Tutorial: Microsoft Entra SSO integration with Marketo

In this tutorial, you learn how to integrate Marketo with Microsoft Entra ID. Integrating Marketo with Microsoft Entra ID provides you with the following benefits:

  • You can control in Microsoft Entra ID who has access to Marketo.
  • You can enable your users to be automatically signed in to Marketo (Single Sign-On) with their Microsoft Entra accounts.
  • You can manage your accounts in one central location.

Prerequisites

To configure Microsoft Entra integration with Marketo, you need the following items:

  • A Microsoft Entra subscription. If you don't have a subscription, you can get a free account.
  • A Marketo subscription with single sign-on enabled.

Scenario description

In this tutorial, you configure and test Microsoft Entra single sign-on in a test environment.

  • Marketo supports IDP-initiated SSO.

Note

The Identifier of this application is a fixed string value, so only one instance can be configured in one tenant.

To configure the integration of Marketo into Microsoft Entra ID, you need to add Marketo from the gallery to your list of managed SaaS apps.

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
  2. Browse to Identity > Applications > Enterprise applications > New application.
  3. In the Add from the gallery section, type Marketo in the search box.
  4. Select Marketo from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Alternatively, you can also use the Enterprise App Configuration Wizard. In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. Learn more about Microsoft 365 wizards.

Configure and test Microsoft Entra SSO for Marketo

In this section, you configure and test Microsoft Entra single sign-on with Marketo based on a test user called Britta Simon. For single sign-on to work, a link relationship between a Microsoft Entra user and the related user in Marketo needs to be established.

To configure and test Microsoft Entra single sign-on with Marketo, perform the following steps:

  1. Configure Microsoft Entra SSO - to enable your users to use this feature.
    1. Create a Microsoft Entra test user - to test Microsoft Entra SSO with Britta Simon.
    2. Assign the Microsoft Entra test user - to enable Britta Simon to use Microsoft Entra SSO.
  2. Configure Marketo SSO - to configure the SSO settings on application side.
    1. Create Marketo test user - to have a counterpart of Britta Simon in Marketo that is linked to the Microsoft Entra representation of the user.
  3. Test SSO - to verify whether the configuration works.

Configure Microsoft Entra SSO

Follow these steps to enable Microsoft Entra SSO.

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.

  2. Browse to Identity > Applications > Enterprise applications > Marketo > Single sign-on.

  3. On the Select a single sign-on method page, select SAML.

  4. On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.

  5. On the Basic SAML Configuration section, perform the following steps:

    a. In the Identifier text box, type the URL: https://saml.marketo.com/sp

    b. In the Reply URL text box, type a URL using the following pattern: https://login.marketo.com/saml/assertion/<munchkinid>

    c. In the Relay State text box, type a URL using the following pattern: https://<munchkinid>.marketo.com/

    Note

    These values are not real. Update these values with the actual Reply URL and Relay State. Contact Marketo Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section.

  6. Your Marketo application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows an example for this. The default value of Unique User Identifier is user.userprincipalname, but Marketo expects this to be mapped to the user's email address. For that, you can use the user.mail attribute from the list, or use the appropriate attribute value based on your organization's configuration.

    Screenshot shows the image of token attributes configuration.

  7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to download the Certificate (Base64) from the given options as per your requirement and save it on your computer.

  8. On the Set up Marketo section, copy the appropriate URL(s) as per your requirement.
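
The following check is an added example, not part of the original tutorial and not Microsoft or Marketo code. It inspects a decoded SAML assertion against the values configured in the steps above: the Issuer, the email-based NameID, the fixed Identifier, and the Reply URL built from the Munchkin ID. The helper name check_assertion is hypothetical, and the tenant ID, Munchkin ID, and email addresses are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDENTIFIER = "https://saml.marketo.com/sp"                 # Identifier from step 5a
REPLY_URL = "https://login.marketo.com/saml/assertion/{}"  # Reply URL pattern from step 5b

# Constructed sample: placeholder tenant ID and Munchkin ID; NameID still carries the UPN.
ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <saml:Subject>
    <saml:NameID>b.simon@contoso.onmicrosoft.com</saml:NameID>
    <saml:SubjectConfirmation>
      <saml:SubjectConfirmationData
          Recipient="https://login.marketo.com/saml/assertion/000-AAA-000"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://saml.marketo.com/sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""

def check_assertion(xml_text, munchkin_id, issuer, marketo_emails):
    """Return the mismatches between an assertion and the settings in this tutorial.

    Inspects field values only; it does not validate the XML signature.
    """
    # Constructed input here; parse captured responses with a hardened XML parser.
    root = ET.fromstring(xml_text)
    problems = []

    def text(path):
        return (root.findtext(path, default="", namespaces=NS) or "").strip()

    if text("saml:Issuer") != issuer:
        problems.append("Issuer does not match the Issuer ID configured in Marketo")
    name_id = text("saml:Subject/saml:NameID")
    if name_id.lower() not in {e.lower() for e in marketo_emails}:
        problems.append(f"NameID {name_id!r} matches no Marketo user email")
    if text("saml:Conditions/saml:AudienceRestriction/saml:Audience") != IDENTIFIER:
        problems.append("Audience is not the fixed Marketo Identifier")
    conf = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = conf.get("Recipient", "") if conf is not None else ""
    if recipient != REPLY_URL.format(munchkin_id):
        problems.append(f"Recipient {recipient!r} is not the Reply URL for {munchkin_id}")
    return problems

if __name__ == "__main__":
    for p in check_assertion(SAMPLE, "000-AAA-000", ISSUER, {"b.simon@contoso.com"}):
        print("MISMATCH:", p)
```

Run against the sample, the check reports only the NameID mismatch, which is the symptom of leaving Unique User Identifier at user.userprincipalname when the UPN differs from the user's Marketo email.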

Create a Microsoft Entra test user

In this section, you create a test user called B.Simon.

  1. Sign in to the Microsoft Entra admin center as at least a User Administrator.
  2. Browse to Identity > Users > All users.
  3. Select New user > Create new user, at the top of the screen.
  4. In the User properties, follow these steps:
    1. In the Display name field, enter B.Simon.
    2. In the User principal name field, enter the username@companydomain.extension. For example, B.Simon@contoso.com.
    3. Select the Show password check box, and then write down the value that's displayed in the Password box.
    4. Select Review + create.
  5. Select Create.

Assign the Microsoft Entra test user

In this section, you enable B.Simon to use Azure single sign-on by granting access to Marketo.

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
  2. Browse to Identity > Applications > Enterprise applications > Marketo.
  3. In the app's overview page, select Users and groups.
  4. Select Add user/group, then select Users and groups in the Add Assignment dialog.
    1. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the bottom of the screen.
    2. If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you see "Default Access" role selected.
    3. In the Add Assignment dialog, click the Assign button.

Configure Marketo SSO

  1. In a different web browser window, sign in to your Marketo company site as an administrator.

  2. To get Munchkin ID of your application, perform the following actions:

    a. Log in to Marketo app using admin credentials.

    b. Click the Admin button on the top navigation pane.

    c. Navigate to the Integration menu and click the Munchkin link.

    d. Copy the Munchkin ID shown on the screen and complete your Reply URL in the Microsoft Entra configuration wizard.

  3. To configure the SSO in the application, follow the below steps:

    a. Log in to Marketo app using admin credentials.

    b. Click the Admin button on the top navigation pane.

    c. Navigate to the Integration menu and click Single Sign On.

    d. To enable the SAML Settings, click the Edit button.

    e. Enable the Single Sign-On settings.

    f. Paste the Microsoft Entra Identifier in the Issuer ID textbox.

    g. In the Entity ID textbox, enter the URL as http://saml.marketo.com/sp.

    h. Select the User ID Location as Name Identifier element.

    Note

    If your User Identifier is not the UPN value, then change the value in the Attribute tab.

    i. Upload the certificate, which you have downloaded from Microsoft Entra configuration wizard. Save the settings.

    j. Edit the Redirect Pages settings.

    k. Paste the Login URL in the Login URL textbox.

    l. Paste the Logout URL in the Logout URL textbox.

    m. In the Error URL, copy your Marketo instance URL and click the Save button to save the settings.

  4. To enable the SSO for users, complete the following actions:

    a. Log in to Marketo app using admin credentials.

    b. Click the Admin button on the top navigation pane.

    c. Navigate to the Security menu and click Login Settings.

    d. Check the Require SSO option and Save the settings.

Create Marketo test user

In this section, you create a user called Britta Simon in Marketo. Follow these steps to create a user in the Marketo platform.

  1. Log in to Marketo app using admin credentials.

  2. Click the Admin button on the top navigation pane.

  3. Navigate to the Security menu and click Users & Roles.

  4. Click the Invite New User link on the Users tab.

  5. In the Invite New User wizard, fill the following information.

    a. Enter the user Email address in the textbox.

    b. Enter the First Name in the textbox.

    c. Enter the Last Name in the textbox.

    d. Click Next.

  6. In the Permissions tab, select the userRoles and click Next.

  7. Click the Send button to send the user invitation.

  8. The user receives the email notification and has to click the link and change the password to activate the account.

Test SSO

In this section, you test your Microsoft Entra single sign-on configuration with the following options.

  • Click on Test this application, and you should be automatically signed in to the Marketo for which you set up the SSO.

  • You can use Microsoft My Apps. When you click the Marketo tile in the My Apps, you should be automatically signed in to the Marketo for which you set up the SSO. For more information about the My Apps, see Introduction to the My Apps.

Next steps

Once you configure Marketo, you can enforce session control, which protects against exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. Learn how to enforce session control with Microsoft Defender for Cloud Apps.