Documentation Marketo Engage Marketo Guide

Add Single Sign-On to a Portal add-single-sign-on-to-a-portal

Last update: Wed Jan 15 2025 00:00:00 GMT+0000 (Coordinated Universal Time)

Topics:
Administration

If you have a directory service that authenticates users, you can allow single sign-on (SSO) into Marketo. We support this feature using Security Assertion Markup Language (SAML) version 2.0 and higher.

Marketo functions as a SAML Service Provider (SP), and depends on an external Identity Provider (IdP) to authenticate users.

Once SSO is enabled, the IdP can validate a user’s credentials. When a user wishes to use Marketo software, the IdP then sends a signed SAML message to Marketo, acting as the SP. This message vouchsafes to Marketo that the user is authorized to use Marketo software.

NOTE

Admin Permissions Required

IMPORTANT

This does not apply to subscriptions onboarded to Adobe Identity. For subscriptions onboarded to Adobe Identity, Single Sign On is set up at the Adobe Org level in Adobe Admin Console. Adobe Admin Console only supports SP-initiated at this time. Learn more here.

NOTE

Are you a Microsoft Azure user? Check out their integration tutorial. FYI, there is a typo in Step 5c of their tutorial. Please set the Relay State to https://<munchkinid>.mktoweb.com, not https://<munchkinid>.marketo.com.

How to Send the Request how-to-send-the-request

Send the SSO request, which is a SAML response, to https://login.marketo.com/saml/assertion/<your-munchkin-id>
As the SP’s Audience URL. Use http://saml.marketo.com/sp
If you are using the SPNameQualifier attribute, set the NameID element for Subject to http://saml.marketo.com/sp
If you are federating multiple Marketo subscriptions to the same SSO provider, you can use unique SP urls for each Marketo sub with the format http://saml.marketo.com/sp/<munchkin_id>

NOTE

Marketo only supports Identity Provider-initiated (also known as IdP-initiated), in which the user first launches the IdP login page, authenticates, then navigates to My Marketo. If your Marketo subscription has been moved to admin console, Adobe Admin Console only supports Service Provider-initiated (also known as SP-initiated) at this time. There may be changes made in your SSO experience.

Additional Notes additional-notes

Sync-up time - For a new user, there is about a 10 minute delay before an initial SSO request is processed.
User Provisioning - Users are provisioned manually by Marketo.
Authorization - User permissions are maintained within Marketo.
OAuth support - Marketo does not currently support OAuth.
Automatic User Propagation - Also known as “Just in Time Provisioning,” this is when a user’s first SAML login is capable of creating the user in whatever web application they’re accessing (e.g., Marketo) and no manual admin action is required. This is not supported by Marketo at this time.
Encryption - Marketo does not currently support encryption.

NOTE

Before starting, have your Identity Provider Certificate in X.509 format and in .crt, .der, or .cer extension.

Update SAML Settings update-saml-settings

SSO is disabled by default. Follow these steps to enable SAML and configure it.

Go to the Admin area.

Click Single Sign-On.

note note
NOTE
If you don’t see Single Sign-On under Admin, contact Marketo Support.

Under the SAML Settings section, click Edit.
Change SAML Single Sign-On to Enabled.
Enter your Issuer ID, Entity ID, select the User ID Location, then click Browse.
Select your Identity Provider Certificate file.
Click Save.