SAML Single Sign On (SSO)

SAML is an acronym for Security Assertion Markup Language, an XML-based communication standard used to authenticate and authorize users between a particular identity provider and a service provider. SAML helps to increase security and enables single sign on (SSO). When enabled with Campaign Studio, this integration offers enhanced security and streamlined user management for your IT department while reducing your users’ requirements for usernames and passwords.

Setting up SAML

  1. Click the settings wheel in the top right corner to open the Settings menu.

  2. Navigate to Configuration > User/Authentication Settings.

    SSO User Credentials

  3. Within your identity provider (IDP), you may need to add the instance URL for your Campaign Studio instance as the entity ID. Be sure to use the URL with your custom domain, not

  4. Enter the following data from your IDP in Campaign Studio:

    • IDP Metadata file: To enable SAML support in Campaign Studio, you need the IDP’s metadata XML. The IDP provides this to you.

      If it is a URL:

      1. Browse to the URL.
      2. Save the content as an .xml file.
      3. Upload the file to the field in the Campaign Studio configuration.
    • Default role for created users: When new users sign in using SSO, they are assigned a default role with set permissions. Acquia recommends creating a default non-administrative role for users, so new users signing in with SAML SSO won’t have administrator access. See more about users and roles.

    • Email: Enter the field alias your IDP uses for users’ email addresses.

    • Username (optional): Enter the field alias your IDP uses for users’ usernames. If the username field is empty, Campaign Studio sets usernames as the user’s email address.

    • First name: Enter the field alias your IDP uses for users’ first names.

    • Last name: Enter the field alias your IDP uses for users’ last names.

    • X.509 certificate and Private key: If the IDP supports encrypting and validating request signatures from Campaign Studio to the IDP, generate a self-signed SSL certificate. Upload the certificate and private key here, then upload the certificate to your IDP.

Signing in

Once you’ve configured Campaign Studio with your IDP, Campaign Studio redirects sign-in attempts to the IDP’s login page by default. You can sign in to the instance directly by adding /s/login to the end of your instance URL (like: Sign in to the IDP, which redirects you back to Campaign Studio. If successful, the IDP will create the user in Campaign Studio (if the user doesn’t exist) and sign the user in.