
How to Set Up SSO in HubSpot: A Complete Security Guide


To set up SSO in HubSpot, you'll need a HubSpot Enterprise subscription, an identity provider like Okta, Azure AD, or Google Workspace, and admin access to both platforms. The process involves configuring SAML 2.0 settings in your identity provider, then entering the identity provider's details (its sign-on URL, identifier, and signing certificate) into HubSpot's security settings to establish the trust relationship between systems.

Picture this scenario. Your marketing director just pinged you on Slack - again - because she's locked out of HubSpot. This is the third time this month. Meanwhile, your sales team has sticky notes with passwords plastered to their monitors, and your IT security audit is coming up next quarter. Sound familiar?

Single Sign-On isn't just a nice-to-have anymore. It's the difference between your team actually using your CRM and them finding workarounds that make your security team lose sleep. Let's walk through exactly how to get SSO running in HubSpot so your team can log in once and get to work.

What is SSO and Why Does HubSpot Need It?

Single Sign-On (SSO) is an authentication method that lets users access multiple applications with one set of login credentials. Think of it like a master key for your entire office building. Instead of carrying 47 different keys for every door, conference room, and supply closet... you carry one. That one key proves who you are, and the building's system handles the rest.

In the HubSpot context, SSO means your team logs into their company identity provider once - whether that's Okta, Azure Active Directory, Google Workspace, or another solution - and they're automatically authenticated into HubSpot without entering separate credentials.

According to Okta's research, the average enterprise employee manages 191 passwords. That's not a typo. And each forgotten password costs IT teams approximately $70 in support time. When you multiply that across your organization, SSO stops looking like a luxury and starts looking like basic operational hygiene.

"Organizations using SSO report 50% fewer password-related IT tickets and significantly faster employee onboarding times."

HubSpot SSO Requirements: What You Need Before Starting

Before you dive into configuration screens, let's make sure you have everything lined up. Nothing's worse than getting halfway through a technical setup and realizing you're missing a critical piece.

HubSpot Subscription Requirements

Here's the thing nobody mentions upfront: SSO isn't available on every HubSpot plan. You need HubSpot Enterprise for any hub - Marketing Hub Enterprise, Sales Hub Enterprise, Service Hub Enterprise, CMS Hub Enterprise, or Operations Hub Enterprise. If you're on Professional or Starter plans, you'll need to upgrade before SSO becomes an option.

Not sure which hubs your organization has access to? Our knowledgebase article on HubSpot hubs breaks down what each one offers.

Identity Provider Compatibility

HubSpot supports SAML 2.0 based identity providers. The most common ones we see clients using include:

  • Okta - The most popular choice for mid-market and enterprise companies
  • Azure Active Directory - Natural fit if you're already a Microsoft shop
  • Google Workspace - Works well for Google-centric organizations
  • OneLogin - Strong option with competitive pricing
  • Ping Identity - Enterprise-grade with extensive customization

If your identity provider supports SAML 2.0, it should work with HubSpot - even if it's not on this list.

Admin Access Checklist

You'll need admin-level access in two places simultaneously. Make sure you have:

  • Super Admin permissions in HubSpot (or at minimum, access to Security settings)
  • Administrator access to your identity provider to create new applications
  • The ability to configure SAML settings and access certificate information

How to Set Up SSO in HubSpot: Step-by-Step Configuration

Alright, let's get into the actual setup. I'll walk you through this as if we're doing it together on a screen share - step by step, no skipping ahead.

Step 1: Gather Your HubSpot SAML Information

First, you need to grab the SAML details from HubSpot that your identity provider will need. Here's how:

  1. Log into your HubSpot account as a Super Admin
  2. Click the Settings gear icon in the main navigation
  3. Navigate to Account Defaults in the left sidebar
  4. Select the Security tab
  5. Scroll to the Single Sign-On section and click Set up single sign-on

You'll see two critical pieces of information here:

  • Audience URI (SP Entity ID) - This identifies HubSpot to your identity provider
  • Sign on URL (ACS URL) - This is where your identity provider sends the authentication response

Copy both of these values. You'll paste them into your identity provider shortly.

Step 2: Create a HubSpot Application in Your Identity Provider

Now switch over to your identity provider. The exact steps vary slightly depending on which one you use, but the concept is identical: you're creating a new "application" that represents HubSpot.

In Okta, you'd go to Applications > Create App Integration > SAML 2.0. In Azure AD, you'd go to Enterprise Applications > New Application > Create your own application. Google Workspace users head to Admin Console > Apps > Web and mobile apps > Add app > Add custom SAML app.

When prompted for the SAML configuration, enter:

  • Single Sign-On URL / ACS URL: Paste the Sign on URL from HubSpot
  • Audience URI / Entity ID: Paste the Audience URI from HubSpot
  • Name ID Format: Select EmailAddress
  • Application username: Email

Pro Tip: The Name ID format is crucial. HubSpot matches users by email address, so if your identity provider sends a different identifier (like employee ID or username), the authentication will fail even if everything else is configured correctly.

Step 3: Configure Attribute Statements

Attribute statements tell HubSpot additional information about the user logging in. At minimum, you need to map the email attribute. Some organizations also map first name and last name for cleaner user records.

Attribute Name    Value / User Field    Required?
email             user.email            Yes
firstname         user.firstName        Optional
lastname          user.lastName         Optional

Step 4: Download the Identity Provider Certificate

Your identity provider uses a certificate to sign the SAML assertions - basically proving that the authentication response actually came from them and wasn't modified in transit. You need to download this certificate and give it to HubSpot.

Look for options like "Download Certificate," "Download Metadata," or "SAML Signing Certificate" in your identity provider. You want the certificate in .cer or .pem format. Some providers also give you a metadata XML file, which contains the certificate along with other configuration details.

Step 5: Complete HubSpot SSO Configuration

Head back to HubSpot's SSO settings where you started. Now you'll enter the information from your identity provider:

  1. In the Identity Provider Single Sign-On URL field, paste the SSO URL from your identity provider (sometimes called the Login URL or SAML Endpoint)
  2. In the Identity Provider Identifier field, enter the Entity ID from your identity provider
  3. Upload the certificate you downloaded, or paste the certificate contents if HubSpot gives you a text field option
  4. Click Verify to test the connection

If verification succeeds, you'll see a green confirmation. If it fails... well, that's what the troubleshooting section below is for.


How Do You Assign Users to HubSpot SSO?

Setting up the SSO connection is only half the battle. You also need to control which users can actually access HubSpot through SSO. This happens in your identity provider, not in HubSpot.

In most identity providers, you'll assign users or groups to the HubSpot application you created. Only users who are assigned to that application will be able to log in. This gives you centralized control - when someone leaves the company, you remove them from your identity provider, and they automatically lose access to HubSpot along with every other application.

Here's the important nuance: the user must also exist in HubSpot. SSO handles authentication (proving who someone is), but it doesn't automatically create HubSpot user accounts. You have two options:

  • Pre-provision users: Create HubSpot user accounts before they try to log in via SSO
  • Enable Just-In-Time provisioning: HubSpot creates user accounts automatically on first SSO login (available in HubSpot's settings)

Just-In-Time provisioning is convenient, but make sure you understand what permissions new users get by default. You don't want someone's first login accidentally giving them Super Admin access.

What Happens When HubSpot SSO Fails?

SSO errors are frustrating because the error messages are often cryptic. Let's decode the most common ones.

"SAML Response Invalid" or Certificate Errors

This usually means one of three things: the certificate expired, you uploaded the wrong certificate, or there's a formatting issue. Certificates do expire - typically every 1-3 years depending on your identity provider's settings. Check the expiration date and renew if needed. Also verify you're using the correct certificate. Some identity providers have multiple certificates for different purposes.

"User Not Found" Errors

The email address in the SAML assertion doesn't match any user in HubSpot. Either create the user in HubSpot first, enable Just-In-Time provisioning, or check that the email addresses match exactly (including case in some configurations).

Redirect Loop or Blank Page

Usually a mismatch between the ACS URL configured in your identity provider and what HubSpot expects. Double-check that you copied the URLs exactly with no extra spaces or characters.

"Audience Restriction" Failures

The Entity ID / Audience URI in your identity provider doesn't match HubSpot's expected value. Copy it fresh from HubSpot's settings and re-enter it.
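
The mismatches described in this section can be checked offline against a base64 SAMLResponse captured from a test login. The script below is an added example, not code from HubSpot or from the original article: it compares the response's Destination (the ACS URL), Audience, embedded signing certificate, NameID format and email against the values you expect. The URLs, certificate string, email address and function names are constructed placeholders, and the script does not verify the XML signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Constructed placeholders: not HubSpot's real URLs and not a real certificate.
ACS = "https://sp.example.invalid/sso/acs"
AUDIENCE = "https://sp.example.invalid/entity"
CERT = "TUlJQ1BMQUNFSE9MREVS"

def cert_body(text):
    """Reduce a PEM block or bare base64 string to its base64 body."""
    kept = [ln for ln in text.splitlines() if "-----" not in ln]
    return "".join("".join(kept).split())

def diagnose(response_b64, acs_url, audience, uploaded_cert, sp_emails):
    """List config mismatches in a captured SAMLResponse (no signature check)."""
    # Use only on responses from your own test logins; parse untrusted XML
    # with a hardened parser such as defusedxml instead.
    root = ET.fromstring(base64.b64decode(response_b64))
    problems = []
    if root.get("Destination") != acs_url:  # exact match, spaces count
        problems.append("acs_url_mismatch")
    audiences = {(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)}
    if audience not in audiences:
        problems.append("audience_mismatch")
    signing = root.find(".//ds:X509Certificate", NS)  # KeyInfo is optional
    if signing is not None and cert_body(signing.text or "") != cert_body(uploaded_cert):
        problems.append("certificate_mismatch")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("nameid_not_email_format")
    email = (name_id.text or "").strip() if name_id is not None else ""
    if email not in sp_emails:
        case_only = email.lower() in {e.lower() for e in sp_emails}
        problems.append("email_case_mismatch" if case_only else "user_not_found")
    return problems

def build_sample(dest=ACS, aud=AUDIENCE, fmt=EMAIL_FORMAT,
                 email="dana@example.com", cert=CERT):
    """Build a constructed, unsigned SAMLResponse for the checks above."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'xmlns:ds="{NS["ds"]}" Destination="{dest}"><saml:Assertion>'
           f'<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}'
           f'</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
           f'<saml:Subject><saml:NameID Format="{fmt}">{email}</saml:NameID>'
           f'</saml:Subject><saml:Conditions><saml:AudienceRestriction>'
           f'<saml:Audience>{aud}</saml:Audience></saml:AudienceRestriction>'
           f'</saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(diagnose(build_sample(email="Dana@Example.com"), ACS, AUDIENCE,
                   CERT, {"dana@example.com"}))
```

An empty list means the captured response matches the expected configuration; each returned label corresponds to one of the error types in this section.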

For complex SSO troubleshooting, sometimes you need someone who's seen these issues before. Our custom development team has configured SSO for dozens of HubSpot Enterprise clients and can usually diagnose issues quickly.

Can You Require SSO for All HubSpot Users?

Yes - and for security-conscious organizations, you probably should. Once SSO is configured and verified, you can enforce it as the only login method.

In HubSpot's SSO settings, you'll find an option to Require single sign-on for all users. When enabled, users can no longer log in with a HubSpot password. They must go through your identity provider.

There's one important exception to plan for: Super Admins can still log in with a password as a backup. This prevents a nightmare scenario where your identity provider goes down and absolutely nobody can access your CRM. Keep at least one Super Admin account with a strong, unique password stored securely as a break-glass option.

SSO and HubSpot Security Best Practices

Getting SSO running is just the starting point. Here's how to maximize the security benefits:

Enable Multi-Factor Authentication at the Identity Provider

SSO centralizes your authentication, which means you only need to enforce MFA in one place - your identity provider - and it automatically applies to HubSpot access. This is much easier to manage than configuring MFA in every individual application.

Audit Your User Assignments Quarterly

People change roles. They leave the company. They transfer departments. Set a quarterly reminder to review who has access to your HubSpot application in your identity provider and clean up stale assignments.

Document Your Configuration

When you set up SSO, document everything. Screenshot your identity provider configuration. Save the certificate expiration date in your calendar. Note which admin configured it and when. Future-you (or your successor) will be grateful when something needs to be updated three years from now.

Strong security foundations affect everything from your website performance to your SEO strategy with AI tools - you can't optimize what you can't reliably access.

How Long Does HubSpot SSO Setup Take?

For a straightforward setup with a common identity provider like Okta or Azure AD, expect 30-60 minutes if you have all the prerequisites ready. That includes time to test the connection and verify a few user logins.

Complex environments take longer. If you're dealing with multiple HubSpot portals, federated identity setups, or custom identity providers, budget a few hours. Factor in additional time for stakeholder communication and user training on the new login process.

The setup itself is usually the easy part. The harder part is often the organizational coordination - getting admin access, aligning with IT policies, and communicating the change to your team. Much like how your logo communicates your brand values, your security processes communicate how seriously you take protecting data.

Common SSO Mistakes to Avoid

After setting up SSO for numerous clients, we've seen patterns in what trips people up:

  • Not testing with a non-admin user first: Super Admins have fallback login options. Test with a regular user to see the real experience.
  • Forgetting about service accounts: If you have API integrations using HubSpot credentials, SSO enforcement might break them. Plan for service accounts or API keys.
  • Skipping the communication plan: Users panic when their login suddenly changes. Send advance notice explaining what's changing and why.
  • Not setting certificate expiration reminders: When certificates expire years later, nobody remembers how to renew them. Document and calendar it now.

Your login experience is part of your overall user experience. Just as color theory influences how users perceive your brand, a smooth authentication experience influences how your team perceives HubSpot. Clunky login equals resistance to adoption.

Does SSO Work with HubSpot Mobile App?

Yes, SSO works with the HubSpot mobile app. When users open the app and attempt to log in, they're redirected to your identity provider's mobile login experience. Once authenticated there, they're sent back to the HubSpot app and logged in.

The experience is slightly different than desktop - users see the identity provider's mobile web page or, if your identity provider has its own mobile app (like Okta Verify), they might authenticate there. Make sure your team knows what to expect so they're not confused by the redirect.

Getting Help with HubSpot SSO

SSO sits at the intersection of HubSpot expertise and IT security knowledge. If you're hitting roadblocks, you have a few paths:

HubSpot Support: Available for Enterprise customers. They can verify your HubSpot-side configuration but may have limited visibility into your identity provider setup.

Your Identity Provider Support: Okta, Microsoft, Google all have documentation and support for their SAML applications. They can help with the identity provider side.

HubSpot Solutions Partners: Agencies like ours that specialize in HubSpot implementations can handle the end-to-end setup, including bridging communication between HubSpot and IT teams. Our technical experts regularly handle enterprise HubSpot configurations.

For a deeper look at what a HubSpot implementation involves, our HubSpot onboarding process guide walks through what to expect.

Wrapping Up: SSO Is Worth the Setup Effort

Setting up SSO in HubSpot takes some upfront work, but the payoff is real. Your team logs in faster. Your IT team handles fewer password resets. Your security posture improves. And when someone leaves the company, you disable one account instead of hunting through a dozen applications.

The key is having your prerequisites lined up - Enterprise subscription, identity provider access, admin permissions - and following the SAML configuration carefully. When something goes wrong, it's almost always a mismatched URL, a wrong certificate, or an email address that doesn't match.

Take it step by step, test thoroughly before enforcing, and document everything. Your future self will thank you.

Ready to Level Up?

Need help configuring SSO for your HubSpot Enterprise portal? Our team has set up secure authentication for dozens of organizations and can get you running smoothly.
