Enable Single Sign On using Active Directory Federation Services (integration with Office 365)

We would like to integrate Hubspot with our existing Microsoft based infrastructure by implementing Single Sign On (SSO) using Active Directory Federation Services (ADFS).

 

Use Case:

A Person has been given an account that is managed by our organisation’s Active Directory Service. This Person signs into one of our organisation’s PCs or Online Services (e.g. Microsoft’s Office 365) and an Authentication Token is generated.

Assuming a trust has been set up between our organisation’s Hubspot Service and our Federation Service, the User navigates to our Hubspot Portal and is granted access (authorised) based upon permissions set by the Hubspot service.

 

Definitions & Descriptions:

Active Directory is used to manage account properties including Username and Passwords.

Authentication (SSO) is managed by ADFS which generates the Authentication Token.

Authorisation is managed by Hubspot – i.e. the access level permissions granted to an account.

18 Comments
Contributor

Hubspot, what is the status on SAML support for federation?

 

As per other people's threads and comments the ability to federate is a must in today's world. SAML support would allow SSO integration with most third party providers and most importantly should be arranged with Microsoft's Azure Active Directory.

 

Even using Azure AD's secure web authentication method of caching credentials with Hubspot does not work and users are redirected to the login page.

 

Contributor

We are also looking for a way to integrate Hubspot with our existing Microsoft based infrastructure by implementing Single Sign On (SSO) using Active Directory Federation Services (ADFS).

The only practical solution I found was in this post on the community:
https://community.hubspot.com/t5/Marketing-Integrations/Active-Directory-integration/td-p/397

So question to hubspot, are there any plans to implement SSO support?

Specialist

This functionality is a must for any serious enterprise deployment.

Contributor

I agree we are unable to use Hubspot to store anything remotely confidential as there is no real control for admin. We need SAML and federated login through OKTA.

 

It's a joke really: Hubspot use OKTA internally (I wonder why?) but do not allow any access control for users of their product.

They have hobbled the Hubspot product by a clumsy implementation of GDPR but still security of access to data is open wide at the moment.

Even the implementation of 2FA is mickey mouse as there is no way of controlling user behaviour, e.g. the user has the option of bypassing 2FA by clicking "dont ask me again on this device".

 

If this is not fixed then Hubspot may well have issues with ICO in the UK if there is a breach.

 

Hubspot please take this issue seriously!

Contributor

Wow, I went to set up SSO today for Hubspot and was shocked to find out it is not supported!  Can someone from Hubspot chime in here with some information on this?  Is it in development, or even in the queue?  

Specialist

+1

Advisor

+1

Contributor

It is now possible to use SSO in hubspot:
https://www.hubspot.com/product-updates/now-live-single-sign-on
https://knowledge.hubspot.com/articles/kcs_article/account/can-i-use-single-sign-on-sso-with-hubspot

But only for enterprise accounts/licences.
Which still is a no go for our company, the price difference between professional licence and enterprise is too high when we only need it for SSO.

Advisor

I agree HubSpot should have integration with ADFS as standard; it’s a necessity for organisations of all sizes.

Contributor

Completely agree.  SSO should be expected of any modern SaaS, not paid for.  The Hubspot marketing team have missed the mark here - by making the functionality available only on Enterprise agreements, they're saying that user authentication is only important to Hubspot if the customer pays it a lot of money.  

Advisor

The HubSpot SSO that is now available has very limited use.  It only enables users to remember one less password.  It is NOT SAML Federation as one would expect (although it does use SAML to login).  Instead, you must create all users in HubSpot before the users will have access to the tool.  That means authentication is not controlled by Azure AD or any other identity service.  

 

Unfortunately I just received this feedback from their support. We need to provide access to our entire sales team and managing identity and access in yet another tool is a big task as well as a deterrent for anyone who expects enterprise capabilities from HubSpot.

Advisor

I am astonished and greatly disappointed that Hubspot would take the position that you have to buy the enterprise edition in order to access SSO functionality.

We use the professional level product (as I suspect many customers do) and our need to have this function is just as important as any other larger firm's. Come on guys. Wake up - please add this to the professional level product as well. Thx

Contributor

Agreed, it is very disappointing this isn't included at the Pro level.  Especially since the price jump to Enterprise is extreme.   I was excited when I saw the announcement of SSO availability, only to be let down that our Pro license doesn't include it.  

Contributor

Well we have been campaigning for this for some time. The whole admin and security for Hubspot is suspect and leaves user companies open to GDPR questions. As a result we have decided to move BACK to Salesforce. More expensive but a much better product from a security perspective. We can use SSO and OKTA to control and manage our users.

So whatever Hubspot do it's too late for us

HubSpot Employee
Status updated to: Delivered

I think this was left not updated, but our current SSO implementation allows folks with ADFS to set up SSO for login! If there are other questions about that functionality, I'm happy to answer them as well.

Contributor

ADFS is generally used for Enterprise deployments.  So it's either we implement an Enterprise solution that is overkill for our organization (and costs additional money to run if you implement it correctly), or pay Hubspot for Enterprise?  We tried ADFS at the beginning of our O365 implementation, and quickly realized it was overkill.  Hubspot needs to shift their thinking on this, or you will have more customers like @Richards jumping to other solutions.  

Contributor

I believe that SSO is a must for any business as more businesses are now working more in the cloud, they have access to Azure AD, Google, Okta and many more platforms where in the past as a business you needed to have complex platforms to run SSO and therefore was used mainly by Large Enterprises who could support this... this is no longer the case. SSO platforms are available for all to use. Now I appreciate that companies that want to offer SSO integration in their products want to charge for it but as we are paying 7,800 gbp a year for pro already and I cannot justify 31,400 gbp a year to just turn on SSO (That is a 300% increase). I have spoken with the teams here and we would NOT use any of the other features that are in enterprise. Hubspot should really consider including this in Pro or they should make it available as an Addon. I would also expect JiT user addition and role management and from what I have read in the previous comments it appears this is not available.

Contributor

@rad or anyone else at Hubspot no one has replied to the several comments about your pricing of SSO to your smaller customers who cannot afford to pay for Enterprise. SSO is used in both large and small organisations and while I agree it shouldn't be in free / basic tiers I do disagree that it's put into a tier which SMEs can't touch. Come on team! You're also listed in sso.tax which shows Hubspot has the largest % increase to enable SSO out of the listed services.