How to Set Up HubSpot Single Sign-On for Private Content

Configuring single sign-on (SSO) in Hubspot lets you protect private content while giving visitors a seamless login experience through your existing identity provider. This guide walks you through the full setup, from requirements to testing and troubleshooting.

Use this step-by-step tutorial to connect your identity provider, configure SAML settings, and assign private content access to the right users in your account.

What Single Sign-On Does in HubSpot

Single sign-on lets your visitors log in once with their company or organization credentials and automatically access any gated pages or private content you host in your HubSpot tools.

When SSO is active:

• Visitors authenticate through your identity provider (IdP), not a separate site account.
• HubSpot validates the SAML assertion and grants access to protected pages.
• You control who can view private content from your IdP instead of managing separate passwords.

This is especially useful for:

• Customer portals and knowledge bases
• Partner or reseller resource centers
• Employee-only documentation and internal sites

Requirements Before Configuring HubSpot SSO

Before you set up SSO, confirm you meet all requirements in your HubSpot subscription and your identity provider setup.

• An account tier that supports private content and SSO.
• Access to your IdP configuration panel (e.g., Okta, Azure AD, Google Workspace, or another SAML 2.0 provider).
• Permissions in HubSpot to manage domains, website pages, and private content settings.
• The ability to copy metadata and URLs between HubSpot and your IdP.

If you need broader CRM and website strategy support while planning SSO, you can also consult a specialist team such as Consultevo for implementation guidance.

Step 1: Enable Private Content in HubSpot

Before single sign-on will be useful, you must enable private content on the domains and tools where your content lives.

1. Sign in to your HubSpot account as an administrator.

2. Open your settings and navigate to the website or content tools that support private content.

3. Review the available domains and subdomains you use for gated pages.

4. Confirm that the domains where you want SSO are connected and secured with SSL.

Once private content is available, you can begin linking it to your identity provider.

Step 2: Gather SAML Details from HubSpot

To connect SSO, you must exchange configuration values between your identity provider and HubSpot. Start from the HubSpot side and collect the values your IdP will need.

1. In your HubSpot settings, go to the private content or SSO configuration area.

2. Locate the SSO or SAML configuration section.

3. Copy the following details that HubSpot exposes for your account:

   • Assertion Consumer Service (ACS) URL or Reply URL
   • Entity ID or Audience URI
   • Any required recipient or destination URLs
   • Expected NameID format, if shown

4. Save these values in a secure document. You will paste them into your identity provider in the next step.

These URLs allow your provider to send signed SAML assertions back to your HubSpot environment after a successful sign-in.

Step 3: Configure Your Identity Provider for HubSpot

Next, switch to your identity provider and create or configure an application that connects to HubSpot as a SAML 2.0 service.

1. Create a new SAML application in your IdP.

2. Enter the ACS or Reply URL that HubSpot provided.

3. Set the Entity ID or Audience value from the HubSpot configuration.

4. Confirm the SAML version is SAML 2.0 and that the binding method matches the HubSpot instructions, typically HTTP-POST.

5. Map the NameID to the correct user identifier, usually the user email address.

6. Optional: configure additional attributes if your HubSpot documentation recommends any specific fields for private content access.

After saving, your IdP will usually provide metadata, certificates, and login URLs that you must copy back into your HubSpot SSO settings.

Step 4: Add Identity Provider Metadata to HubSpot

With your IdP application created, it is time to link everything back to your HubSpot configuration so your account can validate incoming SAML responses.

1. From your IdP, locate the SAML metadata details for the new application, such as:

   • Single Sign-On URL (IdP Initiated Login URL)
   • Entity ID for the identity provider
   • X.509 certificate used to sign assertions

2. Return to your HubSpot SSO settings.

3. Paste the IdP Single Sign-On URL into the appropriate field.

4. Enter the IdP Entity ID and upload or paste the X.509 certificate, according to the HubSpot SSO page instructions.

5. Save your configuration.

At this point, HubSpot and your identity provider share all required information to exchange secure SAML assertions.

Step 5: Configure Access Rules for Private Content

Once SSO communication is established, define which users can access which private pages and resources in HubSpot.

• Open your private page or content editor inside HubSpot.

• Locate the access settings for that specific piece of content.

• Choose the option to require SSO authentication rather than a separate password.

• If supported, select specific lists, roles, or groups that should be allowed or denied access.

Saved settings ensure that only authenticated users from your identity provider can see each protected asset in your HubSpot site.

Step 6: Test HubSpot SSO End-to-End

Before rolling out SSO to your full audience, you should test the sign-in journey thoroughly.

1. In a private or incognito browser window, navigate to a protected page hosted in your HubSpot content tools.

2. Confirm that you are redirected to your identity provider login screen.

3. Sign in using a test user that has access in your IdP.

4. Verify that you return to the HubSpot private page and that the content displays correctly.

5. Repeat the test with a user who should not have access to confirm they are blocked or redirected.

If any step fails, recheck URLs, certificates, and NameID mappings against the official product documentation.

Common HubSpot SSO Issues and Fixes

During setup, administrators sometimes encounter common configuration problems. Here are typical patterns and what to review:

HubSpot Page Not Loading After Login

If users authenticate but do not see the expected page:

• Confirm the ACS URL in your IdP exactly matches the value in HubSpot.
• Check for trailing slashes or typos in Entity IDs and URLs.
• Review browser console errors for blocked redirects or mixed-content issues.

Authentication Loop Between IdP and HubSpot

If visitors are redirected back and forth between your identity provider and the HubSpot page:

• Verify that SAML assertions are signed with the certificate configured in HubSpot.
• Ensure the NameID format and value match what HubSpot expects (often email).
• Check that the audience in the SAML response matches the HubSpot Audience or Entity ID.

Access Denied to Private Content

When users can log in but still cannot view specific HubSpot pages:

• Review the content access rules on the private page.
• Ensure the user is in the correct group, list, or role defined in your IdP and reflected in HubSpot.
• Confirm that the content is assigned to the correct private domain.

Where to Find the Official HubSpot SSO Documentation

For detailed field-by-field references, supported providers, and the latest interface updates, always review the official product documentation. You can find the current guide on configuring SSO for private content at this HubSpot knowledge base article.

Use this article together with the official knowledge base to successfully deploy single sign-on for private content across your HubSpot-powered sites while keeping the experience secure and user-friendly for your visitors.

Need Help With Hubspot?

If you want expert help building, automating, or scaling your Hubspot , work with ConsultEvo, a team who has a decade of Hubspot experience.

Scale Hubspot

“`