With more businesses now moving to cloud apps and businesses looking to secure these SSO should be available on some of the lower tiers not just the Enterprise tier. With the likes of Azure Active Directory, G Suite, Okta etc more midsized businesses are also implementing SSO not just top tier enterprises. The price difference between professional and enterprise is to prohibitive for a SME to use enterprise with Hubspot. Hubspot also feature on https://sso.tax as one of the worst offenders for price to enable SSO.
Hi everyone! My name is Hallie, and I'm an Associate Program Manager on our CXM Team here at HubSpot. I'm excited to share that setting upSSO is now available for Professional plans! This is listed in our KB along with details of how to set it up. 🙂
The login process to HubSpot without SSO is annoying, so I use it way less than I would like to. The "remember this device" doesn't seem to work for me either, yet other sites are fine, so not just a matter of background deleting of cookies. Maybe it's because I jump between work and home networks, and it incorporates IP addresses or something?
Long story short, +1 to this idea for every minute I spend hunting for my phone, then my reading glasses, to get the 2FA code.
Shame, shame Hubspot - you are levying an SSO tax to an absurd degree - https://sso.tax - Please bring this to your Professional plans that are much more accessible to your user base.
Single sign-on (SSO) is a mechanism for outsourcing the authentication for your website (or other product) to a third party identity provider, such as Google, Azure AD, Okta, PingFederate, etc.
In this context, SSO refers to a SaaS or similar vendor allowing a business client to manage user accounts via the client’s own identity provider, without having to rely on the vendor to provide strong authentication with audit logs, and with the ability to create and delete user accounts centrally, for all users, across all software in use by that client.
For organizations with more than a handful of employees, this feature is critical for IT and Security teams to be able to effectively manage user accounts across dozens or hundreds of vendors, many of which don’t support features like TOTP 2FA or U2F. In the event that an employee leaves the company, it allows the IT team to immediately disable their access to all applications, rather than logging into 100 different user management portals.
In short: SSO is a core security requirement for any company with more than five employees.
SaaS vendors appear not to have received this message, however. SSO is often only available as part of “Enterprise” pricing, which assumes either a huge number of users (minimum seat count) or is force-bundled with other “Enterprise” features which may have no value to the company using the software.
If companies claim to “take your security seriously”, then SSO should be available as a feature that is either:
part of the core product, or
an optional paid extra for a reasonable delta, or
attached to a price tier, but with a reasonably small gap between the non-SSO tier and SSO tiers.
Many vendors charge 2x, 3x, or 4x the base product pricing for access to SSO, which disincentivizes its use and encourages poor security practices.
Another up-vote for Active Directory SSO for Professional plan-levels. This quote sums it up, perfectly: "The price difference between professional and enterprise is to prohibitive for a SME to use enterprise with Hubspot."
Are you crazing changing for what you call "SSO" and and stoping authenticaing against Google aacounts or MS O365 Identity managment which has been in place for 5+ years with 2FA for even the free tier.
Hi All I am a Product Manager in HubSpot and doing research on our customer needs for SAML-based SSO. I appreciate your feedback on the topic of Single Sign-on. In HubSpot, we do offer social logins like Login with Google and Microsoft for all tiers. I am wondering why this will not work for you?
Why do you need to use SAML SSO in other tiers? Please let us know the reason: 1. It is the enterprise standard for SSO and you have other applications connecting using the same SAML protocol. You have a working SSO architecture laid down using SCIM based user provisioning and SAML SSO authentication with appropiate relayState and don’t want to deviate from the standard model. 2. You have a mix of on-prem, legacy and cloud applications which necessities SAML as OIDC will not work for on-prem and legacy applications 3. Your current IdP may only support SAML for SSO (e.g. older version of Microsoft ADFS) or your IdP only provides SSO based application connectors 4. You want your users to connect to a specific IdP instance for your company’s specific business domains 5. You have external users/contractors whose email may not be that of Google or Microsoft. In this case they cannot use Login with Google or Login with Microsoft 6. Today, you cannot explicitly specify what social login providers are trusted in their portals. There will be issues in enforcement as a user from social login may have identity with different policies. These issues can only be solved using SAML SSO integration. 7. Any other reason?
For us, it is largely #1: 1. It is the enterprise standard for SSO and you have other applications connecting using the same SAML protocol. You have a working SSO architecture laid down using SCIM based user provisioning and SAML SSO authentication with appropiate relayState and don’t want to deviate from the standard model.
SAML is the standard and these days it is basically the standard across all SaaS apps, both big and small. It's no longer some premium, large enterprise thing like it used to be - the nature of identity management is shifting such that even small businesses are utilizing SAML-based SSO and SCIM provisioning, and that trend is only going to continue. I expect that SAML SSO and SCIM will become as ubiquitous as MFA which we've all seen become a mandatory piece of any serious SaaS application, not just a special feature only available to high-end plans.
As mentioned by many previously, SAML is the de-facto standard and with regulatory requirements mandating more stringent requirements, not having SAML support in lower tiers is a big problem these days.
SSO is a basic thing and great for user experience. It should not be limited to Enterprise. HubSpot talks about reducing friction in sales, and SSO would really help the users. And perhaps make the Outlook Add-in function better - it logs out all the time.
This thread seems to have died, but oh good lord, yes please!
As to why OIDC logins aren't equivalent to SAML SSO, the reason is that my users can bypass OIDC and sign into HubSpot directly. This prevents me from being able to fully enforce conditional access policies in Entra ID for authentication into our HubSpot tenant.
One of the other things that SAML SSO does is it allows me to put HubSpot a HubSpot tile into the user's application list in Office 365 for an IdP initiated login so that they don't have to worry about saving a bookmark. Could we push a bookmark to the user's browser? Sure, but allowing me to manage this all through an Entra ID enterprise app and SAML is a cleaner option.
I am the new product manager covering the customer login space. I'm looking to revive this conversation as we make decisions on our SSO strategy. If anyone is open to hop on a call and discuss it further, please message me back and I'll reach out to you with my HubSpot meeting link to book some time.
As the origional post owner I am happy to discuss SSO still. We now have SSO but thats only because we added CMS Enterprise as we needed the advanced features for our webhosting and that of course then enabled SSO for us. However the lack of SCIM or JiT adding of users makes the whole process clunky.
