Configure your partner account to use Single Sign On (SSO).

Approved Constant Contact technology partners reselling Constant Contact accounts can integrate with Constant Contact’s Single Sign On (SSO) solution. SSO uses SAML 2.0 standards and allows a partner’s customers to access their integrated Constant Contact account without having to sign in with a separate username and password.

Please contact your Constant Contact partner account manager to start the process required for setting up and testing SSO. An API support engineer will assist you with setting up SSO.

Roles

  • Service Provider (SP) - Constant Contact, which provides access to the user's Constant Contact account.

  • Identity Provider (IdP) - The Constant Contact Partner responsible for user authentication and authorization.

Types

  • Identity Provider Initiated SSO - also known as Unsolicited Web SSO. The IdP initiates the federation process by sending an unsolicited SAML Response to the SP.

  • Service Provider Initiated SSO - the SP generates an AuthnRequest that is sent to the IdP as the first step in the Federation process, and the IdP then responds with a SAML Response.

Authentication

Constant Contact’s SSO implementation uses Identity Provider (IdP) initiated SSO, meaning the initial user interaction is performed by the IdP (the Partner) and not by the SP (Constant Contact).

The Constant Contact SSO authentication sequence of events is as follows:

  1. The user authenticates to the IdP.
  2. The IdP issues a response to Constant Contact with the required user attributes.
  3. Constant Contact processes the response from the IdP.
  4. Constant Contact grants or denies access appropriately.


SAML Response Requirements

The IdP makes SAML posts to the following Constant Contact SP URL: https://identity.constantcontact.com/sso/saml2?RelayState=https://login.{env}.constantcontact.com/login/idp-redirect

Here, {env} identifies the environment, distinguishing pre-production testing from production. Constant Contact provides you with the complete URL.

The IdP identifies itself to the SP using a SAML2 response. The digitally signed XML response must include the following elements.

  • /Response:Destination - the Assertion Consumer Service URL that Constant Contact provides. For example: http://{env}.identity.constantcontact.com/sso/saml2

  • /Response/Issuer - the entity identifier of the IdP, a string that you (the IdP) provide to Constant Contact. This is usually the partner name.

  • /Response/Assertion/Issuer - The entity identifier of the IdP within the Assertion body.

  • /Response/Assertion/Subject/NameID - Identifier for the authenticated principal (the external user id that was generated when you created the Constant Contact Technology Partner client account). Transient identifiers are not supported.

  • Signing certificates - The SAML2 response must be digitally signed using a private key. The partner IdP needs to provide Constant Contact with the digital certificate/public key of the private/public key pair used to sign the SAML response. The IdP needs to provide Base64 encoded X.509 certificates for pre-production and production environments, along with their expiration dates.
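A pre-flight check that an IdP team could run against its own generated response to confirm the elements listed above are present, as an added example that is not Constant Contact's code. The sample XML, the sp.example.test URL, the issuer and the NameID value are constructed placeholders; the check covers structure only and does not validate the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
ACS_URL = "https://sp.example.test/sso/saml2"   # placeholder for the URL you are given
IDP_ENTITY_ID = "example-partner"               # placeholder entity identifier

# Constructed, trimmed response (no Status, ID or real signature value).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://sp.example.test/sso/saml2">
 <saml:Issuer>example-partner</saml:Issuer>
 <ds:Signature/>
 <saml:Assertion>
  <saml:Issuer>example-partner</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">ext-user-0001</saml:NameID>
  </saml:Subject>
 </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, destination=ACS_URL, issuer=IDP_ENTITY_ID):
    """Return structural problems ([] if none). Checks signature presence, not validity."""
    root = ET.fromstring(xml_text)  # parses the IdP's own output, not untrusted input
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    problems = []
    if root.get("Destination") != destination:
        problems.append("Destination does not match the ACS URL")
    if root.findtext("saml:Issuer", "", NS).strip() != issuer:
        problems.append("/Response/Issuer missing or unexpected")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    if assertion.findtext("saml:Issuer", "", NS).strip() != issuer:
        problems.append("/Response/Assertion/Issuer missing or unexpected")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("Subject/NameID missing or empty")
    elif name_id.get("Format") == TRANSIENT:
        problems.append("NameID uses the unsupported transient format")
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("no ds:Signature on Response or Assertion")
    return problems

if __name__ == "__main__":
    print(check_response(SAMPLE))
```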

Sample Certificate

-----BEGIN CERTIFICATE-----
(Base64-encoded X.509 certificate body)
-----END CERTIFICATE-----