Salesforce Marketing Cloud - OKTA SSO Implementation

OKTA SETUP

Refer to OKTA for SSO configuration steps in the OKTA IDP for the latest information.

1. Log in to OKTA and enter the Admin Screen
2. Click the Applications accordion
3. Click Applications 
4. Click Add Application
5. Search for Salesforce Marketing Cloud
6. Hit Add
7. Name the application
8. Choose your Application Visibility options
9. Click Next
10. Click the SAML 2.0 Radio button
11. Select the View Setup Instruction Button

*NOTE:* For any help with OKTA, reach out to the OKTA Support team.

Copy the IDP metadata from OKTA and save it for Step 6 in the next section. Paste it into a plain text editor (Notepad or TextEdit) rather than a rich text editor (Word) to ensure no extra characters get added.

MARKETING CLOUD SETUP

Our Help Documentation on SSO can be found here. Everything needed is outlined within our help docs, but the below should hopefully supplement your configuration when specific to OKTA. 

Create a Key within Setup

Marketing Cloud SSO is enabled under Setup by a user that is a Marketing Cloud Administrator. You would access the setup tab and then create a key under key management. 

1. Login into Salesforce Marketing Cloud with an Admin Account
2. Go to Setup > Data Management > Key Management
3. From Key Management, click Create to create a new SSO Key.
4. Select SSO Metadata
5. Provide a Name, such as "OKTA SSO Key."
6. Choose the XML Paste option
7. Paste the XML collected from OKTA into the XML field. 
8. Click save

Note: If you cannot see key management, then please verify you have access to it with an MC admin or open a support case

You should see a green banner; if you don’t, please proceed to troubleshoot and open a support case as needed if you cannot resolve the issue.

1. Next, Navigate to Set up 
2. Expand Users and select Users
3. Find a user that would like to have SSO enabled
4. Click the user's name to take you to their settings
5. You should see a section for "Single Sign-On Settings."
6. Edit the page and check the box "Allow Single Sign-On."
7. Federation ID must match that of the user in OKTA.
8. Add the Federation ID to the box.
9. Hit save

Note: For Okta, the Federation ID is the Okta username by default, and it typically is an email address or in the form of an email address.

COMPLETE and TEST

Locate the IDP initiated tile on the OKTA dashboard if using IDP initiated SSO OR the SP initiated link under Setup > Security > Security Settings > SSO > SP initiated link and provide that to your end-user.

After the Key is created, and OKTA is properly configured along with your users, you can now enable the feature for a test user in the Marketing Cloud.