Marketo, anyone? Skip to main content
https://support.okta.com/help/answers?id=906f0000000i04kias&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
William GregorianWilliam Gregorian 

Marketo, anyone?

Trying to integrate Marketo app, but running into issues. Has anyone else configured it successfully? 
Wils DawsonWils Dawson (Okta, Inc.)
Hi William,

What sorts of issues are you running into? Several orgs within Okta are integrating successfully.

Thanks,
Wils
William GregorianWilliam Gregorian
I haven't been able to successfully authenticate. It seems to always error 500 somewhere, and the instructions are somewhat cryptic to follow. For example, Name ID Format is using urn:oasis:names:tc:SAML:1.1:nameid-format:email

Is that even compatible since Okta supports SAML 2.0 only? I'm so confused...
Wils DawsonWils Dawson (Okta, Inc.)
Hi William,

The SAML:1.1 reference there is indicating a unique resource name (urn) of the name-id-format called "email". It's just refering to the unique name of that resource, which was defined in SAML 1.1, but it's used in SAML 2.0 as well, so no worries there. Have you seen this link from the Marketo docs? https://docs.marketo.com/display/public/DOCS/Add+Single+Sign-On+to+a+Portal

When setting up the Marketo app in Okta, make sure you've got the correct loginURL and the correct account ID fields set up in step 1 of adding the app, where the "Account ID" is your munchkin ID

Step 1 of Marketo app creation

Next, choose SAML 2.0 in step 2 and click the "View Setup Instructions" link shown below:
Step 2 of Marketo app creation

Once you click that, you'll be presented with generic instructions because Marketo is a community verified app. That's ok though, all the information we need is in there.

Following the "Update SAML Settings (https://docs.marketo.com/display/public/DOCS/Add+Single+Sign-On+to+a+Portal#AddSingleSign-OntoaPortal-UpdateSAMLSettings)" section of the Marketo documentation (screenshots not duplicated here), you'll need the "Issuer ID" and "Entity ID" from the Okta setup instructions page (which are the same value). Look for #2 "IDP Issuer/Entity ID" on the Okta setup instructions (should be bolded). Your value will be different than the one shown here, but to give you an idea of what to look for see below:

IDP Issuer/Entity ID

Next, select in Marketo that the Marketo "User ID Location" is in the Name Identifier element of the Subject.

In the Okta Setup Instructions, download the x.509 certificate (this is the IDP certificate needed for Marketo). Marketo specifies that they expect the cert in .crt, .der, or .cer extension, so just change the .cert to .crt and you should be good to go (not sure if that's needed, but better safe than sorry). Your download link will be different from the picture, but to give you an idea:
Okta IDP certificate download
Once the cert is downloaded, upload it to Marketo as they specify in their documentation.

If you want, you can set the logout redirect url to the url specified at the bottom of the Okta Setup Instructions (again your value will be different):
Logout URL

Now we should be done on the Marketo side. Back in Okta, make sure you select the correct user name format that your Marketo users are identified with (defaults to the Okta username, but may be different depending on how you are creating users in Marketo).

Finally, assign the to yourself, or someone who can test the integration and make sure it works.

If all that doesn't work, please reach out to Okta support and we'll try to make sure you're successful.

Good luck,
Wils
William GregorianWilliam Gregorian
Yup, followed the instructions as specified to no success. Unless I'm plugging-in the wrong values, I've done this correctly. 

User-added image

Issuer/Entity IDs are the same using the recommended value from the setup instructions. Uploaded the certificate from the downloads as well.
Topher WheelerTopher Wheeler
I am having the same problem, I keep getting an error:

Error processing SAML message. Request was ill-formed in some way.

My Marketo config looks the same as above, the Issuer and Entity ID are both the same and the Logout and Error URL are both our instances of Okta. I did hear from our support agent at Okta that without having anywhere in Marketo to add the IDP Metadata there was no way SAML would work.
Joe FahsJoe Fahs
I know this issue is several months old, but I was able to get Marketo to work by entering the MarketologinURL as teh default relay state on the SAML page. Everything else was the same as the Okta documentation.
Madison GouldMadison Gould
I know this is super old but worth a shot. Anyone else able to get this to work? I'm also getting Error processing SAML message. Request was ill-formed in some way. 
Dustin ShashoDustin Shasho

I am having the same problem @Joe when you say "MarketologinURL" what exactly do you mean?

 

Are you referring to the Marketo login same as this?

 Enter your login URL for SWA authentication. For example, if you log into
https://app-sj02.marketo.com/
OR

https://login.marketo.com/?

Vlad IvascuVlad Ivascu (Okta, Inc.)
If anyone is still encountering issues with SSO for Marketo, I would recommend clicking on the "View Setup Instructions" for SAML only after you have created the Marketo app in Okta afterwards update the settings in Marketo. If you are still encountering issues submit a ticket with Okta Support and they should be able to help.