
Marketing Cloud - Update Your Single Sign On (SSO) Login URL to Your Tenant’s Endpoint

Publish Date: Feb 15, 2025
Description

What is happening?

Salesforce is built from the ground up to protect your data and applications. As part of our ongoing commitment to customer trust and security, we recommend that integrations into Marketing Cloud use tenant-specific endpoints for improved stability and scalability.
 

What is a tenant-specific endpoint?

Marketing Cloud automatically assigns a unique, system-generated subdomain to each of its tenants. A tenant represents your top-level Enterprise account and its business units, your Core account, your top-level Agency account, or your Client account, depending on your tenant type. Your subdomain is represented by a 28-character string starting with the letters "mc". When your subdomain is appended to Marketing Cloud URLs, it creates endpoints that are unique to your tenant.
 

Who is impacted?

Customers utilizing a Single Sign On (SSO) login experience may be impacted.
 

How do I determine if my Single Sign On (SSO) login URL needs to be updated?

Your Single Sign On (SSO) login URL will need to be updated if one of the following endpoints is being used:
  • auth.s1.exacttarget.com
  • mc.login.exacttarget.com

Where can I find out more?


For updates, questions and resources, please follow the Marketing Cloud API Endpoint Updates group on the Salesforce Trailblazer community.

Resolution

How do I update my UI/Login SSO Endpoints to TSEs?


Steps:
  1. Log in to Salesforce Marketing Cloud with an admin account
  2. Navigate to Setup > Security > Settings > Security Settings > Single Sign-On Settings
  3. Click the Download Metadata button
This will open a new tab showing the Salesforce Marketing Cloud Service Provider Metadata.

This metadata is now configured to use Tenant Specific Endpoints (TSEs) instead of global endpoints. The Identity Provider (IDP) will need to be updated using this new metadata to ensure future connectivity using Single Sign-On. Your IDP is controlled by you, the client, and is typically not known to SFMC Support. A few common examples are Salesforce Identity, Shibboleth, PingFederate, or Active Directory Federation Services (ADFS).

The following URLs will need to be updated in the IDP configuration for Marketing Cloud SSO:

  • RequestInitiator Location
  • AssertionConsumerService (ACS)
  • SingleLogoutService Binding (SLO)

You will see two ACS lines in the metadata; they are in order of preference. The first one uses HTTP-POST and the second uses HTTP-Redirect.
They begin with <md:AssertionConsumerService Binding= in the SFMC SP metadata.
The md: is an XML namespace prefix and may or may not need to be used on the IDP side. This depends on the IDP being used.

The SLO links are also in order of preference, but Redirect is first and POST is second.
They begin with <md:SingleLogoutService Binding= in the Salesforce Marketing Cloud metadata.

If your IDP configuration contains an entry that is POST or REDIRECT, please ensure the corresponding line is updated there.

Appropriate values appear similar to:
https://mcgxprdh-mztqszm-8rqj090lpz0.login.exacttarget.com/Shibboleth.sso/SAML2/POST

That value would be for SAML2 POST.

Use the Marketing Cloud SP Initiated URL and verify that you can log in to Marketing Cloud with SSO. That link is located under Setup > Security > Settings > Security Settings > Single Sign-On Settings > SP Initiated link.

NOTE: If you use an IdP-initiated SSO, you can disregard this step.
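
The check below is an added example, not part of the original article or any Salesforce tooling: it reads a SAML metadata document (the SP metadata downloaded in step 3, or the copy your IDP currently holds) and reports whether each RequestInitiator, ACS and SLO location sits on a global host or a tenant-specific one. The sample XML, its entityID and the SLO path are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Global endpoints the article says must be replaced.
LEGACY_HOSTS = {"auth.s1.exacttarget.com", "mc.login.exacttarget.com"}
# Elements the article says must be updated in the IDP configuration.
ENDPOINT_ELEMENTS = {"RequestInitiator", "AssertionConsumerService", "SingleLogoutService"}

# Constructed sample: one stale SLO entry, one ACS entry using the article's example host.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example.invalid/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://mc.login.exacttarget.com/Shibboleth.sso/SLO/Redirect"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mcgxprdh-mztqszm-8rqj090lpz0.login.exacttarget.com/Shibboleth.sso/SAML2/POST"
        index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def classify_host(host):
    """Return 'legacy', 'tenant' or 'unknown' for an endpoint hostname."""
    host = (host or "").lower()
    if host in LEGACY_HOSTS:
        return "legacy"
    label = host.split(".", 1)[0]
    # Article: the subdomain is a 28-character string starting with "mc".
    if len(label) == 28 and label.startswith("mc"):
        return "tenant"
    return "unknown"

def audit_metadata(xml_text):
    """Return (element, binding, location, verdict) tuples in document order."""
    rows = []
    for el in ET.fromstring(xml_text).iter():
        local = el.tag.rsplit("}", 1)[-1]  # ignore the namespace (the md: prefix)
        loc = el.get("Location")
        if local in ENDPOINT_ELEMENTS and loc:
            binding = el.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-POST
            rows.append((local, binding, loc, classify_host(urlsplit(loc).hostname)))
    return rows

if __name__ == "__main__":
    for row in audit_metadata(SAMPLE):
        print(*row, sep="\t")
```

Any row marked `legacy` is an entry that still needs the tenant-specific value; `unknown` means the host matches neither pattern and should be checked by hand.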
Knowledge Article Number

000392837

 