SSO for Memberships

Last updated:

Note: SSO for Memberships is currently in open beta. By using this feature you are agreeing to our developer beta terms.

APPLICABLE PRODUCTS
  • Service Hub
    • Professional or Enterprise
  • CMS Hub
    • Enterprise

Manage all of your businesses access permission and authentication needs in a single system with single sign-on (SSO) for memberships. This system allows you to manage access to your company’s applications across your stack, giving your end-users a single username and password combo for all of the applications and content they should have access to.

Note: This setup process must be done by an IT administrator with experience creating applications in your identity provider account.

Initial Setup

Follow the steps below to begin setting up your SSO for memberships.

The navigation instructions and field names described below may differ across identity providers. You can find more specific instructions for setting up applications in commonly used identity providers below:

If you're using Active Directory Federation Services, learn more about setting up single sign-on using ADFS.

1. Login to your identity provider.

3. Create a new SAML application specifically for HubSpot content access.

To get the Audience URI and Sign on URL, ACS, Recipient, or Redirect values:

  • In your HubSpot account, click the settings icon settings in the main navigation bar.
  • In the left sidebar menu, select Private Content.
  • Select a domain from the “choose a domain to edit” picklist to open the settings for that domain.  Note* SSO must be enabled on a per-subdomain basis at this time.
Select a domain from the dropdown
  • In the Single sign-on (SSO) section, click Set up.
  • In the right pane, click Copy next to the values as needed. If you are using Microsoft AD FS, click the Microsoft AD FS tab to copy the values needed.
  • Paste them into your identity provider account where required.

4. Copy the identifier or issuer URL, the single-sign on URL, and the certificate from your identity provider, and paste them into the corresponding fields in the SSO setup panel in HubSpot.

5. Click Verify.

Once verification is complete, a “single sign on is enabled” notification will appear at the top of the General & Templates tabs for that domain and all template and email settings options that are no longer managed through HubSpot (because they are now managed through your IaP) will be disabled.

SSO Enablement for Blogs

2. Select a blog that is currently hosted on an SSO enabled subdomain from the “select a blog to modify” list.

3. Locate the control audience access settings at the bottom of your blog’s general tab.

Visit the control audience access option settings section for more information on these choices.

SSO Enablement for Pages / Landing Pages

2. Select a single page or landing page on an SSO enabled domain, or select multiple pages or landing pages on an SSO enabled domain using the checkbox option in the listing’s area, and click the “control audience access” option at the top of the table.

These options are also available in the page and landing page editor > settings tab.

Page and landing page listing in app

Visit the control audience access option settings section for more information on these choices.

SSO Enablement for Knowledge Articles

Note: Articles must be set at the article level at this time.  We will address global SSO settings options for the knowledge base at a later time.

2. Select a single article on an SSO enabled domain or select multiple articles on an SSO enabled domain using the checkbox option in the listing’s area, and click the “control audience access” option at the top of the table.

Note: These options are also available in the article editor > settings tab.

Knowledge base article listing in app

Visit the control audience access option settings section for more information on these choices.

Control Audience Access Option Settings

If you would like all users in your IaP that have HubSpot as an assigned app to be able to see your private content, select the Private - Single sign on(SSO) required option.

If you would like to segment users with the assigned HubSpot app in your IaP into smaller tiered groups, select the Private - Single sign on (SSO) required with list filtering option.

  • This option requires users to be both a member of your IaP with the assigned app AND a member of a contact list within HubSpot in order to view pages. The benefit of this option is that it allows you to further refine access if your business operates on a tiered subscription model, for example members get access to different content materials depending on their bronze, gold, or platinum subscription levels.
  • Note: This is also the default option for content previously marked as “Private - registration required”. If you have content previously marked as "Private - registration required" and would like to transition fully to SSO, please verify that all contacts currently in those assigned lists are added to your IaP before switching over to unfiltered SSO management. Failure to do so will result in contacts losing access to that content.

Frequently Asked Questions

What happens to my content if I disable SSO for a domain?

If you disable SSO for a domain that has published private content on it today, any Private - Single sign on (SSO) required pages will become fully public. Any content marked Private - Single sign on (SSO) required with list filtering will remain private and will be inaccessible to all users.

Can I go back to the old Private - registration required option? How

To go back to simple registration through HubSpot, our recommendation is to first change all sensitive content over to Private - Single sign on (SSO) required with list filtering, then disable SSO for that domain, and then to change all private content over to Private - registration required.  During this switch we recommend reviewing any lists or workflows used to populate lists for registration purposes to ensure things are correct before saving the changes.