×

Set Up Hupspot SSO Securely

/ CRM, Hubspot / By

How to Set Up Single Sign-On (SSO) in Hubspot

Configuring single sign-on (SSO) for Hubspot lets your team log in with one secure identity provider, simplifying access management while improving overall security.

This step-by-step guide explains the full SSO setup workflow, required permissions, and key settings you must review before enabling the feature for all users.

Hubspot SSO prerequisites and permissions

Before you configure SSO, make sure your account and users meet the necessary requirements. Without the correct subscription level and permissions, you will not see the SSO settings.

  • A Hubspot Enterprise subscription for any of the following: Marketing Hub, Sales Hub, Service Hub, Operations Hub, or CMS Hub.
  • Super admin permissions for the user performing the configuration.
  • Access to your identity provider (IdP) account such as Okta, Azure AD, Google Workspace, or a SAML 2.0 compliant provider.
  • Approved security policies from your IT or security team covering authentication and session management.

Confirm you can sign in to both Hubspot and your IdP with an administrator account before you continue.

Accessing Hubspot SSO settings

Once prerequisites are in place, open your account settings to start the configuration process.

  1. Log in to your Hubspot account as a super admin.
  2. Click the settings icon in the main navigation bar.
  3. In the left sidebar menu, navigate to security or authentication settings, depending on your portal layout.
  4. Locate the single sign-on or SAML configuration section.

You should now see options to configure SSO, upload IdP metadata, and set login enforcement rules.

Gather required data from your identity provider

Your identity provider supplies the metadata Hubspot needs to validate SSO logins. You will usually need the following information:

  • SAML 2.0 metadata XML file or metadata URL.
  • Identity provider (IdP) entity ID or issuer.
  • SAML single sign-on URL (login URL).
  • X.509 certificate used to sign SAML assertions.

Consult your IdP documentation to locate these values. Many providers can generate a downloadable metadata file, which is often the easiest method for configuration.

If you need additional guidance on SAML parameters, compare the fields exposed by your IdP with the required fields shown in the Hubspot SSO panel.

Configure SAML single sign-on in Hubspot

With the IdP data ready, you can configure SAML-based SSO directly in your account.

  1. Go back to the SSO section in your Hubspot settings.
  2. Choose the option to add or configure SAML single sign-on.
  3. Upload your IdP metadata file or paste the metadata URL if available.
  4. Alternatively, manually enter the IdP entity ID, SSO URL, and certificate if required.
  5. Review the fields for accuracy, then save your configuration.

After saving, Hubspot generates service provider (SP) details, such as the assertion consumer service (ACS) URL and SP entity ID. Provide these values to your identity provider so it can complete the trust relationship.

Hubspot SSO attribute mapping

Your IdP must send correct user attributes in each SAML response so Hubspot can identify and match users.

  • Primary identifier: email address must match the user record in your portal.
  • First and last name attributes: often optional, but useful for initial provisioning or profile updates.
  • Unique user ID: may be used by some IdPs for internal mapping.

Confirm your IdP sends an email claim or attribute that exactly matches the email used for each user in your account.

Testing Hubspot SSO before enforcement

Always test the configuration with a small group of users before you require everyone to sign in with SSO. This reduces the risk of lockouts or unexpected access issues.

  1. In the SSO settings, look for a test or preview login link.
  2. Open the test link in an incognito or private browser window.
  3. Sign in via your identity provider when prompted.
  4. Confirm that you are redirected back to Hubspot and logged into the correct account.

If the test fails, review the following common issues:

  • Email attribute mismatch between the IdP and the user record.
  • Incorrect entity ID, ACS URL, or certificate.
  • Clock skew between systems causing assertion expiration problems.
  • Missing group or access claims required by internal policies.

Only move to wide deployment once multiple test accounts can authenticate successfully.

Set Hubspot SSO enforcement policies

After testing, decide how strictly you want to enforce single sign-on in your portal.

Recommended Hubspot SSO enforcement options

  • Optional SSO: Users may sign in with either their standard credentials or your identity provider. Use this setting during initial rollout.
  • Required SSO: All users must authenticate via the IdP. This setting offers the highest security but must be deployed carefully.

To enable enforcement:

  1. Return to the Hubspot SSO settings page.
  2. Select the enforcement level that matches your security policy.
  3. Save changes and confirm the enforcement summary.

Coordinate with your IT and security team before you mandate SSO so they can support users during the transition.

Best practices for managing Hubspot SSO

Once SSO is active, ongoing maintenance and monitoring are essential. Follow these practices to keep your configuration secure and reliable.

  • Review user access regularly using both your IdP and Hubspot user management tools.
  • Rotate signing certificates before they expire and update metadata promptly.
  • Enable multi-factor authentication at the identity provider level for stronger protection.
  • Document your SSO configuration, including IdP details, contacts, and testing procedures.
  • Train admins on how to troubleshoot sign-in issues and verify SAML logs.

Consider partnering with an optimization and CRM consulting team, such as Consultevo, to review your account security, governance, and integration strategy.

Troubleshooting Hubspot SSO configuration issues

If users cannot sign in after enabling SSO, methodical troubleshooting will usually reveal the cause.

  • Check SAML response logs in your identity provider for errors or missing attributes.
  • Verify that user email addresses exactly match those stored in your account.
  • Confirm that the ACS URL and entity ID in your IdP match the values shown in the SSO settings panel.
  • Ensure that the signing certificate has not expired and is correctly imported.
  • Temporarily switch enforcement back to optional while you resolve problems.

For detailed, product-specific instructions on uploading metadata, validating certificates, and reviewing SAML errors, refer to the official documentation at Hubspot SSO setup.

Final checklist before rolling out Hubspot SSO

Use this checklist before you finalize your configuration and roll SSO out to all users.

  • Enterprise subscription verified and super admin access confirmed.
  • Identity provider metadata and attributes correctly configured.
  • At least a few test users can log in successfully through SSO.
  • Enforcement policy selected and documented.
  • Communication plan created for employees and admins.
  • Support procedures defined for lost access, role changes, and offboarding.

Once you have covered these items, your organization can rely on SSO to secure access to Hubspot while making sign-in faster and more consistent for your team.

Need Help With Hubspot?

If you want expert help building, automating, or scaling your Hubspot , work with ConsultEvo, a team who has a decade of Hubspot experience.

Scale Hubspot

“`

Verified by MonsterInsights