Skip to content
Insights
Request Services
HubSpot
All integration guidesIntegration · SAML · reviewed 2026-05-22

Microsoft Entra ID + HubSpot integration

Set up Microsoft Entra ID as the identity provider for HubSpot via SAML — via Entra ID gallery integration.

Share
Prerequisites
  • Entra Application Administrator
  • HubSpot Super Admin
Step-by-step setup

  1. 1. Create a new SAML 2.0 application in Entra ID

    In the Entra ID admin console, create a new SAML 2.0 application. Choose "Web Application" type. Note the placeholders for ACS URL + Entity ID — you'll get these from HubSpot in step 3.

  2. 2. Get the SAML metadata URL from Entra ID

    Entra ID exposes the IdP metadata at a stable URL. Copy this URL — you'll paste it into HubSpot's SSO configuration. Alternatively, download the metadata XML if HubSpot doesn't support URL-based metadata.

  3. 3. Configure SSO in HubSpot

    In HubSpot's admin → security → SSO settings, paste the Entra ID metadata URL (or upload the XML). HubSpot will display the ACS URL + Entity ID it expects — copy these.

  4. 4. Return to Entra ID + complete the SAML app config

    Paste HubSpot's ACS URL into the Entra ID app's Single Sign-On URL field. Paste the Entity ID into the Audience URI field. Set the NameID format to EmailAddress (or persistent if HubSpot expects that).

  5. 5. Configure attribute mapping

    Map the attributes the SP expects (see the Attribute Mapping section below). At minimum, email is required. Most apps also expect firstName + lastName.

  6. 6. Assign users + groups

    In Entra ID, assign the SAML app to users or groups that should have access. Test with a pilot group before broad rollout.

  7. 7. Test end-to-end

    Sign in to HubSpot via the IdP-initiated link (from Entra ID dashboard) AND via SP-initiated (direct HubSpot login URL). Both should work. Check the SAML Tracer browser extension or SAML decoder to inspect the assertion if anything fails.

Attribute mapping

What flows from where.

Source (Microsoft Entra ID)Target (HubSpot)Note
user.mailNameID—
user.mailemail—
user.givenNamefirstName—
user.surnamelastName—
Common gotchas
  • Clock skew: Entra ID and HubSpot clocks must be within ~5 minutes. NTP-sync both. SAML's NotBefore + NotOnOrAfter are strict.
  • NameID format mismatches are the most common failure. HubSpot typically wants EmailAddress; Entra ID defaults vary. Mismatch → cryptic "invalid assertion" errors.
  • Just-in-time (JIT) provisioning vs SCIM: many apps support both. SAML JIT creates the user on first SSO; SCIM creates them ahead of time. Pick one — both can cause attribute drift.
  • Audience restriction: HubSpot's expected Audience URI must match exactly what the IdP sends. Trailing slashes + protocol (http vs https) matter.
  • Signed Response vs signed Assertion: many SPs require the Assertion to be signed (not just the Response envelope). Check the SP's docs.
  • No SCIM — provisioning manual or scripted via HubSpot API.
  • Enterprise tier required for SSO.
Testing checklist
  • IdP-initiated SSO works (sign in from the IdP dashboard)
  • SP-initiated SSO works (visit HubSpot directly + get redirected to IdP)
  • User attributes flow through correctly (email, name, groups)
  • Logout (single logout if supported) works as expected
  • Step-up MFA fires when policy requires it
  • Unauthorized users (not assigned to the app) get a clean denied message
  • Capture a successful SAML response and inspect it (use the SAML decoder tool)
Vendor documentation

For the latest vendor-side configuration changes, refer to:

Entra + HubSpot →
Need help with this integration?

We staff + deliver IAM integrations.

Talk to an integration engineerMore integration guides

Identity, cybersecurity, and custom software for regulated enterprises. Audit-ready operations from advisory through audit.

Americas HQ

Wilmington, DE

America/New York

India HQ

Hyderabad, TG

Asia/Kolkata

Services
  • IAM Consulting
  • IAM Technologies
  • Custom Software & AI
  • IAM Staffing
  • Request Services
  • Case Studies
Resources
  • All Resources
  • Complete Guide to IAM
  • IAM Frameworks Compared
  • IAM Certification Roadmap
  • IAM API Hub
  • IAM Explainers
  • IAM Vendor Status
  • Release Notes
  • State of Identity
  • State of PAM
  • State of IGA
  • State of CIAM
  • State of AI Agent Identity
  • IAM Salary Benchmark
  • Vendor Pricing Index
  • Year in Review 2026
  • Acquisition Tracker
  • Outage Tracker
  • Identity Incidents
  • Vulnerability Tracker
  • Cheat Sheets
  • Standards Explainers
  • Migration Playbooks
  • Audit Checklists
  • Reference Architectures
  • RFP Templates
  • IAM Anti-Patterns
  • Compliance Crosswalk
  • Market Landscape
  • Awesome IAM
  • IAM Glossary
  • Compliance Frameworks
  • Integration Guides
  • Vendor Alternatives
  • IAM by Industry
  • Salary Lookup
  • Directory
Research & media
  • IAM Compensation 2026
  • Vendor Moves Q3 2026
  • Identity Incidents Q3 2026
  • Vendor Security Posture 2026
  • Vendor Pricing 2026
  • AI Citation Tracker
  • Top 50 IAM Tools 2026
  • Podcast
  • Videos
  • Newsletter
  • Newsletter Archive
  • Embed Widgets
Free tools
  • JWT Decoder
  • JWT Signer
  • SAML Decoder
  • SAML Metadata Diff
  • OAuth Flow Visualizer
  • OIDC Debugger
  • OIDC Discovery Validator
  • PKCE Generator
  • WebAuthn Tester
  • Bearer Token Inspector
  • SCIM Validator
  • Password Entropy
  • IAM RFP Template
  • PAM Vendor Selector
  • Maturity Assessment
  • ROI Calculator
  • TCO Calculator
  • MFA Bypass Risk
  • Audit-Prep Burden
  • Quizzes
Company
  • About
  • Leadership
  • Approach
  • Why Choose Us
  • Partners
  • Press Kit
  • Press Topics
  • Global Presence
  • Locations
  • Insights
  • Now
  • Community
  • Open Roles
  • Submit Resume
  • Training
  • Contact

© 2026 askmeidentity, Inc.. Safeguard your digital frontier.

  • Privacy Policy
  • Terms of Service
  • Accessibility