SAML Single Sign-On (SSO) adds an extra layer of security to your Brevo account. Instead of signing in with a password, users are authenticated by a trusted external service (called an identity provider, or IDP) and gain access to Brevo automatically.

About SAML Single Sign-On (SSO) in Brevo

Which identity providers does Brevo support?

Brevo supports the following identity providers for SAML Single Sign-On (SSO):

Microsoft Entra ID (formerly Azure AD)
Okta
Auth0

A detailed procedure is included in this article for each provider.

How does the SAML SSO login flow work?

When a user logs in with SAML SSO, Brevo redirects them to their identity provider's login page. Once the user has authenticated, the IDP sends a confirmation back to Brevo, which then grants access without requiring a separate Brevo password.

💡 Good to know

Technically, Brevo initiates the authentication request using HTTP-Redirect Binding, which redirects the user's browser to the IDP. After successful authentication, the IDP returns the SAML response to Brevo via HTTP-POST Binding.

Who can access Brevo via SAML SSO?

Different setup options are available depending on who should access Brevo via SAML SSO. Expand the following accordions to learn more:

Admin account only (Enterprise)

Only the admin user can log in via SAML SSO. Sub-organization users continue using their passwords.

This setup is done from the Admin account. Follow the setup procedure for your identity provider and do not select the option Force sub-organization users to log in with master IDP at the end of the process.

Admin account and all sub-organizations (Enterprise)

Both the admin user and sub-organization users can log in via SAML SSO.

This setup is done from the Admin account. Follow the setup procedure for your identity provider and select the option Force sub-organization users to log in with master IDP at the end of the process.

Specific sub-organization (Enterprise)

SAML SSO is activated for a specific sub-organization, while the admin and other sub-organizations continue using passwords.

This setup is done directly from the sub-organization. Follow the setup procedure for your identity provider.

❗️ Important

Enabling SSO for multiple specific sub-organizations requires repeating the setup and creating a separate application for each sub-organization in your IDP. Note that not all identity providers may support this setup.

Standard Brevo account (Professional and Enterprise)

SAML SSO is activated for a standard Brevo account, allowing all users of that account to log in via SAML SSO.

This setup is done directly from the Brevo account. Follow the setup procedure for your identity provider.

Good to know

We recommend asking an IT administrator familiar with your identity provider to handle the SAML SSO configuration.
Setting up SAML SSO requires some back-and-forth between Brevo and your identity provider. Keep both platforms open in separate tabs, as you will need to copy and paste values between them during the process.
The screenshots in this article show the New Admin account interface. If your interface looks different, the process stays the same.

Activate SAML SSO in Brevo

First, activate SAML SSO in Brevo:

In Brevo, access the SAML SSO page. The path differs depending on whether you are accessing it from an Admin account or from a sub-organization or standard Brevo account.
- From an Admin account, go to Security > SAML.
- From a sub-organization or standard Brevo account, click the account dropdown and select Security > SAML.
Activate the Allow SAML Authentication option.

Set up your identity provider

The next steps vary depending on your identity provider. Select your identity provider below to view the corresponding setup instructions:

Create the Brevo application in Microsoft Entra ID

Create a new application for Brevo in your Microsoft Entra admin center:

Open a new tab in your browser and log in to your Microsoft Entra admin center.
In the navigation menu, go to Identity > Applications > Enterprise applications.
Click + New application.
Click + Create your own application.
Name the application (e.g., "Brevo").
Select Integrate any other application you don't find in the gallery (Non-gallery).
Click Create.

Assign users to the Brevo application in Microsoft Entra ID

Allow users to sign in to Brevo using SAML SSO by assigning them to the Brevo application in Microsoft Entra ID:

If you haven't done so already, create the users who will log into Brevo using SAML SSO in Microsoft Entra ID. To learn more, check Microsoft Entra's dedicated documentation.
In the navigation menu, go to Identity > Applications > Enterprise applications.
Select the Brevo application.
Go to Users and groups.
Select Add user/group.
Under Users and groups, click None Selected.
Select the users you want to assign to the Brevo application and click Select.
Under Select a role, click None Selected.
Select the role you want to assign to the users and click Select.
Click Assign.

❗️ Important

To access your Brevo account via SAML SSO, ensure that the user's email address is both added to Brevo and configured in Microsoft Entra.

Configure SAML SSO in Microsoft Entra ID

Set up SAML SSO within your Microsoft Entra application:

Go to Single sign-on.
Select SAML as the single sign-on method.
In the 1. Basic SAML Configuration section, click Edit.
In the Identifier (Entity ID) field, click Add identifier and enter:
https://account-app.brevo.com/account/
In the Reply URL (Assertion Consumer Service URL) field, click Add reply URL.
Copy the value from the Callback URL field in Brevo and paste it into the Reply URL (Assertion Consumer Service URL) field in Microsoft Entra ID.
Copy the value from the Login URL field in Brevo and paste it into the Sign on URL field in Microsoft Entra ID.
Click Save.
Close the side panel.

(Optional) Add Brevo's certification for stronger encryption

✅ Plan availability

The option to generate and download Brevo's certificate for stronger encryption is available on demand for Enterprise plans only. Contact your dedicated Customer Success Manager to request activation.

By default, Brevo's basic SAML SSO configuration supports one-way encryption. You can download Brevo's certificate to configure two-way encryption and improve security:

In Brevo, select the Generate and download Brevo's certificate for stronger encryption option.
Click Download Brevo's certification. A file named "public.cer" is downloaded on your computer.
In Microsoft Entra ID, click Edit next to Verification certificates under the 3. SAML Certificates section.
Select the Require verification certificates option.
Click Upload certificate.
From your computer, select Brevo's certification named "public.cer" and click OK.
Click Save.

Configure SAML SSO in Brevo

Back in Brevo, fill in the remaining fields using values from Microsoft Entra ID:

In the 3. SAML Certificates section in Microsoft Entra ID, copy the value from the App Federation Metadata Url field and paste it into the Metadata address field in Brevo.
In the 4. Set up [Application Name] section in Microsoft Entra ID, copy the value from the Login URL field and paste it into the Sign-on URL field in Brevo.
In the Entity ID field in Brevo, enter:
https://account-app.brevo.com/account/
In the Email fieldname field in Brevo, enter:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
In the User ID field in Brevo, enter:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

(Optional) Download Brevo's certification for stronger encryption

✅ Plan availability

The option to generate and download Brevo's certification for stronger encryption is available on demand for Enterprise plans only. Contact your dedicated Customer Success Manager to request activation.

By default, Brevo's basic SAML SSO configuration supports one-way encryption. You can download Brevo's certificate to configure two-way encryption and improve security:

Select the Generate and download Brevo's certificate for stronger encryption option.
Click Download Brevo's certification. A file named "public.cer" will be downloaded.

You will upload this file to Okta in a later step.

Create the Brevo application in Okta

Create a new application for Brevo in your Okta account:

Open a new tab in your browser and log in to your Okta account.
Click Admin to access the admin dashboard.
In the navigation menu, go to Applications > Applications.
Click Create App Integration.
Select SAML 2.0.
Click Next.
Name the application (e.g., "Brevo").
Click Next.

Configure SAML SSO in Okta

Link your Brevo account to the Okta application by entering the required values:

Copy the value from the Callback URL field in Brevo and paste it into the Single sign-on URL field in Okta.
In the Audience URI (SP Entity ID) field, enter:
https://account-app.brevo.com/account/
From the Application username dropdown, select Email.
Click Show Advanced Settings.
(Optional) From the Signature Certificate field, click Browse files and select the "public.cer" file you previously downloaded.

Under Attribute Statements, enter the following values:

Name	Name format	Value
email	Basic	user.email
login	Basic	user.login

Click Next.
Select I'm an Okta customer adding an internal app.
Click Finish.

Configure SAML SSO in Brevo

Back in Brevo, fill in the remaining fields using values from Okta:

From the Metadata details section in Okta, copy the value from the Metadata URL field and paste it into the Metadata Address field in Brevo.
To retrieve the certificate value:
1. In a new tab, paste the Metadata URL into your browser's address bar. A page of XML code will appear.
2. Find and copy the entire section starting from <ds:X509Certificate> to </ds:X509Certificate>, including both tags.
3. Paste the value you just copied into the Certificate field in Brevo.
From the Metadata details section in Okta, click More details.
Copy the value from the Sign on URL field in Okta and paste it into the Sign-on URL field in Brevo.
In the Entity ID field in Brevo, enter:
Entity
In the Email fieldname field in Brevo, enter:
email
In the User ID field in Brevo, enter:
login

Assign users to the Brevo application in Okta

To allow users to log in to Brevo using SAML SSO, you need to assign them to the Brevo application in Okta:

If you haven't done so already, create the users who will log into Brevo using SAML SSO in Okta. To learn more, check Okta's dedicated documentation.
In Okta, go to the Assignments tab.
Click Assign > Assign to People or Assign to Groups.
Select the people or group you want to assign to the Brevo application.
Click Done.

❗️ Important

To access your Brevo account via SAML SSO, ensure that the user's email address is both added to Brevo and configured in Okta.

Create the Brevo application in Auth0

Create a new application for Brevo in your Auth0 account:

Open a new tab in your browser and log in to your Auth0 account.
In the navigation menu, go to Applications > Applications.
Click + Create Application.
Name the application (e.g., "Brevo").
Choose Regular Web Applications as the application type.
Click Create.

Configure SAML SSO in Auth0

Link your Brevo account to the Auth0 application by entering the required URLs:

Go to the Settings tab.
Copy the value from the Login URL field in Brevo and paste it into the Application Login URI field in Auth0.
Copy the value from the Callback URL field in Brevo and paste it into the Allowed Callback URLs field in Auth0.
Click Save Changes.

(Optional) Add Brevo's certification to Auth0 for stronger encryption

✅ Plan availability

By default, Brevo's basic SAML SSO configuration supports one-way encryption. You can download Brevo's metadata to configure two-way encryption and improve security:

In Brevo, select the Generate and download Brevo's certificate for stronger encryption option.
Click Download Brevo's Metadata. A file named "metadata.xml" is downloaded on your computer.
In Auth0, go to the Addons tab.
Activate the SAML2 WEB APP add-on. The Addon: SAML2 Web App popup window opens.
Go to the Settings tab.
Delete the content of the Settings field.

Copy the following JSON and paste it in the Settings field:

{
  "signatureAlgorithm": "rsa-sha256",
  "digestAlgorithm": "sha256",
  "signResponse": true,
  "signingCert": "YOUR_CERTIFICATE_CONTENT"
}

Open the "metadata.xml" file in a text editor. Find and copy the entire section starting from <ds:X509Certificate> to </ds:X509Certificate>, including both tags.
Replace YOUR_CERTIFICATE_CONTENT in the JSON with the value you just copied.
Click Activate.
Close the Addon: SAML2 Web App popup window.

Assign users to the Brevo application in Auth0

By default, all users created in an Auth0 tenant are automatically assigned to the tenant's applications. You don't need to take any additional steps to assign users to the Brevo application.

However, if you haven't done so already, make sure you create the users who will log in to Brevo using SAML SSO in Auth0. To learn more, check Auth0's dedicated documentation.

❗️ Important

To access your Brevo account via SAML SSO, ensure that the user's email address is both added to Brevo and configured in Auth0.

Configure SAML SSO in Brevo

Retrieve the required values from Auth0 and enter them in Brevo:

In Auth0, go to the Settings tab.
Scroll to the bottom of the page and expand the Advanced Settings section.
Go to the Endpoints tab.
Copy the value from the SAML Protocol URL field in Auth0 and paste it into the Sign-on URL field in Brevo.
Copy the value from the SAML Metadata URL field in Auth0 and paste it into the Metadata Address field in Brevo.
In the Entity ID field in Brevo, enter:
https://account-app.brevo.com/account/
In the Email fieldname field in Brevo, enter:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
In the User ID field in Brevo, enter:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

(Optional) Activate SAML SSO for sub-organization users

💡 Good to know

The option to activate SAML SSO for sub-organization users is available only from an Admin account.

By default, SAML SSO is activated only for Admin users. Sub-organization users need to log in to Brevo via the standard Brevo login page using their regular credentials.

To activate SAML SSO for sub-organization users as well, select the Force sub-organization users to login with master IDP option.

(Optional) Exempt specific users from using SAML SSO

💡 Good to know

The user who configured SAML SSO is automatically added to the Exempted users list. You can remove them by clicking the bin icon next to their name if needed.

Exempt specific users from the requirement to use SAML SSO to log in. Exempted users can log in with either SAML SSO or their email and password, which is useful as a safety net if your identity provider experiences an outage.

Under Fallback Access Control, click the Search and select users to exempt dropdown.
Find and select the user you want to exempt.
Click Add. The user appears in the Exempted users list.
Click Save the settings.

Verify your SAML configuration

After completing the setup, click Verify to check your configuration:

✅ If your SAML configuration works, click Save the settings.
❌ If your SAML configuration doesn't work, review each step of the configuration and re-verify.

SAML SSO is now active on your Brevo account. Users can log in via the SSO login page.

⏭️ What's next?

🤔 Have a question?

If you have a question, feel free to contact our support team by creating a ticket from your account. If you don't have an account yet, you can contact us here.

If you’re looking for help with a project using Brevo, we can match you with the right certified Brevo Agency partner.

Configure SAML Single Sign-On (SSO) with Brevo

About SAML Single Sign-On (SSO) in Brevo

Which identity providers does Brevo support?

How does the SAML SSO login flow work?

Who can access Brevo via SAML SSO?

Good to know

Activate SAML SSO in Brevo

Set up your identity provider

Create the Brevo application in Microsoft Entra ID

Assign users to the Brevo application in Microsoft Entra ID

Configure SAML SSO in Microsoft Entra ID

(Optional) Add Brevo's certification for stronger encryption

Configure SAML SSO in Brevo

(Optional) Download Brevo's certification for stronger encryption

Create the Brevo application in Okta

Configure SAML SSO in Okta

Configure SAML SSO in Brevo

Assign users to the Brevo application in Okta

Create the Brevo application in Auth0

Configure SAML SSO in Auth0

(Optional) Add Brevo's certification to Auth0 for stronger encryption

Assign users to the Brevo application in Auth0

Configure SAML SSO in Brevo

(Optional) Activate SAML SSO for sub-organization users

(Optional) Exempt specific users from using SAML SSO

Verify your SAML configuration

⏭️ What's next?

🤔 Have a question?

💬 Was this article helpful?

Search

Configure SAML Single Sign-On (SSO) with Brevo

About SAML Single Sign-On (SSO) in Brevo

Which identity providers does Brevo support?

How does the SAML SSO login flow work?

Who can access Brevo via SAML SSO?

Good to know

Activate SAML SSO in Brevo

Set up your identity provider

Create the Brevo application in Microsoft Entra ID

Assign users to the Brevo application in Microsoft Entra ID

Configure SAML SSO in Microsoft Entra ID

(Optional) Add Brevo's certification for stronger encryption

Configure SAML SSO in Brevo

(Optional) Download Brevo's certification for stronger encryption

Create the Brevo application in Okta

Configure SAML SSO in Okta

Configure SAML SSO in Brevo

Assign users to the Brevo application in Okta

Create the Brevo application in Auth0

Configure SAML SSO in Auth0

(Optional) Add Brevo's certification to Auth0 for stronger encryption

Assign users to the Brevo application in Auth0

Configure SAML SSO in Brevo

(Optional) Activate SAML SSO for sub-organization users

(Optional) Exempt specific users from using SAML SSO

Verify your SAML configuration

⏭️ What's next?

🤔 Have a question?

💬 Was this article helpful?