Single Sign-On Authentication Using SAML 2.0 for Marketing Cloud Engagement
You can configure a third-party identity provider (IdP) to authenticate your users to Marketing Cloud Engagement. Each account supports up to one SAML key.
To use single sign-on (SSO) with Marketing Cloud Engagement, begin by identifying and configuring an IdP that uses SAML 2.0 to handle authentication to your accounts. After you finish configuring the IdP, a Salesforce admin can enter the configuration information from the IdP into Marketing Cloud Engagement.
After you configure SSO, your users are sent to the IdP's login page when they attempt to log in to Marketing Cloud Engagement. After they confirm their identity, the IdP sends the user back to Marketing Cloud Engagement, logging them in and granting them permission to access your account.
Your configuration must also support a single logout (SLO) procedure that logs out all authenticated accounts using a single command.
- Enable SAML 2.0 Single Sign-On Authentication
To enable single sign-on (SSO), you must have an identity provider, a Security Assertion Markup Language (SAML) key, and a completed Marketing Cloud Engagement service provider configuration.
- Change Single Sign-On Information
When you renew your security certificate or change your identity provider, update the single sign-on (SSO) settings in Marketing Cloud Engagement.
- Generate Tenant-Specific Single Sign-On Metadata for Multiple Tenants
Configure a globally unique, tenant-specific service provider ID to use multiple Marketing Cloud Engagement tenants with the same identity provider (IdP) for single sign-on (SSO). You can request a tenant-specific endpoint entity ID for each tenant that you manage.
- Increase Login Security by Using Tenant-Specific Endpoint Isolation
Enterprises that have multiple Marketing Cloud Engagement accounts can use Tenant-Specific Endpoint (TSE) Isolation for additional login security. If you turn on this feature, users who use single sign-on (SSO) to access Marketing Cloud Engagement can only do so by using a unique URL that’s specific to each account, as opposed to using a global login endpoint.
- Update Your Marketing Cloud Engagement SSO Certificate
When you use single sign-on (SSO), your identity provider (IdP) authenticates the identity of each user that attempts to log in to Marketing Cloud Engagement. Salesforce provides a digital certificate that ensures the security and integrity of communications to and from your IdP. These certificates expire after a specific amount of time. When your certificate expires, you must update the certificate details with your IdP.
- Resolve Marketing Cloud Engagement Single Sign-On Errors
Marketing Cloud Engagement returns an error message if an incorrect SAML assertion is received. Errors can occur during initial integration configuration or when you make modifications.
- Enable Single Sign-On with Marketing Cloud Engagement and the Salesforce Platform
Unify the login experience for your users by implementing single sign-on (SSO) for Marketing Cloud Engagement and Salesforce Platform applications, such as Data 360, Sales Cloud, and Service Cloud. For example, if your organization uses Data 360 with Marketing Cloud Engagement, you can configure both platforms so that your users log in only one time to use both applications.

