If you have a directory service that authenticates users, you can allow single sign-on (SSO) into Marketo. We support this feature using Security Assertion Markup Language (SAML) version 2.0 and higher.
Marketo functions as a SAML Service Provider (SP), and depends on an external Identity Provider (IdP) to authenticate users.
Once SSO is enabled, the IdP can validate a user’s credentials. When a user wishes to use Marketo software, the IdP then sends a signed SAML message to Marketo, acting as the SP. This message vouchsafes to Marketo that the user is authorized to use Marketo software.
Admin Permissions Required
Are you a Microsoft Azure user? Check out their integration tutorial.
Marketo only supports Identity Provider-initiated (also known as IdP-initiated), in which the user first launches the Idp login page, authenticates, then navigates to My Marketo.
Before starting, have your Identity Provider Certificate in X.509 format and in .crt, .der, or .cer extension.
SSO is disabled by default. Follow these steps to enable SAML and configure it.
Go to Admin and click Single Sign-On.
If you don’t see Single Sign-On under Admin, contact Marketo Support.
Under the SAML Settings section, click on Edit.
Change SAML Single Sign-On to Enabled.
Enter your Issuer ID, Entity ID, select the User ID Location, then click Browse.
Select your Identity Provider Certificate file.
Under the Redirect Pages section, click Edit.
Customers using Universal ID along with SSO must enter the login URL of the Identity Provider in the Login URL field.
Enter a Logout URL. This is the URL you want the user to be directed to when they log out of Marketo.
Enter an Error URL. This is the URL you want the user to be directed to in case logging into Marketo fails. Click Save.
Both of these pages must be publicly available.