We are trying to implement SSO in Marketo using Azure AD. We have followed the Microsoft document in order to configure Azure AD SSO, and the SSO setup has been updated along with adding the identity provider certificate in Marketo. However, while we proceed to test the same, the Marketo user is not able to access it using the Azure-generated login URL (landing on an error page that says "AADSTS750054: SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding."), and if they try to access Marketo using the default URL, they get an error message that says incorrect username/password. It's possible that I might be missing some crucial step from my side, so I'm looking forward to any guidance.
URL's that we have shared with Azure team are:
Relay State: https://<munchkinid>.marketo.com/
SSO settings that we have updated in Marketo are:
Issuer ID: https://sts.windows.net/SomeRandomCode
Entity ID: https://saml.marketo.com/sp/<munchkin_id>
Login URL: https://login.microsoftonline.com/SomeRandomCode/saml2
Here are a few things to check:
If you have checked all of these things and you are still getting the error, you can contact Azure AD support for help.
Here are some additional things to keep in mind when configuring SSO between Marketo and Azure AD:
I hope this helps! Let us know if you have any other questions.
Thanks for your response with detailed pointers. I have cross checked, and as you have pointed out, the Azure AD login URL was incorrect. I have found a correct one from the Azure AD application.
While I confirm that the Entity ID in Marketo is correct and matches the Identifier in Azure AD, I'm a little confused with your last two points regarding the Reply URL and Relay State. This is not something that we update within Marketo, isn't it? I would appreciate it if you could please elaborate on this.
Additionally, although we now have the correct login URL, we are facing a different error that says "Error processing SAML message. Request was ill-formed in some way". I have found a post regarding the same issue (though it's for Okta SSO), and I have reached out to Adobe support as suggested in the post: https://nation.marketo.com/t5/product-discussions/marketo-and-okta-sso/m-p/331372#M187119
Besides, could you please provide any other suggestions to help resolve this issue?
You're right, we update the Reply and Relay state URLs in Azure's Basic SAML Configuration section. What I meant is that you should have added the correct Munchkin ID of your instance in both URLs; I also updated the last 2 pointers to be clearer. Additionally, the error message "Error processing SAML message. Request was ill-formed in some way" means that the SAML message that was sent to Azure AD was not valid. This can happen if there is an error in the SAML configuration, or if the SAML message was tampered with (typically indicates an issue with the formatting or structure of the SAML message). Let us know what Adobe comes back with. Also, just to verify, I hope you downloaded the Base64 Certification and uploaded it to Marketo > Identity Provider Certificate.
Thanks for the clarification. I confirm that we have added the correct Reply and Relay State URLs. Also, I have added the Base64 certification within Marketo. As far as the error message, I have gotten a response from Adobe Support asking me to check for the SAML assertion. I will again coordinate with our internal team to make sure they have configured SAML properly and will keep you informed.
Thank you for posting an update here, @Sumanth_KV! Yeah, this error most likely has to do with an issue with the SAML assertion/configuration. Let us know what your time finds out. 🙂
I would like to confirm that this issue has been resolved now and is working fine. I believe it was because of a small error in the Microsoft document wherein as per the document, the identifier URL in the Azure application should start with https://," which is incorrect. This has to be http://," which should match with the entity ID of Marketo (which is correct in the Microsoft document). Thanks, @Darshil_Shah1 for your pointer ("The Entity ID in Marketo must match the Identifier in Azure AD"), which helped us make a minor adjustment. Here is how we have updated now:
Thank you so much for posting an update here on the thread, @Sumanth_KV! Great to know that you were able to fix this, and of course, you're very welcome! Happy to be of help. 🙂