Page created: 22 Dec 2021 | Page updated: 23 Dec 2021
Learn how to enable Marketo sign on from PingOne (IdP-initiated sign on).
- Link PingOne to an identity repository containing the users requiring application access.
- Populate Marketo with at least one user to test access.
- Gather your Munchkin Account ID.
- You must have administrative access to PingOne and an admin account on Marketo.
Add the Marketo Application to PingOne:
In PingOne, go to and click the + icon.
- When you’re prompted to select an application type, select WEB APP and then click Configure next to SAML for the chosen connection type.
- Enter Marketo as the application name.
- Enter a suitable description.
- Optional: Upload an icon.
- Click Next.
- For Provide App Metadata, select Enter Manually.
- For ACS URLS, enter https://login.marketo.com/saml/assertion/<Your Munchkin Account ID>.
- For EntityID, enter https://login.marketo.com/saml/<Your Munchkin Account ID>.
- Choose the Signing Key to use and then click Download Signing Certificate to download as X509 PEM (.crt).
- Leave SLO Endpoint and SLO Response Endpoint blank.
- In the Subject NameID Format list, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
- Enter a suitable value for Assertion Validity Duration (in seconds). A value of 300 seconds is typical.
- Click Save and Continue.
Marketo expects an email address to identify a user in the SSO security
- If you use an email address to sign on through PingOne, click Save and Close.
- If you sign on with a username, in the PingOne User Attribute list, select Email Address to map that to the SAML_SUBJECT, then click Save and Close.
- Click the toggle to enable the application.
- On the Configuration tab of the newly-created Marketo application, copy and save the IDP Metadata URL value.
You’ll need this when configuring SAML on Marketo.
Enable SAML SSO with Marketo:
- Sign on to the Marketo console as an administrator.
- Select Admin in the toolbar.
- Select Other Stuff in the left navigation pane.
- Select Single Sign-On.
If you don't see Single Sign-On, contact email@example.com to enable SAML for your account.
- Select Edit next to SAML Settings.
- For the Issuer ID, enter the value you entered for the IdP Entity ID in PingOne.
- For the Entity ID, enter the value you entered for the IdP Entity ID in PingOne.
- For the User ID Location, click the In Name identifier element of Subject.
- Click Browse next to Identity Provider Certificate and upload your public certificate.
- Click Save.
Test the PingOne IdP
- Go to the PingOne Application Portal and sign on with a user account.
To find the PingOne Application Portal URL, go to the Admin console.
- Click the Marketo icon.
You're redirected to the Marketo website and signed on with SSO.
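To confirm that the assertion PingOne issues during this test carries the values configured above, you can decode a captured assertion and compare it field by field. The following is an added example, not code from Ping Identity or Marketo: the Munchkin Account ID `123-ABC-456`, the sample assertion, and the names `check_assertion` and `_ts` are constructed for illustration, and signature verification is out of scope.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
MUNCHKIN_ID = "123-ABC-456"  # constructed placeholder, not a real account
ACS_URL = f"https://login.marketo.com/saml/assertion/{MUNCHKIN_ID}"
ENTITY_ID = f"https://login.marketo.com/saml/{MUNCHKIN_ID}"
MAX_VALIDITY_SECONDS = 300  # the Assertion Validity Duration set in PingOne

# Constructed, unsigned sample; a real assertion from PingOne also carries a signature.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed" Version="2.0" IssueInstant="2021-12-23T10:00:00.000Z">
  <saml:Subject>
    <saml:NameID Format="{EMAIL_FORMAT}">user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2021-12-23T10:05:00.000Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2021-12-23T10:00:00.000Z" NotOnOrAfter="2021-12-23T10:05:00.000Z">
    <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # SAML times are UTC

def check_assertion(xml_text, acs_url=ACS_URL, entity_id=ENTITY_ID):
    """Compare a decoded <saml:Assertion> with the configured values; [] means all match."""
    root = ET.fromstring(xml_text)  # only parse captures from your own test sign-on
    findings = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID format is not emailAddress")
    elif "@" not in (name_id.text or ""):
        findings.append("NameID value is not an email address")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        findings.append("Recipient does not match the ACS URL")
    if entity_id not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        findings.append("Audience does not contain the Entity ID")
    cond = root.find("saml:Conditions", NS)
    end = cond.get("NotOnOrAfter") if cond is not None else None
    issued = root.get("IssueInstant")
    # Assumption: validity is measured from IssueInstant to Conditions NotOnOrAfter.
    if not end or not issued:
        findings.append("IssueInstant or Conditions NotOnOrAfter is missing")
    elif (_ts(end) - _ts(issued)).total_seconds() > MAX_VALIDITY_SECONDS:
        findings.append(f"validity window exceeds {MAX_VALIDITY_SECONDS}s")
    return findings
```

A non-empty result names the setting to revisit in the PingOne application configuration, such as the Subject NameID Format or the Assertion Validity Duration.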