Configuration Guides

Configuring SAML SSO with HubSpot and PingOne for Enterprise

Learn how to enable HubSpot sign-on from the PingOne for Enterprise console (IdP-initiated sign-on) and direct HubSpot sign-on using PingOne for Enterprise (SP-initiated sign-on).

Before you begin

  • Link PingOne for Enterprise to an identity repository containing the users requiring application access.

  • Populate HubSpot with at least one user to test access.

  • You must have administrative access to PingOne for Enterprise and HubSpot.

Obtain the HubSpot SSO details

  1. Sign on to HubSpot, click the Gear icon (), and select Account Details in the Settings menu.

  2. In the Single Sign-on section, click Set up.

    The HubSpot Settings page with the Single Sign-on Set up button highlighted in red.
  3. Copy the Audience URI and Sign on URL, ACS, Recipient, or Redirect values.

Add the HubSpot application to PingOne for Enterprise

  1. Sign on to PingOne for Enterprise and go to Applications → My Applications.

  2. On the SAML tab, click Add Application.

    Screen capture of the PingOne for Enterprise My Applications page, the SAML tab is selected and New SAML Application is selected in the Add Application list.
  3. For the application name, enter HubSpot.

  4. Enter a suitable description.

  5. For the category, select CRM.

  6. Click Continue to Next Step.

  7. Set Assertion Consumer Service (ACS) to the HubSpot Sign on URL, ACS, Recipient, or Redirect value and Entity ID to the HubSpot Audience URI value.

  8. Click Continue to Next Step.

  9. HubSpot needs the email passed in.

    • If you use an email address to sign on using PingOne for Enterprise, click Continue to Next Step.

    • If you sign on with a username, enter your email attribute in the SAML_SUBJECT mapping, then click Continue to Next Step.

      Screen capture of the PingOne for Enterprise Attribute Mapping table. In the Identity Bridge Attribute or Literal Value column of the SAML_Subject row, the Email attribute has been entered and is highlighted in red.
  10. Click Add for all user groups that should have access to HubSpot.

    Screen capture of PingOne for Enterprise Group Access section showing a list of group names with Add and Remove buttons next to them.
  11. Click Continue to Next Step.

  12. Copy and save the Issuer and Initiate Single Sign-On (SSO) URL values.

    Screen capture of PingOne for Enterprise individual identifiers, with the Issuer and Initiate Single Sign-On (SSO) URL fields highlighted in red.
  13. Download the PingOne for Enterprise signing certificate.

    Screen capture of PingOne for Enterprise Signing Certificate Download link highlighted in red.
  14. Click Finish.

Add the PingOne for Enterprise connection to HubSpot

  1. Sign on to HubSpot, click the Gear icon (), select Account Details from the Settings menu, and open the Single Sign-on settings.

  2. In the Identity Provider Identifier or Issuer URL field, enter the PingOne for Enterprise Issuer value.

  3. In the Identity Provider Single Sign-on URL field, enter the PingOne for Enterprise Initiate Single Sign-On (SSO) URL value.

  4. Paste the PingOne for Enterprise signing certificate into the X.509 Certificate field.

    Screen capture of PingOne for Enterprise Identity Provider Identifier or Issuer URL, Identity Provider Single Sign-on URL, and X.509 Certificate fields.
  5. Click Verify.

  6. In the sidebar menu, click Account Defaults.

  7. In the Single Sign-on (SSO) section, select the Require Single Sign-on to log in check box.

    Screen capture of Security page, with Require Single Sign-on to log in check box checked and highlighted in red.

    The user setting this up is automatically excluded to ensure that their access is not lost in case of setup issues.

Test the PingOne for Enterprise IdP-initiated SSO integration

  1. Go to your PingOne for Enterprise desktop as a user with HubSpot access.

    To find the PingOne for Enterprise desktop URL in the Admin console, go to Setup → Dock → PingOne Dock URL.

  2. Complete PingOne for Enterprise authentication.

    You’re redirected to your HubSpot domain.

    Screencapture of PingOne for Enterprise Sign One page.
    Screen capture of HubSpot Contacts page.

Test the PingOne for Enterprise SP-initiated SSO integration

  1. Go to https://app.hubspot.com/login/sso.

    You’re redirected to PingOne for Enterprise.

  2. Enter your PingOne for Enterprise username and password.

    Screen capture of PingOne for Enterprise Sign On page.

    After successful authentication, you’re redirected back to HubSpot.

    Screen capture of HubSpot Contacts page.