Re: Issue with Marketo SSO implementation with Azure AD

Sumanth_KV · ‎09-05-2023

We are trying to implement SSO in Marketo using Azure AD. We have followed the Microsoft document in order to configure Azure AD SSO, and the SSO setup has been updated along with adding the identity provider certificate in Marketo. However, while we proceed to test the same, the Marketo user is not able to access it using the Azure-generated login URL (landing on an error page that says "AADSTS750054: SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding."), and if they try to access Marketo using the default URL, they get an error message that says incorrect username/password. It's possible that I might be missing some crucial step from my side, so I'm looking forward to any guidance.

URL's that we have shared with Azure team are:
Identifier: https://saml.marketo.com/sp/<munchkin_id>

Reply URL: https://login.marketo.com/saml/assertion/<munchkinid>

Relay State: https://<munchkinid>.marketo.com/

SSO settings that we have updated in Marketo are:
Issuer ID: https://sts.windows.net/SomeRandomCode

Entity ID: https://saml.marketo.com/sp/<munchkin_id>

Redirect Pages:
Login URL: https://login.microsoftonline.com/SomeRandomCode/saml2

Logout URL: https://login.microsoftonline.com/SomeRandomCode/saml2

Darshil_Shah1 · ‎09-05-2023

This error message means that the Azure AD login URL is not passing the SAML request or response as query string parameters. This can happen if the URL is not configured correctly or if the application is not using HTTP redirect binding when sending the SAML request to Azure AD.

Here are a few things to check:

Make sure that the Azure AD login URL is correct. You can find the correct URL in the Azure AD application registration for Marketo.
Make sure that the application is using HTTP redirect binding when sending the SAML request to Azure AD. This can be configured in the application's SAML configuration.
If you are still getting the error, you can try clearing the browser's cache and cookies.

If you have checked all of these things and you are still getting the error, you can contact Azure AD support for help.

Here are some additional things to keep in mind when configuring SSO between Marketo and Azure AD:

The Entity ID in Marketo must match the Identifier in Azure AD.
Reply URL text box, type a URL using the following pattern: https://login.marketo.com/saml/assertion/<munchkinid>
In the Relay State text box, type a URL using the following pattern: https://<munchkinid>.marketo.com/

I hope this helps! Let us know if you have any other questions.

View solution in original post

Darshil_Shah1 · ‎09-05-2023

This error message means that the Azure AD login URL is not passing the SAML request or response as query string parameters. This can happen if the URL is not configured correctly or if the application is not using HTTP redirect binding when sending the SAML request to Azure AD.

Here are a few things to check:

Make sure that the Azure AD login URL is correct. You can find the correct URL in the Azure AD application registration for Marketo.
Make sure that the application is using HTTP redirect binding when sending the SAML request to Azure AD. This can be configured in the application's SAML configuration.
If you are still getting the error, you can try clearing the browser's cache and cookies.

If you have checked all of these things and you are still getting the error, you can contact Azure AD support for help.

Here are some additional things to keep in mind when configuring SSO between Marketo and Azure AD:

The Entity ID in Marketo must match the Identifier in Azure AD.
Reply URL text box, type a URL using the following pattern: https://login.marketo.com/saml/assertion/<munchkinid>
In the Relay State text box, type a URL using the following pattern: https://<munchkinid>.marketo.com/

I hope this helps! Let us know if you have any other questions.

Sumanth_KV · ‎09-06-2023

Thanks for your response with detailed pointers. I have cross checked, and as you have pointed out, the Azure AD login URL was incorrect. I have found a correct one from the Azure AD application.

While I confirm that the Entity ID in Marketo is correct and matches the Identifier in Azure AD, I'm a little confused with your last two points regarding the Reply URL and Relay State. This is not something that we update within Marketo, isn't it? I would appreciate it if you could please elaborate on this.

Additionally, although we now have the correct login URL, we are facing a different error that says "Error processing SAML message. Request was ill-formed in some way". I have found a post regarding the same issue (though it's for Okta SSO), and I have reached out to Adobe support as suggested in the post: https://nation.marketo.com/t5/product-discussions/marketo-and-okta-sso/m-p/331372#M187119

Besides, could you please provide any other suggestions to help resolve this issue?

Darshil_Shah1 · ‎09-06-2023

You're right, we update the Reply and Relay state URLs in Azure's Basic SAML Configuration section. What I meant is that you should have added the correct Munchkin ID of your instance in both URLs; I also updated the last 2 pointers to be clearer. Additionally, the error message "Error processing SAML message. Request was ill-formed in some way" means that the SAML message that was sent to Azure AD was not valid. This can happen if there is an error in the SAML configuration, or if the SAML message was tampered with (typically indicates an issue with the formatting or structure of the SAML message). Let us know what Adobe comes back with. Also, just to verify, I hope you downloaded the Base64 Certification and uploaded it to Marketo > Identity Provider Certificate.

Sumanth_KV · ‎09-06-2023

Thanks for the clarification. I confirm that we have added the correct Reply and Relay State URLs. Also, I have added the Base64 certification within Marketo. As far as the error message, I have gotten a response from Adobe Support asking me to check for the SAML assertion. I will again coordinate with our internal team to make sure they have configured SAML properly and will keep you informed.

Darshil_Shah1 · ‎09-07-2023

Thank you for posting an update here, @Sumanth_KV! Yeah, this error most likely has to do with an issue with the SAML assertion/configuration. Let us know what your time finds out. 🙂

Sumanth_KV · ‎09-12-2023

I would like to confirm that this issue has been resolved now and is working fine. I believe it was because of a small error in the Microsoft document wherein as per the document, the identifier URL in the Azure application should start with https://," which is incorrect. This has to be http://," which should match with the entity ID of Marketo (which is correct in the Microsoft document). Thanks, @Darshil_Shah1 for your pointer ("The Entity ID in Marketo must match the Identifier in Azure AD"), which helped us make a minor adjustment. Here is how we have updated now:

Identifier in Azure AD: http://saml.marketo.com/sp/<munchkin_id>
Entity ID in Marketo: http://saml.marketo.com/sp/<munchkin_id>

Darshil_Shah1 · ‎09-13-2023

Thank you so much for posting an update here on the thread, @Sumanth_KV! Great to know that you were able to fix this, and of course, you're very welcome! Happy to be of help. 🙂