Loading

Salesforce Marketing Cloud - Azure SSO Implementation

Publish Date: Jan 30, 2025
Description

Marketing Cloud supports identity providers that utilize the SAML 2.0 specification, such as Salesforce Identity, Shibboleth, PingFederate, and Active Directory Federation Services (ADFS). The configuration for the identity provider must trust the Marketing Cloud product as a service provider, sometimes called a relying party.  Azure Active Directory is a supported Identity Provider.  The following information is designed to supplement documentation and guidance provided by Azure Active Directory, your IDP.  Please consult with your IDP further if you run into any issues with the initial configuration.   

Resolution

Azure Setup

  1. From your Azure Portal, select the Azure Active Directory service on the left navigation panel.
  2. Navigate to Enterprise Applications and then select All Applications.
  3. To add a new application, select New application.
  4. Click the Create your own application button.
  5. Provide a meaningful name in the 'What's the name of your app?' field
  6. Choose an option in the 'What are you looking to do with your application?' section.
  7. Click Create


Wait a few seconds while the app is added to your tenant. Within Azure Active Directory, a new 3rd Party Enterprise Application would be created to utilize SSO with the Marketing Cloud. 
 

  1. Once you selected the Enterprise Application, you will need to select the Setup Single Sign-on Option.
  2. Choose SAML
  3. Then, from the SFMC side, navigate to Setup > Security Settings > SSO > and click the Download Metadata button.
  4. Click on the new browser tab or verify the file download; it will typically be called SFMCMetadata.xml or right-click and save the file as an XML document.
  5. Then, in the Azure Application, you made prior click the Upload metadata file button
  6. Click the file folder on the right
  7. Locate and select the file
  8. Click Open
  9. Then finally click Add


This file will process it may take a few seconds, and once complete, it will display the basic SAML configuration.

Once completed, then select Save. Then Download the Base64 signing cert. This is found under the Single Sign-On page under "Point 3" and was downloaded based on the above steps (Certificate (Base64) > Download).
 

Marketing Cloud Setup

Our Help Documentation on SSO can be found here.  Everything needed is outlined on our help docs, but the below should hopefully supplement your configuration when specific to Azure. 

Marketing Cloud SSO is enabled under Setup by a user that is a Marketing Cloud Administrator. Access the setup tab and then create a key under key management.  

  1. From Key Management, click Create to create a new SSO Key.
  2. Select SSO Metadata
  3. Provide a Name, such as Azure SSO Key (this can be anything meaningful)
  4. Choose the "Guided Configuration" option
  5. Upload your IDP Certificate from Azure Active Directory.  This is found under the Single Sign-On page under  (Certificate (Base64) > Download) if you did not download this prior.
  6. All other required information can be obtained from Azure Active Directory under your SFMC Application > Single Sign-On "Point 4" as mentioned above. 
    • Entity ID = Azure AD Identifier 
    • Name ID Format = Email Address(Typically if you have not modified it)
    • Single Sign-On Service Location URLLOGIN URL Single Sign-On Service Binding:  HTTP POST OR HTTP REDIRECT
    • Single Log-Out Service Location URL: LOGOUT URL Single Log-Out Service Binding: HTTP REDIRECT OR HTTP POST

 

Complete & Test

Once the Key is created, and Azure Active Directory is properly configured along with your users, you can now enable this for a test user in the Marketing Cloud.  

  1. Navigate to Setup 
  2. Expand Users and select Users
  3. Find a user that would like to have SSO enabled
  4. Click on the user's name to take you to their settings
  5. Click Edit
  6. You should see a section for "Single Sign-On Settings."
  7. Check the box "Allow Single Sign-On."
  8. Federation ID would need to match that of the user in Azure. This typically will be in the form of an email address/username. 
  9. Add the Federation ID and save.
  10. Test SSO Login with that User  
  11. Use the SP Initiated link located in Setup > Security > Security Settings > SSO > SP Initiated link OR
  12. Use the IDP Initiated link located in Azure AD under Home > {Name of your Tennant} > Enterprise Applications > {Name of the Enterprise App used for SFMC SSO} > Manage > Properties > User access URL.
SP Initiated example:
https://mcYYYYYYYYYYYYYYYYYYYYYYYYY.login.exacttarget.com/sso/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY

IDP Initiated example:
https://myapps.microsoft.com/signin/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX?tenantId=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

 

Note:

Azure defaults the Enterprise SSO Saml config to SHA-254. You may need to update to SHA-1 in Azure as well as allow SHA-1 verification.

Knowledge Article Number

000381262

 
Loading
Salesforce Help | Article