Marketo’s Single Sign-On (SSO) feature lets you authenticate logins to your Marketo instance through your company’s own SSO service. The initial setup of SSO is covered in the documentation here.
You may need to change your SSO authentication settings after the initial setup. This document walks through that process.
The Identity Provider (IdP) you use supplies your SSO authentication credentials and security certificate. Marketo uses this information to validate logins coming from your IdP, so you must obtain these values from the IdP itself.
Updating SSO Credentials
Once you have retrieved the new security certificate, you can enter it into Marketo.
1. Under Admin, click Single Sign-On.
2. Select Edit in the SAML Settings.
3. Enter your Issuer ID and Entity ID, select the User ID Location, and click Browse.
4. Select your Identity Provider Certificate file.
5. Click Save.
There are a couple of things to watch out for when changing your SSO certificate. Here are a couple of tips to avoid trouble along the way.
SSO Only Login
If your company uses SSO for login, you’ll have an optional setting to restrict login access to your Marketo instance to SSO logins only. This prevents users from logging in directly, forcing the use of SSO.
You can check for this setting under Admin > Login Settings.
These settings do allow the creation of a special User Role that can bypass the SSO restriction. However, as people come and go within the company, the users assigned that User Role may no longer be available.
TIP: Before changing your SSO certificate, create a new user utilizing this User Role that bypasses the SSO requirement. If something goes wrong while setting up the new certificate, you’ll be glad you have a back door into the Marketo instance!
Wait to disable the existing certificate
Your IdP will issue a new certificate, but what if something goes wrong while entering the new information into Marketo?
TIP: Get the new certificate and set it up in Marketo before you fully disable the existing certificate on the IdP side. If something happens to the new certificate, you’ll be glad you have the do-over available and can switch back to the existing certificate that still works!