HubSpot Ideas

Chad

SAML authentication

Please add support for SAML authentication. Currently your account security seems to be subpar compared to the rest of the industry. From what I can tell there's no two-factor support, no ability to set minimum password requirements nor support to just force the use of Google login. With SAML support we can manage our entire login security stack (user account verification, two-factor decision, password requirements). With HubSpot containing highly sensitive information I can't believe this hasn't come up before.

At the very least just let us force users to have to use Google to login, then we can mandate some requirements through that.

Updates from HubSpot
June 07, 2021 02:57 PM

@Beefy80a we're definitely interested in making SSO available to more of our users. You're absolutely correct that it is not just a concern for larger enterprises, & we want to make options for using it easier to access & improve our SSO system as a whole. I don't have concrete news to share there just yet, but when I do I'll be sure to update this thread!

April 04, 2019 02:29 PM

Hey @ssoadmin I haven't been able to reproduce this on my side just yet. If you're working with our support team, providing them with a Safari version number & that web archive would be helpful. I think I'm on the latest Safari version myself, but I did run into some trouble with a beta branch of Safari a while back because it was defaulting to not allowing third-party cookies to be set in my browser, which made logging into some tools fail.

February 21, 2019 07:10 AM

@ssoadmin great to hear! Glad you're getting value out of the new features.

February 19, 2019 11:40 AM

Hey all,

Wanted to drop into this thread to announce some good news you may have already seen in your HubSpot accounts: we've officially got the require SSO functionality delivered to all Enterprise HubSpot accounts, as well as officially supporting SSO for login on our mobile apps. If you want to know more about the functionality & how it works, check out this post on our product blog!

January 04, 2019 07:59 AM

Hey @ssoadmin, that's actually the beta I mentioned above for requiring SSO. It does indeed require it for login.

The caveat there is that the mobile app is currently working to add SSO login support, so if you have mobile users who need to access the app after you require SSO, you can add them to the excluded users list (by clicking the link under the require SSO checkbox.) That'll allow them to bypass the requirement & log in with HubSpot credentials; we built this feature with contractors or partners who don't have credentials on your SSO provider in mind. Our mobile team is working quickly to get the SSO login flow into the mobile app, so that necessity will be temporary.

cc @vishnu

November 08, 2018 06:30 AM

That's a fair point--we definitely want to allow folks to force SSO as quickly as we can. We currently have that feature in a limited beta. If anyone in this thread is interested in learning more about that beta, please reach out to me via private message & I'm happy to chat more about it & get more accounts involved!

Re: SAML authentication - changed to: Delivered
October 15, 2018 08:50 AM

Just wanted to drop by and formally mark this one delivered! We're hard at work making improvements to SAML support (like the ability to force all logins to your account to happen via single sign-on), but it's available now to all Enterprise customers in HubSpot.

September 14, 2018 07:12 AM

@tspringer there aren't imminent plans to bring this to the Professional level at this point. Currently it's a cross-hub feature, meaning that if you have one Enterprise product, you'll get access, no matter which of our tools you're using (Sales Enterprise, Service Enterprise, or Marketing Enterprise.)

Re: SAML authentication - changed to: In Beta
September 12, 2018 03:41 PM

Hey everyone! Me again. Got some good news, which you might've seen at Inbound, or on our Product Updates: SAML 2.0 is available in HubSpot Enterprise! We're still refining the functionality, but currently, that means that all Enterprise customers can enable single sign-on as an additional login method available for the HubSpot account. There are additional features coming down the pipe very quickly, but we're glad to be able to offer the ability to support SSO for login right now.

If you already have a HubSpot Enterprise account, you should see the option to set up SSO in your Account Defaults settings menu. As long as your IDP supports creating a SAML 2.0 app with HTTP POST bindings, your SSO should easily integrate with HubSpot. Detailed setup guides will be coming for more providers soon, but right now we offer steps for both Okta & OneLogin. Hope you're as excited to see this functionality in HubSpot as we are!

Re: SAML authentication - changed to: In Planning
August 10, 2018 03:05 PM

Hey everyone, just wanted to swing back through to say we're officially doing the planning for SAML 2.0 with HubSpot now. This thread will be updated as soon as we've got more info to share. Thanks for your feedback, & for pushing us to build the best possible product!

May 29, 2018 12:06 PM

Hey folks! I work with the product team responsible for our login and account security efforts, so I wanted to jump into this thread and let you know that this is definitely a request that is on our radar. We get the request for SAML and more full-featured SSO support often enough that we recognize it's a big draw for our customers, especially those juggling multiple software solutions where those features are already in use in other parts of the organization. It's definitely something we'd like to solve for you.

Since this thread was created, we have added support for two-factor authentication via SMS and Google Authenticator on a per-user basis. If you haven't already activated that feature on your HubSpot account, it's worth doing; SAML is a different project, but one we'd like to tackle.

35 Comments
rad
HubSpot Product Team

@ssoadmin great to hear! Glad you're getting value out of the new features.

ssoadmin
Member

Is it possible that SSO is broken when the browser is Safari? I've been going back and forth with Support about one user who can't log in, they want videos, screen shots, a browser webdev tool recording, etc. I decided to recreate most of the screen shots using my own computer and Safari, knowing the user in question was using Safari, and what do you know, I get the same SSO failure as shown below. However, flip back to Firefox, log out, clear cookies, start fresh, and it works fine. Seems weird that it would be browser specific but now I can reproduce it.

[Attached image: Screen Shot 2019-04-03 at 3.46.25 PM.png]

rad
HubSpot Product Team

Hey @ssoadmin I haven't been able to reproduce this on my side just yet. If you're working with our support team, providing them with a Safari version number & that web archive would be helpful. I think I'm on the latest Safari version myself, but I did run into some trouble with a beta branch of Safari a while back because it was defaulting to not allowing third-party cookies to be set in my browser, which made logging into some tools fail.

ssoadmin
Member

Yep, I have a ticket going. I updated them with the Safari version (Mojave / macOS latest). Chrome & FF on the same computer work fine.

Beefy80a
Member

Hi rad

We have recently joined HubSpot. I have seen that SSO is available for Enterprise customers; however, we only have Marketing Pro and would not benefit from any of the other Enterprise features, and the additional cost of Enterprise to simply have SSO is prohibitive to us.

Are there plans to make this available to Pro users or as a possible add-on to Pro users? Sadly I was not involved in the procurement process, and by the time I've got involved it's purchased and I'm asked to sort users out and get domains configured. If not, are HubSpot considering adding a Microsoft account button like you have already for Google?

In my opinion, if a product can support SSO it should be available to all, as we all know passwords are weak, and by using SSO additional checks can be done along with actually dropping passwords altogether. In the past it was only enterprise businesses who implemented SSO due to the additional management, but now with the likes of Okta, Azure AD, G Suite, more businesses small and large can protect themselves, but that's only achievable if the Service Providers allow us to use SSO in more than just their enterprise plans.

BethanyPester
Member

Good afternoon all,

This idea is great!

However, as an administrator, when logging onto other users to make changes to their profiles (add e-mail signatures, connect phone numbers, update views, etc.) the system does not allow me to do this, requiring a verification number sent by e-mail. Obviously the system sends this to the user's e-mail rather than my own. It would be even better if the admin user could be exempt from this and able to log in to any user? Most of our users are salesmen and they do not want to have anything to do with the admin side of things!

Perhaps the admin could log into their own account and then in settings>users and teams>actions (the little grey dropdown) have an option to "access user's account" to edit their profile/system defaults and settings/ table views/ dashboard defaults/ signatures/ connect phone/email etc.

lfrancis1
Participant

Would be good to see SSO and SAML included across all packages. In 2020 this is a basic security feature that all SaaS providers should offer.

Beefy80a
Member

@rad are HubSpot going to make SSO available to the Professional plan? In 2021 it's not only Enterprises that use SSO; smaller businesses are now using SSO, as both Google and Microsoft include SSO-capable directories as part of their offering, along with many other platforms now being available. As a smaller business we cannot justify the cost of Enterprise to enable SSO (and before it's said, we do not need any of the other Enterprise features) but enable SSO everywhere as the security benefits outweigh the setup and maintenance required to run this. HubSpot are also featured on https://sso.tax as the worst offender to offer SSO as a feature in comparison to cost. As everyone is moving to a cloud-first approach, SSO should be available on at least a mid tier, not just Enterprise tiers.

rad
HubSpot Product Team

@Beefy80a we're definitely interested in making SSO available to more of our users. You're absolutely correct that it is not just a concern for larger enterprises, & we want to make options for using it easier to access & improve our SSO system as a whole. I don't have concrete news to share there just yet, but when I do I'll be sure to update this thread!

Beefy80a
Member

@rad Great, I look forward to hearing what's coming up.

kol
Member

@rad Are there any updates to allowing Starter and Professional plans to have access to SSO? HubSpot is still the worst offender on https://sso.tax/ by a longshot. Sell it as an Add-on, perhaps?

AQT_MKr
Member

+1 Upvote // @rad Any way to get an official update on this? Can you at least offer some kind of "work-around" or possibility to license this feature separately?

This is clearly a customer need and there are several threads here where people ask for this!

DJourdan5
Member

Can you share with us if the SSO feature is in your roadmap, irrespective of the subscription?

If yes, please provide an expected release in production.

KGhoshHS
HubSpot Employee

Hi All
I am a Product Manager in HubSpot and doing research on our customer needs for SAML-based SSO. I appreciate your feedback on the topic of Single Sign-on.
In HubSpot, we do offer social logins like Login with Google and Microsoft for all tiers. I am wondering why this will not work for you?

Why do you need to use SAML SSO in other tiers? Please let us know the reason:
1. It is the enterprise standard for SSO and you have other applications connecting using the same SAML protocol. You have a working SSO architecture laid down using SCIM based user provisioning and SAML SSO authentication with appropriate relayState and don’t want to deviate from the standard model.
2. You have a mix of on-prem, legacy and cloud applications which necessitates SAML as OIDC will not work for on-prem and legacy applications
3. Your current IdP may only support SAML for SSO (e.g. older version of Microsoft ADFS) or your IdP only provides SSO based application connectors
4. You want your users to connect to a specific IdP instance for your company’s specific business domains
5. You have external users/contractors whose email may not be that of Google or Microsoft. In this case they cannot use Login with Google or Login with Microsoft
6. Today, you cannot explicitly specify what social login providers are trusted in their portals. There will be issues in enforcement as a user from social login may have identity with different policies. These issues can only be solved using SAML SSO integration.
7. Any other reason?


Thanks,
Kaushik

ssoadmin
Member

Why? Because SAML is a standard, easy to implement, and allows your customers to handle their own authentication in the way they want. It doesn't get much more simple than that. Not every business entity feels comfortable with trusting their authentication, or data, to two mega entities known for not exactly doing things that are in the best interests of their customers. Of course, that's also how people often walk away feeling about providers who refuse to allow SSO, or only offer it with a heavy tax.

As easy as SSO is, and the fact that, with proper logging, it takes the liability of fraudulent authentication off the plate of the service provider and puts it solely on the customer, it's still mind-boggling that every company doesn't offer it as a default.