Single Sign-On for HubSpot using AWS Cognito as Identity Provider

Single Sign-On for HubSpot application enables secure login into HubSpot CMS landing pages, blogs and other pages using AWS Cognito as OAuth provider. It supports advanced Single Sign-On (SSO) features such as user profile Attribute mapping, etc.

Here we will go through a guide to configure SSO between HubSpot and AWS Cognito. By the end of this guide, users should be able to login to HubSpot from AWS Cognito. To know more about Single Sign-On for HubSpot and other HubSpot Integrations, you can click here.

Feel free to contact us at hubapps@xecurify.com to know more about how to install Single Sign-On for HubSpot.

Pre-requisites : Download And Installation

• Log into your HubSpot account as an admin.
• Click here to install Single Sign-On for HubSpot by miniOrange . Or you can install our app from HubSpot App Marketplace .

Steps to configure Single Sign-On for HubSpot Login with AWS Cognito as Identity Provider

Step 1: Setup AWS Cognito as OAuth Provider

• First of all, go to Amazon Console and sign up/login in your account to Configure AWS Cognito.


• Search for Cognito in the AWS Services search bar as shown below.


• Click on Create a user pool to create a new user pool.


• Choose the attributes in your user pool to be used during the sign-in process


• Set up a strong password to configure your security requirements. Go ahead with the ‘No MFA’ option if you want users to only sign in with a single authentication factor. If you wish to enable MFA (Multi-factor authentication) it will require SMS messages which are charged separately by Amazon SNS. Learn more about that here. Click Next.


• Configure attributes that would be required during the user sign-up flow.


• Choose additional attributes if you wish to. Click Next.


• Configure how your user pool sends email messages to users.


• Enter a name for your user pool, Also Under Hosted authentication pages, check ‘Use the Cognito Hosted UI’.


• Now, Under the Domain section choose the domain type as ‘Use a Cognito domain’. Enter a domain name for your Cognito app.


• Under the Initial app client section, Enter a name for your app client and check on Generate a client secret.


• Now enter your Callback/Redirect URL which you will get from your miniOrange plugin present on your Client side and paste it under the Allowed callback URLs text-field. Also refer the following image for choosing the authentication flows for your app.


• Now, Under Advanced app client settings. Select Identity provider as Cognito user pool & Select Authorization code grant under the OAuth 2.0 grant types and also select openid,email and profile checkboxes under the OpenID Connect scopes section (Please refer to the image below). Click on the Next button to save your configurations.


• Now, Review your selection of requirements. Click Create user pool to confirm the selection and create a user pool.


• After successfully creating your user pool, Select your pool name from the list of pools to start with user creation.


• Go to the Users tab, and click Create user.


• Enter details such as username, email address & password. Click on Create user to save the details.


• After the successful creation of the user, you will need a copy of the Cognito domain, Client ID, and Client Secret. Go to the 'App Integration' section and copy the complete domain name {your domain name}.auth.{region name}.amazoncognito.com. This should be entered into the endpoints field under in the miniOrange Single Sign-On (SSO) app.


• To get the Client ID and Client Secret, stay on the same 'App Integration' tab and scroll down to the 'App clients and analytics' section. Click on your App client name to see the Client ID and Client Secret.

Step 2: Setup HubSpot as OAuth Client

• Go to the miniOrange Single Sign-On (SSO) app and login with your credentials.
• Choose your account by clicking on Choose Account button.

• After that Click on the right icon for accessing the application.

• Go to the miniOrange’s Single Sign On app dashboard and click on App Configurations tab.

• Here, select your application (AWS Cognito) and click on it. If your app is not present here you can create a custom OAUTH 2.0 or OIDC (Open ID Connect protocol) app as per your provider's implementation.

• Enter the Login Button Text and copy the Callback URL to set up the AWS Cognito Identity Provider ( Third Party App).

• Now, to set up Single Sign-On ( OAuth SSO ), you will need to enter the Client ID, Client secret,and Scope, and enable Send in Header and Endpoints from AWS Cognito ( Refer the below table) .

Client ID	Click Here
Client Secret	Click Here
Scope	openid
Header / Body Setting	Enable the Send in Header parameter option
Authorize Endpoint:	https://<cognito-app-domain>/oauth2/authorize
Access Token Endpoint:	https://<cognito-app-domain>/oauth2/token
Get User Info Endpoint:	https://<cognito-app-domain>/oauth2/userInfo


• When you have filled out all the details, click the Save & Test Configuration button.

• After clicking on test configuration, you will see all the values returned by your AWS Cognito to HubSpot in a table.

Step 3: Configure Page Restriction into the HubSpot ( Website, Landing Pages, Blogs, Knowledge Base )

Our Page Restriction feature allows you to protect your HubSpot website from unauthorized access. It is useful for securing sensitive information. Using this method, you can restrict access to HubSpot pages/content. Visitors will need to sign in before accessing HubSpot pages.

• After you have received the test configuration result, click on the Page Restriction tab.

• Select the checkbox next to the page you wish to protect from unauthorized users and click Save to save the information.

• Once you go to the page URL that you restricted, you will see the login window of your identity provider where you'll enter your credentials.

• After logged in, you will be redirected successfully to the website page.

Congratulations! You have successfully integrated AWS Cognito with HubSpot to enable AWS Cognito users to see your HubSpot content.

Step 4: Configure Contact Sync in HubSpot

Contact synchronization is a powerful feature that enables seamless integration and synchronization of contact information between HubSpot and external platforms or applications. With Contact Sync, you can ensure that your customer data is up to date, accurate, and consistent across multiple systems, saving you time and eliminating manual data entry.

• To sync the contact details, go to the APP Configurations tab and choose the provider you created.
• Click on the Edit icon below the Contact Attribute Mapping option.

• You will see the HubSpot Contact Attributes and IDP Attributes option, Map your HubSpot contact attribute with a third-party application / IDP attribute received in the test configuration result. Additionally, if multiple attributes are required, you can add them using the Custom Attribute Mapping option.

• After adding all the attributes, make sure you have enabled the Contact sync option. Click on the Save button.

• You can now find the contact in HubSpot Contacts. This is a great way to generate leads, as it allows you to quickly and easily add new contacts to your HubSpot sales and marketing pipelines. Contact sync allows you to ensure that your HubSpot account is always updated with the latest information about your leads and customers (site visitors), which can help you generate more qualified leads.

Step 5: How to uninstall our app from a HubSpot account

• To uninstall our app, go to your HubSpot account and click on Settings icon.

• Go to Integrations and click on Connected Apps.

• You will see the list of app, select our app and click on Actions button. And then click on Unistall option.

• Type "uninstall" below to continue and click uninstall button.

Step 6: How to disconnect the app from HubSpot?

• Go to the Page Restriction tab.

• Deselect your HubSpot pages as shown in the screenshot below and click on the Save button. This will disconnect our app for SSO from your HubSpot portal.

Congratulations! You have successfully disconnected HubSpot Single Sign-On by miniOrange application.

Troubleshooting / FAQs

 

How disconnecting and uninstalling affects users' HubSpot accounts and data?

Uninstalling removes the app and its configurations, preventing users from Single Sign-On (SSO) access to HubSpot pages. Disconnecting only detaches pages from SSO, leaving the app settings intact, and allowing for pages to be reconfigured for SSO access again.

I get the following: {"status":"failed","message":"Error in fetching the token from the OAuth provider."}

• Make sure you have checked one or both of the following checkboxes in the “HubSpot App configuration” setting.

• If your IdP needs the credentials in the header, you will need to check the Header checkbox.
• Save the configuration and then click test configuration.
• If this does not solve your problem, you can try selecting both the Header and Body checkboxes.
• Likewise, if your IdP needs the credentials in the body, you have to select the Body checkbox.
• Once you have checked the appropriate checkboxes, you will get the attributes table in the test configuration window.

My test configuration was successful but when I try to log in I am stuck in a redirect loop.

There are a couple of reasons why this can happen:

1. Caching is enabled on the website.

When auto-redirect is enabled, the user is redirected to IDP login page and after logging in back to the main site but as caching is enables it redirects to the IDP login page hence a loop.

2. HTTP/HTTPS discrepancy:

This happens when HTTPS is not enforced on the site but is configured on IDP side with HTTPS URL.This can be solved by enforcing HTTPS on the site by defining a redirect rule in the .htaccess file or at the Apache level.

3. Cookie adulteration:

The cookie created by the plugin after logging in the user is altered by another plugin which causes the user to not log in WordPress site but the session is created on IDP.

Getting Error : ‘Invalid Response’

There can be 2 possibilities:

1. Either your App supports OAuth 2.0 protocol and you’ve configured with OpenID Connect protocol and vice-versa. In this case, if you’ve configured the App using Custom OAuth2.0 App, reconfigure it with Custom OpenID Connect App and if you’ve configured the App using Custom OpenID Connect App, reconfigure it with Custom OAuth 2.0 App. It should fix this issue for you.
2. If the above solution doesn’t work then the other possibility is your app/provider doesn’t follow the standard OAuth 2.0/ OpenID Connect protocol. In this case, get in touch with hubapps@xecurify.com with your app/provider request/response format documentation and technician will get back to you with a solution.

I am getting the error message "Invalid response received"

To fix this issue, please configure the correct Token and User info endpoint in the HubSpot SSO application endpoint table. You can confirm the correct format of the endponit from HERE.

Additional Resources

• Single Sign-On for HubSpot by miniOrange
• AWS Cognito HubSpot Single Sign-On(SSO)
• HubSpot Security and API Integration