Search Results :

×

HubSpot Single Sign-On (SSO) using AWS Cognito as Identity Provider

HubSpot Single Sign-On (SSO) using AWS Cognito as Identity Provider


miniOrange HubSpot OAuth Single Sign-On (SSO) application enables secure login into HubSpot CMS landing pages, blogs and other pages using AWS Cognito as OAuth provider. It supports advanced Single Sign-On (SSO) features such as user profile Attribute mapping, etc.

Here we will go through a guide to configure SSO between HubSpot and AWS Cognito. By the end of this guide, users should be able to login to HubSpot from AWS Cognito. To know more about miniOrange HubSpot OAuth Single Sign-On plugin and other HubSpot Integrations, you can click here.

Feel free to contact us at hubspotsupport@xecurify.com to know more about how to install the miniOrange HubSpot OAuth Single Sign-On app.


Pre-requisites : Download And Installation

  • Log into your HubSpot account as an admin.
  • Click here to install miniOrange HubSpot OAuth Single Sign-On (SSO) app. Or you can install our app from HubSpot Marketplace .

Steps to configure HubSpot Single Sign-On (SSO) Login with AWS Cognito as Identity Provider

1. Setup AWS Cognito as OAuth Provider

  • First of all, go to Amazon Console and sign up/login in your account to Configure AWS Cognito.

  • AWS Cognito Single Sign-On (SSO) - Login to Amazon Console
  • Search for Cognito in the AWS Services search bar as shown below.

  • AWS Cognito Single Sign-On (SSO) - Search for AWS Cognito
  • Click on Create a user pool to create a new user pool.

  • AWS Cognito Single Sign-On (SSO) - click on create user pool
  • Choose the attributes in your user pool to be used during the sign-in process

  • AWS Cognito Single Sign-On (SSO) - configure sign in experience
  • Set up a strong password to configure your security requirements. Go ahead with the ‘No MFA’ option if you want users to only sign in with a single authentication factor. If you wish to enable MFA (Multi-factor authentication) it will require SMS messages which are charged separately by Amazon SNS. Learn more about that here. Click Next.

  • AWS Cognito Single Sign-On (SSO) - set up a strong password AWS Cognito Single Sign-On (SSO) - sign in with a single authentication factor
  • Configure attributes that would be required during the user sign-up flow.

  • AWS Cognito Single Sign-On (SSO) - configure sign up experinece
  • Choose additional attributes if you wish to. Click Next.

  • AWS Cognito Single Sign-On (SSO) - configure attributes for user sign up flow
  • Configure how your user pool sends email messages to users.

  • AWS Cognito Single Sign-On (SSO) - configure message delivery
  • Enter a name for your user pool, Also Under Hosted authentication pages, check ‘Use the Cognito Hosted UI’.

  • AWS Cognito Single Sign-On (SSO) - enter a name for your user pool
  • Now, Under the Domain section choose the domain type as ‘Use a Cognito domain’. Enter a domain name for your Cognito app.

  • AWS Cognito Single Sign-On (SSO) -enter a domain name
  • Under the Initial app client section, Enter a name for your app client and check on Generate a client secret.

  • AWS Cognito Single Sign-On (SSO) - enter a name for your app client
  • Now enter your Callback/Redirect URL which you will get from your miniOrange plugin present on your Client side and paste it under the Allowed callback URLs text-field. Also refer the following image for choosing the authentication flows for your app.

  • AWS Cognito Single Sign-On (SSO) - enter your callback url
  • Now, Under Advanced app client settings. Select Identity provider as Cognito user pool & Select Authorization code grant under the OAuth 2.0 grant types and also select openid,email and profile checkboxes under the OpenID Connect scopes section (Please refer to the image below). Click on the Next button to save your configurations.

  • AWS Cognito Single Sign-On (SSO) - advanced app client settings
  • Now, Review your selection of requirements. Click Create user pool to confirm the selection and create a user pool.

  • AWS Cognito Single Sign-On (SSO) - review your selection of requirements AWS Cognito Single Sign-On (SSO) - main application client settings
  • After successfully creating your user pool, Select your pool name from the list of pools to start with user creation.

  • AWS Cognito Single Sign-On (SSO) - select your pool name
  • Go to the Users tab, and click Create user.

  • AWS Cognito Single Sign-On (SSO) - create user
  • Enter details such as username, email address & password. Click on Create user to save the details.

  • AWS Cognito Single Sign-On (SSO) - enter username email password
  • After the successful creation of the user, you will need a copy of the Cognito domain, Client ID, and Client Secret. Go to the 'App Integration' section and copy the complete domain name {your domain name}.auth.{region name}.amazoncognito.com. This should be entered into the endpoints field under in the miniOrange Single Sign-On (SSO) app.

  • AWS Cognito Single Sign-On (SSO) - app integration tab
  • To get the Client ID and Client Secret, stay on the same 'App Integration' tab and scroll down to the 'App clients and analytics' section. Click on your App client name to see the Client ID and Client Secret.

  • AWS Cognito Single Sign-On (SSO) - app clients and analytics AWS Cognito Single Sign-On (SSO) - client id client secret

2. Setup HubSpot as OAuth Client

  • Go to the miniOrange Single Sign-On (SSO) app and login with your credentials.
  • Choose your account by clicking on Choose Account button.
  • Enable  HubSpot Single Sign-On(SSO)  Login using AWS Cognito as Identity Provider
  • After that Click on the right icon for accessing the application.
  • Enable  HubSpot Single Sign-On(SSO)  Login using AWS Cognito as Identity Provider
  • You will see the following screen where you need to fill in the require details ( Refer the below table).Also select the Send in Body parameter option.
  • Click on Save button.
    • Client ID Click Here
      Client Secret Click Here
      Scope openid
      Header / Body Setting Enable the Send in Body parameter option
      Authorize Endpoint: https://<cognito-app-domain>/oauth2/authorize
      Access Token Endpoint: https://<cognito-app-domain>/oauth2/token
      Get User Info Endpoint: https://<cognito-app-domain>/oauth2/userInfo
    Enable  HubSpot Single Sign-On(SSO)  Login using AWS Cognito as Identity Provider
  • Click on Test Configuration button. You will get the page restriction script, Keep the script handy in case you need to restrict your HubSpot page manually.
  • Enable  HubSpot Single Sign-On(SSO)  Login using AWS Cognito as Identity Provider
  • After clicking on test configuration, you will see all the values returned by your AWS Cognito to HubSpot in a table.
  • Enable  HubSpot Single Sign-On(SSO)  Login using AWS Cognito as Identity Provider

3. Restrict public access to HubSpot website/ pages/ content (Landing Page or Blog)

Restricting access to your HubSpot website can help to protect your pages from unauthorized access. By restricting access, you can ensure that only authorized users can view and interact with your pages. This can be useful for protecting sensitive information. This will allow you to restrict access to your HubSpot pages / content as visitors will be needed to login first and then they will be able to access the HubSpot page. This will also help you to track your vistors and also generate potential leads.


  • Go to Page Restriction tab, and here you will see your HubSpot pages.
  • Enable  Hubspot Single Sign-On(SSO)  Login using AWS Cognito as Identity Provider
  • Select the checkbox next to the page you wish to protect from unauthorized users and click Save to save the information.
  • Enable  Hubspot Single Sign-On(SSO)  Login using AWS Cognito as Identity Provider
  • Once you go to the page URL that you restricted, you will see the following screen and required to put in Login Credentials of your Identity Provider.
  • Enable  Hubspot Single Sign-On(SSO)  Login using AWS Cognito as Identity Provider
  • Fill in the login credentials and click Login, you will be redirected to the website page successfully.
  • Enable  Hubspot Single Sign-On(SSO)  Login using AWS Cognito as Identity Provider

Congratulations! You have successfully integrated AWS Cognito with HubSpot to enable AWS Cognito users to see your HubSpot content.


4. Track your visitors (Contact Sync)

  • After a user logs in through the Single Sign-On feature, a contact will be created which includes his details that are received from the (Identity Provider) for the particular user.
  • If you would like to sync the contact details, go to the Contact Sync tab and ensure the Enable Sync option has been enabled. Then map the Attribute Names from the OAuth provider.
  • Hubspot Contacts Page
  • This can be very useful for generating leads, as it allows you to quickly and easily add new contacts to your HubSpot marketing and sales pipelines. By using contact sync, you can ensure that your HubSpot account is always up-to-date with the latest information about your leads and customers (site visitors), which can help you to more effectively target your marketing efforts and generate more qualified leads.
  • Hubspot Contacts Page

Troubleshooting / FAQs

I get the following: {"status":"failed","message":"Error in fetching the token from the OAuth provider."}

  • Make sure you have checked one or both of the following checkboxes in the “HubSpot App configuration” setting.
  • If your IdP needs the credentials in the header, you will need to check the Header checkbox.
  • Save the configuration and then click test configuration.
  • If this does not solve your problem, you can try selecting both the Header and Body checkboxes.
  • Likewise, if your IdP needs the credentials in the body, you have to select the Body checkbox.
  • Once you have checked the appropriate checkboxes, you will get the attributes table in the test configuration window.

My test configuration was successful but when I try to log in I am stuck in a redirect loop.

There are a couple of reasons why this can happen:

1. Caching is enabled on the website.

When auto-redirect is enabled, the user is redirected to IDP login page and after logging in back to the main site but as caching is enables it redirects to the IDP login page hence a loop.

2. HTTP/HTTPS discrepancy:

This happens when HTTPS is not enforced on the site but is configured on IDP side with HTTPS URL.This can be solved by enforcing HTTPS on the site by defining a redirect rule in the .htaccess file or at the Apache level.

3. Cookie adulteration:

The cookie created by the plugin after logging in the user is altered by another plugin which causes the user to not log in WordPress site but the session is created on IDP.

Getting Error : ‘Invalid Response’

There can be 2 possibilities:

  1. Either your App supports OAuth 2.0 protocol and you’ve configured with OpenID Connect protocol and vice-versa. In this case, if you’ve configured the App using Custom OAuth2.0 App, reconfigure it with Custom OpenID Connect App and if you’ve configured the App using Custom OpenID Connect App, reconfigure it with Custom OAuth 2.0 App. It should fix this issue for you.
  2. If the above solution doesn’t work then the other possibility is your app/provider doesn’t follow the standard OAuth 2.0/ OpenID Connect protocol. In this case, get in touch with hubspotsupport@xecurify.com with your app/provider request/response format documentation and technician will get back to you with a solution.

I am getting the error message "Invalid response received"

To fix this issue, please configure the correct Token and User info endpoint in the HubSpot SSO application endpoint table. You can confirm the correct format of the endponit from HERE.

Additional Resources


Need Help?

Mail us on hubspotsupport@xecurify.com for quick guidance(via email/meeting) on your requirement and our team will help you to select the best suitable solution/plan as per your requirement.




Hello there!

Need Help? We are right here!

support
Contact miniOrange Support
success

Thanks for your inquiry.

If you dont hear from us within 24 hours, please feel free to send a follow up email to info@xecurify.com