Brevo supports SAML (Security Assertion Markup Language), which allows you and your users to log into Brevo via SSO (Single Sign-On) and access your Admin account and sub-organizations using only one set of credentials.
Good to know
- We recommend you ask an IT administrator with experience with your identity provider to handle this configuration process.
- Enabling SAML SSO authentication requires some back-and-forth between Brevo and your identity provider. Make sure you keep both platforms open in separate tabs, as you'll be copying and pasting values between them at some point.
ℹ️ About SAML SSO with Brevo
SAML SSO improves security for you and your customers, adding an extra layer of protection to your Brevo account. Users are authenticated by a trusted third-party identity provider and Brevo is accessible to them with a secure token.
Brevo supports the configuration of SAML SSO with the following identity providers: Microsoft Entra ID (formerly known as Azure AD), Okta, and Auth0.
To log in to the IDPs, Brevo uses the HTTP-Redirect Binding method for the authentication request from Brevo to the IDP.
In response from the IDPs, Brevo supports only the HTTP-POST Binding method for the authentication response from the IDP to Brevo after authentication is complete.
In Brevo, SAML SSO configuration varies depending on the intended users:
- Enable it for Admins only or for both Admins and all sub-organizations from the Admin account, or
- Configure it individually for specific sub-organizations directly within each one.
🛠️ Configure SAML SSO with Brevo
The configuration for SAML SSO varies depending on your identity provider. Use the following tabs to view instructions for Microsoft Entra ID, Okta, or Auth0:
Step 1: Enable SAML SSO in Brevo
To enable SAML SSO in Brevo and retrieve the values needed to configure it:
- Log into the Brevo Admin account or sub-organization you want to configure SAML SSO for.
- Click your account name and go to Security > SAML.
- Enable the Allow SAML Authentification toggle.
Step 2: (Optional) Download Brevo's certificate for stronger encryption
By default, Brevo's basic SAML SSO configuration allows for one-way encryption. However, you can enhance security by enabling two-way encryption using Brevo's certificate:
- In Brevo, select the Generate and download Brevo's certificate for stronger encryption option.
- Click Download Brevo's certification. A file named "public.cer" is downloaded on your computer.
You will upload this file into Microsoft Entra ID during step 6.
Step 3: Create the Brevo application in Microsoft Entra ID
Start by creating a new application for Brevo in your Microsoft Entra admin center:
- Open a new tab in your browser and log into your Microsoft Entra admin center.
-
In the navigation menu, go to Identity > Applications > Enterprise applications.
-
Click + New application.
-
Click + Create your own application.
- Name the application (e.g., "Brevo").
- Select Integrate any other application you don't find in the gallery (Non-gallery).
- Click Create.
Step 4: Assign users to the Brevo application in Microsoft Entra ID
To allow users to log into Brevo using SAML SSO, you need assign them to the Brevo application in Microsoft Entra ID:
- If you haven't done so already, create the users who will log into Brevo using SAML SSO in Microsoft Entra ID. To learn more, check Microsoft Entra's dedicated documentation.
- In the navigation menu, go to Identity > Applications > Enterprise applications.
- Select the Brevo application.
- Go to Users and groups.
- Select Add user/group.
- Under Users and groups, click None Selected.
- Select the users that you want to assign to the Brevo application and click Select.
- Under Select a role, click None Selected.
- Select the role that you want to assign to the users and click Select.
- Click Assign to assign the users to the Brevo application.
Step 5: Configure SAML SSO in Microsoft Entra ID
Now, enable and configure SAML SSO in Microsoft Entra ID:
- Go to Single sign-on.
- Select SAML as the single sign-on method.
-
In the 1. Basic SAML Configuration section, click Edit.
- In the Identifier (Entity ID) field in Microsoft Entra ID, click Add identifier and enter:
https://account-app.brevo.com/account/
- In the Reply URL (Assertion Consumer Service URL) field in Microsoft Entra ID, click Add reply URL.
- Copy the value from the Callback URL field in Brevo and paste it into the Reply URL (Assertion Consumer Service URL) field in Microsoft Entra ID.
- Copy the value from the Login URL field in Brevo and paste it into the Sign on URL field in Microsoft Entra ID.
- Click Save.
- Close the side panel.
Step 6. (Optional) Upload Brevo's certificate into Microsoft Entra ID
If you have previously downloaded Brevo's certificate, you can upload it to Microsoft Entra ID:
- In the 3. SAML Certificates section, click Edit next to Verification certificates.
- Select the Require verification certificates option.
- Click Upload certificate.
- From your computer, select Brevo's certificate named "public.cer" and click OK.
- Click Save.
Step 7: Configure SAML SSO in Brevo
Now, enable and configure SAML SSO in Brevo:
- In the 3. SAML Certificates section in Microsoft Entra ID, copy the value from the App Federation Metadata Url field and paste it into the Metadata address field in Brevo.
- In the 4. Set up [Application Name] section in Microsoft Entra ID, copy the value from the Login URL field and paste it into the Sign-on URL field in Brevo.
- In the Entity ID field in Brevo, enter:
https://account-app.brevo.com/account/
- In the Email fieldname field in Brevo, enter:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- In the User ID field in Brevo, enter:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Step 8: (Optional) Enable SAML SSO for sub-organization users in Brevo
By default, SAML SSO is enabled only for Admin users while sub-organization users need to log into Brevo via the standard Brevo login page using their regular credentials.
To enable SAML SSO for sub-organization users as well, select the Force sub-organization users to login with master IDP option.
Step 9: Verify your SAML configuration
After configuring SAML SSO, click Verify to check your configuration:
- ✅ If your SAML configuration works, click Save the settings.
- ❌ If your SAML configuration doesn't work, review each step of the configuration and re-verify.
You've enabled SAML SSO authentication on your Brevo account. Now, users can log into the Admin account and sub-organizations from the SSO login page.
After logging in, they will be directed to the Switch to account page. Here, they can select an Admin account or sub-organization for which they are an owner or user. |
Step 1: Enable SAML SSO in Brevo
To enable SAML SSO in Brevo and retrieve the values needed to configure it:
- Log into the Brevo Admin account or sub-organization you want to configure SAML SSO for.
- Click your account name and go to Security > SAML.
- Enable the Allow SAML Authentification toggle.
Step 2: (Optional) Download Brevo's certificate for stronger encryption
By default, Brevo's basic SAML SSO configuration allows for one-way encryption. However, you can enhance security by enabling two-way encryption using Brevo's certificate:
- Check the Generate and download Brevo's certificate for stronger encryption box.
- Click Download Brevo's certification. A file named "public.cer" will be downloaded.
You will upload this file onto Okta during step 4.
Step 3: Create the Brevo application in Okta
Create a new application for Brevo in your Okta account:
- Open a new tab in your browser and log into your Okta account.
- Click Admin to access the admin dashboard.
-
In the navigation menu, go to Applications > Applications.
-
Click Create App Integration.
- Select SAML 2.0.
- Click Next.
- Name the application (e.g., "Brevo").
- Click Next.
Step 4: Configure SAML SSO in Okta
Now, configure SAML SSO in Okta:
- Copy the value from the Callback URL field in Brevo and paste it into the Single sign on URL field in Okta.
- In the Audience URI (SP Entity ID) field, enter:
https://account-app.brevo.com/account/
- From the Application username dropdown, select Email.
- Click Show Advanced Settings.
- (Optional) From the Signature Certificate field, click Browse files and select the "public.cer" file that corresponds to Brevo's certificate that you previously downloaded.
- Under Attribute Statements, enter the following values:
Name Name format Value email Basic user.email login Basic user.login - Click Next.
- Select I'm an Okta customer adding an internal app.
- Click Finish.
Step 5: Configure SAML SSO in Brevo
Now, configure SAML SSO in Brevo:
- From the Metadata details section in Okta, copy the value from the Metadata URL field and paste it into the Metadata Address field in Brevo.
- To retrieve the certificate value:
- In a new tab, paste this same Metadata URL into your browser's search bar.
- Copy the value between the
<ds:X509Certificate>
opening tag and</ds:X509Certificate>
closing tag. - Paste this value into the Certificate field in Brevo.
- From the Metadata details section in Okta, click More details.
- Copy the value from the Sign on URL field in Okta and paste it into the Sign-on-URL field in Brevo.
- In the Entity ID field in Brevo, enter:
Entity
- In the Email fieldname field in Brevo, enter:
email
- In the User ID field in Brevo, enter:
login
Step 6: Assign users to the Brevo application in Okta
To allow users to log into Brevo using SAML SSO, you need to create and assign them to the Brevo application:
- If you haven't done so already, create the users who will log into Brevo using SAML SSO in Okta. To learn more, check Okta's dedicated documentation.
- In Okta, go to the Assignments tab.
- Click Assign > Assign to People or Assign to Groups.
- Select the people or group you want to assign to the Brevo application.
- Click Done.
Step 7: (Optional) Enable SAML SSO for sub-organization users in Brevo
By default, SAML SSO is enabled only for Admin users while sub-organization users need to log into Brevo via the default Brevo login page using their standard Brevo credentials.
To enable SAML SSO for sub-organization users as well, select the Force sub-organization users to login with master IDP option.
Step 8: Verify your SAML configuration
After configuring SAML SSO, click Verify to check your configuration:
- ✅ If your SAML configuration works, click Save the settings.
- ❌ If your SAML configuration doesn't work, review each step of the configuration and re-verify.
You've enabled SAML SSO authentication on your Brevo account. Now, users can log into the Admin account and sub-organizations from the SSO login page.
After logging in, they will be directed to the Switch to account page. Here, they can select an Admin account or sub-organization for which they are an owner or user. |
Step 1: Enable SAML SSO in Brevo
To enable SAML SSO in Brevo and retrieve the values needed to configure it:
- Log into the Brevo Admin account or sub-organization you want to configure SAML SSO for.
- Click your account name and go to Security > SAML.
- Enable the Allow SAML Authentification toggle.
Step 2: Create the Brevo application in Auth0
Start by creating a new application for Brevo in your Auth0 account:
- Open a new tab in your browser and log into your Auth0 account.
-
In the navigation menu, go to Applications > Applications.
-
Click + Create Application.
- Name the application (e.g., "Brevo").
- Choose Regular Web Applications as the application type.
- Click Create.
Step 3: Configure SAML SSO in Auth0
Now, configure SAML SSO in Auth0:
- Go to the Settings tab.
- Copy the value from the Login URL field in Brevo and paste it into the Application Login URI field in Auth0.
- Copy the value from the Callback URL field in Brevo and paste it into the Allowed Callback URLs field in Auth0.
- Click Save Changes.
Step 4: (Optional) Add Brevo's certificate to Auth0 for stronger encryption
By default, Brevo's basic SAML SSO configuration allows for one-way encryption. However, you can enhance security by enabling two-way encryption using Brevo's certificate:
- Go to the Addons tab.
- Enable the SAML2 WEB APP add-on. The Addon: SAML2 Web App popup window opens.
- Go to the Settings tab.
- Delete the content of the Settings field and enter:
{
"signatureAlgorithm": "rsa-sha256", "digestAlgorithm": "sha256",
"signResponse": true,
"signingCert": "-----BEGIN CERTIFICATE-----\nMIID0zCCArugAwIBAgIUWnc/gwEE4bgMR2jZtbLUadQkw8YwDQYJKoZIhvcNAQEL\nBQAwgZExCzAJBgNVBAYTAkZSMQ4wDAYDVQQIDAVQYXJpczEOMAwGA1UEBwwFUGFy\naXMxDjAMBgNVBAoMBUJyZXZvMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEaMBgGA1UE\nAwwRaHR0cHM6Ly9icmV2by5jb20xIDAeBgkqhkiG9w0BCQEWEWNvbnRhY3RAYnJl\ndm8uY29tMB4XDTI0MDIxNTA4MzcyM1oXDTI1MDIxNDA4MzcyM1owgZExCzAJBgNV\nBAYTAkZSMQ4wDAYDVQQIDAVQYXJpczEOMAwGA1UEBwwFUGFyaXMxDjAMBgNVBAoM\nBUJyZXZvMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEaMBgGA1UEAwwRaHR0cHM6Ly9i\ncmV2by5jb20xIDAeBgkqhkiG9w0BCQEWEWNvbnRhY3RAYnJldm8uY29tMIIBIjAN\nBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuWTEstrogfZzkdTfmLqGTT6tKSMX\n8XnFo7biV9JLeChC3YWQV27xhKAR13On3xqM2h2qKWnQXyEyst163BvCM9OjpIwL\npodO4N77YYnUwdZVpLLitLB5x4Ge5O8RRyvw6bqyor+7mMp5bkOboDiOHwpi7iAq\n/tIRo55WcoIK9uCgYawUtxnZ1SE/aqWBdde1XjZdksvmY+UuNrMdnQEivIQQ6A/N\n9lfDeRv5yhFcqs/qD1zKtIIGQxQTtVL9j02ilD1wS6sU1AB29SGUqXFhFyIAvWBF\nTQ+HkgzKwK+MFOOi5sn9zffxKLJ4cl3sU68FeB7A/5kwyME3k9TWqOWEnwIDAQAB\noyEwHzAdBgNVHQ4EFgQU+5B8O9oUfjvSc/nGQ+j2q9bc6vowDQYJKoZIhvcNAQEL\nBQADggEBAKvvRQvorLCW9b1ze9QlkrmbSE5ZxW6icCY/FI/lOnNDxlUatjLwPysM\noF6Zx6udMaGcyTol0P96I+PbPedQL8N6pRis8VsBQhPbR8LxLeljjLjFid0sIa9k\nCjxLzYhS2GhPjxl2NAa8dpuQg+JxT9SonLCN239MOeK9eOgu6c8dO0z0A4VLSK5l\nNrx3fapkunxBWufFBhiiStmDJskOb35DeqlAz6pmk78Wl60gvuJtYLGBMUVbq60b\ncSZsge7z5z6W4Gx9evU2qcNdn18efvaM4Eox1VSregFmOc4ZEeKQYbKsWnGTlqn2\ncj7+9nZSzJuRsaw8Aimti/yOLhV1VxY=\n-----END CERTIFICATE-----"
} - Click Enable.
- Close the Addon: SAML2 Web App popup window.
Step 5: Assign users to the Brevo application in Auth0
By default, all users created in an Auth0 tenant are automatically assigned to the tenant's applications. Therefore, you don't need to take any additional steps to assign users to the Brevo application.
However, if you haven't done so already, make sure you create the users who will log into Brevo using SAML SSO in Auth0. To learn more, check Auth0's dedicated documentation.
Step 6: Configure SAML SSO in Brevo
Now, configure SAML SSO in Brevo:
- In Auth0, go to the Settings tab.
- Scroll down to the bottom of the page and expand the Advanced Settings section.
- Go to the Endpoints tab.
- Copy the value from the SAML Protocol URL field in Auth0 and paste it into the Sign-on-URL field in Brevo.
- Copy the value from the SAML Metadata URL field in Auth0 and paste it into the Metadata Address field in Brevo.
- In the Entity ID field in Brevo, enter:
https://account-app.brevo.com/account/
- In the Email fieldname field in Brevo, enter:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- In the User ID field in Brevo, enter:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Step 7: (Optional) Enable SAML SSO for sub-organization users in Brevo
By default, SAML SSO is enabled only for Admin users while sub-organization users need to log into Brevo via the default Brevo login page using their regular Brevo credentials.
To enable SAML SSO for sub-organization users as well, select the Force sub-organization users to login with master IDP option.
Step 8: Verify your SAML configuration
After configuring SAML SSO, click Verify to check your configuration:
- ✅ If your SAML configuration works, click Save the settings.
- ❌ If your SAML configuration doesn't work, review each step of the configuration and re-verify.
You've enabled SAML SSO authentication on your Brevo account. Now, users can log into the Admin account and sub-organizations from the SSO login page.
After logging in, they will be directed to the Switch to account page. Here, they can select an Admin account or sub-organization for which they are an owner or user. |
⏭️ What's next?
- What is sub-organizations management?
- Add and manage users from your Admin account
- Authorize IP addresses for API calls to improve security
🤔 Have a question?
If you have a question, feel free to contact our support team by creating a ticket from your account. If you don't have an account yet, you can contact us here.
If you’re looking for help with a project using Brevo, we can match you with the right certified Brevo expert partner.