After migrating our partner portal to a cloud-hosted environment, SSO authentication is completely broken. Partners are stuck in an infinite login loop - they enter credentials on our identity provider, get redirected back to HubSpot, but then immediately get sent back to the login page again.
I’ve checked the SAML configuration and the ACS URL looks correct, but I’m not confident about whether the identity provider metadata needs to be updated after cloud migration. I’m also concerned about potential time synchronization issues between our cloud infrastructure and the identity provider, since SAML assertions are time-sensitive.
The SSO setup worked perfectly before migration. Has anyone successfully resolved SSO authentication issues after moving to cloud infrastructure? Not sure if this is a SAML configuration problem, metadata issue, or time sync problem.
I’ve seen login loops caused by session cookie domain mismatches. If your cloud migration changed your domain or subdomain structure, browser security policies might be blocking session cookies from being set correctly. Check your browser’s developer console for cookie-related errors during the login process.
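A way to test the cookie theory above without guessing: take the Set-Cookie header your login flow issues (from the browser dev tools Network tab) and check whether the browser will actually return that cookie on the IdP's POST to the ACS URL. This is an added example for this thread, not HubSpot code and not from the poster; the cookie names, hosts and URLs are made up, and the SameSite check goes a bit beyond the reply (the SAML HTTP-POST binding is a cross-site form POST, so Lax/Strict cookies are withheld on it), which is a common cause of exactly this loop.

```python
"""Decide whether a session cookie set during login will come back on the
IdP's POST to the ACS URL. Added example for this thread, not HubSpot code;
cookie names, hosts and URLs below are made up."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    domain: Optional[str]  # None means a host-only cookie
    secure: bool
    samesite: str  # "Lax", "Strict" or "None"


def parse_set_cookie(header: str) -> Cookie:
    """Parse only the Set-Cookie attributes that decide where a cookie is sent."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    # Chromium treats a missing SameSite as Lax (assumption: ignore its short
    # grace period for top-level POSTs, which does not help a slow IdP round trip).
    domain, secure, samesite = None, False, "Lax"
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain = value.strip().lower().lstrip(".")  # RFC 6265 ignores a leading dot
        elif key == "secure":
            secure = True
        elif key == "samesite":
            samesite = value.strip().capitalize()
    return Cookie(name, domain, secure, samesite)


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it."""
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookie_problems(set_cookie: str, set_on_url: str, acs_url: str,
                    cross_site_post: bool = True) -> list:
    """Return the reasons the cookie set at set_on_url will not accompany the
    IdP-initiated POST to acs_url. An empty list means the session survives."""
    c = parse_set_cookie(set_cookie)
    set_host = (urlsplit(set_on_url).hostname or "").lower()
    acs = urlsplit(acs_url)
    acs_host = (acs.hostname or "").lower()
    problems = []
    if c.domain is not None and not domain_matches(set_host, c.domain):
        # The browser drops the cookie outright; nothing else matters.
        return [f"browser rejects cookie: Domain={c.domain} does not cover {set_host}"]
    if c.domain is None:
        if acs_host != set_host:
            problems.append(f"host-only cookie for {set_host} is not sent to {acs_host}")
    elif not domain_matches(acs_host, c.domain):
        problems.append(f"Domain={c.domain} does not cover the ACS host {acs_host}")
    if c.secure and acs.scheme != "https":
        problems.append("Secure cookie is not sent over plain http")
    if c.samesite == "None" and not c.secure:
        problems.append("SameSite=None without Secure is rejected by current browsers")
    if cross_site_post and c.samesite in ("Lax", "Strict"):
        # The SAML HTTP-POST binding is a cross-site form POST from the IdP's origin.
        problems.append(f"SameSite={c.samesite} cookie is withheld on the cross-site POST from the IdP")
    return problems


if __name__ == "__main__":
    # Constructed example: cookie scoped to the old portal host after a rename.
    print(cookie_problems("session=abc; Domain=old-portal.example.com; Secure; SameSite=Lax",
                          "https://portal.example.com/login",
                          "https://portal.example.com/saml/acs"))
```

Run it against the real Set-Cookie line and the real ACS URL from your SAML settings; a non-empty list tells you which attribute to fix (Domain, Secure, or SameSite=None; Secure for a cookie that must survive the IdP's POST).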
Don’t forget to update your identity provider metadata in HubSpot after cloud migration. If your identity provider’s entity ID or certificate changed during migration, HubSpot won’t be able to validate SAML responses. Go to Settings > Account Defaults > Security > Single Sign-On and re-upload your IdP metadata XML file.
Time synchronization is critical for SAML - assertions have a validity window of typically 5 minutes. If your cloud servers or identity provider have time drift greater than 5 minutes, SAML assertions will be rejected as expired. Run NTP sync on all your cloud infrastructure and verify clocks are accurate.
Also verify that your cloud load balancer or reverse proxy isn’t interfering with SAML redirects. Some cloud load balancers modify HTTP headers or URLs in ways that break SAML flows. Check if the load balancer is preserving the original Host header and not modifying redirect URLs.
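The two replies above (clock drift, and a proxy rewriting the request) can both be checked against a SAML Response captured from the browser (a SAML tracer extension will give you the decoded XML). The example below is added for this thread and is not HubSpot code or the poster's; it applies the Conditions time window with a skew tolerance and compares the response's Destination with the URL reconstructed from the headers a proxy passes along. The response XML is constructed and unsigned, so this checks only timing and addressing, not the signature; the 3-minute tolerance is an assumption (HubSpot's actual tolerance is not documented in this thread), and X-Forwarded-Host/X-Forwarded-Proto are the common convention, not a requirement.

```python
"""Check the time window and Destination of a SAML Response the way an SP
would, with a configurable clock and the request as seen behind a proxy.
Added example for this thread, not HubSpot code; the response is constructed."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_time_window(response_xml: str, now: datetime,
                      allowed_skew: timedelta = timedelta(minutes=3)) -> list:
    """Return timing problems as an SP clock set to `now` would see them.
    allowed_skew is an assumption; real SPs vary."""
    root = ET.fromstring(response_xml)
    problems = []
    issue_instant = parse_saml_time(root.get("IssueInstant"))
    if issue_instant - now > allowed_skew:
        problems.append(f"IssueInstant is {issue_instant - now} in the future: SP clock is behind the IdP")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return problems + ["assertion has no Conditions element"]
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + allowed_skew < parse_saml_time(not_before):
        problems.append(f"assertion not yet valid: NotBefore={not_before}, now={now.isoformat()}")
    if not_on_or_after and now - allowed_skew >= parse_saml_time(not_on_or_after):
        problems.append(f"assertion expired: NotOnOrAfter={not_on_or_after}, now={now.isoformat()}")
    return problems


def effective_request_url(headers: dict, path: str, trust_forwarded: bool) -> str:
    """Reconstruct the URL the browser posted to. Behind a proxy the public
    host and scheme arrive in X-Forwarded-* headers (assumed convention);
    trust them only when your own proxy sets them."""
    h = {k.lower(): v for k, v in headers.items()}
    host, scheme = h.get("host", ""), "https"
    if trust_forwarded:
        host = h.get("x-forwarded-host", host).split(",")[0].strip()
        scheme = h.get("x-forwarded-proto", scheme).split(",")[0].strip()
    return f"{scheme}://{host}{path}"


def check_destination(response_xml: str, headers: dict, path: str,
                      trust_forwarded: bool = True) -> list:
    """Destination must equal the URL the browser actually posted to."""
    root = ET.fromstring(response_xml)
    destination = root.get("Destination")
    actual = effective_request_url(headers, path, trust_forwarded)
    if destination and destination != actual:
        return [f"Destination {destination} != request URL {actual}"]
    return []


def _response(issue_instant: str, not_before: str, not_on_or_after: str, destination: str) -> str:
    """Constructed, unsigned SAML Response with one assertion."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="{issue_instant}" Destination="{destination}">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{issue_instant}">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


SAMPLE_RESPONSE = _response("2024-05-01T12:00:00Z", "2024-05-01T11:59:00Z",
                            "2024-05-01T12:05:00Z", "https://portal.example.com/saml/acs")
# Constructed headers as a backend sees them behind a load balancer.
PROXIED_HEADERS = {"Host": "internal-lb-10-0-1-5", "X-Forwarded-Host": "portal.example.com",
                   "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    print(check_time_window(SAMPLE_RESPONSE, parse_saml_time("2024-05-01T12:10:00Z")))
    print(check_destination(SAMPLE_RESPONSE, PROXIED_HEADERS, "/saml/acs", trust_forwarded=False))
```

Run `check_time_window` with the IssueInstant from the captured response and the SP-side clock at the moment it was received: an "in the future" finding means the SP is behind, "expired" means it is ahead, and both point at NTP rather than configuration. Run `check_destination` with the headers your backend logs for the ACS request: a mismatch with `trust_forwarded=False` but not with `trust_forwarded=True` means the proxy is rewriting Host (or terminating TLS and forwarding plain http), which is exactly the case the reply above describes.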