Configuration Guides

Configuring SAML SSO with Marketo and PingOne

Learn how to enable Marketo sign-on from PingOne (IdP-initiated sign-on).

Before you begin

  • Link PingOne to an identity repository containing the users requiring application access.

  • Populate Marketo with at least one user to test access.

  • Gather your Munchkin Account ID.

  • You must have administrative access to PingOne and an admin account on Marketo.

Add the Marketo Application to PingOne

  1. In PingOne, go to Connections → Applications and click the + icon.

    Screen capture of PingOne Applications page.

  2. When you’re prompted to select an application type, select WEB APP and then click Configure next to SAML for the chosen connection type.

  3. Enter Marketo as the application name.

  4. Enter a suitable description.

  5. Optional: Upload an icon.

  6. Click Next.

  7. For Provide App Metadata, select Enter Manually.

  8. For ACS URLS, enter https://login.marketo.com/saml/assertion/your-Munchkin-account-ID.

  9. For EntityID enter https://login.marketo.com/saml/your-Munchkin-account-ID.

  10. Choose the Signing Key to use and then click Download Signing Certificate to download as X509 PEM (.crt).

  11. Leave SLO Endpoint and SLO Response Endpoint blank.

  12. In the Subject NameID Format list, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

  13. Enter a suitable value for Assertion Validity Duration (in seconds). A value of 300 seconds is typical.

  14. Click Save and Continue.

  15. Marketo expects an email address to identify a user in the SSO security assertion:

    • If you use an email address to sign on through PingOne, click Save and Close.

    • If you sign on with a username, in the PingOne User Attribute list, select Email Address to map that to the SAML_SUBJECT, then click Save and Close.

  16. Click the toggle to enable the application.

  17. On the Configuration tab of the newly-created Marketo application, copy and save the IDP Metadata URL value.

    You’ll need this when configuring SAML on Marketo.

    Screen capture of PingOne Connection Details section.

Enable SAML SSO with Marketo

  1. Sign on to the Marketo console as an administrator.

  2. Select Admin in the toolbar.

  3. Select Other Stuff in the left navigation pane.

  4. Select Single Sign-On.

    If you don’t see Single Sign-On, contact support@marketo.com to enable SAML for your account.

  5. Select Edit next to SAML Settings.

  6. For the Issuer ID, enter the value you entered for the IdP Entity ID in PingOne.

  7. For the Entity ID, enter the value you entered for the IdP Entity ID in PingOne.

  8. For the User ID Location, click the In Name identifier element of Subject.

  9. Click Browse next to Identity Provider Certificate and upload your public certificate.

  10. Click Save.

Test the PingOne IdP integration

  1. Go to the PingOne Application Portal and sign on with a user account.

    In the Admin console, go to Dashboard → Environment Properties to find the PingOne Application Portal URL.

  2. Click the Marketo icon.

    You’re redirected to the Marketo website and signed on with SSO.