SAML Single Sign On (SSO)

SAML is an acronym for Security Assertion Markup Language, an XML-based communication standard used to authenticate and authorize users between a particular identity provider and a service provider. SAML helps to increase security and enables single sign-on (SSO). When enabled with Campaign Studio, this integration offers enhanced security and streamlined user management for your IT department while reducing the number of usernames and passwords your users need.

Setting up SAML

  1. Click the settings wheel in the top right corner to open the Settings menu.

  2. Navigate to Configuration > User/Authentication Settings.

    SSO User Credentials

  3. Within your identity provider (IDP), you may need to add the instance URL for your Campaign Studio instance as the entity ID. Be sure to use the URL with your custom domain, not

  4. Enter the following data from your IDP in Campaign Studio:

    • IDP Metadata file: To enable SAML support in Campaign Studio, you need the IDP’s metadata XML. The IDP provides this to you. If it is a URL:
      1. Browse to the URL.
      2. Save the content as an .xml file.
      3. Upload the file to the field in the Campaign Studio configuration.
    • Default role for created users: When new users sign in using SSO, they are assigned a default role with set permissions. Acquia recommends creating a default non-administrative role for users, so new users signing in with SAML SSO do not have administrator access. In the role's User Permissions, under Users - User has access to and Roles - User has access to, select only the View checkbox, which also prevents new users from accessing these permissions. For more information, see Users and Roles.

    SSO user permissions

    • Email: Enter the field alias your IDP uses for users’ email addresses.
    • Username (optional): Enter the field alias your IDP uses for users’ usernames. If the username field is empty, Campaign Studio sets usernames as the user’s email address.
    • First name: Enter the field alias your IDP uses for users’ first names.
    • Last name: Enter the field alias your IDP uses for users’ last names.
    • X.509 certificate and Private key: If the IDP supports encrypting and validating request signatures from Campaign Studio to the IDP, generate a self-signed SSL certificate. Upload the certificate and private key here, then upload the certificate to your IDP.

Signing in

Once you’ve configured Campaign Studio with your IDP, Campaign Studio will by default redirect sign-in attempts to the IDP’s login page. You can sign in to the instance directly by adding /s/login to the end of your instance URL (like: Sign in to the IDP, which redirects you back to Campaign Studio. If successful, the IDP will create the user in Campaign Studio (if the user doesn’t exist) and sign the user in.


For users who have SAML/SSO enabled and configured:

  • SSO logged in users cannot change their password.
  • SSO logged in users cannot change passwords of other users.

If a user forgets or needs to change the password for SSO, the SSO admin is responsible for resetting the password in the SSO admin settings.


If you see the following notification on the Campaign Studio login page, retry logging in before contacting the administrator. If the issue persists, the administrator must verify that the SSO configuration is correct, because this error can occur when the certificate, the metadata, or both are invalid.

SSO login page error