- What is SAML SSO?
- Requirements to enable SAML SSO on Mailjet
- Accessing and enabling SAML SSO on Mailjet
- Disabling SAML SSO
- Identity providers
- Users management
- Sign in with SSO
What is SAML SSO?
Using the SAML 2.0 protocol, Mailjet lets you integrate with your Identity Provider to authenticate users via single sign-on (SSO). Any Identity Provider that supports SAML 2.0 (Okta, Auth0, OneLogin, Azure AD, etc.) should work with Mailjet.
Note: SAML SSO is only available for Custom accounts.
Requirements to enable SAML SSO on Mailjet
To set up SAML, you need to prove that you own your corporate domain (the domain used in the SAML configuration to log in). Currently, the Mailjet platform uses DNS TXT records for domain verification.
Mailjet can generate a unique TXT record for you to add to your corporate domain's DNS so that we can verify that you own the domain. To use this method, open the SAML Setup page (Settings > Details in the left-hand navigation, scroll down to the Authentication section and, under SAML Auth, click Setup SAML SSO), enter your corporate domain in the Domain Name field under Domain TXT Record Generation, and click Generate. Copy the TXT record from the modal and add it to the DNS records for your domain.
Make sure every domain used by your user accounts is verified before trying to set up SAML on Mailjet. For example, if your users' domains are mailjet.com and mailgun.com, these steps must be performed for each of them.
Identity Provider details
You'll need to provide the following to Mailjet from your Identity Provider:
- IdP Entity ID (also known as Identity Provider Issuer)
- Single Sign-on URL
Service Provider details
You'll need to provide the following Service Provider details from Mailjet to your Identity Provider:
- Assertion Consumer Service URL
- Single Logout Service URL
Accessing and enabling SAML SSO on Mailjet
Note: Only Admin users have access to enable/disable SAML on an account.
To access the SAML configuration on Mailjet, click on Account Settings > SAML Auth (SSO) on the Account Information page:
Once there, you will find the relevant Service Provider details, as well as the form you need to complete:
To enable your configuration, all required fields must be filled in with your Identity Provider's details.
Disabling SAML SSO
Note: Only Admin users have access to enable/disable SAML on an account.
To disable SAML SSO on your account, click on Account Settings > SAML Auth (SSO) on the Account Information page. Once there, click on the cog icon and then click on Deactivate SAML.
Identity providers
Different Identity Providers can be used: Okta, Auth0, OneLogin, Azure AD, etc. This article explains how to do it with Okta and Azure.
Setting up SAML SSO using Okta
First, you’ll need an Okta account. If you already have one, great! If not, you can register at https://developer.okta.com and follow the instructions to get a free developer account.
Once you have an Okta account, navigate to 'Applications' and click on 'Create App Integration'. When the modal pops up, select 'SAML 2.0' as the Sign-on method and click on Next.
Give your app a descriptive name, and a logo, if you wish. You can ignore the App visibility options and then click on Next.
On the next page, fill in the SAML settings as follows:
- Single sign-on URL: the value shown as 'Assertion Consumer Service URL' in your Mailjet Dashboard
- Leave the 'Use this for Recipient URL and Destination URL' checkbox checked
- Audience URI: the 'Entity ID' from your Mailjet Dashboard
- Leave Default RelayState blank
- Name ID format: `EmailAddress`
- Application username: `email`
- Leave 'Update application username on' at its default
- Leave the Attribute Statements section empty and click on Next.
On the next page, choose 'I’m an Okta customer adding an internal app', and click on Finish.
You’ll land on the Sign On tab on the application you’ve just configured.
Look for the 'View Setup Instructions' button and click on it to display the values you need to enter on Mailjet. It should look like this:
Copy these values into the SAML Auth (SSO) page in Mailjet and submit the form. If everything is correct, you should be good to go.
Setting up SAML SSO using Azure
To enable SAML SSO for your Azure application, follow the official Azure documentation, and use the field mappings below when entering the data.
Provide Mailjet information to Azure
| Azure field | Mailjet value |
| --- | --- |
| Identifier (Entity ID) | Entity ID |
| Reply URL (Assertion Consumer Service URL) | Assertion Consumer Service URL |
| Logout Url (Optional) | Single Logout Service |
Provide Azure information to Mailjet
| Mailjet field | Azure value | Notes |
| --- | --- | --- |
| Associated domain(s) | - | The custom domain name must be added and verified in both Azure and Mailjet |
| IdP Entity ID | Azure AD Identifier | |
| Request signing preference | SAML Signing Certificate section > Edit > Signing option | Should be 'Sign SAML response and assertion' |
| Single Sign-On URL | Login URL | |
| Single Logout Service URL | | |
| X.509 certificate | Certificate (Base64) | Download the Base64 certificate and open it in a text editor first, so the value can be copied in the required format |
Note: Users must be assigned access to Mailjet in Azure AD to sign in.
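As an added example (not Mailjet's or any identity provider's code), this Python script pulls the values from the table above out of a standard SAML 2.0 IdP metadata file, which Okta and Azure AD both export, rejects metadata whose sign-on endpoint cannot be used from a browser, and converts the embedded certificate into the PEM text that an Azure 'Certificate (Base64)' download contains. The metadata, entity ID, URLs and certificate bytes are constructed placeholders, and it is an assumption that Mailjet's X.509 field accepts that PEM text.

```python
import base64
import ssl
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Mailjet's SSO sign-in runs in the browser, so only front-channel bindings are usable.
WEB_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}

# Constructed sample metadata: entity ID, URLs and certificate are placeholders
# (the "certificate" is a 5-byte DER SEQUENCE, not a real X.509 certificate).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml/issuer">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MAMCAQE=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.test/saml/logout"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.example.test/saml/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_settings(metadata_xml: str) -> dict:
    """Return the IdP values Mailjet asks for, or raise ValueError if one is missing."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not a SAML 2.0 IdP metadata document")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") in WEB_BINDINGS]
    if not sso:
        raise ValueError("no HTTP-POST/HTTP-Redirect SingleSignOnService endpoint")
    slo = idp.find("md:SingleLogoutService", NS)
    # A KeyDescriptor without a 'use' attribute is valid for signing as well.
    certs = [kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")]
    if not any(certs):
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode("".join(next(c for c in certs if c).split()), validate=True)
    if not der or der[0] != 0x30:  # a DER certificate always starts with a SEQUENCE tag
        raise ValueError("X509Certificate is not DER-encoded")
    return {
        "IdP Entity ID": root.get("entityID"),
        "Single Sign-On URL": sso[0],
        "Single Logout Service URL": slo.get("Location") if slo is not None else "",
        # PEM with 64-character lines, the form Azure's Certificate (Base64) download uses
        "X.509 certificate": ssl.DER_cert_to_PEM_cert(der),
    }
```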
Users management
Our SAML-based SSO feature gives your end users access to the Mailjet application through an identity provider (IdP). All users you have given shared access to your account are listed in the 'Users' section.
Note: Single sign-on is disabled by default for all users. Only active users whose email domain is listed as an Associated domain in the SAML configuration can log in to your account via SSO.
You can enable SSO for all users at once by clicking the 'Enable SAML for all' button, or enable or disable access for individual users one by one via the cog icon.
Identity provider (Okta)
Once you have activated your end-users within the Mailjet application you will also need to add them to your identity provider (IdP), in this case Okta.
Open your Okta account, go to Directory > People and click on 'Add person'.
Once you have entered all the required information, click 'Save'.
Note: If you want to notify the new user immediately and send them an activation email, check the box 'Send user activation email now'. The user will then be prompted to click on a link to activate their Okta account.
The next step is to visit the Applications page and select the application to which you want to assign the newly added user.
Select 'Assign to people' from the Assign drop-down menu.
Click 'Assign' on the user you previously added.
Note: Only unassigned users will be displayed.
You will then be redirected to the People page, which lists all users added to your Okta account and their current status.
If all the steps above have been followed correctly, end users with access to your Mailjet application should be able to log in via SSO.
Sign in with SSO
To sign in, click on the 'Sign in with SSO' button on the Mailjet login page.
A new window will then appear with a single input form for your email.
Once you enter your email and click on the 'Sign in' button, you will be redirected to your account dashboard.
Note: Once SSO is enabled for a shared user, they can no longer log in to the account with their password; they must log in via the 'Sign in with SSO' option instead.