HubSpot Ideas

Chad

SAML authentication

Please add support for SAML authentication. Currently your account security seems to be subpar compared to the rest of the industry. From what I can tell there's no two-factor support, no ability to set minimum password requirements nor support to just force the use of Google login. With SAML support we can manage our entire login security stack (user account verification, two-factor decision, password requirements). With HubSpot containing high sensative information I can't believe this hasn't come up before.

 

At the very least just let us force users to have to use Google to login, then we can mandate some requirements through that.

35 Replies
rad
HubSpot Product Team
HubSpot Product Team

@ssoadmin great to hear! Glad you're getting value out of the new features.

ssoadmin
Member

 

Is it possible that SSO is broken when the browser is Safari?  I've been going back and forth with Support about one user who can't log in, they want videos, screen shots, a browser webdev tool recording, etc..  I decided to recreate most of the screen shots using my own computer and Safari, knowing the user in question was using Safari, and what do you know, I get the same SSO failure as shown below.  However, flip back to Firefox, log out, clear cookies, start fresh, and it works fine.  Seems weird that it would be browser specific but now I can reproduce it.

Screen Shot 2019-04-03 at 3.46.25 PM.png

 

 

rad
HubSpot Product Team
HubSpot Product Team

Hey @ssoadmin I haven't been able to reproduce this on my side just yet. If you're working with our support team, providing them with a Safari version number & that web archive would be helpful. I think I'm on the latest Safari version myself, but I did run into some trouble with a beta branch of Safari a while back because it was defaulting to not allowing third-party cookies to be set in my browser, which made logging into some tools fail.

ssoadmin
Member

Yep, I have a ticket going.  I updated them with the Safari version (Mojave / MacOS latest).  Chrome & FF on the same computer work fine.

Beefy80a
Member

Hi rad 

 

We have recently joined hubspot I have seen that SSO is available for Enterprise customers however we only have marketing pro and would not benefit from any of the other enterprise features, the additional cost of enterprise to simply have SSO is prohibitive to us. 

 

Are there plans to make this available to Pro users or as a possible add on to pro users. Sadly I was not involved in the procurement process and by the time I’ve got involved it’s purchased and I’m asked to sort users out and get domains configured. If not are hubspot considering to add a Microsoft account button like you have already for google?

 

In my opinion if a product can support SSO it should be available to all as we all know passwords are weak and by using SSO additional checks can be done along with actually dropping passwords altogether. In the past it was only enterprise businesses who implemented SSO due to the additional management but now with the likes of okta, azure ad, g suite more business small and large can protect themselves but that’s only achievable if the Service Providers allow us to use SSO in more than just their enterprise plans. 

BethanyPester
Member

Good afternoon all,

 

This idea is great!

 

However as an administrator when logging onto other users to make changes to their profiles - add e-mail signatures, connect phone numbers, update views etc the system does not allow me to do this requiring verification number sent by e-mail. Obviously the system sends this to the user e-mail rather than my own. It would be even better if the admin user could be exempt from this and able to log in to any user? -  most of our users are salesmen and they do not want to have anything to do with the admin side of things!

 

Perhaps the admin could log into their own account and the in settings>users and teams>actions (the little grey dropdown) have a option to "access user's account" to edit their profile/system defaults and settings/ table views/ dashboard defaults/ signatures/ connect phone/email etc

lfrancis1
Participant

Whould be good to see SSO and SAML incliuded across all packages. In 2020 this is a basic security feature that all SaaS providers should offer.

Beefy80a
Member

@rad are Hubspot going to make SSO available to the professional plan?  In 2021 its not only Enterprises that use SSO smaller businesses are now using SSO as both Google and Microsoft Include SSO capable directories as part of their offering along with many other platforms now being available.  As a smaller business we cannot justify the cost of Enterprise to enable SSO (and before its said we do not need any of the other enterprise features) but enable SSO everywhere as the security benifits outweight the setup and maintenance required to run this.  Hubspot are also featured on https://sso.tax as the worst offender to offer SSO as a feature in comparison to cost.  As everyone is moving to a cloud first approach SSO should be available on at least a mid tier not just Enterprise tiers.

rad
HubSpot Product Team
HubSpot Product Team

@Beefy80a we're definitely interested in making SSO available to more of our users. You're absolutely correct that it is not just a concern for larger enterprises, & we want to make options for using it easier to access & improve our SSO system as a whole. I don't have concrete news to share there just yet, but when I do I'll be sure to update this thread!

Beefy80a
Member

@radGreat I look forward to hear what's coming up. 

kol
Member

@rad Are there any updates to allowing Starter and Professional plans to have access to SSO? HubSpot is still the worst offender on https://sso.tax/ by a longshot. Sell it as an Add-on, perhaps?

AQT_MKr
Member

+1 Upvote // @rad Any way to get an official update on this? Can you at least offer some kind of "work-around" or possibility to license this feature separately?

This is clearly a customer need and there a several threads here where people ask for this!

DJourdan5
Member

Can you share with us if the SSO feature is in your roadmap, irrespective of the subscription?

 

If yes, please provide an expected release in production.

 

 

 

KGhoshHS
HubSpot Employee

Hi All
I am a Product Manager in HubSpot and doing research on our customer needs for SAML-based SSO. I appreciate your feedback on the topic of Single Sign-on.
In HubSpot, we do offer social logins like Login with Google and Microsoft for all tiers. I am wondering why this will not work for you?

Why do you need to use SAML SSO in other tiers? Please let us know the reason:
1. It is the enterprise standard for SSO and you have other applications connecting using the same SAML protocol. You have a working SSO architecture laid down using SCIM based user provisioning and SAML SSO authentication with appropiate relayState and don’t want to deviate from the standard model.
2. You have a mix of on-prem, legacy and cloud applications which necessities SAML as OIDC will not work for on-prem and legacy applications
3. Your current IdP may only support SAML for SSO (e.g. older version of Microsoft ADFS) or your IdP only provides SSO based application connectors
4. You want your users to connect to a specific IdP instance for your company’s specific business domains
5. You have external users/contractors whose email may not be that of Google or Microsoft. In this case they cannot use Login with Google or Login with Microsoft
6. Today, you cannot explicitly specify what social login providers are trusted in their portals. There will be issues in enforcement as a user from social login may have identity with different policies. These issues can only be solved using SAML SSO integration.
7. Any other reason?


Thanks,
Kaushik

ssoadmin
Member

Why?  Because SAML is a standard, easy to implement, and allows your customers to handle their own authentication in the way they want.  It doesn't get much more simple then that.  Not every business entity feels comfortable with trusting their authentication, or data, to two mega entities known for not exactly doing things that are in the best interests of their customers.  Of course, that's also how people often walk away feeling about providers who refuse to allow SSO, or only offer it with a heavy tax.

 

As easy as SSO is, and the fact that, with proper logging, it takes the liability of fraudulent authentication off the plate of the service provider and puts it solely on the customer, it's still mind boggling that every company doesn't offer it as a default.