Configuring SAML SSO with Marketo and PingFederate

Learn how to enable Marketo sign-on from PingFederate (IdP-initiated sign-on).

Before you begin

Configure PingFederate to authenticate against an identity provider (IdP) or datastore containing the users requiring application access.
Populate Marketo with at least one user to test access.
You must have administrative access to PingFederate.

Sign on to PingFederate.
Configure using Browser SSO profile SAML 2.0.
Set Partner’s Entity ID to https://www.marketo.com/SAML/your-Munchkin-account-ID.
Enable the IDP-initiated SSO SAML Profile.

Marketo does not currently support SP-initiated SSO.
In Assertion Creation: Authentication Source Mapping: Attribute Contract Fulfillment, map the SAML_SUBJECT to your email attribute.
In Protocol Settings: Assertion Consumer Service URL, set Binding to POST and set Endpoint URL to https://login.marketo.com/saml/assertion/your-Munchkin-account-ID.
In Protocol Settings: Allowable SAML Bindings, enable POST.
In Credentials: Digital Signature Settings, select the PingFederate Signing Certificate and download it.

Sign on to the Marketo console as an administrator.
Select Admin in the toolbar.
Select Other Stuff in the left navigation pane.
Select Single Sign-On.

If you don’t see Single Sign-On, contact support@marketo.com to enable SAML for your account.
Next to SAML Settings, select Edit.
For the Issuer ID, enter the value you entered for the IdP Entity ID in PingFederate.
For the Entity ID, enter the value you entered for the IdP Entity ID in PingFederate.
For the User ID Location, click the In Name identifier element of Subject.
Click Browse next to Identity Provider Certificate and upload your public certificate.
Click Save.