How to set up single sign-on (SSO)

Single sign-on (SSO) helps protect you, as well as your customers, by making your account more secure. If you have SSO set up for your business, you can require your Klaviyo users to log in using their SSO credentials.

Plus, if you use SSO for your organization, you and your users can remain logged in to Klaviyo for a longer period of time before re-entering your credentials.

Users added to the exemption list will be able to bypass SSO and log in with a username and password when SSO is enforced for a company. This is important if there is an IdP outage or when you do not want to add a partner, contractor, or agency member to your IdP instance.

Note that you will only be able to view the exemption list once SSO is set up. 

Also called the SSO login identifier, the workplace ID is required to set up SAML SSO in Klaviyo. It is usually the same name as your company. You'll create this ID as part of step 3 of the Klaviyo setup process (discussed in this section below).

After setting up a workplace ID, users can go directly to your company's custom URL (e.g., www.klaviyo.com/sso/workplace/<id>) to log in to Klaviyo. We recommend telling users to bookmark this URL to speed up the login process.  

When JIT provisioning is enabled, IT admins no longer need to create accounts manually for each user in each of their applications. Instead, user accounts are created the first time users try to log in to an application, as long as the user has permission for that app.

For instance, IT admins can automatically grant Klaviyo access to all users in their IdP so that those users' accounts will automatically be created the first time they log in to Klaviyo via their SSO portal or through Klaviyo-initiated login.

1. Log in to your Okta admin account. 
2. Navigate to Application > Applications. 
3. Select Create App Integration.
   
4. In the modal, select the option for SAML 2.0.
   
5. Click Next. 
6. Name the integration (e.g., “Klaviyo”).
   
7. Click Next.
8. In the Single sign-on URL field, paste in the Klaviyo SSO URL from the Klaviyo SSO setup screen. 
9. In the Audience URI (SP Entity ID) field, paste the Audience URI (Service Provider Entity ID) from Klaviyo.
10. Set the Name ID format field to EmailAddress.
11. Change the Application username to Email. 
12. Check that the Update application username on is set to Create and update. 
    
13. Click Next. 
14. Select I’m an Okta customer adding an internal app. 
    • You do not need to check or fill out any other information on this page. 
15. Scroll to the bottom of the page and click Finish. 
16. Go to the Sign On tab.
    
17. Scroll down to the SAML Signing Certificates section.
18. Find an active certificate and then click the Actions dropdown. 
19. Click View IdP metadata.
    
20. A new tab will open that should look like the one below.
    
21. In the new tab, right click and select Save as > Save so that you can upload this file to Klaviyo later. 
22. Navigate back to Okta. 
23. Go to the Assignments tab. 
24. Click Assign.
25. Choose whether to assign the app to an individual (i.e., people) or to a group.
    
26. Find the people or groups you want to assign Klaviyo to, and click Assign next to their name(s).
    
27. If you’re selecting individuals: 
    • Choose the username for each individual; the default is their username in Okta.
    • Click Save and go back.
      
28. When you are finished, click Done. 

1. Log in to your One Login account.
2. Navigate to Applications > Applications.
   
3. Click Add App in the upper right corner.
   
4. Search for “Klaviyo” and then select the result that appears.
   
5. Optional: choose the display name, upload a new icon, or add a description for this app.
6. Click Save in the upper right. 
7. Navigate to Configuration in the left sidebar.
   
8. In the SAML Consumer URL field, paste your Klaviyo SSO URL. 
9. In the Audience (SP EntityID) field, paste your Audience URI (Service Provider Entity ID). 
10. Click Save. 
11. Click SSO in the left sidebar. 
12. Open the SAML Signature Algorithm dropdown.
13. Select SHA-256.
    
14. Optional: scroll down to change your login display settings.
    
15. Click Save. 
16. Open the More Actions dropdown in the upper right.
17. Select SAML Metadata. This will download the file you need to upload in the next section.
    

Before moving on to the next section, you need to add users to the Klaviyo app in One Login and then assign their roles. 

1. To add users to the Klaviyo app, click Users > Users in the upper left.
   
2. Select a user to access Klaviyo. We recommend assigning the person who is setting up SSO in Klaviyo. 
3. Select Applications in the left sidebar.
4. Click the plus button on the right side to add an application to this user.
5. Select Klaviyo from the dropdown.
   
6. Click Continue. 
7. In the resulting modal, scroll down to the role dropdown.
8. Open this dropdown and select the Klaviyo role this user should be assigned.
   
9. Click Save. 

1. Log in to Microsoft Entra ID (formerly known as Azure AD).
2. Click Microsoft Entra ID. 
3. Select the Add dropdown and then click Enterprise Application.
4. Click Create your own application.
   
5. Name the application “Klaviyo,” then click Create. 
6. Click Single sign-on in the left sidebar.
   
7. Select SAML. 
8. Click Edit in the Basic SAML Configuration box.
   
9. In the right sidebar that appears, click Add identifier under Identifier (Entity ID).
   
10. In the field that appears, paste in the Audience URI (Service Provider Entity ID) from Klaviyo.
11. Under Reply URL (Assertion Consumer Service URL), click Add reply URL. 
12. Here, paste the Klaviyo SSO URL from Klaviyo.
    
13. Note: if you want to add in a Sign on URL, you must first create a workplace ID, which is discussed in the next section. We recommend finishing the setup process and then coming back to this step. 
14. Click Save in the top left corner of the sidebar before clicking the X in the upper right. 
15. Scroll down to the SAML Certificates box (step 3 on the Single sign-on page in Entra).
    
16. Next to Federation Metadata XML, click Download.
    
17. Still within the SAML Certificates box, click Edit in the upper right.
18. In the sidebar that appears on the right, check that the:
    • Signing Option requires that the SAML assertion be signed (here, we set it to Sign SAML assertion). Note that signing the response is optional. 
    • Signing Algorithm is set to SHA-256.
      
19. Scroll back up to the Attributes & Claims box (step 2 on Single sign-on page in Entra) and click Edit.
    
20. Click Unique User Identifier (Name ID) in the Required Claim section.
    
21. Click the Source attribute dropdown.
    
22. Search for “user.mail” and then select it.
    
23. Click Save in the upper left corner to go back to the Attributes & Claims page. 
24. Select Add new claim in the upper left.
    
25. Enter “role” for the name. 
26. Change the Source attribute to "user.assignedroles."
    
27. Click Save. 
28. Click Home to go back to the directory. 
29. In the left sidebar, click App registrations.
    
30. Go to the All applications tab.
    
31. Click into the Klaviyo app.
32. Select App roles > Create app role.
    
33. Create the display name for each role.
34. Select Users/Groups as the Allowed member types.
35. Assign one of these values exactly how it appears below:
    
    • admin
    • manager
    • analyst
    • campaign_coordinator
    • content_creator
    • support
      
36. Add a description, then click Apply.

Then, to assign users to the Klaviyo app, follow these steps: 

1. Navigate to Microsoft Entra ID > Enterprise applications. 
2. Click the Klaviyo app.
3. Navigate to Users and groups > Add user/group.
   
4. Click into Users to populate the right sidebar. 
   
5. Select the user(s) you want to add to the Klaviyo app.
6. Click Select.
7. Click into Select a role.
   
8. Choose the role this user should have in Klaviyo. 
9. Click Select to confirm the role. 
10. Click Assign in the bottom left.