Add Single Sign-On to a Portal add-single-sign-on-to-a-portal
If you have a directory service that authenticates users, you can allow single sign-on (SSO) into Marketo. We support this feature using Security Assertion Markup Language (SAML) version 2.0 and higher.
Marketo functions as a SAML Service Provider (SP), and depends on an external Identity Provider (IdP) to authenticate users.
Once SSO is enabled, the IdP can validate a user’s credentials. When a user wishes to use Marketo software, the IdP then sends a signed SAML message to Marketo, acting as the SP. This message vouchsafes to Marketo that the user is authorized to use Marketo software.
https://<munchkinid>.mktoweb.com
, not https://<munchkinid>.marketo.com
.How to Send the Request how-to-send-the-request
- Send the SSO request, which is a SAML response, to
https://login.marketo.com/saml/assertion/<your-munchkin-id>
- As the SP’s Audience URL. Use
http://saml.marketo.com/sp
- If you are using the SPNameQualifier attribute, set the NameID element for Subject to
http://saml.marketo.com/sp
- If you are federating multiple Marketo subscriptions to the same SSO provider, you can use unique SP urls for each Marketo sub with the format
http://saml.marketo.com/sp/<munchkin_id>
Additional Notes additional-notes
- Sync-up time - For a new user, there is about a 10 minute delay before an initial SSO request is processed.
- User Provisioning - Users are provisioned manually by Marketo.
- Authorization - User permissions are maintained within Marketo.
- OAuth support - Marketo does not currently support OAuth.
- Automatic User Propagation - Also known as “Just in Time Provisioning,” this is when a user’s first SAML login is capable of creating the user in whatever web application they’re accessing (e.g., Marketo) and no manual admin action is required. This is not supported by Marketo at this time.
- Encryption - Marketo does not currently support encryption.
Update SAML Settings update-saml-settings
SSO is disabled by default. Follow these steps to enable SAML and configure it.
-
Go to the Admin area.
-
Click Single Sign-On.
note note NOTE If you don’t see Single Sign-On under Admin, contact Marketo Support. -
Under the SAML Settings section, click Edit.
-
Change SAML Single Sign-On to Enabled.
-
Enter your Issuer ID, Entity ID, select the User ID Location, then click Browse.
-
Select your Identity Provider Certificate file.
-
Click Save.
Update Redirect Page Settings update-redirect-page-settings
-
Under the Redirect Pages section, click Edit.
note note NOTE Customers using Universal ID along with SSO must enter the login URL of the Identity Provider in the Login URL field. -
Enter a Logout URL. This is the URL you want the user to be directed to when they log out of Marketo.
-
Enter an Error URL. This is the URL you want the user to be directed to in case logging into Marketo fails. Click Save.
note note NOTE Both of these pages must be publicly available.