
Marketing Cloud Single Sign-On (SSO) Implementation Overview

Publication date: Jan 24, 2025
Description

This article walks you through setting up Single Sign-On (SSO) for an identity provider with Salesforce Marketing Cloud as the service provider. The following guidance helps with the specifics of implementing SSO alongside our existing SSO documentation.

 

NOTE: This article isn’t a comprehensive solution for every use case, but it provides guidance on getting started with the configuration of SSO and Salesforce Marketing Cloud. For each use case, also work with your IDP.

Solution

Key Terms:

  • SAML: Security Assertion Markup Language
  • SAML2: the second iteration of the Security Assertion Markup Language
  • Identity Provider (IDP): A kind of service provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles. (For example, ADFS, Okta, Salesforce.com, PingFederate, and so on.)
  • Principals: A system entity whose identity can be authenticated. (X.811 IT Security Standard)
  • Service Provider (SP): A role taken on by a system entity where that entity provides services to principals or other system entities. (For example, Salesforce Marketing Cloud uses Shibboleth as its SP.)

 

Here are the general steps to complete an SSO integration from a SAML2 IDP to SFMC.

 

NOTE: This guide is for educational purposes only, and your actual implementation could vary based on the IDP configuration. Consult your IDP vendor or IT team for IDP-specific requirements.


1. Enable SSO

 

a) Enable SSO on your Salesforce Marketing Cloud account. SSO may already be enabled on the Enterprise account. To verify, log in to the main Enterprise account ID on your MC instance, go to Setup > Administration > Data Management > Key Management, and then select the Create button.

b) If SSO is enabled, the SSO Metadata radio button appears. If the radio button doesn’t appear in the UI, then either SSO isn’t enabled or you are within a Business Unit. If you are on the Enterprise-level business unit and SSO isn’t enabled, raise a case to have Support enable SSO for your account.

 

NOTE: You can only have one SSO Metadata key active at a time.

 

2. Retrieve SAML Metadata

 

After SSO has been enabled, you must retrieve your SAML metadata from the MC account. It’s located under Setup > Settings > Security > Security Settings > Single Sign-On Settings > SSO SAML Metadata (button). The URL looks similar to the following:

 

https://TenantSpecificEndpoint.login.exacttarget.com/SFMCMetadata

 

NOTE: If you have the option to select a certificate version, choose the one with the latest expiration date, for example: Jan 2021 - mc.login.exacttarget.com (expires February 5, 2022).

 

3. Apply to your IDP

 

You now must apply the SFMC Metadata to your IDP.

 

NOTE: Your network connection IP address must remain static during the connection to Marketing Cloud. If your network uses IP cycling, you may encounter this error: "An error occurred during your SAML SSO login. None of the configured session Initiators handled the request."

 

4. Create Key

 

After the SFMC metadata has been applied, take the metadata from your IDP and enter it into the Key Management section of SFMC. Within your org, go to Setup > Administration > Data Management > Key Management. Click the Create button, then select SSO Metadata. A <NameIDFormat> value is required in the IDP metadata entered into the SFMC configuration. If you receive an error saying the <NameIDFormat> is missing or invalid, add one of the following lines to the metadata. If the <NameIDFormat> is in the wrong location, it will also error.

 

<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</md:NameIDFormat>

 

The <NameIDFormat> must be placed between the </KeyDescriptor> closing tag and the <SingleSignOnService> opening tag.

 

</md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</md:NameIDFormat>
<md:SingleSignOnService ... >

 

NOTE: The md: prefix is an XML namespace prefix. If your IDP metadata doesn’t use it, or uses a different one, you must remove or change it accordingly. The <NameIDFormat> opening and closing tags must use the same namespace prefix as the closing </KeyDescriptor> and opening <SingleSignOnService> elements.
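The placement and namespace rules above are easy to get wrong when pasting by hand, so here is an added example (written for this article, not Salesforce code) that checks an IDP metadata document for the "missing" and "wrong location" cases and, if needed, inserts the NameIDFormat entries immediately before the first SingleSignOnService using whatever prefix the document binds to the SAML metadata namespace (including the default, unprefixed namespace). It goes slightly beyond the text in that it also repairs misplaced entries, keeping their values, and leaves an already-correct document byte-for-byte untouched, because re-serialising signed metadata would invalidate its XML signature. The sample metadata, entity IDs and certificate body are constructed placeholders.

```python
"""Check and repair NameIDFormat placement in SAML 2.0 IDP metadata (added example, not Salesforce code)."""
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# The four values the article lists; the article says to add one of them, its own snippet shows all four.
NAMEID_FORMATS = [
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
]


def _md(local_name):
    """Clark-notation tag ({namespace}name) for an element in the metadata namespace."""
    return f"{{{MD_NS}}}{local_name}"


def detect_prefix(xml_text):
    """Return the prefix the document binds to the metadata namespace ('' means default namespace)."""
    pattern = r"xmlns(?::([A-Za-z_][\w.\-]*))?=" + "[\"']" + re.escape(MD_NS) + "[\"']"
    match = re.search(pattern, xml_text)
    if match is None:
        raise ValueError("no SAML 2.0 metadata namespace declaration found")
    return match.group(1) or ""


def _idp_descriptor(root):
    idp = root.find(f".//{_md('IDPSSODescriptor')}")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    return idp


def check_nameid_placement(xml_text):
    """Return (status, formats); status is 'ok', 'missing' or 'misplaced'."""
    idp = _idp_descriptor(ET.fromstring(xml_text))
    tags = [child.tag for child in idp]
    positions = [i for i, tag in enumerate(tags) if tag == _md("NameIDFormat")]
    formats = [(idp[i].text or "").strip() for i in positions]
    if not positions:
        return "missing", formats
    # Rule from the article: after the last </KeyDescriptor>, before the first <SingleSignOnService>.
    last_key = max((i for i, t in enumerate(tags) if t == _md("KeyDescriptor")), default=-1)
    first_sso = min((i for i, t in enumerate(tags) if t == _md("SingleSignOnService")), default=len(tags))
    placed_ok = all(last_key < i < first_sso for i in positions)
    return ("ok" if placed_ok else "misplaced"), formats


def ensure_nameid_format(xml_text, formats=NAMEID_FORMATS):
    """Return metadata with NameIDFormat correctly placed; the input unchanged if it already is."""
    status, existing = check_nameid_placement(xml_text)
    if status == "ok":
        return xml_text  # leave a correct document alone (re-serialising would break a metadata signature)
    # Serialise with the same prefix the IDP used, so the new tags match their neighbours.
    ET.register_namespace(detect_prefix(xml_text), MD_NS)
    ET.register_namespace("ds", DS_NS)
    root = ET.fromstring(xml_text)
    idp = _idp_descriptor(root)
    for child in list(idp):  # drop misplaced entries; their values are reinserted below
        if child.tag == _md("NameIDFormat"):
            idp.remove(child)
    sso_index = next((i for i, c in enumerate(idp) if c.tag == _md("SingleSignOnService")), None)
    if sso_index is None:
        raise ValueError("IDPSSODescriptor has no SingleSignOnService")
    for offset, value in enumerate(existing or formats):
        elem = ET.Element(_md("NameIDFormat"))
        elem.text = value
        elem.tail = "\n    "
        idp.insert(sso_index + offset, elem)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: IDP metadata with no NameIDFormat at all. The certificate body is a placeholder.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER_CERT_BASE64</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: NameIDFormat present but above KeyDescriptor, the "wrong location" error case.
MISPLACED_IDP_METADATA = SAMPLE_IDP_METADATA.replace(
    '<md:KeyDescriptor use="signing">',
    '<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>\n'
    '    <md:KeyDescriptor use="signing">',
)

if __name__ == "__main__":
    for label, doc in (("missing", SAMPLE_IDP_METADATA), ("misplaced", MISPLACED_IDP_METADATA)):
        print(label, "->", check_nameid_placement(doc)[0])
        print(ensure_nameid_format(doc))
```

Run it against the metadata file exported from your IDP before pasting it into Key Management; if the result is "ok" the document is returned untouched, otherwise the repaired text is what you paste. The check only looks at element order inside IDPSSODescriptor, which is the condition the Key Management error reports; it does not validate the full metadata schema.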

 

5. Save Key

 

Now click Save. If the key is accepted, a green banner appears confirming that the key was saved successfully. If an error occurs and you can’t resolve the issue, open a Support case.


 

6. Enable SSO Setting

 

After you have a green banner and a key in place, you must enable SSO for your MC account under Setup > Settings > Security > Security Settings > Edit > Single Sign-On Settings > Enable SSO by checking the setting and then selecting Save.

NOTE: SFMC requires MFA to be enabled on SSO connections by the 2022 deadline. We recommend introducing it earlier for a more secure experience.
 

NOTE: Certificate version may vary or there may be multiple versions listed. 

 

7. Configure User SSO Settings

 

The next step is to go to Setup > Users > Users, then click a user. Select the Enable SSO option and add the Federation ID that was configured on the IDP side. If the value is unknown, verify it with your IDP or IT team before continuing.


NOTE: A common situation after SSO enablement is that the end user attempting to log in can’t reset their password or log in via the mc.exacttarget.com URL. The username-and-password login route is ignored when SSO is enabled. This is working as designed: an SSO-enabled end user can only log in via the SP-initiated link provided under Setup > Settings > Security > Security Settings > Edit > Single Sign-On Settings > Marketing Cloud SP Initiated Link, or via an IDP-initiated connection started from a dashboard or another method. ALL mc.exacttarget.com requests are received but not processed for any user who has the SSO Enabled box checked. If a user is not SSO enabled, this issue doesn’t occur and they can request a password reset normally.


 

8. Test the SSO Configuration

Test the newly enabled SSO user, either in an incognito window or in a browser with a freshly cleared cache. If you receive an error, open a case with Support. If you log in without issue, you can go ahead and enable further SSO users.

Best Practice: Leave at least one admin user not on SSO so you can recover the account and log in to SFMC to correct any SSO configuration issue.

Knowledge Article Number

000388896

Salesforce Help | Article