Skip to main content

How to secure HubSpot

License requirements

To configure HubSpot with XFA you need an Enterprise license for your HubSpot product that includes the Single Sign On feature. You can find more information about the different licenses here.

HubSpot has a SSO feature which uses SAMLv2 which can be used to chain XFA with your identity provider to check device security before allowing a user to login. This guide will describe all steps needed to link HubSpot to your identity provider with XFA.

Note: This article assumes that you have an account set up with XFA for your organization and your are an admin for that organization. If you do not have an account, you can create one at

Configure HubSpot in your identity provider

Use our specific identity provider guides to learn how to setup an application with the provided settings.

For most identity providers, there will be an pre-configured template for HubSpot that you can use. Make sure that you use the following settings:

SAML Application Settings in IDP

Entity ID:
(see the 'Configure HubSpot with XFA' step for the exact value)
ACS URL / Redirect URL:
Signed Response: false


The ACS URL / Redirect URL is different than the standard HubSpot configuration

Creating an application in XFA

A guide on how to create an application in XFA can be found here.

Settings to use in XFA

Assertion Consumer Service URL:
(see the 'Configure HubSpot with XFA' step for the exact value)
SSO URL: (provided by identity provider in previous step)
Entity ID: (provided by identity provider in previous step)
Certificate: (provided by identity provider in previous step)\

Configure HubSpot with XFA

1. Login to HubSpot

Navigate to your HubSpot account and login with your admin account.

2. Go to Settings > Security > Settings & Activity > Set up single sign-on (SSO)

You can find many of the settings you might need / correct in the previous steps here. Use the following settings to configure HubSpot with XFA:

Settings to use in HubSpot

Identity Provider Identifier or Issuer URL: (from XFA application in previous step)
Identity Provider single sign-on URL: (from XFA application in previous step)
X.509 Certificate: (from XFA application in previous step)\

3. Verify the configuration

Click on Verify to test the configuration. A popup should show up and redirect you to your identity provider to login, after which your device security will be checked by XFA before coming back to HubSpot. If everything is configured correctly, HubSpot will show a success message.

4. Require SSO / XFA for all users

You can continue to enable the option Require SSO for all users to enforce the use of SSO and make sure that only secure devices can access HubSpot. If you do not yet select this option, you can still use the SSO feature, but users will be able to login with their HubSpot credentials as well.

Your users will now be asked to verify their device security with XFA in addition to their identity before they can login to HubSpot.