Setting Up Marketo SSO with Okta

No ratings

Issue Description
You are trying to configure Marketo and Okta for SSO, but encounter errors.

Issue Resolution

1. Log in to Okta and go to the admin section.

2. Click "add applications" then "create new app" (Do not use the community sourced Marketo app)

3. For platform select "web" and for signon method select "SAML 2.0"

4. Name the app "Marketo" (or any name you prefer) and upload the Marketo logo you would like to see displayed on the login tile, then click next

5. In "SAML Setttings" for the Single sign on URL you will want:

https://login.marketo.com/saml/assertion/<YOURMUNCHKINHERE>

. For the Audience URI you will want:

http://saml.marketo.com/sp

Default Relay State can be left blank. For Name ID format select "email" or "emailAddress" and for application username you will want to select email (Be sure that your Okta user email matches what is in the login field for your Marketo user within Admin > Users & Roles). Leave attribute statements unused.

6. Select finish and you should be brought to a page where you can select either "view setup instructions or identity provider metadata".

7. One of those links mentioned in the last step will take you to a page where you can retrieve the issuer ID which will be put in the Marketo settings (under both Issuer ID and Entity ID) as well as the certificate you will need to download and then upload into your Marketo SSO configuration.

8. Once you have set the issuer id, entity id, and certificate as described above, confirm that your Marketo User ID Location is set to Subject and then enable SSO. When you hit "save" in the SAML settings window in Marketo, the popup may not close, but your settings are retained and the window can be closed (if you would like to confirm it was saved, you can reload the page and will see the new saved settings)

9. When you first setup SSO it is preferable to have all the SSO users available to confirm there are no issues with a particular user in an otherwise operational SSO configuration. However, if SSO works for one user, then the overall configuration is set correctly.

Disclaimer: Marketo Support does not support 3rd party products, and cannot configure an SSO Identity Provider on your behalf.

This document exists to aid users in configuring SSO, however, no guarantees are made that these setup steps will work.


Who This Solution Applies To
Okta Users, SSO users

Comments

Great!

We are looking to add Marketo to SSO on our Okta (right now its a bookmark).

I have a question regarding SSO with API users, will this affect API logins if we turn on our Marketo SSO with Okta?

I'm concerned that the SSO with Okta works well for actual Marketo users but fails for API users for our MarTech stack.

Any insight will be helpful.

Marketo has the ability to bypass SSO by role. The bypass SSO option is only available when you have completed the SSO configuration and checked the "require SSO" option under login settings > Edit security settings > Advanced. Once the above configuration is completed, you can then create custom roles ( for non SSO users) or make changes to the existing roles.