If you are an Admin for your ActiveCampaign account, you can set up single sign-on (SSO) for your account users. Setting up SSO is one way for all your users to log in to a corporate server or third-party identity provider to access your ActiveCampaign account. A username and password combo may still be used for account access.
Take note
- Any user in the Admin group can set up SSO in ActiveCampaign
- You must have an identity provider set up for your business
- This version of SSO works with any SAML provider, including but not limited to: Okta, Auth0, Microsoft Entra ID (Azure AD)
- Activating SSO will not affect two-factor authentication for your account
- Once set up, test your single sign-on settings before logging out of ActiveCampaign. Incorrect settings can result in account lockout
- Security Warning: As the Identity Provider (OneLogin) maintains SSO user logins and passes the credentials to ActiveCampaign, your organization may also want to increase security and require re-authentication at each login
How it works
To set up SSO, connect your ActiveCampaign account to an external identity provider via the SAML protocol. This lets you use your existing user management or identity as a service (IDaaS) vendor to log in to your ActiveCampaign account. This step is completed in your ActiveCampaign account.
During setup in your ActiveCampaign account, you can further customize how your users sign in by choosing one of the following “Sign In Methods”:
- Hybrid Log In: This option allows users to use SSO or Email and Password at login. Setting up SSO will not remove the option for users to log in with their Email and Password. Both options will remain in full effect at the time of login.
- Enforce Single Sign-on: This option requires users to use SSO at login. They will not have the option to use Email and Password to log in.
Once set up, there are two ways your account users can gain access to your business's ActiveCampaign account:
- Identity provider initiated login: Users can log into your business's corporate server or third-party identity provider. Once there, they can click the ActiveCampaign tile. Once clicked, the user is redirected to the Marketing Dashboard page in their ActiveCampaign account.
- Service provider initiated login: The user can navigate to the login page for their ActiveCampaign account. Once there, the user can click a button that says, "Log in with [name of identity provider]." This action redirects the user to the login page for the business's corporate server or third-party identity provider. Once the user logs in, they are redirected to the Marketing Dashboard page in their ActiveCampaign account.
General Instructions for SAML-based identity provider
- Log in to your identity provider's account and create a new application.
- Open a new tab or window and log in to your ActiveCampaign account as Admin.
- In ActiveCampaign, click Settings (gear icon), then click Security.
- Find the Single Sign-On box and click the toggle to set it to the "On" position.
- Choose your “Sign In Method” (see the "How it works" section) by clicking the dropdown.
- Type the name of the identity provider into the "Name of Secure Login Provider" field.
- Copy the Sign-on URL and paste it to your identity provider's account where required.
- Copy the Audience URI (SP Entity ID) and paste it to your identity provider's account where required.
- In your identity provider's account, find the SAML metadata. Copy the metadata and paste it into the "SAML metadata" field in ActiveCampaign.
- Click the "Save" button in ActiveCampaign.
SSO setup with Okta
This setup is completed in both your ActiveCampaign account and Okta.
- Log into your ActiveCampaign account.
- Click Settings, then click "Security."
- Click the "Single Sign-On" toggle to set it to the "On" position.
- Choose your “Sign In Method” (see the "How it works" section) by clicking the dropdown.
- There are two prepopulated values for "Sign-on URL" and "SP Entity ID" on this page. You need these values for the SSO setup in Okta.
- Open a new window or tab in your browser. Log into your Okta org. You may need to work with your IT administrator to complete this part of the setup.
- Navigate to the Admin user interface. Follow Okta's instructions for setting up a SAML app in Okta.
- For "Single sign-on URL," paste the "Sign-on URL" value from ActiveCampaign
- For "Audience URI(SP Entity ID)," paste the "SP Entity ID" value from ActiveCampaign
- Required: Set Name ID format to "EmailAddress"
- Optional: Configure attribute statements. This allows SSO to automatically set up a user's first and last name when their account is dynamically created. These name fields are case sensitive
- Once you complete the Okta setup, click "View setup instructions."
- Under "Optional" is IDP metadata. Copy the Metadata.
- Go back to your ActiveCampaign account
- Paste the Metadata to the "SAML Metadata" box
- Update the "Name of Secure Login Provider." For example, "Okta Single Sign-On"
- Click "Save settings."
Your ActiveCampaign account login page will display an SSO hybrid login.
SSO setup with Auth0
This setup is completed in both your ActiveCampaign account and Auth0. An Auth0 Enterprise plan is required to complete this setup.
Follow Auth0's instructions for setting up a SAML app.
- Log into your ActiveCampaign account.
- Click Settings, then click "Security."
- Click the "Single Sign-On" toggle to set it to the "On" position.
- Choose your “Sign In Method” (see the "How it works" section) by clicking the dropdown.
- There are two prepopulated values for "Sign-on URL" and "SP Entity ID" on this page. You need these values for SSO setup in Auth0.
- Open a new window or tab in your browser. Log into your Auth0 org. You may need to work with your IT administrator to complete this part of the setup.
- In Auth0, create or modify an existing application. Verify that, under "Settings":
- "Application Type" is set to "Regular Web Application"
- "Token Endpoint Authentication Method" is set to "POST"
- You can also change the "Application Name" and Icon shown to users here under "Basic Information"
- Under Addon: SAML2 Web App, on the "Settings" tab:
- Set the appropriate "Application Callback URLs" from the "Sign-on URL" on the ActiveCampaign website
- Under Settings:
- Uncomment "audience" and change the default value from "urn:foo" to the "SP Entity ID" from the ActiveCampaign website
- Uncomment “logout” and set “callback” to https://<your-account-name>.activehosted.com/admin/index.php?action=logout
- You can also do additional field mappings here. ActiveCampaign supports "email," "firstName," and "lastName"
- Click "Debug" to launch a new browser window to see an example of the login prompt
- On the "Usage" tab, click on "Download" after "Identity Provider Metadata." Save this file
- Open the XML file with your favorite text editor and copy the file's contents to your clipboard.
- In your ActiveCampaign account:
- Paste the XML file contents into the "SAML Metadata" field
- Update the "Name of Secure Login Provider." For example, you can use "Auth0."
- Click the "Save settings" button
SSO setup with Microsoft Entra ID (Azure AD)
This setup is completed in both your ActiveCampaign account and Microsoft Entra ID. A Microsoft Entra ID Enterprise plan is required to complete this setup.
- Log into your ActiveCampaign account.
- Click Settings, then click "Security."
- Click the "Single Sign-On" toggle to set it to the "On" position.
- Choose your “Sign In Method” (see the "How it works" section) by clicking the dropdown.
- There are two prepopulated values for "Sign-on URL" and "SP Entity ID" on this page. You need these values for SSO setup in Microsoft Entra ID.
- Open a new window or tab in your browser. Log into your Microsoft Entra ID tenant portal. You may need to work with your IT administrator to complete this part of the setup.
- Search for "Enterprise Application" and click the corresponding link.
- Click the "New application" option.
- Click "Create your own application."
- Complete the following fields when creating your application:
- Name the application <your-account-name>.activehosted.com
- Select the "Non-gallery" option
- Click the "Create" button
- From the "Users and groups" page for your Microsoft Entra ID portal, click the "Single sign-on" link. This is under "Manage."
- Click the "SAML" option.
- Click "Edit" for Basic SAML Configuration.
- Complete the following:
- Copy the "Single sign-on URL" value from ActiveCampaign and paste it into the "Reply URL (Assertion Consumer Service URL)" field in Microsoft Entra ID
- Copy the Audience URI (SP Entity ID) value from ActiveCampaign and paste it into the Identifier (Entity ID) field in Microsoft Entra ID
- In Microsoft Entra ID, set the Logout URL value to https://<your-account-name>.activehosted.com/admin/index.php?action=logout
- Click "Save"
The field order is different in ActiveCampaign and Microsoft Entra ID.
- From the SAML-based Sign-on page in Microsoft Entra ID, click the "Download" link. This is next to "Federation Metadata XML" under "SAML Signing Certificate."
- Open the XML file with your favorite text editor and copy the file's contents to your clipboard.
- In your ActiveCampaign account:
- Paste the XML file contents into the "SAML Metadata" field.
- Update the "Name of Secure Login Provider." For example, you can use "Microsoft Entra ID Single Sign-On"
- Click the "Save settings" button.
Test your SSO settings
- Go to the "SAML-based Sign-on" page in your Microsoft Entra ID portal.
- Scroll to the bottom of the page and click the "Test" button.
If you encounter any errors, please go through these steps again. If you cannot resolve the errors, please contact our Customer Experience Team for further assistance.
SSO setup with OneLogin
This setup is completed in both your ActiveCampaign account and OneLogin.
- Log into your ActiveCampaign account.
- Click Settings, then click "Security."
- Click the "Single Sign-On" toggle to set it to the "On" position.
- Choose your “Sign In Method” (see the "How it works" section) by clicking the dropdown.
- There are two prepopulated values for "Sign-on URL" and "SP Entity ID" on this page. You need these values for SSO setup in OneLogin.
- Open a new window or tab in your browser. Log into your OneLogin org. You may need to work with your IT administrator to complete this setup.
- In OneLogin, create or modify an existing application.
- Under "Applications" (in the header), then "Applications":
- If you need to create an application (first time only):
- Click the "Add App" button on the top right
- Search for "SAML Custom Connector"
- Click on "SAML Custom Connector (Advanced)" to create the new connector
- Set the "Display Name" for your application, for example "AC SAML2"
- Optional: Upload icons for your application
- Click "Save"
- In the "Configuration" section (on the left side):
- Paste the value from ActiveCampaign into the "Audience (EntityID)" field
- Paste the value from ActiveCampaign into the "ACS (Consumer) URL" field
- Verify that "SAML initiator" is "OneLogin"
- Verify that "SAML nameID format" is "Email"
- In the "Parameters" section (on the left side):
- Map values to be sent to ActiveCampaign:
- Required: "NameID value" should be "Email"
- Optional: FirstName, LastName, Phone (added on 2/21/22)
- After setting the URLs and Parameters above, you need to download the Metadata. This is found under the dropdown in the upper-right corner of the page as "More Data":
- Click "SAML Metadata" to download the XML file
- Open the XML file with your favorite text editor and copy the contents of the file to your clipboard
- In your ActiveCampaign account:
- Paste the contents of the XML file into the "SAML Metadata" field
- Update the "Name of Secure Login Provider" - example: "OneLogin SAML" - this text is displayed in the button on the ActiveCampaign Login page
- Click the "Save settings" button
- Before users can log in, you must assign them to the OneLogin application.
- On the OneLogin website - Under "Users" (at the top left)
- To create a User - click the "New User" button (at the top right)
- Required (by OneLogin): Set the "First name" value
- Required (by OneLogin): Set the "Last name" value
- Required (by ActiveCampaign, optional for OneLogin): Set the "Email" value
- Recommended but not required: Set the "Username" and "Phone number"
- Click "Save User" (at the top right)
- Click "Applications" on the left side
- Click “+” on the top right
- Choose the application name you previously created for "AC SAML OneLogin"
- Click the "Continue" button
- Verify that the correct values are shown in the modal:
- "Allow the user to sign in" should be checked
- "NameID" value should be the user's email address
- Optional: "LastName" and "FirstName" are populated. Otherwise, ActiveCampaign will use default values
- Click the "Save" button
- To edit existing users, click their name and ensure they have the correct "Application" assigned for the "New User" setup
- Repeat for other users as required
- As ActiveCampaign does User Provisioning during the initial SSO login, the user data will be collected the first time the user attempts to log in.
- If their email address is already known to ActiveCampaign, existing group data and permissions will be used
- If their email address is not known to ActiveCampaign, the user will be added to an "SSO Users" group with permissions that account Admins can configure
SSO setup with Google
A Google Workspace account is required for this setup.
Read more details on setting up your custom SAML application with Google.
- Log into your ActiveCampaign account as an Admin user.
- Click Settings, then click "Security."
- Click the "Single Sign-On" toggle to set it to the "On" position.
- Choose your “Sign In Method” (see the "How it works" section) by clicking the dropdown.
- There are two prepopulated values for "Sign-on URL" and "SP Entity ID" on this page. You need these two values for SSO setup in Google.
- In a separate browser, go to https://admin.google.com.
- Log in to your Google Workspace using the Super-Admin credentials. This username will not end with @gmail.com.
- From the Admin console, go to "Apps," then "Web and mobile apps."
- Select "Add app," then "Add custom SAML app":
- Required: Enter a value for "App name"
- Optional: Enter a value for "Description"
- Optional: Select an "App" icon
- Click the "Continue" button
- Select Option 1: Download IdP metadata
- Save the XML file to your desktop. You will need this later
- Click the "Continue" button
- Service provider details:
- For "ACS URL," paste the value from AC "Single Sign-On URL"
- For "Entity ID," paste the value from AC "Audience URI (SP Entity ID)"
- For "Name ID format," select "EMAIL" from the dropdown list.
- For "Name ID," verify that the value is "Basic Information > Primary email"
- Click the "Continue" button
- Attributes:
- While optional, the following are recommended. Click "Add Mapping" to add each one:
- "First name" - FirstName
- "Last name" - LastName
- "Primary email" - Email
- "Phone number" - Phone
- Click the "Finish" button
- Back in your ActiveCampaign account:
- Set "Name of Secure Login Provider" ex: "Google SAML SSO"
- Paste the "SAML Metadata" from the XML file downloaded from Google IdP
- Click "Save settings"
- Back in Google, ensure you've enabled users for the SAML app.
- As ActiveCampaign (currently) does User Provisioning during the initial SSO login, user data will be collected the first time a user attempts to log in.
- If their email address is already known to AC, existing group data and permissions will be used
- If their email address is not known to AC, the user will be added to an "SSO Users" group with permissions that account Admins can configure
- Google Error messages:
- "Error: app_not_configured_for_user" (HTTP 403)
- Problem: This has been seen during SSO Login if the user is using Google Chrome as a user other than one authorized to use SSO for the application
- Solution: Go to https://myaccount.google.com/, click on the icon in the upper-right corner, and add or select the correct user before trying to use SSO at ActiveCampaign again
- Verification: Use Incognito mode or a different browser
- See the SAML app error messages page for more information on errors
SSO setup with JumpCloud
This setup is completed in both your ActiveCampaign and JumpCloud accounts.
- Log in to your ActiveCampaign account as an Admin.
- Click Settings, then click "Security."
- Click the "Single Sign-On" toggle to set it to the "On" position.
- Choose your “Sign In Method” (see the "How it works" section) by clicking the dropdown.
- There are two prepopulated values for "Sign-on URL" and "SP Entity ID" on this page. You need to copy these values for SSO setup in JumpCloud.
- Initially, it is recommended to leave the other settings at their default values until your initial SSO connection is verified:
- "Sign In Method":
- "Hybrid" - this allows users to use a username and password or SSO to log in
- "Enforce Single Sign-On" - requires SSO and does not provide a username or password option to log in
- "User Provisioning":
- "Automatic" - creates users in the ActiveCampaign account if the SSO-provided email does not already exist in the system
- "Manual" - will not allow users to log in if their email is not already known to ActiveCampaign
- "Designated User Group for Auto-provisioning":
- This is the ActiveCampaign user group that new users will be added to if "Automatic" provisioning is enabled
- Open a new window or tab in your browser. Log into your JumpCloud account. You may need to work with your IT administrator to complete this part of the setup.
- In JumpCloud, create or modify an existing application.
- Click "SSO" on the left navigation
- Click the "Add New Application" button at the page's top.
- Click the "Custom SAML Application" button at the page's bottom.
- On the "General Info" tab:
- For "Display Label," use "ActiveCampaign" (or something similar to identify the application). This can be changed later
- Optional: Choose a logo or color if desired
- Make sure that "Show this application in User Portal" is checked
- On the "SSO" tab:
- Copy the "Audience URI (SP Entity ID)" value from the Settings > Security page in ActiveCampaign to the "SP Entity ID" field in JumpCloud. This should start with https://XXX.activehosted.com/auth/saml2/service-provider-metadata/ZZZ (where XXX is the account name and ZZZ is a registrationId)
- Copy the "Single Sign-On URL" value from the Settings > Security page in ActiveCampaign to the "ACS URL:" field in JumpCloud. This should start with https://XXX.activehosted.com/auth/saml2/ZZZ (where XXX is the account name and ZZZ is a registrationId)
- "SAML Subject NameID" value should be default "email"
- SAML Subject NameID Format: Use default
- Signature Algorithm: Use default "RSA-SHA256"
- Sign Assertion - Leave unchecked
- Default RelayState - Leave empty
- Login URL - Leave empty
- Declare Redirect Endpoint - Leave unchecked
- IDP URL: - this is for your use only and cannot be changed after initial setup - recommend https://sso.jumpcloud.com/saml2/activecampaign
- Use the "Export Metadata" button at the top of the page in the JumpCloud SSO setup. Download the XML contents and paste them into the "SAML Metadata" field on the Settings > Security page in your ActiveCampaign account
- Attributes: (recommended, but not required):
- email → email
- FirstName → firstname
- LastName → lastname
- Phone → phoneNumbers.mobile
- Click “Save.”
- Verify that appropriate Users and Groups are assigned to the application.