Campaign Studio

SAML Single Sign On (SSO)

SAML is an acronym for Security Assertion Markup Language, an XML-based communication standard used to authenticate and authorize users between a particular identity provider and a service provider. SAML helps to increase security and enables single sign-on (SSO). When enabled with Campaign Studio, this integration offers enhanced security and streamlined user management for your IT department while reducing the number of usernames and passwords your users need.

Setting up SAML

  1. Click the settings wheel in the top right corner to open the Settings menu.

  2. Navigate to Configuration > User/Authentication Settings.

  3. Enter the following data from your IDP in Campaign Studio:

    • Entity ID for the IDP: Select the custom domain or the sender domain of your instance from the dropdown.

    • IDP Metadata file: To enable SAML support in Campaign Studio, you need the IDP’s metadata XML file. The IDP provides this to you. If the IDP provides it as a URL:

      1. Browse to the URL.

      2. Save the content as an .xml file.

      3. Upload the file to the field in the Campaign Studio configuration.

    • Default role for created users: When new users sign in using SSO, they are assigned a default role with set permissions. Acquia recommends creating a default non-administrative role for users, so new users signing in with SAML SSO do not have administrator access. In User Permissions, under both Users - User has access to and Roles - User has access to, select only the View checkbox so that new users cannot access these permissions either. For more information, see Roles.

    • Email: Enter the field alias your IDP uses for users’ email addresses.

    • Username (Optional): Enter the field alias your IDP uses for users’ usernames. If the username field is empty, Campaign Studio sets usernames as the user’s email address.

    • First name: Enter the field alias your IDP uses for users’ first names.

    • Last name: Enter the field alias your IDP uses for users’ last names.

    • X.509 certificate and Private key: If the IDP supports encrypting and validating request signatures from Campaign Studio to the IDP, generate a self-signed SSL certificate. Upload the certificate and private key here, then upload the certificate to your IDP.


    For SSOs that require an ACS URL (Assertion Consumer Service), you must set the ACS URL to <Instance URL>/s/saml/login_check when setting up SAML.

    If you change the ACS URL after setting up SAML, the SSO login will not function and you will have to set up SAML again.

Signing in

Once you’ve configured Campaign Studio with your IDP, Campaign Studio will by default redirect sign-in attempts to the IDP’s login page. You can sign in to the instance directly by adding /s/login to the end of your instance URL (like: <Instance URL>/s/login). Sign in to the IDP, which redirects you back to Campaign Studio. If successful, the IDP will create the user in Campaign Studio (if the user doesn’t exist) and sign the user in.


For users who have SAML/SSO enabled and configured:

  • SSO logged in users cannot change their password.

  • SSO logged in users cannot change passwords of other users.

If a user forgets or needs to change the password for SSO, the SSO admin is responsible for resetting the password in the SSO admin settings.


If you see the following notification on the Campaign Studio login page, retry logging in before contacting the administrator. If the issue persists, the administrator must verify that the SSO configuration is correct, as this can occur due to an invalid certificate, invalid metadata, or both.