Configuring Single Sign On
Approved Constant Contact technology partners selling Toolkit can integrate with Constant Contact's Single Sign On (SSO) solution that uses SAML 2.0 standards. This allows their customers to access their integrated Constant Contact account without having to sign in with a separate username and password.
Please contact your Constant Contact partner account manager to start the process required for setting up and testing SSO.
SSO terms and roles
- Service Provider (SP) - Constant Contact, providing access to the users Constant Contact account.
- Identity Provider (IdP) - The Constant Contact Partner, who is responsible for user authentication and authorization
The Constant Contact SSO authentication sequence of events is as follows:
- User Attempts to access their Constant Contact account.
- CTCT determines who the Identity Provider (IdP) is, and issues an authentication request, redirecting the users browser to the IdP, our partner that has implemented SSO with us.
- User authenticates to the IdP.
- The IdP issues a response to Constant Contact with the required user attributes.
- Constant Contact processes the response from the IdP.
- Constant Contact grants or denies access appropriately.
Identity Provider initiated SSO
The authentication sequence used in the Identity Provider initiated SSO is illustrated in the following diagram:
Service Provider initiated SSO
Constant Contact's SSO implementation currently only supports Identity Provider (IdP) initiated SSO, meaning the initial user authentication is performed by the Identity Provider (IdP) and not by the Service Provider (SP).
SAML response requirements
The IdP makes SAML posts to the following Constant Contact SP URL: https://idfed.<env>.constantcontact.com/sp/ACS.saml2, where <env> defines the environment to differentiate between pre-production testing and production environments. We will provide you with the complete URL.
The IdP identifies itself to the SP using a SAML2 response. The digitally signed response must include the following parameters.
- /Response/Issuer - the entity identifier of the IdP, a string that you, the IdP, provides to Constant Contact.
- /Response/Assertion/Issuer - The entity identifier of the IdP within the Assertion body
- /Response/Assertion/Subject/NameID - Identifier for the authenticated principal (external user id that was generated when you created the Constant Contact Toolkit account.
NOTE: We do not support transient identifiers
- Signing certificates - The SAML2 response must be digitally signed using a private key. The partner IdP needs to provide to Constant Contact the digital certificate/public key of the private/publicv key pair used to sign the SAML response. Identity providers must provide Base64 encoded X.509 certificates for both pre-production and production environments, along with their expiration dates.
Sample Certificate
-----BEGIN CERTIFICATE-----MIICsDCCAhmgAwIBAgIJANw3KcuJ+4DrMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTQwNzI4MTkwMjIzWhcNMTUwNzI4MTkwMjIzWjBFMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHLZ0Gf1NxaQnxp/kSAEUtDbQH/BkhrJfC8B/bTFl2gN2BFqQjZ8Z5LnhLmmagmHrCj8k20CtccCkUpL39cP6awEjDyGL5yFlbZl5wXiy9+Yjb5f/dDOvX7HM76LcKGRbFzjkqujUL0Dmc8ObtmdlHmbGAbIUomkG0cqwOFavURwIDAQABo4GnMIGkMB0GA1UdDgQWBBQby6btZXHRR057bHCvd9KLKFmu3jB1BgNVHSMEbjBsgBQby6btZXHRR057bHCvd9KLKFmu3qFJpEcwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJANw3KcuJ+4DrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAVhTjM8MK+Qfe7LYj483Io8YJl5AeFGFdAowiClcBGiUX7tya6q7c2it6hH4Hfiu7URwfoxil2S2WpmSO46ZcgxV/7RJtWX7cEKSo5xXSrcm56XZZUbC3RXMuZXHKlE/DgtlzB17dwV/LrE28TYGF9upaKjwK+Bdta4RiUh4KBQ0=-----END CERTIFICATE----- |