SAML is an acronym for Security Assertion Markup Language, an XML-based communication standard used to authenticate and authorize users between a particular identity provider and a service provider. SAML helps to increase security and enables single sign-on (SSO). When enabled with Campaign Studio, this integration offers enhanced security and streamlined user management for your IT department while reducing your users’ requirements for usernames and passwords.
Click the settings wheel in the top right corner to open the Settings menu.
Navigate to Configuration > User/Authentication Settings.
Within your identity provider (IDP), you may need to add the instance URL for your Campaign Studio instance as the entity ID. Be sure to use the URL with your custom domain, not yourcompany.mautic.net.
Enter the following data from your IDP in Campaign Studio:
IDP Metadata file: To enable SAML support in Campaign Studio, you need the IDP’s metadata XML. The IDP provides this to you.
If it is a URL: .xml file.
Default role for created users: When new users sign in using SSO, they are assigned a default role with set permissions. Acquia recommends creating a default non-administrative role for users, so new users signing in with SAML SSO won’t have administrator access. See more about users and roles.
Email: Enter the field alias your IDP uses for users’ email addresses.
Username (optional): Enter the field alias your IDP uses for users’ usernames. If the username field is empty, Campaign Studio sets usernames as the user’s email address.
First name: Enter the field alias your IDP uses for users’ first names.
Last name: Enter the field alias your IDP uses for users’ last names.
X.509 certificate and Private key: If the IDP supports encrypting and validating request signatures from Campaign Studio to the IDP, generate a self-signed SSL certificate. Upload the certificate and private key here, then upload the certificate to your IDP.
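An added example (not Acquia's code) that reads an IDP metadata XML file before you upload it and reports what the fields above depend on: the entity ID, whether the IDP asks for signed requests (the case where the certificate and private key are needed), and whether the aliases you plan to enter are declared as attributes. The sample metadata, idp.example.test and the attribute names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample; idp.example.test and the attribute names are placeholders.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Location="https://idp.example.test/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <saml:Attribute Name="email"/>
    <saml:Attribute Name="firstName"/>
    <saml:Attribute Name="lastName"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def summarize_idp_metadata(xml_text):
    """Return the values from IDP metadata that matter for the SSO form."""
    root = ET.fromstring(xml_text)
    # iter() also matches the root, so a bare EntityDescriptor and an
    # EntitiesDescriptor wrapper are both handled.
    for entity in root.iter(MD + "EntityDescriptor"):
        idp = entity.find(MD + "IDPSSODescriptor")
        if idp is None:
            continue  # this entity describes a service provider, not an IDP
        signed = idp.get("WantAuthnRequestsSigned", "false").lower()
        return {
            "entity_id": entity.get("entityID"),
            "wants_signed_requests": signed in ("true", "1"),
            "sso_urls": [s.get("Location")
                         for s in idp.findall(MD + "SingleSignOnService")],
            "attributes": [a.get("Name") for a in idp.findall(SAML + "Attribute")],
        }
    raise ValueError("no IDPSSODescriptor found: this is not IDP metadata")


def unknown_aliases(summary, aliases):
    """List form aliases (Email, Username, ...) the metadata does not declare."""
    declared = set(summary["attributes"])
    if not declared:  # many IDPs omit <saml:Attribute>; nothing to check against
        return []
    return sorted(a for a in aliases.values() if a and a not in declared)
```

An empty result from `unknown_aliases` when the metadata lists no attributes means the aliases could not be checked, so confirm them in the IDP's own configuration.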
Once you’ve configured Campaign Studio with your IDP, Campaign Studio redirects sign-in attempts to the IDP’s login page by default. You can sign in to the instance directly by adding /s/login to the end of your instance URL (like: https://subdomain.yourcompany.com/s/login). Sign in to the IDP, which redirects you back to Campaign Studio. If successful, the IDP will create the user in Campaign Studio (if the user doesn’t exist) and sign the user in.