Hi, I will describe the steps which I did.
If you still have problems you can contact me directly: ivo.hanbeukers@rockwool.com
In Marketo go to the SSO Settings
Enable SAML Single Sign-On
Issuer ID and Entity ID are the same in my configuration: http://sts.youradfsserver.com/adfs/services/trust
User ID Location: In Name identifier element of Subject
Name Id Format: urn:oasis:names:tc:SAML:1.1:nameid-format:email
Identity Provider Certificate: Upload your certificate from your ADFS server here.
Now go to your ADFS server and create a new Relying Party Trust
Enter the data about the relying party manually
Give it a name
Select all the default settings except for:
Configure URL
Select Enable support for the SAML 2.0 Web SSO protocol
Enter the URL: https://login.marketo.com/saml/assertion/Munchkin Account ID
You can find your Munchkin Account ID in Marketo under Integration -> Munchkin
On the next screen you have to enter the relying party trust identifier: http://saml.marketo.com/sp
On the claim rules window add a rule
Use the claim rule template: Send LDAP Attribute as Claims
Give it a name
Attribute store: Active Directory
LDAP Attribute = E-mail-address (This can be different for you depending on the login name you use in Marketo)
Outgoing Claim Type must be: Name ID
Good luck
Ivo Hanbeukers
Hi
We tried the same steps that you have mentioned above, but when we try to access the SAML Assertion URL mentioned below, we get the error:
"Error processing SAML message. Request was ill-formed in some way."
https://login.marketo.com/saml/assertion/Munchkin Account ID
Could you please help us resolve this and let us know the cause of this issue?
Hi,
We've been struggling with our SSO implementation as well and haven't had any support from Marketo. If someone can post the steps, that would be much appreciated!
Regards,
Patsy
Done, I added the steps
Good luck
Hi
I got it to work after struggling for 12 hours. I can help you if you still need help.
The documentation from Marketo is not very helpful.
Br.
Ivo Hanbeukers
Hi Ivo Hanbeukers,
We got the same error message "Error processing SAML message. Request was ill-formed in some way." when trying to use the URL https://login.marketo.com/saml/assertion/<my-munchkin-id>. Could you share how you made it work? Thank you very much!!!
Vivian
Hi Vivian
Check my guide in this post.
Br. Ivo
Hi Ivo,
Thank you very much!!! We will try to follow your steps. Thank you!
Vivian
You are welcome
Hi Ivo Hanbeukers,
We got the same error message "Error processing SAML message. Request was ill-formed in some way." again... and Marketo returned 400 bad request... But I can't figure out why it was a bad request. Did you encounter the issue before?
Here are our settings:
1. In Marketo SSO Settings
Enable SAML Single Sign-On
Issuer ID and Entity ID are the same: http://ouradfsserver.com/adfs/services/trust
User ID Location: In Name identifier element of Subject
Name Id Format: urn:oasis:names:tc:SAML:1.1:nameid-format:email
Identity Provider Certificate: the certificate from our ADFS server
2. In ADFS Server Setting
Enable support for the SAML 2.0 Web SSO protocol URL: https://login.marketo.com/saml/assertion/Munchkin Account ID
Relying party trust identifier: http://saml.marketo.com/sp
LDAP Attribute: we have tried using E-mail-address and user principal name
Outgoing Claim Type: Name ID
Thanks!
Vivian
Hi Vivian
When you go to users and Login in Marketo, there is a column: Login.
The value of this field must be sent with the outgoing Claim type.
In our case it is the e-mail address.
Br.
Ivo
Hi Ivo Hanbeukers,
Yes, we have the same login value with the outgoing Claim type.
We tried two scenarios, email address and user principal name, separately, but both of them didn't work.
Does Marketo take some time to make SSO work?
Thank you!
Vivian
No. When you configure it right, it will work immediately.
Br. Ivo
We have got it to work! Thanks for your detailed steps!
Super! Good work.
You are welcome
Ivo, I also haven't been able to make any progress with Marketo support on this and have basically just followed your instructions but seem to be stuck at "Error processing SAML message. Request was ill-formed in some way".
Any chance you have some advice? It would be much appreciated.
I followed Ivo's instructions and initially I was also still stuck at "Error processing SAML message. Request was ill-formed in some way".
For me, the additional step I had to do, to get it working, was to open the properties of the Marketo Relying Party Trust, go to the Advanced tab, and change the Secure hash algorithm to SHA-1. Using SHA-256 breaks it.
Thanks for your reply
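An added example, not part of any post in this thread: a Python check that compares a captured, base64-decoded SAML response against the settings the posters describe (assertion URL, relying party identifier, Issuer ID, Login value as Name ID, SHA-1 signature). The sample response, the Munchkin ID `000-AAA-000`, the host `sts.example.test` and the user are constructed placeholders, and the check is structural only.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SP_ENTITY_ID = "http://saml.marketo.com/sp"               # from the thread
ACS_PREFIX = "https://login.marketo.com/saml/assertion/"  # from the thread
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"   # "SHA-1" on the Advanced tab

# Constructed sample (placeholder IDs, host and user), as ADFS might emit it.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://login.marketo.com/saml/assertion/000-AAA-000">
 <saml:Issuer>http://sts.example.test/adfs/services/trust</saml:Issuer>
 <saml:Assertion>
  <saml:Issuer>http://sts.example.test/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>jane.doe</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>http://saml.marketo.com/sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, munchkin_id, issuer_id, marketo_login):
    """List the fields that differ from the thread's settings (no signature is verified)."""
    root = ET.fromstring(xml_text)
    text = lambda path: (root.findtext(path, default="", namespaces=NS) or "").strip()
    problems = []
    if root.get("Destination") != ACS_PREFIX + munchkin_id:
        problems.append("destination")          # Relying Party Trust endpoint URL
    if text("saml:Assertion/saml:Issuer") != issuer_id:
        problems.append("issuer")               # Issuer ID entered in Marketo
    if text(".//saml:Audience") != SP_ENTITY_ID:
        problems.append("audience")             # relying party trust identifier
    if text(".//saml:Subject/saml:NameID") != marketo_login:
        problems.append("name_id")              # must equal the Login column value
    sig = root.find(".//ds:SignatureMethod", NS)
    if sig is None or sig.get("Algorithm") != RSA_SHA1:
        problems.append("signature_algorithm")  # SHA-256 was reported to break it
    return problems

if __name__ == "__main__":
    print(check_response(SAMPLE, "000-AAA-000",
                         "http://sts.example.test/adfs/services/trust", "jane.doe@example.test"))
```
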