          Single Sign-On Identity Provider Support


          Marketing Cloud Engagement supports identity providers that use the Security Assertion Markup Language (SAML) 2.0 specification, such as Salesforce Identity, Shibboleth, PingFederate, and Active Directory Federation Services (AD FS). The identity provider must trust Engagement as a service provider, sometimes called a relying party.

          Metadata Document

          Download the metadata document under Security Settings in the Administration section of your Engagement account.

          Engagement accepts and generates SHA1 and SHA256 signed requests, depending on your configuration. To use SHA256, you must have a tenant-specific endpoint, as opposed to a global endpoint.

          The metadata document describes a service provider to an identity provider. It includes the endpoint addresses for communication, the X.509 certificates used to encrypt and sign SAML assertions, and a list of supported SAML bindings.

          SAML Bindings

          Marketing Cloud Engagement supports the HTTP POST and HTTP Artifact bindings.

          Name Identifier

          Configure the identity provider to provide a unique identifier for Engagement users. The <NameID> tag in the <Response> SAML assertions sent to Engagement must include the unique identifier. This unique identifier represents the shared identifier between the identity provider and Engagement. Common values include the user’s email address or login name. Use a <NameIDFormat> tag to specify the format of the <NameID> tag in the metadata of the identity provider and in the <Response> requests sent during login. Engagement supports four name ID formats.

          • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
          • urn:oasis:names:tc:SAML:2.0:nameid-format:entity
          • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
          • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

          Key Descriptors

          A key descriptor defines which keys to use to encrypt and sign SAML assertions. Engagement requires that all SAML assertions are signed using an X.509 certificate. The key is defined in metadata documents with the tag <KeyDescriptor>.

           