Events
Apr 9, 3 PM - Apr 10, 12 PM
Code the Future with AI and connect with Java peers and experts at JDConf 2025.
Register NowMicrosoft Entra SSO integration with Marketo
In this article, you learn how to integrate Marketo with Microsoft Entra ID. Integrating Marketo with Microsoft Entra ID provides you with the following benefits:
- You can control in Microsoft Entra ID who has access to Marketo.
- You can enable your users to be automatically signed-in to Marketo (Single Sign-On) with their Microsoft Entra accounts.
- You can manage your accounts in one central location.
The scenario outlined in this article assumes that you already have the following prerequisites:
- A Microsoft Entra user account with an active subscription. If you don't already have one, you can Create an account for free.
- One of the following roles:
- Marketo single sign-on enabled subscription.
In this article, you configure and test Microsoft Entra single sign-on in a test environment.
- Marketo supports IDP initiated SSO.
Note
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
To configure the integration of Marketo into Microsoft Entra ID, you need to add Marketo from the gallery to your list of managed SaaS apps.
- Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
- Browse to Identity > Applications > Enterprise applications > New application.
- In the Add from the gallery section, type Marketo in the search box.
- Select Marketo from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
Alternatively, you can also use the Enterprise App Configuration Wizard. In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. Learn more about Microsoft 365 wizards.
In this section, you configure and test Microsoft Entra single sign-on with Marketo based on a test user called Britta Simon. For single sign-on to work, a link relationship between a Microsoft Entra user and the related user in Marketo needs to be established.
To configure and test Microsoft Entra single sign-on with Marketo, perform the following steps:
- Configure Microsoft Entra SSO - to enable your users to use this feature.
- Create a Microsoft Entra test user - to test Microsoft Entra SSO with Britta Simon.
- Assign the Microsoft Entra test user - to enable Britta Simon to use Microsoft Entra SSO.
- Configure Marketo SSO - to configure the SSO settings on application side.
- Create Marketo test user - to have a counterpart of Britta Simon in Marketo that's linked to the Microsoft Entra representation of user.
- Test SSO - to verify whether the configuration works.
Follow these steps to enable Microsoft Entra SSO.
Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
Browse to Identity > Applications > Enterprise applications > Marketo > Single sign-on.
On the Select a single sign-on method page, select SAML.
On the Set up single sign-on with SAML page, select the pencil icon for Basic SAML Configuration to edit the settings.
On the Basic SAML Configuration section, perform the following steps:
a. In the Identifier text box, type the URL:
https://saml.marketo.com/spb. In the Reply URL text box, type a URL using the following pattern:
https://login.marketo.com/saml/assertion/<munchkinid>c. In the Relay State text box, type a URL using the following pattern:
https://<munchkinid>.marketo.com/Note
These values aren't real. Update these values with the actual Reply URL and Relay State. Contact Marketo Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section.
Your Marketo application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows an example for this. The default value of Unique User Identifier is user.userprincipalname but Marketo expects this to be mapped with the user's email address. For that you can use user.mail attribute from the list or use the appropriate attribute value based on your organization configuration.
On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, select Download to download the Certificate (Base64) from the given options as per your requirement and save it on your computer.
On the Set up Marketo section, copy the appropriate URL(s) as per your requirement.
Follow the guidelines in the create and assign a user account quickstart to create a test user account called B.Simon.
In a different web browser window, sign in to your Marketo company site as an administrator
To get Munchkin ID of your application, perform the following actions:
a. Log in to Marketo app using admin credentials.
b. Select the Admin button on the top navigation pane.
c. Navigate to the Integration menu and select the Munchkin link.
d. Copy the Munchkin ID shown on the screen and complete your Reply URL in the Microsoft Entra configuration wizard.
To configure the SSO in the application, follow the below steps:
a. Log in to Marketo app using admin credentials.
b. Select the Admin button on the top navigation pane.
c. Navigate to the Integration menu and select Single Sign On.
d. To enable the SAML Settings, select Edit button.
e. Enabled Single Sign-On settings.
f. Paste the Microsoft Entra Identifier, in the Issuer ID textbox.
g. In the Entity ID textbox, enter the URL as
http://saml.marketo.com/sp.h. Select the User ID Location as Name Identifier element.
Note
If your User Identifier isn't UPN value then change the value in the Attribute tab.
i. Upload the certificate, which you have downloaded from Microsoft Entra configuration wizard. Save the settings.
j. Edit the Redirect Pages settings.
k. Paste the Login URL in the Login URL textbox.
l. Paste the Logout URL in the Logout URL textbox.
m. In the Error URL, copy your Marketo instance URL and select Save button to save settings.
To enable the SSO for users, complete the following actions:
a. Log in to Marketo app using admin credentials.
b. Select the Admin button on the top navigation pane.
c. Navigate to the Security menu and select Login Settings.
d. Check the Require SSO option and Save the settings.
In this section, you create a user called Britta Simon in Marketo. follow these steps to create a user in Marketo platform.
Log in to Marketo app using admin credentials.
Select the Admin button on the top navigation pane.
Navigate to the Security menu and select Users & Roles.
Select the Invite New User link on the Users tab.
In the Invite New User wizard, fill the following information.
a. Enter the user Email address in the textbox
b. Enter the First Name in the textbox.
c. Enter the Last Name in the textbox.
d. Select Next.
In the Permissions tab, select the userRoles and select Next.
Select the Send button to send the user invitation
User receives the email notification and has to select the link and change the password to activate the account.
In this section, you test your Microsoft Entra single sign-on configuration with following options.
Select Test this application, and you should be automatically signed in to the Marketo for which you set up the SSO
You can use Microsoft My Apps. When you select the Marketo tile in the My Apps, you should be automatically signed in to the Marketo for which you set up the SSO. For more information about the My Apps, see Introduction to the My Apps.
Once you configure Marketo you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. Learn how to enforce session control with Microsoft Defender for Cloud Apps.