Okta Classic Engine | Single Sign-On | Answered | 2024-04-30T09:18:25.000Z | 2016-03-18T19:38:17.000Z | 2018-04-23T16:26:37.000Z
  • Wils (Okta, Inc.)

    Hi William,

     

    What sorts of issues are you running into? Several orgs within Okta are integrating successfully.

     

    Thanks,

    Wils
  • j5v7c (j5v7c)

    I haven't been able to successfully authenticate. It seems to always error 500 somewhere, and the instructions are somewhat cryptic to follow. For example, Name ID Format is using urn:oasis:names:tc:SAML:1.1:nameid-format:email

     

    Is that even compatible since Okta supports SAML 2.0 only? I'm so confused...
  • Wils (Okta, Inc.)

    Hi William,

     

    The SAML:1.1 reference there is indicating a unique resource name (urn) of the name-id-format called "email". It's just referring to the unique name of that resource, which was defined in SAML 1.1, but it's used in SAML 2.0 as well, so no worries there. Have you seen this link from the Marketo docs? https://docs.marketo.com/display/public/DOCS/Add+Single+Sign-On+to+a+Portal

     

    When setting up the Marketo app in Okta, make sure you've got the correct loginURL and the correct account ID fields set up in step 1 of adding the app, where the "Account ID" is your munchkin ID.

     


     

    Next, choose SAML 2.0 in step 2 and click the "View Setup Instructions" link shown below:


     

    Once you click that, you'll be presented with generic instructions because Marketo is a community verified app. That's ok though, all the information we need is in there.

     

    Following the "Update SAML Settings (https://docs.marketo.com/display/public/DOCS/Add+Single+Sign-On+to+a+Portal#AddSingleSign-OntoaPortal-UpdateSAMLSettings)" section of the Marketo documentation (screenshots not duplicated here), you'll need the "Issuer ID" and "Entity ID" from the Okta setup instructions page (which are the same value). Look for #2 "IDP Issuer/Entity ID" on the Okta setup instructions (should be bolded). Your value will be different than the one shown here, but to give you an idea of what to look for see below:

     


     

    Next, select in Marketo that the Marketo "User ID Location" is in the Name Identifier element of the Subject.

     

    In the Okta Setup Instructions, download the x.509 certificate (this is the IDP certificate needed for Marketo). Marketo specifies that they expect the cert in .crt, .der, or .cer extension, so just change the .cert to .crt and you should be good to go (not sure if that's needed, but better safe than sorry). Your download link will be different from the picture, but to give you an idea:


    Once the cert is downloaded, upload it to Marketo as they specify in their documentation.

     

    If you want, you can set the logout redirect url to the url specified at the bottom of the Okta Setup Instructions (again your value will be different):


     

    Now we should be done on the Marketo side. Back in Okta, make sure you select the correct user name format that your Marketo users are identified with (defaults to the Okta username, but may be different depending on how you are creating users in Marketo).

     

    Finally, assign the app to yourself, or someone who can test the integration and make sure it works.

     

    If all that doesn't work, please reach out to Okta support and we'll try to make sure you're successful.

     

    Good luck,

    Wils
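For debugging the setup described in the post above, this added example (not part of the original thread, and not Okta's or Marketo's code) decodes a captured `SAMLResponse` and compares it with what was entered on the service-provider side: the Issuer ID, the user ID in the Subject's NameID, the NameID format, and the username. The sample response, issuer URL and user are constructed; the format constant is the full identifier from the SAML specification, `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# "SAML:1.1" is only part of the identifier's name; SAML 2.0 messages carry it.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def check_response(b64_response, expected_issuer, sp_user_ids):
    """List mismatches between a SAMLResponse and the SP-side settings.

    Diagnostic only: the XML signature is NOT verified here.
    """
    xml_bytes = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml_bytes:  # refuse DTDs (entity-expansion risk)
        raise ValueError("DTD not allowed in a SAML message")
    root = ET.fromstring(xml_bytes)
    problems = []
    if root.tag != "{%s}Response" % NS["samlp"] or root.get("Version") != "2.0":
        problems.append("not a SAML 2.0 Response")
    issuer = root.findtext("saml:Assertion/saml:Issuer", default="", namespaces=NS)
    if issuer.strip() != expected_issuer:
        problems.append("Issuer %r does not match the configured Issuer ID" % issuer)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("no NameID in Subject (the configured User ID Location)")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID Format is %r" % name_id.get("Format"))
        if name_id.text.strip() not in sp_user_ids:
            problems.append("NameID %r is not a known SP user" % name_id.text)
    return problems


# Constructed sample; issuer and user are placeholders, not real tenant values.
SAMPLE_ISSUER = "http://idp.example.com/issuer-placeholder"
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" Version="2.0" ID="_r1">'
    '<saml:Assertion Version="2.0" ID="_a1"><saml:Issuer>%s</saml:Issuer>'
    '<saml:Subject><saml:NameID Format="%s">user@example.com</saml:NameID>'
    '</saml:Subject></saml:Assertion></samlp:Response>'
    % (NS["samlp"], NS["saml"], SAMPLE_ISSUER, EMAIL_FORMAT)
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode())

if __name__ == "__main__":
    print(check_response(SAMPLE_B64, SAMPLE_ISSUER, {"user@example.com"}) or "OK")
```
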
  • j5v7c (j5v7c)

    Yup, followed the instructions as specified to no success. Unless I'm plugging-in the wrong values, I've done this correctly. 

     


     

    Issuer/Entity IDs are the same using the recommended value from the setup instructions. Uploaded the certificate from the downloads as well.
  • 5sdw6 (5sdw6)

    I am having the same problem, I keep getting an error:

     

    Error processing SAML message. Request was ill-formed in some way.

     

    My Marketo config looks the same as above, the Issuer and Entity ID are both the same and the Logout and Error URL are both our instances of Okta. I did hear from our support agent at Okta that without having anywhere in Marketo to add the IDP Metadata there was no way SAML would work.
  • dzwvd (dzwvd)

    I know this issue is several months old, but I was able to get Marketo to work by entering the MarketologinURL as the default relay state on the SAML page. Everything else was the same as the Okta documentation.
  • I know this is super old but worth a shot. Anyone else able to get this to work? I'm also getting Error processing SAML message. Request was ill-formed in some way. 
  • DustinS.93778 (Customer)

    I am having the same problem. @Joe, when you say "MarketologinURL", what exactly do you mean?

     

     

     

    Are you referring to the Marketo login same as this?

     

     Enter your login URL for SWA authentication. For example, if you log into

    https://app-sj02.marketo.com/

    OR

    https://login.marketo.com/?

  • If anyone is still encountering issues with SSO for Marketo, I would recommend clicking on the "View Setup Instructions" for SAML only after you have created the Marketo app in Okta; afterwards, update the settings in Marketo. If you are still encountering issues, submit a ticket with Okta Support and they should be able to help.

This question is closed.
