Please add support for SAML authentication. Currently your account security seems to be subpar compared to the rest of the industry. From what I can tell there's no two-factor support, no ability to set minimum password requirements nor support to just force the use of Google login. With SAML support we can manage our entire login security stack (user account verification, two-factor decision, password requirements). With HubSpot containing highly sensitive information I can't believe this hasn't come up before.
At the very least just let us force users to have to use Google to log in, then we can mandate some requirements through that.
@Beefy80a we're definitely interested in making SSO available to more of our users. You're absolutely correct that it is not just a concern for larger enterprises, & we want to make options for using it easier to access & improve our SSO system as a whole. I don't have concrete news to share there just yet, but when I do I'll be sure to update this thread!
Hey @ssoadmin I haven't been able to reproduce this on my side just yet. If you're working with our support team, providing them with a Safari version number & that web archive would be helpful. I think I'm on the latest Safari version myself, but I did run into some trouble with a beta branch of Safari a while back because it was defaulting to not allowing third-party cookies to be set in my browser, which made logging into some tools fail.
Yes, surprising this is not supported - it's really a standard feature on enterprise SaaS providers. Just being able to enforce Google login would be a 90% solution for me, but SAML would be great.
Hey folks! I work with the product team responsible for our login and account security efforts, so I wanted to jump into this thread and let you know that this is definitely a request that is on our radar. We get the request for SAML and more full-featured SSO support often enough that we recognize it's a big draw for our customers, especially those juggling multiple software solutions where those features are already in use in other parts of the organization. It's definitely something we'd like to solve for you.
Since this thread was created, we have added support for two-factor authentication via SMS and Google Authenticator on a per-user basis. If you haven't already activated that feature on your HubSpot account, it's worth doing; SAML is a different project, but one we'd like to tackle.
This continues to be an issue for our long-term relationship with HubSpot. Every year when we are up for renewal this is one of the functions HubSpot is lacking which triggers re-evaluation.
Hey everyone, just wanted to swing back through to say we're officially doing the planning for SAML 2.0 with HubSpot now. This thread will be updated as soon as we've got more info to share. Thanks for your feedback, & for pushing us to build the best possible product!
Hey everyone! Me again. Got some good news, which you might've seen at Inbound, or on our Product Updates: SAML 2.0 is available in HubSpot Enterprise! We're still refining the functionality, but currently, that means that all Enterprise customers can enable single sign-on as an additional login method available for the HubSpot account. There are additional features coming down the pipe very quickly, but we're glad to be able to offer the ability to support SSO for login right now.
If you already have a HubSpot Enterprise account, you should see the option to set up SSO in your Account Defaults settings menu. As long as your IDP supports creating a SAML 2.0 app with HTTP POST bindings, your SSO should easily integrate with HubSpot. Detailed setup guides will be coming for more providers soon, but right now we offer steps for both Okta & OneLogin. Hope you're as excited to see this functionality in HubSpot as we are!
@tspringer there aren't imminent plans to bring this to the Professional level at this point. Currently it's a cross-hub feature, meaning that if you have one Enterprise product, you'll get access, no matter which of our tools you're using (Sales Enterprise, Service Enterprise, or Marketing Enterprise.)
Just wanted to drop by and formally mark this one delivered! We're hard at work making improvements to SAML support (like the ability to force all logins to your account to happen via single sign-on), but it's available now to all Enterprise customers in HubSpot.
I'm unsure that this is actually delivered. I believe part of the original request was to not only add support for additional authentication systems but to force users to actually have to use them.
"You cannot require single sign-on be enabled for all logins to your hub. All users are able to log in either with their SSO credentials, or with their HubSpot credentials." per your set up page.
If users aren't required to authenticate using more secure means, they won't. They'll set simple, easily guessable passwords and use those instead to log in.
Maybe I'm missing it, but would you be able to at least point me to the spot we can set minimum password requirements on accounts?
That's a fair point--we definitely want to allow folks to force SSO as quickly as we can. We currently have that feature in a limited beta. If anyone in this thread is interested in learning more about that beta, please reach out to me via private message & I'm happy to chat more about it & get more accounts involved!
Has the forced SSO been resolved? I see this in the admin panel:
Or does it say require while not actually requiring?
I'm attempting a new enterprise deployment and just got SSO working, but I'd hate to find it is not actually going to force the use of SSO. Additionally, can't find how to get SSO working on mobile app; I assume the lack of mention on the mobile app login screen means it's missing, which would be hugely disappointing since what enterprise has no mobile users... it defeats the whole effort of attempting to force security best practices.
Hey @ssoadmin, that's actually the beta I mentioned above for requiring SSO. It does indeed require it for login.
The caveat there is that the mobile app is currently working to add SSO login support, so if you have mobile users who need to access the app after you require SSO, you can add them to the excluded users list (by clicking the link under the require SSO checkbox.) That'll allow them to bypass the requirement & log in with HubSpot credentials; we built this feature with contractors or partners who don't have credentials on your SSO provider in mind. Our mobile team is working quickly to get the SSO login flow into the mobile app, so that necessity will be temporary.
Wanted to drop into this thread to announce some good news you may have already seen in your HubSpot accounts: we've officially got the require SSO functionality delivered to all Enterprise HubSpot accounts, as well as officially supporting SSO for login on our mobile apps. If you want to know more about the functionality & how it works, check out this post on our product blog!