Set Up HubSpot Single Sign-On with ADFS
Configuring single sign-on (SSO) for your HubSpot account using Active Directory Federation Services (ADFS) helps centralize authentication, improve security, and simplify access for your users. This guide walks you through every step, from prerequisites to testing and troubleshooting.
This article is based on the official instructions from HubSpot's ADFS SSO setup documentation, reorganized into a clear, SEO-friendly how‑to format.
Why Configure HubSpot SSO with ADFS?
Integrating your identity provider with your CRM offers several benefits:
- Centralized user management through Active Directory.
- Improved security with corporate authentication policies.
- Streamlined user access to the HubSpot portal.
- Reduced password fatigue and fewer login-related tickets.
Before starting, make sure your IT and security teams approve and support this configuration.
Prerequisites for HubSpot and ADFS Integration
Prepare the following items before you configure the integration between your identity provider and the portal:
- A HubSpot account with permissions to manage account security and SSO settings.
- Access to a Windows Server running Active Directory Federation Services.
- Administrative rights on the ADFS server to create and edit relying party trusts.
- SSL certificates properly configured on your ADFS endpoint.
- Your organization's internal policies for SSO and user lifecycle management.
Once these prerequisites are met, you can move into the configuration steps.
Step 1: Collect HubSpot SSO Details
To start, gather the information that ADFS will use when validating authentication requests from your portal. You will copy these values from the security settings screen.
- Sign in to your account as a super admin or user with security permissions.
- Navigate to your account security or SSO configuration area.
- Locate the SSO configuration section dedicated to integration with external identity providers.
- Note the following values presented in the configuration screen:
  - Audience URI or Entity ID associated with your portal.
  - ACS URL or Reply URL for the SAML assertion.
  - Any additional identifier or domain details used during SAML authentication.
These fields will be required when defining the relying party trust inside Active Directory Federation Services.
Step 2: Configure the Relying Party Trust for HubSpot in ADFS
The core of the integration is a correctly configured relying party trust. This is where ADFS learns how to communicate with your portal, what URLs to trust, and how to issue tokens.
- Open the ADFS Management console on your Windows Server.
- In the left pane, expand ADFS and select Relying Party Trusts.
- In the right pane, choose Add Relying Party Trust to launch the wizard.
- Select the appropriate option to Enter data about the relying party manually.
- Provide a descriptive Display name, such as "HubSpot SSO".
- When prompted for identifiers, enter the Audience URI / Entity ID you collected from your portal.
- Add the ACS / Reply URL exactly as shown in the security settings.
- Finish the wizard, making sure access control settings match your organization's requirements.
At this point, the relying party trust is created but still needs claims rules and signature configuration.
Step 3: Add Claim Rules for HubSpot in ADFS
Claim rules determine which user attributes ADFS sends to your portal after authentication. These attributes must match what your SSO configuration expects.
- Right-click the HubSpot SSO relying party trust in the ADFS console.
- Select Edit Claim Issuance Policy.
- Click Add Rule and choose the template for sending LDAP attributes as claims.
- Map the following fields from your directory to the appropriate claim types, typically including:
  - User Identifier (often an email address or UPN).
  - Display name, if required.
  - Additional attributes mandated by your SSO policy.
- Ensure the primary identifier matches the format expected by your portal, usually the account email address.
If your security team requires specific attributes or groups, coordinate with them to finalize the rule set.
Step 4: Export the ADFS Token-Signing Certificate
Next, you must provide your portal with a certificate so it can verify tokens sent from ADFS. This is the token-signing certificate used by your identity provider.
- In the ADFS Management console, expand Service and click Certificates.
- Locate the Token-signing certificate.
- Right-click the certificate and select View Certificate.
- Open the Details tab and click Copy to File.
- Use the export wizard to save the certificate in a format supported by your portal, commonly .cer.
- Store the file securely, as you will upload it into your SSO configuration.
The exported certificate enables your portal to validate SAML assertions and prevent tampering.
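The ADFS-side work in Steps 2 through 4 can also be scripted with the ADFS PowerShell module, which makes the configuration reviewable and repeatable. The script below is an added example, not part of HubSpot's documentation; the Entity ID and ACS URL are placeholders for the values from Step 1, and the access control policy name, the export path, and the choice of the AD `mail` attribute sent as Name ID are assumptions.

```powershell
# Added example: scripted form of Steps 2-4. Run elevated on the AD FS server.
Import-Module ADFS

# Placeholders (assumptions): paste the exact values collected in Step 1.
$EntityId   = '<AUDIENCE-URI-FROM-STEP-1>'
$AcsUrl     = '<ACS-URL-FROM-STEP-1>'
$RpName     = 'HubSpot SSO'
$PolicyName = 'Permit everyone'                 # assumption (AD FS 2016+); use the policy your organization requires
$CertPath   = 'C:\Temp\adfs-token-signing.cer'  # hypothetical export path

# Refuse to continue with an unreplaced placeholder or a non-HTTPS reply URL.
$acsUri = $null
if (-not ([uri]::TryCreate($AcsUrl, [UriKind]::Absolute, [ref]$acsUri)) -or $acsUri.Scheme -ne 'https') {
    throw "ACS URL '$AcsUrl' is not an absolute https URL."
}
if ($EntityId -like '<*>') {
    throw 'Replace the Entity ID placeholder with the value from Step 1.'
}
if (Get-AdfsRelyingPartyTrust -Name $RpName) {
    throw "A relying party trust named '$RpName' already exists; review it instead of creating a duplicate."
}

# Step 2: one SAML assertion consumer endpoint (POST binding) at the reply URL.
$endpoint = New-AdfsSamlEndpoint -Binding 'POST' -Protocol 'SAMLAssertionConsumer' -Uri $acsUri

# Step 3: single issuance rule. Assumption: AD 'mail' holds the account email and is sent as Name ID.
$rules = @'
@RuleName = "Send mail as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"),
          query = ";mail;{0}", param = c.Value);
'@

Add-AdfsRelyingPartyTrust -Name $RpName -Identifier $EntityId -SamlEndpoint $endpoint `
    -IssuanceTransformRules $rules -AccessControlPolicyName $PolicyName

# Step 4: export only the public certificate of the primary token-signing key.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
Export-Certificate -Cert $signing.Certificate -FilePath $CertPath -Type CERT | Out-Null
"Exported token-signing certificate {0} (expires {1:yyyy-MM-dd}) to {2}" -f `
    $signing.Certificate.Thumbprint, $signing.Certificate.NotAfter, $CertPath
```

The export contains no private key; the token-signing private key never leaves the ADFS server.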
Step 5: Complete the HubSpot SSO Configuration
Once ADFS is ready, return to your security settings and finish the configuration by uploading the certificate and defining provider details.
- Navigate back to your SSO setup screen.
- Upload the exported token-signing certificate.
- Confirm that the Entity ID and Reply URL fields match your ADFS configuration.
- Specify the appropriate Login URL for your ADFS instance if requested.
- Choose the default authentication method for your account, deciding how users are redirected to sign in.
- Save the configuration and enable SSO for your portal when prompted.
After saving, your account will start using SAML-based authentication through the identity provider when users access protected resources.
Step 6: Test and Validate HubSpot SSO
Thorough testing confirms that your configuration works as expected and aligns with your corporate security policies.
- Sign out of your portal completely or use an incognito browser window.
- Navigate to your usual login page or direct SSO URL.
- When redirected to ADFS, sign in with valid Active Directory user credentials.
- Confirm that you are returned to your account without additional prompts.
- Test several user accounts representing different roles or departments.
If any sign-in attempts fail, review your claim rules, identifiers, and entity settings to ensure they match the details documented earlier.
Common Issues When Linking HubSpot and ADFS
During deployment, you might encounter configuration issues. The following areas are frequent sources of problems:
- Incorrect Reply URL: If the ACS or Reply URL differs from the one configured in your portal, ADFS will reject the request or your account will not accept the response.
- Mismatched Entity ID: Make sure the relying party trust identifier matches the Audience URI exactly.
- Certificate Mismatch: If the token-signing certificate used by ADFS does not match the file uploaded, SAML assertions will fail validation.
- Claim Rule Errors: Missing or incorrect user attributes can prevent users from being mapped to accounts.
Always compare your current settings with your original configuration values and logs from both systems to isolate the root cause.
Best Practices for Maintaining HubSpot SSO via ADFS
Once SSO is working, ongoing maintenance ensures availability and compliance.
- Monitor certificate expiration dates and rotate certificates before they expire.
- Document all SSO settings and changes for internal audit purposes.
- Coordinate with your identity and security teams before modifying claim rules.
- Test major updates in a controlled environment when possible.
- Review login reports to detect unusual patterns or failed attempts.
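The mismatches listed under common issues and the certificate monitoring recommended above can be checked in one pass on the ADFS server. This audit script is an added example, not HubSpot's or Microsoft's own tooling; the expected values are placeholders for your documented Step 1 settings, and the certificate path and 30-day warning window are assumptions.

```powershell
# Added example: read-only drift and expiry audit for the HubSpot relying party trust.
Import-Module ADFS

# Placeholders (assumptions): the values you documented when SSO was first configured.
$Expected = @{
    Name         = 'HubSpot SSO'
    EntityId     = '<AUDIENCE-URI-FROM-STEP-1>'
    AcsUrl       = '<ACS-URL-FROM-STEP-1>'
    UploadedCert = 'C:\Temp\adfs-token-signing.cer'   # hypothetical copy of the file uploaded in Step 5
    WarnDays     = 30                                 # assumption: rotation warning window
}
$findings = @()

$rp = Get-AdfsRelyingPartyTrust -Name $Expected.Name
if (-not $rp) { throw "Relying party trust '$($Expected.Name)' not found." }
if (-not $rp.Enabled) { $findings += 'Relying party trust is disabled.' }

# Mismatched Entity ID: the identifier must match the Audience URI exactly (case-sensitive).
if ($rp.Identifier -cnotcontains $Expected.EntityId) {
    $findings += "Entity ID mismatch: trust has [$($rp.Identifier -join ', ')]"
}

# Incorrect Reply URL: compare the assertion consumer endpoints as originally entered.
$acsUrls = @($rp.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' } |
    ForEach-Object { $_.Location.OriginalString })
if ($acsUrls -cnotcontains $Expected.AcsUrl) {
    $findings += "Reply URL mismatch: trust has [$($acsUrls -join ', ')]"
}

# Claim rule errors: an empty issuance policy sends no user identifier at all.
if ([string]::IsNullOrWhiteSpace($rp.IssuanceTransformRules)) {
    $findings += 'No claim issuance rules are defined.'
}

# Certificate mismatch: the uploaded file must be the current primary token-signing certificate.
$uploaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Expected.UploadedCert
$signing  = @(Get-AdfsCertificate -CertificateType Token-Signing)
$primary  = $signing | Where-Object IsPrimary
if ($primary.Certificate.Thumbprint -ne $uploaded.Thumbprint) {
    $findings += "Uploaded certificate $($uploaded.Thumbprint) is not the primary token-signing certificate."
}

# Expiry monitoring: flag any token-signing certificate inside the warning window.
foreach ($c in $signing) {
    $days = [int]($c.Certificate.NotAfter - (Get-Date)).TotalDays
    if ($days -lt $Expected.WarnDays) { $findings += "Certificate $($c.Certificate.Thumbprint) expires in $days day(s)." }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No drift detected.' }
```

Because the script only reads configuration, it can run on a schedule and feed its warnings into your existing alerting.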
Learn More About HubSpot Security and Configuration
For deeper technical detail about Active Directory Federation Services integration, refer to the official HubSpot ADFS SSO setup guide. You can also explore broader CRM strategy, implementation tips, and optimization services at Consultevo, a consulting resource for businesses working to align their platforms with best practices.
By following the steps above, your organization can reliably connect the CRM portal to Active Directory Federation Services, giving users a secure and streamlined login experience backed by your existing identity infrastructure.
