
Global Login Endpoints Retire May 1, 2025

Publish Date: Apr 21, 2025
Description

Global Login Endpoints for single sign-on (SSO) to Marketing Cloud Engagement are retiring on May 1, 2025. To continue using SSO, configure your identity provider to use tenant-specific endpoints (TSEs). The instructions and suggested best practices follow:

Step 1: Download Service Provider Metadata for SSO

  1. In Marketing Cloud Engagement Setup, in the Quick Find box, enter Security, and then select Security Settings.

  2. Next to SSO SAML Metadata, click Download Metadata.

  3. Save the metadata file to your computer.

Step 2: Configure the Single Sign-On URLs for your Identity Provider

The Assertion Consumer Service (ACS) or Single Sign-On URLs are the addresses that your Identity Provider sends login authentication requests to. You provide these URLs to your Identity Provider (IdP) when you configure SSO.

  1. Open the SSO SAML metadata file in a text editor.

  2. Find the two lines that begin with <md:AssertionConsumerService…>. One line is the HTTP Post URL, and the other is the HTTP Redirect URL. Copy the values of the Location elements in both lines.

  3. Configure your IdP to use these values for single sign-on, replacing the values that you previously used. For more information, see the documentation for your IdP.

Additional Best Practices Include: 

Configure the Single Logout URL for your Identity Provider

If your integration uses a single logout (SLO) page, you can get the appropriate URLs from the metadata file and apply them to your IdP configuration.

  1. In the SSO SAML metadata file, find the two lines that begin with <md:SingleLogoutService…>. One line is the HTTP Post URL, and the other is the Redirect URL. Copy the values of the Location elements.

  2. Update the configuration for your IdP to use these single logout URLs. For more information, see the documentation for your IdP.

Note: If your IdP uses the Single Logout Endpoint, follow these best practices. 

Configure a Request Initiation Endpoint for your Identity Provider

In rare cases, an SSO integration requires a request initiation endpoint. 

  1. In the SSO SAML metadata file, find the line that begins with <init:RequestInitiator…>. Copy the value of the Location element.

  2. Configure your IdP to use the tenant-specific request initiation URL.

Note: If your IdP needs the Request Initiator endpoint, follow these best practices.

Configure Service Provider Initiated Logins for your Identity Provider

Some SSO integrations require you to provide Service Provider-Initiated (SP-Init) endpoints.

  1. In Marketing Cloud Engagement Setup, enter Security in the Quick Find box, and then select Security Settings.

  2. In the Single Sign-On Settings section, copy the URL next to the Marketing Cloud SP Initiated Link.

  3. Configure your IdP to use the tenant-specific SP-Init URL.

Note: If you use SP-Initiated logins, follow these best practices.

Update the SAML Certificate for your Identity Provider

If your SSO integration uses Encrypted Assertions, or if your IdP validates signatures on AuthnRequests, you must provide your IdP with an updated certificate.

  1. In Marketing Cloud Engagement Setup, enter Security in the Quick Find box, and then select Security Settings.

  2. In the Single Sign-On Settings section, next to SSO SAML Certificate, click Download.

  3. Configure your IdP to use the new certificate.

Update the Signing Signature for your Identity Provider

If your IdP validates the algorithm used for the signed AuthnRequests, you must configure the IdP integration to use SHA256 signatures. For more information, see the documentation for your IdP.

Update the Service Provider Entity ID for your Identity Provider

If your SSO integration requires you to provide a Service Provider Entity ID, you can obtain a tenant-specific URL. The Service Provider Entity ID URL is sometimes known as the SP Issuer, Audience, or Audience Restriction URL. 

  1. In the SSO SAML metadata file, find the line that begins with <init:EntityDescriptor…>. Copy the value of the Location element.

  2. Configure your IdP to use the tenant-specific service provider entity ID URL.

 

Additional Fields to Check for Global Endpoint Usage

Identity providers often have optional fields that may also need to be updated if they are populated with global endpoints. Fields such as “Sign on URL”, “Start URL”, “Application URL”, or even “Relay State” could be misconfigured to use a global endpoint. In most cases these fields are not needed within the setup, but at the very least they will need to be updated to use the tenant’s TSE instead of a global endpoint.
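As an added example (not Salesforce tooling), this Python sketch reads the endpoint values described in the steps above out of a metadata file and lists IdP fields whose URL host does not match the metadata. The sample metadata, the `example.test` hosts and the IdP field values are constructed, and it assumes standard SAML 2.0 metadata in which the entity ID is the `entityID` attribute of `md:EntityDescriptor`.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "init": "urn:oasis:names:tc:SAML:profiles:SSO:request-init",
}

# Constructed sample shaped like SAML 2.0 SP metadata; all hosts are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://tenant-placeholder.sso.example.test/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
        Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
        Location="https://tenant-placeholder.sso.example.test/init"/>
    </md:Extensions>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://tenant-placeholder.sso.example.test/slo"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://tenant-placeholder.sso.example.test/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://tenant-placeholder.sso.example.test/acs" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://tenant-placeholder.sso.example.test/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def sp_endpoints(metadata_xml):
    """Return {(element name, binding suffix): URL}, including the entity ID."""
    root = ET.fromstring(metadata_xml)
    found = {("EntityDescriptor", "entityID"): root.get("entityID")}
    for tag in ("md:AssertionConsumerService", "md:SingleLogoutService",
                "init:RequestInitiator"):
        for el in root.iterfind(f".//{tag}", NS):
            binding = el.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-POST
            found[(tag.split(":")[1], binding)] = el.get("Location")
    return found

def not_tenant_specific(idp_fields, endpoints):
    """Names of IdP fields holding a URL whose host is not a host in the metadata."""
    hosts = {urlsplit(u).hostname for u in endpoints.values() if u}
    return sorted(name for name, value in idp_fields.items()
                  if (h := urlsplit(value or "").hostname) and h not in hosts)
```

Pass the contents of the downloaded metadata file to `sp_endpoints`, then give `not_tenant_specific` a dictionary of the URL fields copied from your IdP configuration; any field name it returns still points at a host other than the tenant-specific one.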

 

Resolution

Updated retirement date on May 1, 2025. 

Knowledge Article Number

002890895
