miniOrange Hubspot OAuth Single Sign-On (SSO) application enables secure login into Hubspot CMS landing pages, blogs and other pages using AWS Cognito as OAuth provider. It supports advanced Single Sign-On (SSO) features such as user profile Attribute mapping, etc.

Here we will go through a guide to configure SSO between Hubspot and AWS Cognito. By the end of this guide, users should be able to login to Hubspot from AWS Cognito. To know more about miniOrange Hubspot OAuth Single Sign-On plugin and other Hubspot Integrations, you can click here.

Feel free to contact us at hubspotsupport@xecurify.com to know more about how to install the miniOrange Hubspot OAuth Single Sign-On app.

Download And Installation

• Log into your Hubspot account as an admin.
• Click here to install miniOrange Hubspot OAuth Single Sign-On (SSO) app.

Steps to configure Hubspot Single Sign-On (SSO) Login with AWS Cognito as Identity Provider

1. Setup AWS Cognito as OAuth Provider

• First of all, go to Amazon Console and sign up/login in your account to Configure AWS Cognito.

• Search for Cognito in the AWS Services search bar as shown below.

• Click on Mange User Pools button to see the list of your user pools.

• Click on Create a user pool to create a new user pool.

• Add a Pool Name and click on the Review Defaults button to continue.

• Scroll down and click on “Add app client” & then again click on Add an app client.

• Enter an App Client Name and click on Create app client to create an App client.

• Click on Return to Pool Details to come back to your configuration.

• Click on Create Pool button to save your settings and create a user pool.

• In the navigation bar present on the left side, click on the App Client Settings option under the App Integration menu.

• Enable Identity provider as Cognito user pool and enter your Callback/Redirect URL which you will get from your miniOrange plugin present on your Client side under the CallBack URLs text-field. Select Authorization code grant checkbox under the Allowed OAuth Flows and also select openid and profile checkboxes under the Allowed OAuth Scopes option (Please refer to the image below). Click on the Save Changes button to save your configurations.

• Click on Choose Domain Name option to set a domain name for your app.

• Go to domain name and enter a domain name for your app. After adding domain name you can check its availability by clicking on “Check availability” button. After entering valid domain name click ”Save changes” button.

• Complete domain name: Copy the complete domain name {your domain name}.auth.{region name}.amazoncognito.com. You need to enter this into the endpoints field under <cognito-app-domain> in the miniOrange Single Sign-On (SSO) app.

• Go to “App client” and click on “Show details” to get a client ID and client secret. (Keep client ID and client secret handy as you will need it later.)

• Click on Users and groups option under the General Settings menu in the left side navigation bar. Then, click on the Create user button to add a new user.

• Fill all the required details and click on Create user.

• You can see the new user created.

2. Setup Hubspot as OAuth Client

• Install the miniOrange Single Sign-On (SSO) app on your hubspot account and Click on Connect App.

• You will see the following screen where you need to fill in the endpoint details:


• Enter the Client ID, Client Secret scope and the Endpoint URLs in the plugin.(Refer to the below table)

  Client ID	Click Here
  Client Secret	Click Here
  Scope	openid
  Authorize Endpoint:	https://<cognito-app-domain>/oauth2/authorize
  Access Token Endpoint:	https://<cognito-app-domain>/oauth2/token
  Get User Info Endpoint:	https://<cognito-app-domain>/oauth2/userInfo
  Custom redirect URL after logout:[optional]	https://<cognito-app-domain>/logout?client_id=<Client-ID>&logout_uri=<Sign out URL configured in Cognito Portal>

• Click on Save button and then Test Configuration.

• After successful login, you will see all the values returned by your AWS Cognito to Hubspot in a table.


Restrict public access to Hubspot website/ pages/ content (Landing Page or Blog)

• Restricting access to your HubSpot website can help to protect your pages from unauthorized access. By restricting access, you can ensure that only authorized users can view and interact with your pages. This can be useful for protecting sensitive information. This will allow you to restrict access to your hubspot pages / content as visitors will be needed to login first and then they will be able to access the hubspot page. This will also help you to track your vistors and also generate potential leads.
• Now go to you Hubspot dashboard and Click on CMS HUB Free -> Marketing ->Website and choose Website Page or Blog. We have chosen Website Pages for this tutorial.

• Select the page on which you want to enable (Forced Authentication or SSO) and click the Edit button. Here we have seleceted and HomePage.

• Goto Settings tab and scroll down to Advanced Settings. Copy the script that you see in Step 6 and paste it inside the HTML section of Advanced Settings and click Publish button.

• Now, if you go to the page in which you included the script, you will see the following screen and required to put in Login Credentials of your Identity Provider.

• Fill in the login credentials and click Login, you will be redirected to the website page successfully.


Congratulations! You have successfully integrated AWS Cognito with Hubspot to enable AWS Cognito users to see your Hubspot content.

Track your visitors (Contact Sync)

• After a user logs in through the Single Sign-On feature, a contact will be created which includes his details that are received from the Cognito (Identity Provider).


• This can be very useful for generating leads, as it allows you to quickly and easily add new contacts to your HubSpot marketing and sales pipelines. By using contact sync, you can ensure that your HubSpot account is always up-to-date with the latest information about your leads and customers (site visitors), which can help you to more effectively target your marketing efforts and generate more qualified leads.

Additional Resources

• OAuth via AWS Cognito
• Hubspot Security and API Integration