Issue with Marketo SSO implementation with Azure AD
New Participant
September 5, 2023
Solved

We are trying to implement SSO in Marketo using Azure AD. We have followed the Microsoft document in order to configure Azure AD SSO, and the SSO setup has been updated along with adding the identity provider certificate in Marketo. However, while we proceed to test the same, the Marketo user is not able to access it using the Azure-generated login URL (landing on an error page that says "AADSTS750054: SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding."), and if they try to access Marketo using the default URL, they get an error message that says incorrect username/password. It's possible that I might be missing some crucial step from my side, so I'm looking forward to any guidance.

URLs that we have shared with the Azure team are:
Identifier: saml.marketo.com/sp/<munchkin_id>
Reply URL: login.marketo.com/saml/assertion/<munchkinid>
Relay State: <munchkinid>.marketo.com/

SSO settings that we have updated in Marketo are:
Issuer ID: sts.windows.net/SomeRandomCode
Entity ID: saml.marketo.com/sp/<munchkin_id>

Redirect Pages:
Login URL: https://login.microsoftonline.com/SomeRandomCode/saml2
Logout URL: https://login.microsoftonline.com/SomeRandomCode/saml2

Darshil_Shah1 (Accepted solution)
Community Manager
September 6, 2023
This error message means that the Azure AD login URL is not passing the SAML request or response as query string parameters. This can happen if the URL is not configured correctly or if the application is not using HTTP redirect binding when sending the SAML request to Azure AD.

Here are a few things to check:

  • Make sure that the Azure AD login URL is correct. You can find the correct URL in the Azure AD application registration for Marketo.
  • Make sure that the application is using HTTP redirect binding when sending the SAML request to Azure AD. This can be configured in the application's SAML configuration.
  • If you are still getting the error, you can try clearing the browser's cache and cookies.

If you have checked all of these things and you are still getting the error, you can contact Azure AD support for help.

Here are some additional things to keep in mind when configuring SSO between Marketo and Azure AD:

  • The Entity ID in Marketo must match the Identifier in Azure AD.
  • In the Reply URL text box, type a URL using the following pattern: login.marketo.com/saml/assertion/<munchkinid>
  • In the Relay State text box, type a URL using the following pattern: https://<munchkinid>.marketo.com/

I hope this helps! Let us know if you have any other questions.
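
Added example (not part of the thread, and not Marketo's or Microsoft's code): a small diagnostic that inspects a sign-in URL captured from the browser, reports the AADSTS750054 case where the `/saml2` endpoint is opened with no `SAMLRequest`, and otherwise decodes the HTTP-Redirect payload to compare its Issuer with the configured Entity ID. The tenant ID, Munchkin ID and the AuthnRequest itself are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample values (placeholders, not from a real tenant or instance).
IDP_SSO_URL = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"
ENTITY_ID = "saml.marketo.com/sp/123-ABC-456"

def build_redirect_url(issuer, sso_url=IDP_SSO_URL):
    """Build a sample SP-initiated sign-in URL using the HTTP-Redirect binding."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
           f'Version="2.0" IssueInstant="2023-09-06T00:00:00Z" Destination="{sso_url}">'
           f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    packed = deflater.compress(xml.encode()) + deflater.flush()
    # urlencode percent-encodes the base64 text ('+', '/', '=') for the query string
    return sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(packed).decode()})

def inspect_sso_url(url, expected_entity_id=ENTITY_ID):
    """Return a list of findings for a sign-in URL captured from the browser."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if "SAMLRequest" not in query:
        if "SAMLResponse" in query:
            return []  # a response on the query string; not examined here
        return ["AADSTS750054 case: no SAMLRequest or SAMLResponse in the query string"]
    try:
        raw = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15)
        # For untrusted input, parse with defusedxml instead of ElementTree.
        root = ET.fromstring(raw)
    except (ValueError, zlib.error, ET.ParseError):
        return ["SAMLRequest is not base64 + raw DEFLATE XML (ill-formed message)"]
    findings = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_entity_id:
        findings.append(f"Issuer {issuer!r} does not match Entity ID {expected_entity_id!r}")
    endpoint = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if root.get("Destination") not in (None, endpoint):
        findings.append(f"Destination {root.get('Destination')!r} is not {endpoint!r}")
    return findings

if __name__ == "__main__":
    samples = (IDP_SSO_URL, build_redirect_url(ENTITY_ID),
               build_redirect_url("saml.marketo.com/sp/WRONG"))
    for candidate in samples:
        print(inspect_sso_url(candidate) or "ok")
```
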

New Participant
September 6, 2023

Thanks for your response with detailed pointers. I have cross checked, and as you have pointed out, the Azure AD login URL was incorrect. I have found a correct one from the Azure AD application.

While I confirm that the Entity ID in Marketo is correct and matches the Identifier in Azure AD, I'm a little confused with your last two points regarding the Reply URL and Relay State. This is not something that we update within Marketo, is it? I would appreciate it if you could please elaborate on this.

Additionally, although we now have the correct login URL, we are facing a different error that says "Error processing SAML message. Request was ill-formed in some way". I have found a post regarding the same issue (though it's for Okta SSO), and I have reached out to Adobe support as suggested in the post: https://nation.marketo.com/t5/product-discussions/marketo-and-okta-sso/m-p/331372#M187119

Besides, could you please provide any other suggestions to help resolve this issue?

Darshil_Shah1
Community Manager
September 6, 2023

You're right, we update the Reply and Relay State URLs in Azure's Basic SAML Configuration section. What I meant is that you should have added the correct Munchkin ID of your instance in both URLs; I also updated the last 2 pointers to be clearer.

Additionally, the error message "Error processing SAML message. Request was ill-formed in some way" means that the SAML message that was sent to Azure AD was not valid. This can happen if there is an error in the SAML configuration, or if the SAML message was tampered with (typically indicates an issue with the formatting or structure of the SAML message).

Let us know what Adobe comes back with. Also, just to verify, I hope you downloaded the Base64 Certification and uploaded it to Marketo > Identity Provider Certificate.