Marketo

Marketo SAML SSO is configured in the Admin area under Single Sign-On. Marketo supports IdP-initiated SSO only for legacy subscriptions.

Marketo subscriptions that have been onboarded to Adobe Identity Management System (Adobe IMS) configure SSO at the organization level through the Adobe Admin Console rather than through the Marketo Admin area. Confirm which identity management path your Marketo subscription uses before proceeding.

For legacy Marketo subscriptions, the fixed SP values are:

Entity ID 

http://saml.marketo.com/sp (note: HTTP not HTTPS)

ACS URL

https://login.marketo.com/saml/assertion/[munchkin-id], where the Munchkin ID is found in the Marketo Admin under Integration → Munchkin.

Prerequisites

• Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.

• Marketo Engage administrator access: Admin rights to the Marketo Admin area, including access to Integration → Single Sign-On.

• Munchkin Account ID: Available in Marketo Admin → Integration → Munchkin. Required for constructing the ACS URL.

• Adobe IMS status confirmed: Check whether your Marketo subscription is on Adobe Identity or legacy Marketo identity. For Adobe IMS subscriptions, use the Adobe Admin Console path instead.

• 1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.

Configuration values

Values to collect from 1Kosmos AdminX (IdP) for Marketo:

Fixed Marketo SP values to enter in AdminX (legacy subscriptions):

Integration steps

Step 1: Find your Marketo Munchkin ID

• Log in to Marketo as an administrator and navigate to Admin → Integration → Munchkin. Note your Munchkin Account ID (a string in the format XXX-ABC-XXX).

Step 2: Add Marketo as a SAML application in AdminX

• Log in to the AdminX portal and navigate to Applications → Add Application.

• Select SAML 2.0 Generic and click Add integration. Enter "Marketo" as the Application Name and https://login.marketo.com as the Application Access URL.

• Set NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and NameID Value to email. Add a claim for email. Enable Assertion signing.

• Enter http://saml.marketo.com/sp/[munchkin-id] as the SP Entity ID and https://login.marketo.com/saml/assertion/[munchkin-id] as the ACS URL, replacing [munchkin-id] with your actual Munchkin ID. Click Save.

Step 3: Configure SSO in Marketo Admin

• In Marketo, navigate to Admin → Integration → Single Sign-On.

• Under SAML Settings, click Edit.

• Set SAML Single Sign-On to Enabled.

• In the Issuer ID field, enter the 1Kosmos IdP Entity ID.

• In the Entity ID field, enter http://saml.marketo.com/sp (this is the SP audience value sent to 1Kosmos).

• Set User ID Location to Name identifier element of Subject.

• Upload the 1Kosmos X.509 signing certificate using the Browse button. Click Save.

• Under Redirect Pages, configure the Logout URL and Error URL as needed.

Step 4: Test the integration

• Since Marketo (legacy) supports IdP-initiated SSO only, access Marketo through your 1Kosmos application portal or by using the IdP-initiated login URL from AdminX.

• Authenticate biometrically using the 1Kosmos mobile app and confirm you are logged in to Marketo.

Attribute mappings

Integration notes

The Marketo SP Entity ID uses HTTP (not HTTPS) as the URL scheme. This is intentional and required by Marketo. Using HTTPS will cause the SAML assertion to fail validation.

For subscriptions on Adobe Identity Management System, SSO is configured at the Adobe organization level in the Adobe Admin Console under Identity → Directories → SAML-based ID.

The full procedure for Adobe IMS SSO differs from the legacy Marketo path; contact Adobe or Marketo support for guidance on the Adobe Admin Console SSO setup.