miniOrange HubSpot OAuth Single Sign-On (SSO) application enables secure login into HubSpot CMS landing pages, blogs and other pages using OneLoginas OAuth provider. It supports advanced Single Sign-On (SSO) features such as user profile Attribute mapping, etc.

Here we will go through a guide to configure SSO between HubSpot and OneLogin. By the end of this guide, users should be able to login to HubSpot from OneLogin. To know more about miniOrange HubSpot OAuth Single Sign-On plugin and other HubSpot Integrations, you can click here.

Feel free to contact us at hubspotsupport@xecurify.com to know more about how to install the miniOrange HubSpot OAuth Single Sign-On app.

Pre-requisites : Download And Installation

• Log into your HubSpot account as an admin.
• Click here to install miniOrange HubSpot OAuth Single Sign-On (SSO) app. Or you can install our app from HubSpot Marketplace .

Steps to configure Hubspot Single Sign-On (SSO) Login with OneLogin as Identity Provider

1. Setup OneLogin as OAuth Provider

• First of all, go to https://app.onelogin.com/login and log into your Onelogin account.
• Click on the Administration.

• You will be presented with following screen. Hover on Applications and then click on Applications.

• Click on Add App Button.

• You will be shown a search list. Search for “OIDC” (OpenID Connect) and click on the search result as shown below.

• You will be shown a configuration screen. Fill the application name and other details as required, then click on Save.

• You will be redirected to the app details page. Go to Configuration tab and enter Redirect URI from miniOrange Single Sign-On (SSO ) app and click on Save.

• Go to SSO tab. There you will find the Client ID and Client Secret fields.Copy these credentials in miniOrange Single Sign-On (SSO ) app configuration on corresponding fields.

2. Setup Hubspot as OAuth Client

• Go to the miniOrange Single Sign-On (SSO) app and login with your credentials.
• Choose your account by clicking on Choose Account button.

• After that Click on the right icon for accessing the application.

• You will see the following screen where you need to fill in the Client ID, Client Secret scope and the Endpoint URLs in the (Refer to the below table). Also enable the Send in Header parameter option.

  Client ID	Click Here
  Client Secret	Click Here
  Scope	openid email profile
  Header / Body Setting	Enable the Send in Header parameter option
  Authorize Endpoint:	https://OneLogin-app-domain/oidc/2/auth
  Access Token Endpoint:	https://OneLogin-app-domain/oidc/2/token
  Get User Info Endpoint:	https://OneLogin-app-domain/oidc/2/me


• Click on Save button and then Test Configuration. You will get the page restriction script, Keep the script handy in case you need to restrict your HubSpot page manually.

• After successful login, you will see all the values returned by your OneLogin to Hubspot in a table.

3. Restrict public access to HubSpot website/ pages/ content (Landing Page or Blog)

Restricting access to your HubSpot website can help to protect your pages from unauthorized access. By restricting access, you can ensure that only authorized users can view and interact with your pages. This can be useful for protecting sensitive information. This will allow you to restrict access to your HubSpot pages / content as visitors will be needed to login first and then they will be able to access the HubSpot page. This will also help you to track your vistors and also generate potential leads.

Congratulations! You have successfully integrated OneLogin with HubSpot to enable OneLogin users to see your HubSpot content.

4. Track your visitors (Contact Sync)

• After a user logs in through the Single Sign-On feature, a contact will be created which includes his details that are received from the (Identity Provider) for the particular user.
• If you would like to sync the contact details, go to the Contact Sync tab and ensure the Enable Sync option has been enabled. Then map the Attribute Names from the OAuth provider.

• This can be very useful for generating leads, as it allows you to quickly and easily add new contacts to your HubSpot marketing and sales pipelines. By using contact sync, you can ensure that your HubSpot account is always up-to-date with the latest information about your leads and customers (site visitors), which can help you to more effectively target your marketing efforts and generate more qualified leads.

Troubleshooting / FAQs

I get the following: {"status":"failed","message":"Error in fetching the token from the OAuth provider."}

• Make sure you have checked one or both of the following checkboxes in the “HubSpot App configuration” setting.

• If your IdP needs the credentials in the header, you will need to check the Header checkbox.
• Save the configuration and then click test configuration.
• If this does not solve your problem, you can try selecting both the Header and Body checkboxes.
• Likewise, if your IdP needs the credentials in the body, you have to select the Body checkbox.
• Once you have checked the appropriate checkboxes, you will get the attributes table in the test configuration window.

My test configuration was successful but when I try to log in I am stuck in a redirect loop.

There are a couple of reasons why this can happen:

1. Caching is enabled on the website.

When auto-redirect is enabled, the user is redirected to IDP login page and after logging in back to the main site but as caching is enables it redirects to the IDP login page hence a loop.

2. HTTP/HTTPS discrepancy:

This happens when HTTPS is not enforced on the site but is configured on IDP side with HTTPS URL.This can be solved by enforcing HTTPS on the site by defining a redirect rule in the .htaccess file or at the Apache level.

3. Cookie adulteration:

The cookie created by the plugin after logging in the user is altered by another plugin which causes the user to not log in WordPress site but the session is created on IDP.

Getting Error : ‘Invalid Response’

There can be 2 possibilities:

1. Either your App supports OAuth 2.0 protocol and you’ve configured with OpenID Connect protocol and vice-versa. In this case, if you’ve configured the App using Custom OAuth2.0 App, reconfigure it with Custom OpenID Connect App and if you’ve configured the App using Custom OpenID Connect App, reconfigure it with Custom OAuth 2.0 App. It should fix this issue for you.
2. If the above solution doesn’t work then the other possibility is your app/provider doesn’t follow the standard OAuth 2.0/ OpenID Connect protocol. In this case, get in touch with hubspotsupport@xecurify.com with your app/provider request/response format documentation and technician will get back to you with a solution.

I am getting the error message "Invalid response received"

To fix this issue, please configure the correct Token and User info endpoint in the HubSpot SSO application endpoint table. You can confirm the correct format of the endponit from HERE.

Additional Resources

• Hubspot Single Sign-On (SSO)
• Wordpress Hubspot Single Sign-On(SSO)
• AWS Cognito Hubspot Single Sign-On(SSO)
• Hubspot Security and API Integration