SAML authentication

Please add support for SAML authentication. Currently your account security seems to be subpar compared to the rest of the industry. From what I can tell there's no two-factor support, no ability to set minimum password requirements nor support to just force the use of Google login. With SAML support we can manage our entire login security stack (user account verification, two-factor decision, password requirements). With HubSpot containing high sensative information I can't believe this hasn't come up before.

 

At the very least just let us force users to have to use Google to login, then we can mandate some requirements through that.

HubSpot updates
26 Replies
New Contributor

Agree very surprised to see this wasn't supported yet

New Contributor

 Yes surprising this is not supported - it's really a standard feature on enterprise SAS providers. Just being able to enforce Google login would be a 90% solution for me, but SAML would be great.

New Contributor

Would really like to see support for this.

Occasional Contributor

Agreed - we NEED this. Pretty basic feature for any SaSS solution these days...

HubSpot Employee
HubSpot Employee

Hey folks! I work with the product team responsible for our login and account security efforts, so I wanted to jump into this thread and let you know that this is definitely a request that is on our radar. We get the request for SAML and more full-featured SSO support often enough that we recognize it's a big draw for our customers, especially those juggling multiple software solutions where those features are already in use in other parts of the organization. It's definitely something we'd like to solve for you.

 

Since this thread was created, we have added support for two-factor authentication via SMS and Google Authenticator on a per-user basis. If you haven't already activated that feature on your HubSpot account, it's worth doing; SAML is a diffent project, but one we'd like to tackle.

New Contributor

 Rad - any update on the roadmap for SAML?

New Contributor

This continues to be an issue for our long term relationship with HubSpot.  Every year when we are up for renewal this is one of the functions HubSpot is lacking which triggers re-evaluation. 

New Contributor

This is key for security and access controls at our company - can we please priotize this feature for the HS dev team? Thanks!

Status updated to: In Planning
HubSpot Employee
HubSpot Employee

Hey everyone, just wanted to swing back through to say we're officially doing the planning for SAML 2.0 with HubSpot now. This thread will be updated as soon as we've got more info to share. Thanks for your feedback, & for pushing us to build the best possible product!

New Contributor

This is great news! If possible documentation for Salesforce Identity would be appreciated.

Status updated to: In Beta
HubSpot Employee
HubSpot Employee

Hey everyone! Me again. Got some good news, which you might've seen at Inbound, or on our Product Updates: SAML 2.0 is available in HubSpot Enterprise! We're still refining the functionality, but currently, that means that all Enterprise customers can enable single sign-on as an additional login method available for the HubSpot account. There are additional features coming down the pipe very quickly, but we're glad to be able to offer the ability to support SSO for login right now.

 

If you already have a HubSpot Enterprise account, you should see the option to set up SSO in your Account Defaults settings menu. As long as your IDP supports creating a SAML 2.0 app with HTTP POST bindings, your SSO should easily integrate with HubSpot. Detailed setup guides will be coming for more providers soon, but right now we offer steps for both Okta & OneLogin. Hope you're as excited to see this functionality in HubSpot as we are!

Occasional Contributor

Will this eventually be available to Professional subscriptions as well?

HubSpot Employee
HubSpot Employee

@tspringer there aren't imminent plans to bring this to the Professional level at this point. Currently it's a cross-hub feature, meaning that if you have one Enterprise product, you'll get access, no matter which of our tools you're using (Sales Enterprise, Service Enterprise, or Marketing Enterprise.)

Status updated to: Delivered
HubSpot Employee
HubSpot Employee

Just wanted to drop by and formally mark this one delivered! We're hard at work making improvements to SAML support (like the ability to force all logins to your account to happen via single sign-on), but it's available now to all Enterprise customers in HubSpot.

Occasional Contributor

Hi Rad,

I'm unsure that this is actually delivered. I believe part of the original request was to not only add support for additional authentication systems but to force users to actually have to use them.

 

"You cannot require single sign-on be enabled for all logins to your hub. All users are able to log in either with their SSO credentials, or with their HubSpot credentials." per your set up page.

 

If users aren't required to authenticate using more secure means, they won't. They'll set a simple, easily guessable passwords and use that instead to login.

 

Maybe I'm missing it, but would you be able to at least point me to the spot we can set minimum password requirements on accounts?

HubSpot Employee
HubSpot Employee

That's a fair point--we definitely want to allow folks to force SSO as quickly as we can. We currently have that feature in a limited beta. If anyone in this thread is interested in learning more about that beta, please reach out to me via private message & I'm happy to chat more about it & get more accounts involved!

New Contributor

Has the forced SSO been resolved?  I see this in the admin panel:

 

Screen Shot 2019-01-03 at 8.48.42 PM.png

 

Or does it say require while not actually requiring?

 

I'm attempting a new enterprise deployment and just got SSO working, but I'd hate to find it is not actually going to force the use of SSO.  Additionally, can't find how to get SSO working on mobile app; I assume the lack of mention on the mobile app login screen means it's missing, which would be hugely disappointing since what enterprise has no mobile users...  it defeats the whole effort of attempting to force security best practices. 

HubSpot Employee
HubSpot Employee

Hey @ssoadmin, that's actually the beta I mentioned above for requiring SSO. It does indeed require it for login.

 

The caveat there is that the mobile app is currently working to add SSO login support, so if you have mobile users who need to access the app after you require SSO, you can add them to the excluded users list (by clicking the link under the require SSO checkbox.) That'll allow them to bypass the requirement & log in with HubSpot credentials; we built this feature with contractors or partners who don't have credentials on your SSO provider in mind. Our mobile team is working quickly to get the SSO login flow into the mobile app, so that necessity will be temporary.

 

cc @vishnu

HubSpot Employee
HubSpot Employee

Hey all,

 

Wanted to drop into this thread to announce some good news you may have already seen in your HubSpot accounts: we've officially got the require SSO functionality delivered to all Enterprise HubSpot accounts, as well as officially supporting SSO for login on our mobile apps. If you want to know more about the functionality & how it works, check out this post on our product blog!

New Contributor

Working fantastic; just tested logging into my account on iOS mobile app with Duo-based SAML + required MFA!!