ºÚÁϺ£½Ç91Èë¿Ú

Get Started: SAML Single Sign-on (SSO)

This Single Sign-On (SSO) workflow lets the JumpCloud-managed identity be asserted via the SAML protocol to an application. SAML configuration guides for each of the application service providers supported by JumpCloud can be found in the Integrations & Applications section of the JumpCloud Help Center. Find a specific SSO configuration guide by searching for an application's name in the search bar at the top of the page.

Using SSO Applications with JumpCloud

1 – Select an App

Select an application you want to connect with JumpCloud through SAML 2.0-based SSO.

You may see some applications in the list with a Beta flag. We're evaluating these connectors in various real-world environments so we can gather feedback to enhance their performance. 

You may see some applications with a JIT Provisioning label. This signals that you can provision users to that application using Just-In-Time Provisioning.

Some applications share a login with the services they provide. For example, the Atlassian connector provides SSO to JIRA, Confluence, and Bitbucket. When you search for any of these applications, the Atlassian connector shows up in the search results because that is the connector those applications share a login with.

Tip:

You can connect on-prem/legacy applications that use LDAP to JumpCloud's LDAP services. See Use Cloud LDAP.

Note:

If there isn't a connector for an application you want to connect to JumpCloud, you can use the generic SAML 2.0 connector to connect that app with JumpCloud.

2 – Configure Your App 

You can set various SAML configurations, with JumpCloud acting as the app's IdP, or identity provider. Each application connector has explicit instructions for establishing the connection. Refer to an application's SAML / SSO connection documentation for information on setting up that application to integrate with JumpCloud. See SSO Application Connector Fields for more information about JumpCloud's configuration options.

Metadata

You can export JumpCloud's IdP metadata and use it to populate the SAML settings on the service provider side.

To apply metadata for an application you're connecting, click Export Metadata. Note where the file is downloaded, then upload it to the service provider. If the service provider supports it, you can instead click Copy Metadata URL and paste the URL into the service provider's configuration page.

Important:

Be aware that if you upload more than one metadata file, you’ll overwrite the attribute values applied in the previously uploaded file.

3 – Connect Your App to a User Group 

After you connect the application to JumpCloud, you can connect it to user groups. Members of connected groups gain access to the application through SAML and see the application's icon under Applications in the User Portal. Many service provider applications also let users start the login from the application itself; in that case the user is redirected to JumpCloud for SAML authentication.

ºÚÁϺ£½Ç91Èë¿Ú uses the SAML 2.0 protocol as its method to assert identities with application service providers. ºÚÁϺ£½Ç91Èë¿Ú is considered the identity provider, or IdP. The application is considered the service provider, or SP.

Configuring Authentication from the Application Service Provider

The service provider (SP) typically publishes the SAML configuration parameters needed to set up SSO from a compatible IdP like JumpCloud.

(Image not reproduced here: the original page showed the SP-side parameters for setting up the Marketing Cloud for SAML SSO.)

Managing Employee Access to Applications

Users are implicitly denied access to all JumpCloud resources, including applications. JumpCloud admins must explicitly grant access to SSO applications through user groups.

To grant access to a user group

  1. Log in to the Admin Portal.
  2. If you haven't already created a user group, create one. See Get Started: User Groups.
  3. Go to User Authentication > SSO Applications.
  4. Click the SSO application.
  5. On the Application panel, click the User Groups tab.
  6. Select the user group, then click Save.

End User Experience

After you configure both the IdP and SP for SSO, employees can access the applications in two ways:

  • IdP-Initiated - Access from the JumpCloud User Portal
  • SP-Initiated - Access directly from the application

IdP-Initiated

For IdP-initiated SSO, users access an SP application from the JumpCloud User Portal.

User workflow for IdP initiated SSO

  1. Log in to the User Portal.
  2. Go to Applications.
  3. Click an application tile to launch the application. JumpCloud asserts the user's identity to the SP, and the user is signed in without having to log in to the application separately.

SP-Initiated

For SP-initiated SSO, users access an SP application from the SP application's login page.

Note:

SP-initiated SSO isn't supported by all SP applications.

User workflow for SP initiated SSO

  1. Go to the SP application's login page.
  2. Generally, there is either a special SSO link or an adaptive username field that detects that the user authenticates through SSO. This varies by SP.
  3. The login redirects the user to JumpCloud, where the user enters their JumpCloud credentials.
  4. After the user logs in successfully, they are redirected back to the SP and automatically logged in.
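To make the difference between the two flows concrete on the SP side, here is an added example (not JumpCloud's code, nor any SP's) of the checks a service provider must perform on the SAML Response in each case. An SP-initiated Response must carry an InResponseTo that matches an AuthnRequest the SP actually issued, and that ID must be consumed on first use; an IdP-initiated Response, launched from a User Portal tile, arrives unsolicited and can only be accepted if the SP allows that. All entity IDs, URLs, the fixed clock and the sample Response are constructed assumptions. XML signature verification is deliberately left to an XML-DSig library and is not implemented here; without it none of the checks below mean anything, because an attacker could simply write the Response themselves.

```python
"""SP-side handling of the two flows above (stdlib only). XML signature verification is NOT
implemented here; an XML-DSig library must verify the Response signature before any of this."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.org/saml/metadata"        # assumed SP entity ID
SP_ACS_URL = "https://sp.example.org/saml/acs"               # assumed Assertion Consumer Service URL
IDP_ENTITY_ID = "https://idp.example.com/saml2/example-app"  # assumed IdP entity ID
SKEW = timedelta(seconds=60)                                 # tolerated IdP/SP clock drift
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def make_sample_response(now, name_id, in_response_to=None, audience=SP_ENTITY_ID):
    """Constructed, UNSIGNED stand-in for the Response the IdP posts to the ACS (test data only)."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    exp = _ts(now + timedelta(minutes=5))
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r{uuid.uuid4().hex}" Version="2.0" '
            f'IssueInstant="{_ts(now)}" Destination="{SP_ACS_URL}"{irt}><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_ts(now)}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject><saml:NameID>{name_id}</saml:NameID>'
            f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData Recipient="{SP_ACS_URL}"{irt} NotOnOrAfter="{exp}"/>'
            f'</saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{_ts(now - timedelta(minutes=1))}" NotOnOrAfter="{exp}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion></samlp:Response>')

def validate_response(response_xml, now, pending_request_ids, allow_idp_initiated=True):
    """Checks the SP must still do after signature verification; returns the NameID or raises ValueError.
    pending_request_ids: the set of AuthnRequest IDs this SP issued and has not yet consumed."""
    resp = ET.fromstring(response_xml)
    if resp.tag != f"{{{SAMLP}}}Response" or resp.get("Destination") != SP_ACS_URL:
        raise ValueError("not a samlp:Response addressed to our ACS URL")
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, got {len(assertions)}")
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != IDP_ENTITY_ID:
        raise ValueError("Assertion issuer is not the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _parse_ts(nb) - SKEW) or (na and now >= _parse_ts(na) + SKEW):
        raise ValueError("Assertion outside its validity window")
    if SP_ENTITY_ID not in [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if x.text]:
        raise ValueError("Audience mismatch: assertion was issued for a different SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or now >= _parse_ts(scd.get("NotOnOrAfter")) + SKEW:
        raise ValueError("SubjectConfirmationData rejected (wrong Recipient or expired)")
    irt = resp.get("InResponseTo")
    if irt is None:                       # unsolicited Response: IdP-initiated (User Portal tile)
        if not allow_idp_initiated:
            raise ValueError("unsolicited Response but IdP-initiated SSO is disabled")
    elif irt not in pending_request_ids:
        raise ValueError("InResponseTo matches no outstanding AuthnRequest (replay or forgery)")
    else:
        pending_request_ids.discard(irt)  # each request ID is consumed exactly once
    return a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()

def rejects(response_xml, now, pending_request_ids, **kwargs):
    try:
        validate_response(response_xml, now, pending_request_ids, **kwargs)
        return False
    except ValueError:
        return True

def run_demo():
    """Both flows on constructed data; returns one outcome per scenario."""
    rid = "_" + uuid.uuid4().hex          # ID of the AuthnRequest the SP sent when it redirected the user
    pending = {rid}                       # SP-side state kept between the redirect and the Response
    good = make_sample_response(DEMO_NOW, "alice@example.com", in_response_to=rid)
    return {
        "sp_initiated": validate_response(good, DEMO_NOW, pending),
        "replay_rejected": rejects(good, DEMO_NOW, pending),  # rid was consumed by the line above
        "idp_initiated": validate_response(make_sample_response(DEMO_NOW, "bob@example.com"), DEMO_NOW, set()),
        "unsolicited_rejected": rejects(make_sample_response(DEMO_NOW, "bob@example.com"), DEMO_NOW, set(),
                                        allow_idp_initiated=False),
        "wrong_audience_rejected": rejects(make_sample_response(DEMO_NOW, "eve@example.com",
                                           audience="https://other.example.net/"), DEMO_NOW, set()),
        "expired_rejected": rejects(make_sample_response(DEMO_NOW, "bob@example.com"),
                                    DEMO_NOW + timedelta(minutes=10), set()),
    }

if __name__ == "__main__":
    print(run_demo())
```

The pending-request set is the SP's only defence against a captured SP-initiated Response being replayed, which is why the ID is discarded on first use; the Audience and Recipient checks stop an assertion issued for one SP from being presented to another. Whether to accept unsolicited Responses at all is the SP's decision, and it is exactly what separates the IdP-initiated flow from the SP-initiated one.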

Additional User Experience Considerations

  • JumpCloud's session timeout is independent of the SSO service providers' timeouts. When users of SSO applications experience a User Portal timeout (depending on session timeout settings), keep in mind:
    • The User Portal Session Duration configured in the Admin Portal is completely independent of the session the service provider keeps after a successful SAML login.
    • Some connectors support passing a Constant Attribute that dictates how long a session at the service provider lasts before it expires. An example is Amazon AWS's "SessionDuration".
  • A few connectors support SLO (Single Logout). This is not related to session timeouts; SLO is a configuration that sends the user to the JumpCloud User Portal when they log out of the service provider application.
  • JumpCloud users' email addresses are formatted in all lowercase, which may cause issues with SSO to legacy applications that have case-sensitive user names.
