SSO OIDC Configuration Additions

What is it?

Adds OIDC logout functionality to HubSpot's private content SSO integration, enabling customers to fully terminate user sessions across both HubSpot and their identity provider. When users log out of password-protected content with SSO enabled, they're now logged out of the IdP and redirected back to HubSpot - preventing unintended access and improving security.

Why does it matter?

Previously, customers using OIDC SSO for private content could only log out of HubSpot—users remained authenticated in their IdP. This meant a logout from password-protected content didn't fully terminate the session, creating security and user experience gaps. End users could inadvertently access other IdP-protected resources, and customers lacked proper single sign-out functionality expected in enterprise SSO environments. This rollout completes the OIDC integration story by enabling proper synchronized logout across both HubSpot and the identity provider.

• Aligns with enterprise security standards for SSO implementations
• Reduces customer support burden from incomplete logout flows

How does it work?

When a customer enables OIDC SSO for a private content domain, they can now configure two additional fields:

1. Sign-out Redirect URI – HubSpot generates a unique URL that the customer adds to their IdP's logout configuration as the redirect destination. This URL can be found in Settings > Content > Private Content > Set up single sign-on.
2. End Session Endpoint – The customer pastes their OIDC provider's logout endpoint (e.g., from Okta, Auth0, Azure AD)

The logout flow initiates when a user logs out of HubSpot private content. HubSpot redirects the user to the IdP's End Session Endpoint, which terminates the IdP session and then redirects back to the specified Sign-out Redirect URI in HubSpot, completing the full sign-out cycle.

Who gets it?

Content Hub Professional, Content Hub Enterprise