Configure SAML Single Sign-On (SSO) with Brevo

💡 Good to know
SAML SSO is only available on an Enterprise plan. For more information, check our website or get in touch with our Sales team.

Brevo supports SAML (Security Assertion Markup Language), which allows you and your users to log into Brevo via SSO (Single Sign-On) and access your Admin account and sub-organizations using only one set of credentials. 

Good to know

  • We recommend you ask an IT administrator with experience with your identity provider to handle this configuration process.
  • Enabling SAML SSO authentication requires some back-and-forth between Brevo and your identity provider. Make sure you keep both platforms open in separate tabs, as you'll be copying and pasting values between them at some point.

ℹ️ About SAML SSO with Brevo

SAML SSO improves security for you and your customers, adding an extra layer of protection to your Brevo account. Users are authenticated by a trusted third-party identity provider and Brevo is accessible to them with a secure token.

Which identity providers does Brevo support?

Brevo supports the configuration of SAML SSO with the following identity providers: Microsoft Entra ID (formerly known as Azure AD), Okta, and Auth0.

What SAML methods does Brevo use to interact with the IDPs?

To log in to the IDPs, Brevo uses the HTTP-Redirect Binding method for the authentication request from Brevo to the IDP.

In response from the IDPs, Brevo supports only the HTTP-POST Binding method for the authentication response from the IDP to Brevo after authentication is complete.

Who can use SAML SSO to log into Brevo?

In Brevo, SAML SSO configuration varies depending on the intended users:

  • Enable it for Admins only or for both Admins and all sub-organizations from the Admin account, or
  • Configure it individually for specific sub-organizations directly within each one.
❗️ Important
To configure SAML SSO individually for specific sub-organizations, you'll need to create separate applications in your identity provider. However, note that not all providers may support this option for multiple sub-organizations.

🛠️ Configure SAML SSO with Brevo

The configuration for SAML SSO varies depending on your identity provider. Use the following tabs to view instructions for Microsoft Entra ID, Okta, or Auth0:

Microsoft Entra ID Okta Auth0

Step 1: Enable SAML SSO in Brevo

To enable SAML SSO in Brevo and retrieve the values needed to configure it:

  1. Log into the Brevo Admin account or sub-organization you want to configure SAML SSO for.
  2. Click your account name and go to Security > SAML.
  3. Enable the Allow SAML Authentification toggle.
    SAML_enable-SAML_en-us.jpeg

Step 2: (Optional) Download Brevo's certificate for stronger encryption

💡 Good to know
The option to Generate and download Brevo's certificate for stronger encryption can be activated for your account at your request. Contact your dedicated Customer Success Manager to request its activation.

By default, Brevo's basic SAML SSO configuration allows for one-way encryption. However, you can enhance security by enabling two-way encryption using Brevo's certificate:

  1. In Brevo, select the Generate and download Brevo's certificate for stronger encryption option.
  2. Click Download Brevo's certification. A file named "public.cer" is downloaded on your computer.
    SAML_generate-certificate_en-us (3).jpeg

You will upload this file into Microsoft Entra ID during step 6.

Step 3: Create the Brevo application in Microsoft Entra ID

Start by creating a new application for Brevo in your Microsoft Entra admin center:

  1. Open a new tab in your browser and log into your Microsoft Entra admin center.
  2. In the navigation menu, go to Identity > Applications > Enterprise applications.

  3. Click + New application.
    SAML_create-application_en-us.jpeg

  4. Click + Create your own application.
    SAML_create-own-application_en-us.jpeg

  5. Name the application (e.g., "Brevo").
  6. Select Integrate any other application you don't find in the gallery (Non-gallery).
  7. Click Create.
    SAML_create-brevo-application_en-us.jpeg

Step 4: Assign users to the Brevo application in Microsoft Entra ID

To allow users to log into Brevo using SAML SSO, you need assign them to the Brevo application in Microsoft Entra ID:

  1. If you haven't done so already, create the users who will log into Brevo using SAML SSO in Microsoft Entra ID. To learn more, check Microsoft Entra's dedicated documentation.
  2. In the navigation menu, go to Identity > Applications > Enterprise applications.
  3. Select the Brevo application.
    SAML_brevo-application_en-us.jpeg
  4. Go to Users and groups.
  5. Select Add user/group.
    SAML_add-user-group_en-us.jpeg
  6. Under Users and groups, click None Selected.
  7. Select the users that you want to assign to the Brevo application and click Select.
  8. Under Select a role, click None Selected.
  9. Select the role that you want to assign to the users and click Select.
  10. Click Assign to assign the users to the Brevo application.

Step 5: Configure SAML SSO in Microsoft Entra ID

Now, enable and configure SAML SSO in Microsoft Entra ID:

  1. Go to Single sign-on.
  2. Select SAML as the single sign-on method.
    SAML_select-SAML_en-us.jpeg
  3. In the 1. Basic SAML Configuration section, click Edit.
    SAML_edit-basic-configuration_en-us.jpeg

  4. In the Identifier (Entity ID) field in Microsoft Entra ID, click Add identifier and enter:
    https://account-app.brevo.com/account/
    saml_microsoft-entra_entity-id_en-us.jpeg
  5. In the Reply URL (Assertion Consumer Service URL) field in Microsoft Entra ID, click Add reply URL.
  6. Copy the value from the Callback URL field in Brevo and paste it into the Reply URL (Assertion Consumer Service URL) field in Microsoft Entra ID.
    saml_microsoft-entra_callback-url_en-us.jpeg
  7. Copy the value from the Login URL field in Brevo and paste it into the Sign on URL field in Microsoft Entra ID.
    saml_microsoft-entra_login-url_en-us.jpeg
  8. Click Save.
  9. Close the side panel.

Step 6. (Optional) Upload Brevo's certificate into Microsoft Entra ID

If you have previously downloaded Brevo's certificate, you can upload it to Microsoft Entra ID:

  1. In the 3. SAML Certificates section, click Edit next to Verification certificates.
    SAML_edit-certificate_en-us.jpeg
  2. Select the Require verification certificates option.
  3. Click Upload certificate
    SAML_upload-certificate_en-us.jpeg
  4. From your computer, select Brevo's certificate named "public.cer" and click OK.
  5. Click Save.

Step 7: Configure SAML SSO in Brevo

Now, enable and configure SAML SSO in Brevo:

  1. In the 3. SAML Certificates section in Microsoft Entra ID, copy the value from the App Federation Metadata Url field and paste it into the Metadata address field in Brevo.
    SAML_copy-metadata_en-us.jpeg
  2. In the 4. Set up [Application Name] section in Microsoft Entra ID, copy the value from the Login URL field and paste it into the Sign-on URL field in Brevo.
    SAML_copy-login-url_en-us.jpeg
  3. In the Entity ID field in Brevo, enter:
    https://account-app.brevo.com/account/
  4. In the Email fieldname field in Brevo, enter:
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  5. In the User ID field in Brevo, enter:
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    SAML_enter-values_en-us.jpeg

Step 8: (Optional) Enable SAML SSO for sub-organization users in Brevo

By default, SAML SSO is enabled only for Admin users while sub-organization users need to log into Brevo via the standard Brevo login page using their regular credentials.

To enable SAML SSO for sub-organization users as well, select the Force sub-organization users to login with master IDP option.

SAML_disable-sub-organizations_en-us.jpeg

Step 9: Verify your SAML configuration

After configuring SAML SSO, click Verify to check your configuration:

  • ✅ If your SAML configuration works, click Save the settings.
  • ❌ If your SAML configuration doesn't work, review each step of the configuration and re-verify.

You've enabled SAML SSO authentication on your Brevo account. Now, users can log into the Admin account and sub-organizations from the SSO login page.

After logging in, they will be directed to the Switch to account page. Here, they can select an Admin account or sub-organization for which they are an owner or user.

SAML_switch-account_en-us.jpeg

⏭️ What's next?

🤔 Have a question?

If you have a question, feel free to contact our support team by creating a ticket from your account. If you don't have an account yet, you can contact us here.

If you’re looking for help with a project using Brevo, we can match you with the right certified Brevo expert partner.

Related to

💬 Was this article helpful?

0 out of 0 found this helpful