This guide explains how to set up SSO in HubSpot, enforce it for all users, and optionally exempt specific users who need direct login access.
Single Sign-On (SSO) provides a secure way for users to access HubSpot with the same credentials they use for other company systems.
To configure it, you’ll need Super Admin permissions in HubSpot. The setup is best handled by an IT administrator who is familiar with creating apps in your identity provider (IdP) account.
General Setup
- Step 1: Log in to your identity provider (such as Okta, OneLogin, Azure AD, or Google).
- Step 2: Create a new application specifically for HubSpot.
- Step 3: In HubSpot, navigate to:
  - Settings → Security → Login tab → Single Sign-On (SSO) setup.
- Step 4: Choose one of the configuration methods:
  - Upload XML metadata directly from your IdP.
  - Manually copy/paste values (like Audience URI, Sign-on URL, ACS, Recipient, Redirect, etc.) from HubSpot into your IdP and vice versa.
  - Microsoft AD FS users: follow the dedicated AD FS option in HubSpot.
- Step 5: Click Verify to complete the connection.
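
Before uploading the IdP's XML metadata in Step 4, it helps to read out the values it carries and compare them with what the IdP console shows. The following is an added example, not HubSpot's or any IdP's code: it assumes the export is standard SAML 2.0 metadata with a single EntityDescriptor root, and the function name, sample document and certificate placeholder are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata (not from a real IdP); the certificate is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_idp_metadata(xml_text):
    """Return issuer, sign-on URLs and signing certs, plus any problems found."""
    root = ET.fromstring(xml_text)
    issuer = root.get("entityID")
    sso_urls, certs, problems = {}, [], []
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor element")
    else:
        for svc in idp.findall("md:SingleSignOnService", NS):
            binding = svc.get("Binding", "").rsplit(":", 1)[-1]
            url = svc.get("Location", "")
            sso_urls[binding] = url
            if urlparse(url).scheme != "https":
                problems.append("sign-on URL is not HTTPS: " + url)
        for kd in idp.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor without 'use' serves both signing and encryption.
            if kd.get("use", "signing") == "signing":
                for cert in kd.findall(".//ds:X509Certificate", NS):
                    certs.append("".join((cert.text or "").split()))
        if not sso_urls:
            problems.append("no SingleSignOnService endpoint")
        if not certs:
            problems.append("no signing certificate")
    if not issuer:
        problems.append("missing entityID")
    return {"issuer": issuer, "sso_urls": sso_urls,
            "signing_certs": certs, "problems": problems}


if __name__ == "__main__":
    print(summarize_idp_metadata(SAMPLE_METADATA))
```

An empty `problems` list means the file has an issuer, at least one HTTPS sign-on endpoint and a signing certificate; whether those values are the right ones still has to be checked against the IdP application created in Step 2.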
Require SSO for All Users
- Once SSO is connected, you can enforce it as the only login option for every user.
- In HubSpot, go to:
  - Settings → Security → Login tab.
- Check the “Require single sign-on” option.
- From now on, all users must authenticate using SSO credentials instead of standard HubSpot login details.
Exclude Specific Users from SSO Requirement
- In some cases, certain people (e.g., contractors, partners, or temporary users) may not have access to your IdP.
- HubSpot allows you to exempt users so they can log in with their HubSpot account instead.
- To set this up:
  - Go to Settings → Security → Login tab.
  - Under the SSO section, click Manage exempted users.
  - Use the dropdown to select users who should bypass SSO.
  - Click Save to confirm.