SSO for Memberships
- Professional or Enterprise
Manage all of your businesses access permission and authentication needs in a single system with single sign-on (SSO) for memberships. This system allows you to manage access to your company’s applications across your stack, giving your end-users a single username and password combo for all of the applications and content they should have access to.
Note: This setup process must be done by an IT administrator with experience creating applications in your identity provider account.
Follow the steps below to begin setting up your SSO for memberships.
The navigation instructions and field names described below may differ across identity providers. You can find more specific instructions for setting up applications in commonly used identity providers below:
If you're using Active Directory Federation Services, learn more about setting up single sign-on using ADFS.
To get the Audience URI and Sign on URL, ACS, Recipient, or Redirect values:
- In your HubSpot account, click the settings icon settings in the main navigation bar.
- In the left sidebar menu, select Private Content.
- Select a domain from the “choose a domain to edit” picklist to open the settings for that domain. Note* SSO must be enabled on a per-subdomain basis at this time.
- In the Single sign-on (SSO) section, click Set up.
- In the right pane, click Copy next to the values as needed. If you are using Microsoft AD FS, click the Microsoft AD FS tab to copy the values needed.
- Paste them into your identity provider account where required.
Once verification is complete, a “single sign on is enabled” notification will appear at the top of the General & Templates tabs for that domain and all template and email settings options that are no longer managed through HubSpot (because they are now managed through your IaP) will be disabled.
These options are also available in the page and landing page editor > settings tab.
Note: Articles must be set at the article level at this time. We will address global SSO settings options for the knowledge base at a later time.
Note: These options are also available in the article editor > settings tab.
If you would like all users in your IaP that have HubSpot as an assigned app to be able to see your private content, select the Private - Single sign on(SSO) required option.
If you would like to segment users with the assigned HubSpot app in your IaP into smaller tiered groups, select the Private - Single sign on (SSO) required with list filtering option.
- This option requires users to be both a member of your IaP with the assigned app AND a member of a contact list within HubSpot in order to view pages. The benefit of this option is that it allows you to further refine access if your business operates on a tiered subscription model, for example members get access to different content materials depending on their bronze, gold, or platinum subscription levels.
- Note: This is also the default option for content previously marked as “Private - registration required”. If you have content previously marked as "Private - registration required" and would like to transition fully to SSO, please verify that all contacts currently in those assigned lists are added to your IaP before switching over to unfiltered SSO management. Failure to do so will result in contacts losing access to that content.
If you disable SSO for a domain that has published private content on it today, any Private - Single sign on (SSO) required pages will become fully public. Any content marked Private - Single sign on (SSO) required with list filtering will remain private and will be inaccessible to all users.
To go back to simple registration through HubSpot, our recommendation is to first change all sensitive content over to Private - Single sign on (SSO) required with list filtering, then disable SSO for that domain, and then to change all private content over to Private - registration required. During this switch we recommend reviewing any lists or workflows used to populate lists for registration purposes to ensure things are correct before saving the changes.