Configuring Single Sign On

Approved Constant Contact technology partners selling Toolkit can integrate with Constant Contact's Single Sign On (SSO) solution, which is based on the SAML 2.0 standard. This allows their customers to access their integrated Constant Contact account without having to sign in with a separate username and password.

Please contact your Constant Contact partner account manager to start the process required for setting up and testing SSO. 

SSO terms and roles

  • Service Provider (SP) - Constant Contact, which provides access to the user's Constant Contact account.
  • Identity Provider (IdP) - The Constant Contact partner, who is responsible for user authentication and authorization.

The Constant Contact SSO authentication sequence of events is as follows:

  1. User attempts to access their Constant Contact account.
  2. Constant Contact determines who the Identity Provider (IdP) is and issues an authentication request, redirecting the user's browser to the IdP, our partner that has implemented SSO with us.
  3. User authenticates to the IdP.
  4. The IdP issues a response to Constant Contact with the required user attributes.
  5. Constant Contact processes the response from the IdP.
  6. Constant Contact grants or denies access appropriately.

Identity Provider initiated SSO

The authentication sequence used in the Identity Provider initiated SSO is illustrated in the following diagram:

Service Provider initiated SSO

Constant Contact's SSO implementation currently only supports Identity Provider (IdP) initiated SSO, meaning the initial user authentication is performed by the Identity Provider (IdP) and not by the Service Provider (SP). 

SAML response requirements

The IdP makes SAML posts to the following Constant Contact SP URL: https://idfed.<env>.constantcontact.com/sp/ACS.saml2, where <env> defines the environment to differentiate between pre-production testing and production environments. We will provide you with the complete URL.

The IdP identifies itself to the SP using a SAML2 response. The digitally signed response must include the following parameters.

  • /Response/Issuer - The entity identifier of the IdP, a string that you, the IdP, provide to Constant Contact.
  • /Response/Assertion/Issuer - The entity identifier of the IdP within the Assertion body.
  • /Response/Assertion/Subject/NameID - Identifier for the authenticated principal (the external user ID that was generated when you created the Constant Contact Toolkit account).

    NOTE:
    We do not support transient identifiers.
  • Signing certificates - The SAML2 response must be digitally signed using a private key. The partner IdP needs to provide Constant Contact with the digital certificate (public key) of the private/public key pair used to sign the SAML response. Identity providers must provide Base64 encoded X.509 certificates for both pre-production and production environments, along with their expiration dates.
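
The requirements listed above can be checked on the IdP side before a response is posted. The following is an added example, not Constant Contact code: a structural pre-flight check in Python that confirms both Issuer elements, a non-transient NameID and a Response-level signature element are present. The entity ID https://idp.partner.example, the NameID value and the sample response are constructed for illustration, and the check does not verify the signature itself.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample (not a real response); the Signature element is an empty stub.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>https://idp.partner.example</saml:Issuer>
  <ds:Signature/>
  <saml:Assertion>
    <saml:Issuer>https://idp.partner.example</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">ext-user-0001</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def lint_response(xml_text, expected_issuer):
    """Return a list of problems (empty if none). Structure only, no signature verification."""
    problems = []
    root = ET.fromstring(xml_text)  # intended for your own IdP's output, not untrusted XML
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    for label, path in (("/Response/Issuer", "saml:Issuer"),
                        ("/Response/Assertion/Issuer", "saml:Assertion/saml:Issuer")):
        node = root.find(path, NS)
        value = (node.text or "").strip() if node is not None else None
        if value is None:
            problems.append(label + " is missing")
        elif value != expected_issuer:
            problems.append("%s is %r, expected %r" % (label, value, expected_issuer))
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("/Response/Assertion/Subject/NameID is missing or empty")
    elif name_id.get("Format") == TRANSIENT:
        problems.append("NameID uses the transient format, which is not supported")
    # The response itself must be signed, so look for ds:Signature directly under Response.
    if root.find("ds:Signature", NS) is None:
        problems.append("no ds:Signature element found on the Response")
    return problems

if __name__ == "__main__":
    print(lint_response(SAMPLE, "https://idp.partner.example"))
```

An empty list means the response has the required shape; whether the signature validates against the certificate you supplied is still decided by the SP.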
