Set up single sign-on (SSO) for your ActiveCampaign account

Available on Enterprise plans.

If you are an Admin for your ActiveCampaign account, you can set up single sign-on (SSO) for your account users. Setting up SSO is one way for all of your users to log in to a corporate server or third-party identity provider to access your ActiveCampaign account. A username and password combo may still be used for account access.

Take note

  • Any user in the Admin group can set up SSO in ActiveCampaign
  • You must have an identity provider set up for your business
  • This version of SSO works with any SAML provider, including but not limited to: Okta, Auth0, Azure AD
  • Activating SSO will not affect two-factor authentication for your account

How it works

To set up SSO, you need to connect your ActiveCampaign account to an external identity provider via the SAML protocol. This lets you use your existing user management or identity as a service (IDaaS) vendor to log in to your ActiveCampaign account. This step is completed in your ActiveCampaign account.

Once set up, there are two ways your account users can gain access to your business's ActiveCampaign account:

  1. Identity provider initiated login
    Users can log into your business's corporate server or third-party identity provider. Once there, they can click the ActiveCampaign tile. Once clicked, the user is redirected to the Marketing Dashboard page in their ActiveCampaign account.
  2. Service provider initiated login
    The user can navigate to the login page for their ActiveCampaign account. Once there, the user can click a button that says, "Login with [name of identity provider]." This action redirects the user to the login page for the business's corporate server or third-party identity provider. Once the user logs in, they are redirected to the Marketing Dashboard page in their ActiveCampaign account.

General Instructions for SAML-based identity provider

  1. Log in to your identity provider's account and create a new application.
  2. Open a new tab or window and log in to your ActiveCampaign account as an Admin user.
  3. In ActiveCampaign, click Settings (gear icon), then click Security.
  4. Find the Single Sign-On box and click the toggle to set it to the "On" position
  5. Type the name of the identity provider into the "Name of Secure Login Provider" field.
  6. Copy the Sign-on URL and paste it to your identity provider's account where required.
  7. Copy the Audience URI (SP Entity ID) and paste it to your identity provider's account where required.
  8. In your identity provider's account, find the SAML metadata. Copy the metadata and paste it to the "SAML metadata" field in ActiveCampaign.
  9. Click the "Save" button in ActiveCampaign.

SSO setup with Okta

This setup is completed in both your ActiveCampaign account and Okta.

  1. Log into your ActiveCampaign account.
  2. Click "Settings" then click "Security."
  3. Click the "Single Sign-On" toggle to set it to the "On" position.
  4. There are two prepopulated values for "Sign-on URL" and "SP Entity ID" on this page. You need these values for SSO setup in Okta.
  5. Open a new window or tab in your browser. Log into your Okta org. Note that you may work with your IT administrator to complete this part of the setup.
  6. Navigate to the Admin user interface. Follow Okta's instructions for setting up a SAML app in Okta.
    • For "Single sign-on URL" paste the "Sign-on URL" value from ActiveCampaign
    • For "Audience URI(SP Entity ID)," paste the "SP Entity ID" value from ActiveCampaign
    • Required: Set Name ID format to "EmailAddress"
    • Optional: Configure attribute statements. This allows SSO to automatically set up a user's first and last name when their account is dynamically created. These name fields are case sensitive
  7. Once you complete the Okta setup, click "View setup instructions."
  8. Under "Optional" is IDP metadata. Copy the metadata.
  9. Go back to your ActiveCampaign account
    • Paste the metadata to the "SAML Metadata" box
    • Update the "Name of Secure Login Provider." For example, "Okta Single Sign-On"
  10. Click "Save settings."

  Make sure to test your single sign-on settings before logging out of ActiveCampaign. Incorrect settings can result in account lockout.

Your ActiveCampaign account login page will display an SSO hybrid login.

SSO setup with Auth0

This setup is completed in both your ActiveCampaign account and Auth0. An Auth0 Enterprise plan is required to complete this setup.

Follow Auth0's instructions for setting up a SAML app.

  1. Log into your ActiveCampaign account.
  2. Click "Settings" then click "Security."
  3. Click the "Single Sign-On" toggle to set it to the "On" position.
  4. There are two prepopulated values for "Sign-on URL" and "SP Entity ID" on this page. You need these values for SSO setup in Auth0.
  5. Open a new window or tab in your browser. Log into your Auth0 org. Note that you may work with your IT administrator to complete this part of the setup.
  6. In Auth0, create or modify an existing application. Verify that, under "Settings":
    • "Application Type" is set to "Regular Web Application"
    • "Token Endpoint Authentication Method" is set to "POST"
    • You can also optionally change the "Application Name" and Icon shown to users here under "Basic Information"
  7. Under Addon: SAML2 Web App, on the "Settings" tab:
    • Set the appropriate "Application Callback URL's" from the "Sign-on URL" on the AC website
    • Under Settings:
      • Uncomment "audience" and change the default value from "urn:foo" to the "SP Entity ID" from the AC website
      • Uncomment “logout” and set “callback to “https://<your-account-name>.activehosted.com/admin/index.php?action=logout”
      • You can also do additional field mappings here. ActiveCampaign supports "email," "firstName," and "lastName"
      • Click "Debug" to launch a new browser window to see an example of the login prompt
    • On the "Usage" tab, click on "Download" after "Identity Provider Metadata." Save this file 
  8. Open the XML file with your favorite text editor and copy the file's contents to your clipboard.
  9. In your ActiveCampaign account:
    • Paste the XML file contents into the "SAML Metadata" field
    • Update the "Name of Secure Login Provider." For example, you can use "Auth0."
    • Click the "Save settings" button

  Test your SSO settings before logging out of ActiveCampaign. Incorrect settings can result in account lockout.

SSO setup with Azure AD

This setup is completed in both your ActiveCampaign account and Azure AD. An Azure AD Enterprise plan is required to complete this setup.

  1. Log into your ActiveCampaign account.
  2. Click "Settings" then click "Security."
  3. Click the "Single Sign-On" toggle to set it to the "On" position.
  4. There are two prepopulated values for "Sign-on URL" and "SP Entity ID" on this page. You need these values for SSO setup in Azure AD.
  5. Open a new window or tab in your browser. Log into your Azure AD tenant portal. Note that you may work with your IT administrator to complete this part of the setup.
  6. Search for "Enterprise Application" and click the corresponding link.
  7. Click the "New application" option.
  8. Click "Create your own application."
  9. Complete the following fields when creating your own application:
    • Name the application <your-account-name>.activehosted.com
    • Select the "Non-gallery" option
    • Click the "Create" button
  10. You should now be on the "Users and groups" page for your Azure AD portal. Click the "Single sign-on" link under "Manage."
  11. Click the "SAML" option.
  12. Click "Edit" for Basic SAML Configuration.
  13. Complete the following:
    • Copy the "Single sign-on URL" value from ActiveCampaign and paste it in the "Reply URL (Assertion Consumer Service URL)" field in Azure AD
    • Copy the Audience URI (SP Entity ID) value from ActiveCampaign and paste it in the Identifier (Entity ID) field in Azure AD
    • In Azure AD, set the Logout URL value to https://<your-account-name>.activehosted.com/admin/index.php?action=logout
    • Click "Save"

      The field order is different in ActiveCampaign and Azure.

  14. You should now be on the SAML-based Sign-on page in Azure AD. Click the "Download" link next to "Federation Metadata XML" under "SAML Signing Certificate."
  15. Open the XML file with your favorite text editor and copy the file's contents to your clipboard.
  16. In your ActiveCampaign account:
    • Paste the XML file contents into the "SAML Metadata" field.
    • Update the "Name of Secure Login Provider." For example, you can use "Azure AD Single Sign-On"
  17. Click the "Save settings" button.

  Make sure to test your single sign-on settings before logging out of ActiveCampaign. Incorrect settings can result in account lockout.

To test your SSO settings:

  1. Go to the "SAML-based Sign-on" page in your Azure AD portal.
  2. Scroll to the bottom of the page and click the "Test" button.

If you encounter any errors, please go through these steps again. If you cannot resolve the errors, please contact our Customer Support team for future assistance.

Was this article helpful?
0 out of 1 found this helpful

Have more questions? Submit a request

Start free trial