Ⓘ Available to HQ, Teams, and Corporate accounts
What is SSO?
Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials to access multiple applications. SSO can be used by enterprises, organizations, and individuals to reduce the burden of managing multiple usernames and passwords, which is why it is only available to tiered accounts.
Our SSO
Currently, we offer IdP-initiated SSO through SAML (Security Assertion Markup Language). Essentially, this means that the SSO will use SAML to create a virtual handshake between our application and your identity provider, which lets the user sign in through that provider.
You can set this up for yourself in your email marketing account with the help of your SSO provider. To do so, you will need the information below about your IdP (identity provider). However, only the account Parent and some Managers will have access to the SSO portion of your account.
Once SSO is enabled on your account, new users will not receive the usual welcome email that asks them to set up a username and password, since those elements are already embedded in the SSO functionality.
Users who existed in your email marketing account prior to SSO setup will still have a password associated with their username, allowing them to bypass SSO. To prevent this, you’ll need to delete pre-SSO users and re-invite them once SSO is set up in your account. If this is not done, those users will be able to use the standard login process and they will be able to request password reset emails. Users who were created after SSO was set up cannot use the standard login process and they cannot request password reset emails.
IdP information to obtain from your SSO provider
You will need to obtain the following information from your SSO provider. Once obtained, you will enter this information into your email marketing account.
- Entity ID (must be a valid URN)
- Single sign-on URL
- Single logout URL (optional)
- Public X.509 certificate (text version will work)
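A pre-flight check for the four values above, as an added example that is not part of our application or the original article. It assumes RFC 8141 URN syntax (without the optional r-, q- and f-components) and treats a non-HTTPS URL as a problem; the application's own validation may differ, and the sample values are constructed.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# "urn:" NID ":" NSS, with a 2-32 character NID (assumed rule, see lead-in).
URN_RE = re.compile(r"^urn:[a-z0-9][a-z0-9-]{0,30}[a-z0-9]:[^\s#?]+$", re.IGNORECASE)
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.DOTALL)

# Constructed placeholder bytes wrapped in PEM armor; not a real certificate.
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               + base64.encodebytes(b"constructed placeholder, not a real cert").decode()
               + "-----END CERTIFICATE-----")


def cert_fingerprint(pem_text):
    """SHA-256 of the DER bytes inside the PEM armor, or None if malformed.

    Compare this value with the fingerprint your IdP shows for its signing cert.
    """
    match = PEM_RE.search(pem_text)
    if not match:
        return None
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return hashlib.sha256(der).hexdigest()


def check_idp_settings(entity_id, sso_url, certificate, slo_url=""):
    """Return a list of problems found in the IdP values (empty list = none)."""
    problems = []
    if not URN_RE.match(entity_id):
        problems.append("entity_id: not a URN")
    for name, url, required in (("sso_url", sso_url, True), ("slo_url", slo_url, False)):
        if not url and not required:
            continue  # the single logout URL is optional
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            problems.append(f"{name}: must be an absolute https URL")
    if cert_fingerprint(certificate) is None:
        problems.append("certificate: not a PEM-encoded X.509 certificate")
    return problems


if __name__ == "__main__":
    print(check_idp_settings("urn:example:idp:acme", "https://idp.example.com/sso", SAMPLE_CERT))
    print(check_idp_settings("https://idp.example.com/metadata", "http://idp.example.com/sso", "x"))
```

The second call shows the common failure: an entity ID that is a URL rather than a URN is reported before you paste it into the pop-up window.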
Information from us to give your SSO provider
All of our metadata, including assertion URL, can be accessed here: https://app.e2ma.net/app2/sso/metadata/.
You must actually click on the link above in order to view the metadata. The metadata will not be typed out in this article to avoid inaccuracies or update delays – it must be viewed by clicking on the link above.
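If your SSO provider cannot import metadata and needs the values typed in, they can be read out of the downloaded document. The sketch below is an added example, not our code: the sample XML is constructed (the entityID is a placeholder, and the NameIDFormat and WantAssertionsSigned values are assumptions), so run it against the document you saved from the link above.

```python
import xml.etree.ElementTree as ET

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample, NOT the real metadata document. Only the ACS Location
# is taken from this article (the SP URL given in the FAQ).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="SP-ENTITY-ID-PLACEHOLDER">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.e2ma.net/app2/sso/assert_identity/"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def read_sp_metadata(xml_text):
    """Extract the values an IdP administrator enters by hand from SP metadata."""
    # SAML metadata never needs a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in metadata")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", MD)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall("md:AssertionConsumerService", MD)]
    if not acs or any(not (loc or "").startswith("https://") for _, loc in acs):
        raise ValueError("missing or non-HTTPS assertion consumer URL")
    return {
        "entity_id": root.get("entityID"),
        "acs": acs,
        "nameid_formats": [(e.text or "").strip()
                           for e in sp.findall("md:NameIDFormat", MD)],
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


if __name__ == "__main__":
    for key, value in read_sp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```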
How to add SSO to your email marketing account
- Click on the gear in the upper right corner of your screen.
- Select Account from the dropdown menu. If you are currently working in a subaccount, be sure to click on the Account option in the Parent account settings section of the menu.
- Click on the SSO tab.
- Click on the Add SSO provider button.
- In the pop-up window that appears, enter the required information from your SSO provider. Do not put information from our metadata in this pop-up window.
- Click on the Save button.
Once these steps are complete, you will see your SSO details appear in the SSO tab. At this point, SSO setup is complete on our end. There may still be things that you need to configure with your SSO provider, but as far as your email marketing account is concerned, there is nothing else that you need to do.
Frequently asked questions about SSO
Do you support SAML 2.0?
Yes, we do.
What attributes are required to utilize SSO?
| Attribute | Details |
| --- | --- |
| Entity ID | Must be a valid URN, obtained from your IdP. |
| SSO URL | This should be obtained from your IdP. |
| X.509 certificate | A digital cryptographic signature. This should be obtained from your IdP. |
| SLO URL (optional) | Where users will be redirected after they are logged out due to inactivity. If left blank, it will default to the standard login screen. |
How do you use the personally identifiable information (PII) related to the attributes that you receive?
The only PII attribute that we receive is the SAML NameID passed in the assertion that corresponds to the username (email address) of the user in your email marketing account. More information on how we protect this email address can be found in our Permission & Privacy Policy.
How is metadata shared to set up trust between your service provider (SP) and our identity provider (IdP)?
Our metadata is available here: https://app.e2ma.net/app2/sso/metadata/. You are responsible for configuring your IdP with that metadata. Then you can set up a new SSO provider in your email marketing account by following the instructions found above.
Are the links to your system IdP-initiated or SP-initiated?
They are IdP-initiated.
After I add SSO to my account, will new users still receive an invitation email when they are added?
No, they will not. If SSO is enabled on your account, the email invitation will be suppressed and will not be delivered to the user.
What is the service provider (SP) URL needed to log in to / access the system?
The SP URL is https://app.e2ma.net/app2/sso/assert_identity/.
This is not the URL that SSO users will use to access the application. This URL is solely for your SSO provider. If a user attempts to access this URL, they will receive an error message.
How do SSO users access the email marketing account? Is there a special login screen for them?
No, there is not a special login screen for SSO users. Instead, they will need to log in through your SSO provider directly. How you choose to execute this depends entirely on your system and we cannot provide specific assistance or guidance.
Once SSO is set up, can anyone at my organization log in to the application?
No, users cannot log in to an email marketing account unless an existing user adds them through the application’s UI. This is true even when an account has SSO set up; SSO does not automatically create users in the application and it will not allow anyone to access the account unless they have been added as a user.
Do you require test accounts?
No, we do not.
Do you have a stage environment for testing?
No, we do not.
Do you support SHA256 hashing for the signed SSO request?
Yes, we do.
Do you require a separate SSO solution for admin logins?
No, we do not.
Do you support SCIM or JIT provisioning for SSO user creation?
No, we do not support SCIM or JIT provisioning for SSO user creation. Each user needs to be created in your SSO provider, as well as in the application directly.
If my account has SSO enabled, can users still sign in with their username and password?
It depends. If a user was created prior to SSO being implemented, then they could still technically log in with their password. In order to prevent this, you’ll need to delete the user and re-invite them post-SSO setup. Users who were created prior to SSO being implemented can also request password reset emails and can use the password reset link in that email to circumvent SSO. However, users who were created after SSO was implemented cannot request password reset emails. If they try to request one, our system will prevent the email from being sent.