtering will become inaccessible.
To keep your private content private when you turn off SSO, HubSpot recommends changing audience access for your private content to Private - Single sign-on required with list filtering. You can then change audience access for this content to require CMS membership registration instead.
To turn off SSO for private content:
- In your HubSpot account, click the settings settings icon in the top navigation bar.
- In the left sidebar menu, navigate to Content > Private Content.
- At the top of your settings, click the Choose a domain to edit dropdown menu and select a domain.
- In the Single sign-on (SSO) section, click Manage SSO.
- At the bottom of the panel, click to toggle the SSO Enabled switch off.