Marketing Cloud

Implement SSO in SFMC with Azure

Use Case:

This is a fairly standard use case: the client wants SSO set up between SFMC and Azure so that users no longer log in to SFMC with credentials. This post gives step-by-step instructions for completing the setup.

Salesforce Marketing Cloud – SSO Steps:-

  1. Go to SFMC Setup and click Settings -> Security settings.

  2. Scroll down the Security settings page until you see the Single Sign-on option.

  3. SSO SAML Metadata: Download Metadata file.

  4. Click to download the metadata file. When you click, a new tab opens.

  5. Save the file to a local directory with the .xml extension.

Salesforce Marketing Cloud – Azure SSO Implementation Setup:-

Azure Setup:-

  1. From your Azure Portal, select the Azure Active Directory service on the left navigation panel.

  2. Navigate to Enterprise Applications and then select All Applications.

  3. To add a new application, select New application.

  4. Click the Create Your Own Application button.

  5. Provide a meaningful name in the ‘What’s the name of your app?’ field

  6. Choose an option in the ‘What are you looking to do with your application?’ section.

  7. Click Create

Wait a few seconds while the app is added to your tenant. Within Azure Active Directory, a new third-party Enterprise Application is created to provide SSO with the Marketing Cloud.

  1. Once you select the Enterprise Application, you will need to select the Setup Single Sign-on Option.

  2. Choose SAML

  3. Then, from the SFMC side, navigate to Setup > Security Settings > SSO and click the Download Metadata button.

  4. Check the new browser tab or verify the file download; the file is typically called SFMCMetadata.xml. If it opens in a tab, right-click and save it as an XML document.

  5. Then, in the Azure Application you created earlier, click the Upload metadata file button.

  6. Click the file folder on the right

  7. Locate and select the file

  8. Click Open

  9. Then finally click Add

The file may take a few seconds to process; once complete, the basic SAML configuration is displayed.

Once it completes, select Save. Then download the Base64 signing certificate. It is found on the Single Sign-On page under “Point 3”, the same section as the Federation Metadata XML download (Federation Metadata XML > Download). The Federation Metadata XML is also used for pasting metadata.

Create Key for (Paste Metadata):-

After the SFMC Metadata has been applied, take the metadata from your IDP and input it into the Key Management section of SFDC. Within your Org, go to Setup > Administration > Data Management > Key Management. Click the Create button, then select SSO Metadata.

A <NameIDFormat> value is required in the IDP Metadata entered into the SFMC configuration. If you receive an error saying the <NameIDFormat> is missing or invalid, add one of the following lines to the metadata. If the <NameIDFormat> is in the wrong location, it will also produce an error.

Metadata.xml file: add this code after the last closing tag

</KeyDescriptor>

<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>

The <NameIDFormat> element must be placed between the </KeyDescriptor> closing tag and the <SingleSignOnService> opening tag. Also, remove this code from the last line:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/5**********************b14b27df46e1/saml2"/>

NOTE:- md: is an XML namespace prefix; if your IDP Metadata doesn’t use it, or uses a different one, you must remove or change it accordingly. The <NameIDFormat> opening and closing tags must use the same namespace prefix as the closing </KeyDescriptor> and opening <SingleSignOnService> elements.
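The metadata edit described above can be scripted so the element always lands in the right place. This is an added example, not code from the original post: the function name `prepare_idp_metadata` is hypothetical and the sample metadata is constructed with placeholder tenant and certificate values. Creating the new element in the SAML metadata namespace keeps its prefix consistent with the neighbouring elements, which is the point of the note above.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample IdP metadata (placeholder tenant and certificate, not real values).
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def prepare_idp_metadata(xml_text):
    """Return metadata with NameIDFormat placed after the last KeyDescriptor
    and before SingleSignOnService, and SingleLogoutService removed."""
    ET.register_namespace("", MD)    # serialise the metadata namespace as the default
    ET.register_namespace("ds", DS)  # keep the XML signature elements readable
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor in the SAML metadata namespace")
    # Drop SingleLogoutService, and any earlier NameIDFormat so reruns do not duplicate it.
    for tag in ("SingleLogoutService", "NameIDFormat"):
        for el in idp.findall(f"{{{MD}}}{tag}"):
            idp.remove(el)
    key_positions = [i for i, c in enumerate(idp) if c.tag == f"{{{MD}}}KeyDescriptor"]
    if not key_positions:
        raise ValueError("no KeyDescriptor to anchor NameIDFormat after")
    name_id = ET.Element(f"{{{MD}}}NameIDFormat")
    name_id.text = EMAIL_FORMAT
    idp.insert(key_positions[-1] + 1, name_id)  # directly after the last KeyDescriptor
    return ET.tostring(root, encoding="unicode")
```

Paste the returned string into the SFMC key's Paste Metadata field in place of the hand-edited file.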

Marketing Cloud Setup:-

Our Help Documentation on SSO can be found here. Everything needed is outlined on our help docs, but the below should hopefully supplement your configuration when specific to Azure.

Marketing Cloud SSO is enabled under Setup by a user that is a Marketing Cloud Administrator. Access the setup tab and then create a key under key management.

  1. From Key Management, click Create to create a new SSO Key.

  2. Select SSO Metadata.

  3. Provide a Name, such as Azure SSO Key (this can be anything meaningful).

  4. Choose the “Paste Metadata” option.

  5. Upload your IDP Certificate from Azure Active Directory. This is found under the Single Sign-On page under (Federation Metadata XML > Download) if you did not download this prior.

Note:-

Configuration

On Azure Side

  1. For any user in SFMC to use SSO, the user must be added to “Users and Groups” on the Enterprise application in Azure. Note that adding a user in Azure doesn’t allow SSO to work until the steps in SFMC are also done.

  2. Also, SFMC doesn’t support provisioning features from Azure i.e. a user must be manually created and allowed in SFMC to use for SSO.

On SFMC side

  1. Create a user in SFMC if not created already

  2. Edit the user to allow “Single Sign-on” on the user and add “Email Address” as federation ID

  3. Click on Save.

You can use the link provided by Azure, or the application (i.e. “CIT Marketing Cloud”), to sign in to SFMC automatically. Please note that SSO bypasses the SFMC MFA, so a code from the Authenticator app is not required; any MFA requirement therefore has to be enforced by Azure at sign-in.
