Changing your Single Sign On Certificate

Version 5

    Overview

    Marketo’s Single Sign On (SSO) feature lets your company use its own SSO service to authenticate logins to your Marketo instance. The initial SSO setup is covered in the documentation here.

     

    You may need to change your SSO authentication settings after the initial setup. This document shows you how to do so.

     

     

    SSO Authentication

    The Identity Provider (IdP) you use will provide your SSO authentication credentials and security certificate. Marketo uses this information to validate logins coming from your IdP, so the new values must be obtained from your IdP.

     

     

    Updating SSO Credentials

    Once you have retrieved the new security certificate, you can enter it into Marketo.

     

    1. Under Admin click on Single Sign-On.

     


    2. Select Edit in the SAML Settings.

     


    3. Enter your Issuer ID, Entity ID, select the User ID Location and click Browse.

     


    4. Select your Identity Provider Certificate file.

     


    5. Click Save.

     


    Tips

    There are a couple of things to watch out for when changing your SSO certificate. Here are a couple of tips to avoid trouble along the way.

     

     

    • SSO Only Login

    If your company uses SSO for login, you’ll have an optional setting to restrict login access to your Marketo instance to SSO logins only. This prevents users from logging in directly, forcing the use of SSO.

     

    You can check for this setting under Admin > Login Settings

     


    These settings do allow the creation of a special User Role that can bypass the SSO restriction. However, as people come and go within the company, the users assigned that User Role may no longer be available.

     

    TIP: Before changing your SSO certificate, create a new user utilizing this User Role that bypasses the SSO requirement. If something goes wrong while setting up the new certificate, you’ll be glad you have a back door into the Marketo instance!

     

     

     

    • Wait to disable the existing certificate

    Your IdP will issue a new certificate, but what if something goes wrong while entering the new information into Marketo?

     

    TIP: Get the new certificate and set it up in Marketo before you fully disable the existing certificate within your IdP on their side. If something happens to the new certificate, you’ll be glad you have the do-over available and can switch back to the existing certificate that still works!
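
    A pre-flight check to run on the new certificate file before selecting it in step 4, as an added example that is not part of the original document or of Marketo's tooling: it confirms the file from your IdP differs from the certificate currently in use, that the given time falls inside its validity window, and returns the SHA-256 fingerprint to compare with the value your IdP displays. It assumes one PEM certificate per file; all function names are hypothetical, and sample_pem builds a constructed, unsigned skeleton only so the code runs offline.

```python
import base64, hashlib
from datetime import datetime, timezone

def pem_to_der(pem):  # assumes a single PEM certificate in the file
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def tlv(buf, pos):  # read one DER element: (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:  # UTCTime has a 2-digit year; RFC 5280: >= 50 means 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(der):
    """Return (notBefore, notAfter) from an X.509 certificate in DER form."""
    _, cert, _ = tlv(der, 0)
    _, tbs, _ = tlv(cert, 0)
    tag, _, after_first = tlv(tbs, 0)
    pos = after_first if tag == 0xA0 else 0  # skip optional [0] version
    for _field in ("serialNumber", "signature", "issuer"):
        _, _, pos = tlv(tbs, pos)
    _, val, _ = tlv(tbs, pos)
    t1, not_before, nxt = tlv(val, 0)
    t2, not_after, _ = tlv(val, nxt)
    return parse_time(t1, not_before), parse_time(t2, not_after)

def preflight(current_pem, new_pem, now):
    """Return (SHA-256 fingerprint of the new cert, list of problems found)."""
    current, new = pem_to_der(current_pem), pem_to_der(new_pem)
    start, end = validity(new)
    checks = [(new == current, "new certificate is identical to the current one"),
              (now < start, "new certificate is not valid yet"),
              (now > end, "new certificate has expired")]
    return hashlib.sha256(new).hexdigest(), [msg for bad, msg in checks if bad]

def sample_pem(serial, start, end):  # constructed, unsigned skeleton for the demo only
    seq = lambda tag, body: bytes([tag, len(body)]) + body
    tbs = (seq(0xA0, b"\x02\x01\x02") + seq(0x02, bytes([serial])) + seq(0x30, b"")
           + seq(0x30, b"") + seq(0x30, seq(0x17, start) + seq(0x17, end)))
    b64 = base64.b64encode(seq(0x30, seq(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----"
```

    An empty problem list means the file is safe to upload; this check does not verify the certificate's signature or replace testing an SSO login before the old certificate is disabled at the IdP.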