Partners: Single Sign-on (SSO) (Beta) [INTERNAL ONLY]

Article: 000054082
Updated: September 9, 2025

Configure your Constant Contact partner account with Identity Provider (IdP) credentials to enable Single Sign-on for your Partner account

Internal Only: Do not send to customers.

 


 

Single Sign-on (SSO) makes logging into your third-party platforms, like Constant Contact, easier because you're able to authenticate your login credentials through a central domain, reducing the number of usernames and passwords needed to perform daily tasks. Partners who use SSO can enable their Constant Contact account to use existing user credentials to log into sub-accounts. 

 


Understand the SSO flow using OpenID Connect (OIDC)

Constant Contact uses OpenID Connect (OIDC) as an identity authentication protocol to authenticate and authorize users for SSO. OIDC is built on top of the OAuth 2.0 framework and uses JSON Web Tokens (JWT) to transfer data between two parties. Here is the basic flow:

  1. The user navigates to the login page for the application/Relying Party (RP), in this case Constant Contact.
  2. Constant Contact requests the authorization code from the IdP.
  3. Constant Contact redirects the user to the IdP to enter their login credentials.
  4. The user enters their SSO login credentials and provides consent to the IdP.
  5. The IdP provides an authorization code to Constant Contact.
  6. Constant Contact makes a call to the IdP with the authorization code and the client secret.
  7. The IdP validates the authorization code and application credentials.
  8. The IdP issues an access token and identity token and it returns them to Constant Contact.
  9. The user is allowed access to Constant Contact.

    SSO flow chart

For more information on how OpenID Connect works, please see the OpenID developers site.
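
The messages behind steps 2 to 6 of the flow above, written out from the Relying Party's side. This is an added example, not Constant Contact's code; the endpoint, client ID and redirect URI are constructed placeholders, and the `state` and `nonce` parameters come from the OIDC specification rather than from this article.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders (assumptions, not real Constant Contact or IdP values).
AUTHORIZE_URL = "https://idp.example.com/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://rp.example.com/sso/callback"


def build_authorization_request(session):
    """Steps 2-3: URL the RP redirects the browser to at the IdP."""
    session["state"] = secrets.token_urlsafe(32)  # ties the callback to this session
    session["nonce"] = secrets.token_urlsafe(32)  # must reappear in the ID token
    query = urlencode({
        "response_type": "code",
        "scope": "openid",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": session["state"],
        "nonce": session["nonce"],
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url):
    """Step 5: accept the authorization code only if state matches the session."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError(f"IdP returned error: {params['error'][0]}")
    expected = session.pop("state", None)  # single use, so a replayed callback fails
    returned = params.get("state", [""])[0]
    if expected is None or not secrets.compare_digest(expected.encode(), returned.encode()):
        raise ValueError("state mismatch: callback is not bound to this session")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]


def build_token_request(code, client_secret):
    """Step 6: form body the RP POSTs server-to-server to the Token URL."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the value sent in step 3
        "client_id": CLIENT_ID,
        "client_secret": client_secret,  # never sent through the browser
    }
```

The client secret appears only in the back-channel token request, which is why it is entered once in the SSO configuration and never exposed to the user's browser.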

 

Common IdPs that support OpenID Connect (OIDC)

Each Identity Provider (IdP) that supports OIDC has a Discovery URL where their various OIDC URLs are stored and can be retrieved by an application for enabling SSO. When setting up SSO through Constant Contact, you need:

  • The OIDC Discovery URL - When you configure OIDC within your Constant Contact account and enter this URL, the following URLs auto-populate for you.
  • The Authorize URL
  • The Token URL
  • The Issuer URL
  • The JWKS URL
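
A check worth running on a discovery document before trusting the four values it auto-populates: the issuer must correspond to the discovery URL it was fetched from, and every endpoint must be an absolute HTTPS URL. This is an added example, not Constant Contact's code; the metadata field names are the standard OIDC Discovery ones, and the sample URL and document are constructed.

```python
from urllib.parse import urlsplit

# Standard OIDC discovery metadata field -> label used in the SSO form.
FIELDS = {
    "authorization_endpoint": "Authorize URL",
    "token_endpoint": "Token URL",
    "issuer": "Issuer",
    "jwks_uri": "JWKS URL",
}


def validate_discovery(discovery_url, document):
    """Return the four form values, or raise ValueError if the document is unsafe."""
    base, marker, _ = discovery_url.partition("/.well-known/")
    if urlsplit(discovery_url).scheme != "https" or not marker:
        raise ValueError("discovery URL must be https and contain /.well-known/")
    missing = [k for k in FIELDS if not isinstance(document.get(k), str)]
    if missing:
        raise ValueError(f"missing metadata: {', '.join(missing)}")
    # The issuer must be the URL the discovery path was appended to
    # (some IdPs publish the issuer with a trailing slash, so ignore it).
    if document["issuer"].rstrip("/") != base.rstrip("/"):
        raise ValueError("issuer does not match the discovery URL")
    for key in FIELDS:
        parts = urlsplit(document[key])
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"{key} is not an absolute https URL")
    return {label: document[key] for key, label in FIELDS.items()}


# Constructed sample input (not a real IdP).
SAMPLE_URL = "https://idp.example.com/tenant1/.well-known/openid-configuration"
SAMPLE_DOC = {
    "issuer": "https://idp.example.com/tenant1",
    "authorization_endpoint": "https://idp.example.com/tenant1/authorize",
    "token_endpoint": "https://idp.example.com/tenant1/token",
    "jwks_uri": "https://idp.example.com/tenant1/keys",
}

if __name__ == "__main__":
    for label, value in validate_discovery(SAMPLE_URL, SAMPLE_DOC).items():
        print(f"{label}: {value}")
```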

 

Here is a list of the most common IdPs and their Discovery URLs. If you don't see your IdP listed, please contact them to obtain the Discovery URL. The Discovery URL is often customized with your unique domain.

Identity Provider | OIDC Discovery URL
Amazon Cognito | https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/openid-configuration
Apple ID | https://appleid.apple.com/.well-known/openid-configuration
Auth0 | https://{yourDomain}/.well-known/openid-configuration
Cisco Duo | https://sso-abc1def2.sso.duosecurity.com/oauth/DIABC123678901234567/.well-known/oauth
Facebook Login | No discovery URL — custom flow with OIDC-like behavior
Frontegg | https://[your-frontegg-subdomain].frontegg.com/.well-known/openid-configuration
Google Workspace | https://accounts.google.com/.well-known/openid-configuration
JumpCloud | https://oauth.id.jumpcloud.com/.well-known/openid-configuration
Keycloak | https://{host}/auth/realms/{realm}/.well-known/openid-configuration
LoginRadius | https://cloud-api.loginradius.com/sso/oidc/v2/{sitename}/{oidcappname}/.well-known/openid-configuration
Microsoft Entra (formerly Azure Active Directory) | https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration
Okta | https://{yourOktaDomain}/.well-known/openid-configuration
Onelogin | https://{yourDomain}.onelogin.com/oidc/2/.well-known/openid-configuration
Ping Identity | https://{env-id}.pingidentity.com/as/.well-known/openid-configuration
SecureAuth | https://.../secureauth1/.well-known/openid-configuration
WorkOS | https://.authkit.app/.well-known/openid-configuration

 

Enable and configure SSO

An Identity Provider (IdP), like Auth0, Cisco Duo, Microsoft Entra, Okta, PingOne, etc., is needed in order to enable SSO.

  1. In the MY ORGANIZATION menu on the left-hand side, click Accounts > Billing & settings.
  2. In the Single sign-on section, click the Configure SSO button.

    My Organization menu with Accounts menu expanded and Billing and Settings option selected, Billing and settings dashboard with Single sign-on section and Configure SSO button selected

  3. In the OIDC Connect Configuration overlay, enter your OIDC discovery URL into the field. This URL is provided by your IdP. Users are redirected to this URL to begin the SSO process. (See the list of IdPs above to find your Authorize URL.)
  4. Click the Get Configuration button. Once the Authorize URL is added, the Authorize URL, Token URL, Issuer, and JWKS URL auto-populate for you.
  5. Enter your Client ID into the field. Your ID is issued by your IdP to identify your organization.
  6. Enter your Client secret into the field. This is a type of password that is shared with an authorized application, like Constant Contact, that proves to the IdP that it has permission to access the information for SSO.
  7. Click the Configure SSO button.

    Configure Single Sign-on (SSO) overlay with OIDC discovery URL field and Get Configuration button, and Authorize URL (Required) field, Token URL (Required) field, Issuer (Required) field, JWKS URL (Required) field, Client ID (Required) field, Client secret (Required) field, and Configure SSO button

 

View, edit, or disable your SSO configuration

Once SSO is enabled for your Constant Contact account, you're able to edit your credentials if you switch to a different IdP, or disable SSO if you want to stop using it. SSO can always be re-enabled later. In addition, if you need a redirect URL to add to your IdP, or need to copy your Login URL or IdP name, you can do that too.

  1. In the MY ORGANIZATION menu on the left-hand side, click Accounts > Billing & Settings.
  2. In the Single sign-on section, click the View & Manage button.

    MY ORGANIZATION menu with Accounts menu expanded and Billing & Settings option selected, Billing & Settings page Single sign-on section and View & Manage button 

  3. (Optional) Copy the Redirect URL to add it to your IdP's OAuth settings so that your IdP can communicate with Constant Contact during the authentication process. The need for the redirect URL depends on which authorization protocols your organization is using to verify the identity of another party.
  4. In the OIDC IdP Configuration overlay, click one of the following options:
  • The Edit button - This lets you enter a new OIDC discovery URL. The Authorize URL, Token URL, Issuer, and JWKS URL update automatically based on the discovery URL.
  • The Close button - This closes the OIDC IdP Configuration overlay without making any changes.
  • The Disable option - This doesn't delete the OIDC IdP Configuration options, but it prevents SSO; you can always enable it again later and make changes if you need to. You must type "confirm" into the field and then click the Disable SSO button to complete the action.

    OIDC IdP Configuration overlay with copy icons for Login URL, IdP name, and Redirect URL fields, and Disable link, Edit button, and Close button

 

Any links we provide from non-Constant Contact sites or information about non-Constant Contact products or services are provided as a courtesy and should not be construed as an endorsement by Constant Contact.

 

