This document contains conceptual, procedural, and scenario information about enabling Single Sign-On authentication for your Salesforce Marketing Cloud account. You can enable a third-party identity provider to authenticate your users to both your internal systems and your Salesforce Marketing Cloud application. Currently, you can enable a single SAML key per Salesforce Marketing Cloud account.

Note that this document covers only the steps related to integrating your existing system and third-party identity provider with the Single Sign-On feature offered by the Salesforce Marketing Cloud. You remain responsible for enabling and maintaining your own system and acquiring the third-party identity provider for use with Single Sign-On.


You must provision your own third-party identity provider for use with this feature before you can enable Single Sign-On for your account. You must also have Single Sign-On enabled in your account. Please contact your Salesforce Marketing Cloud relationship manager for more information on enabling this feature.

The Salesforce Marketing Cloud also recommends configuring an administrative user in your account for use in changing or maintaining your Single Sign-On configuration information. Such changes become necessary when you change your internal system information or acquire a new security certificate. Follow the recommended configuration steps to create this user in advance, and use it for all configuration changes and maintenance. Performing this step helps to ensure that you experience no interruption in your Single Sign-On implementation.


Northern Trail Outfitters wants its internal users to use a single authentication source to access their email and network services, the third-party applications in its infrastructure, the Salesforce Marketing Cloud application, and other SaaS products. To accomplish this, Northern Trail Outfitters implements a single identity provider that authenticates every individual who wishes to access these services, and configures its Salesforce Marketing Cloud account to trust and use this identity provider as the authentication source for its users. Once the configuration is enabled, Northern Trail Outfitters users can use a single means of authentication to access both their internal systems and the Northern Trail Outfitters Salesforce Marketing Cloud account.

What Is Single Sign-On Authentication via SAML 2.0

Security Assertion Markup Language (SAML) permits system administrators to engage a third-party identity provider to grant users access to multiple systems. In this case, the Salesforce Marketing Cloud permits you to configure your account to accept authentications performed by your chosen identity provider as the basis for access to your Salesforce Marketing Cloud account. Enabling this integration requires you to enter the appropriate configuration information from the identity provider in your Salesforce Marketing Cloud account, and requires the identity provider to be configured to trust the Salesforce Marketing Cloud product. Together, these two configurations establish the trust between the identity provider and the Salesforce Marketing Cloud product.

Once the configuration is complete, the identity provider authenticates the user, and the user then receives access to the Salesforce Marketing Cloud product using the SAML 2.0 protocol. The figure below demonstrates that protocol using the HTTP POST binding:



Once the process above is completed, the Salesforce Marketing Cloud application provides access to the appropriate account and permissions.

Note that your configuration must also support single logout, where a single logout request ends the user's session at the identity provider and at every connected service provider. Ensure that your identity provider supports single logout when you implement your authentication procedures.

How to Enable Single Sign-On Authentication Via SAML

The Salesforce Marketing Cloud must enable this feature for use in your account. Please contact your Salesforce Marketing Cloud relationship manager for more information.

Implementing the Identity Provider

The Salesforce Marketing Cloud supports identity providers that utilize the SAML 2.0 specification, such as Shibboleth, PingFederate, and Active Directory Federation Services (ADFS). The configuration for the identity provider must trust the Salesforce Marketing Cloud product as a service provider (sometimes called a "relying party"). Most commonly, you accomplish this task by importing an XML-based metadata document. You can find the metadata document for the Salesforce Marketing Cloud at

The Salesforce Marketing Cloud requires SAML 2.0 for Single Sign-On authentication. SAML 1.1 is not supported.

The metadata document describes a service provider to an identity provider, including the following elements:

  • The endpoint addresses for communication
  • The X.509 certificates used to sign and encrypt SAML assertions
  • The SAML bindings supported by the service provider

Alternatively, some identity providers allow you to configure these settings manually. For the Salesforce Marketing Cloud, the metadata describes the following elements:

  • Audience (expected inside the AudienceRestriction tag of the SAML assertion):
  • Service Provider Identifier (Relying Party Identifier):
  • SAML Assertion Consumer Endpoints:
    • HTTP POST:
    • HTTP Artifact:
  • SAML Logout Endpoints:
    • HTTP POST:
    • HTTP Artifact:
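The following Python is an added example, not Salesforce code: it parses a service-provider metadata document and pulls out exactly the values listed above that an identity provider administrator would otherwise type in by hand (relying party identifier, assertion consumer and logout endpoints per binding, accepted NameID formats, and the signing certificate). The metadata it reads is constructed for the example; its entityID, endpoint URLs and certificate text are placeholders, not the Salesforce Marketing Cloud's real values, which you take from the metadata document referenced above.

```python
# Added example, not Salesforce code.  The metadata below is constructed: the entityID,
# endpoint URLs and certificate text are placeholders, not real Marketing Cloud values.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING_NAMES = {  # SAML 2.0 binding URIs and the names this page uses for them
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact": "HTTP Artifact",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP Redirect",
}

SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.invalid/saml">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBplaceholderSigningCertificateBase64==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/logout/post"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.invalid/saml/logout/artifact"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs/post"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.invalid/saml/acs/artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _endpoints(sp, tag):
    """Map each binding (by the name this page uses) to the Location of one endpoint type."""
    return {BINDING_NAMES.get(e.get("Binding"), e.get("Binding")): e.get("Location")
            for e in sp.findall(f"md:{tag}", NS)}


def describe_sp(metadata_xml):
    """Return the values an IdP administrator enters when configuring the relying party by hand."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 metadata EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata does not describe a service provider")
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        body = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS) or ""
        certs[kd.get("use", "signing and encryption")] = "".join(body.split())  # no 'use' = both
    return {
        "relying_party_id": root.get("entityID"),  # normally also the expected Audience value
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
        "name_id_formats": [f.text.strip() for f in sp.findall("md:NameIDFormat", NS)],
        "assertion_consumer_endpoints": _endpoints(sp, "AssertionConsumerService"),
        "logout_endpoints": _endpoints(sp, "SingleLogoutService"),
        "certificates": certs,
    }
```

When you configure the identity provider manually, compare its relying-party settings field by field against the dictionary this returns for the real metadata document; a mismatch in the assertion consumer Location or the relying party identifier is the usual cause of the "incorrect SAML assertion" error discussed later on this page.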

SAML Bindings

The Salesforce Marketing Cloud supports the HTTP POST and HTTP Artifact bindings.

Relay State

The Salesforce Marketing Cloud also supports both identity provider-initiated and service provider-initiated login. For identity provider-initiated logins, you must include a defined relay state. The relay state identifies the target application the user wishes to access; with the HTTP POST binding it travels as the RelayState form parameter posted to the Salesforce Marketing Cloud alongside the SAMLResponse parameter that carries the <Response> message. Use the following relay state value:

  • Salesforce Marketing Cloud:

Name Identifier

The identity provider must be configured to define a unique identifier for each user who will use the Salesforce Marketing Cloud. The <NameID> tag in the SAML assertions within the <Response> messages sent to the Salesforce Marketing Cloud must carry this unique identifier, which is the identifier shared between the identity provider and the Salesforce Marketing Cloud. The identifier can be any string value; common choices are the user's email address or login name at the identity provider. You must specify the format of the <NameID> tag both in the identity provider's metadata (through a <NameIDFormat> tag) and in the <Response> messages sent on login. The Salesforce Marketing Cloud supports the following name ID formats:

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  • urn:oasis:names:tc:SAML:2.0:nameid-format:entity
  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Key Descriptors

Key descriptors define the keys used to sign and encrypt SAML assertions. The Salesforce Marketing Cloud requires that every SAML assertion be signed with the private key corresponding to an X.509 certificate that the identity provider publishes. In metadata documents, this is defined with the <KeyDescriptor> tag, whose use attribute states whether the certificate is for signing or for encryption (a descriptor without a use attribute applies to both).
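The checks a service provider applies to an incoming login, covering the Audience, Relay State, Name Identifier and Key Descriptor requirements of the sections above, as an added example rather than Salesforce's own code. The assertion consumer URL, audience, issuer, RelayState value, allowed authentication-context classes and the Federation ID table are constructed placeholders, and the sample <Response> is unsigned test data with a stub <ds:Signature>: the code only checks that a signature element is present. Verifying that signature cryptographically against the certificate in the identity provider's <KeyDescriptor> is the job of an XML-DSig library such as xmlsec, which this example does not replace.

```python
# Added example, not Salesforce code.  SP_CONFIG, USERS and the Response template are constructed
# placeholders and <ds:Signature> is a stub: these checks are structural, and the signature must
# still be verified by an XML-DSig library (e.g. xmlsec) before the assertion is trusted.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SUPPORTED_NAMEID_FORMATS = {  # the five formats listed on this page
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}
SP_CONFIG = {  # what this service provider expects (constructed placeholders)
    "acs_url": "https://sp.example.invalid/saml/acs/post",
    "audience": "https://sp.example.invalid/saml",
    "idp_entity_id": "https://idp.example.invalid/idp",
    "relay_state": "sp-app",  # the fixed value an IdP-initiated login must carry
    "authn_contexts": {PPT, "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"},
}
USERS = {"jdoe@example.invalid": ["jdoe"],  # Federation ID -> user account(s), constructed
         "ops@example.invalid": ["ops_bu1", "ops_bu2"]}

RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2015-09-02T10:00:00Z" Destination="{dest}"{irt}>
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-09-02T10:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><!-- stub: a real assertion carries an XML-DSig here --></ds:Signature>
    <saml:Subject><saml:NameID Format="{fmt}">{nameid}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2015-09-02T09:59:00Z" NotOnOrAfter="2015-09-02T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2015-09-02T09:59:30Z"><saml:AuthnContext>
      <saml:AuthnContextClassRef>{ctx}</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion></samlp:Response>"""


def make_post_form(nameid, fmt, relay_state="sp-app", in_response_to=None,
                   aud=SP_CONFIG["audience"], ctx=PPT):
    """Build the form body an IdP posts to the ACS (constructed, unsigned test data)."""
    xml = RESPONSE_TEMPLATE.format(
        dest=SP_CONFIG["acs_url"], issuer=SP_CONFIG["idp_entity_id"], fmt=fmt, nameid=nameid,
        aud=aud, ctx=ctx, irt=f' InResponseTo="{in_response_to}"' if in_response_to else "")
    form = {"SAMLResponse": base64.b64encode(xml.encode()).decode()}
    if relay_state is not None:
        form["RelayState"] = relay_state  # its own form field, not part of the XML
    return form


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_post_login(form, config=SP_CONFIG, users=USERS, now=_ts("2015-09-02T10:01:00Z")):
    """Check a posted Response against this page's requirements.  Returns {'errors', 'users',
    'idp_initiated'}; more than one entry in 'users' means the user must pick an account."""
    try:  # production code should parse with defusedxml to resist entity-expansion attacks
        root = ET.fromstring(base64.b64decode(form.get("SAMLResponse", "")))
    except (ValueError, ET.ParseError):
        root = None
    if root is None or root.tag != f"{{{NS['samlp']}}}Response":
        return {"errors": ["SAMLResponse is not a base64-encoded samlp:Response"], "users": [], "idp_initiated": False}
    idp_initiated = root.get("InResponseTo") is None  # unsolicited response = IdP-initiated
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # extra assertions are a classic signature-wrapping red flag
        return {"errors": ["expected exactly one saml:Assertion"], "users": [], "idp_initiated": idp_initiated}
    a = assertions[0]
    cond = a.find("saml:Conditions", NS)
    try:
        in_window = _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))
    except (AttributeError, TypeError, ValueError):
        in_window = False
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    nameid = a.find("saml:Subject/saml:NameID", NS)
    matched = users.get((nameid.text or "").strip(), []) if nameid is not None else []
    checks = [  # (requirement violated?, message for the administrator)
        (idp_initiated and form.get("RelayState") != config["relay_state"],
         "IdP-initiated login without the required RelayState"),
        (root.get("Destination") != config["acs_url"], "Destination is not this assertion consumer endpoint"),
        (status is None or status.get("Value") != SUCCESS, "status is not Success"),
        (a.findtext("saml:Issuer", namespaces=NS) != config["idp_entity_id"],
         "Issuer is not the configured identity provider"),
        (a.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None,
         "assertion is not signed"),
        (not in_window, "assertion is outside its validity window"),
        (config["audience"] not in [x.text for x in a.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
         "AudienceRestriction does not name this service provider"),
        (a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                    namespaces=NS) not in config["authn_contexts"],
         "unexpected SAML authentication context"),
        (nameid is None or nameid.get("Format") not in SUPPORTED_NAMEID_FORMATS,
         "unsupported or missing NameID format"),
        (not matched, "NameID does not match any user's Federation ID"),
    ]
    return {"errors": [msg for bad, msg in checks if bad], "users": matched, "idp_initiated": idp_initiated}
```

The RelayState rule is applied only to unsolicited responses (no InResponseTo attribute), which is how a service provider tells an identity provider-initiated login from one it started itself; a service provider-initiated flow would additionally match InResponseTo against the ID of a pending AuthnRequest. The NameID lookup returns every account mapped to the Federation ID so that the "choose a user account" case described under the configuration steps is visible in the result rather than silently picking the first match.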

Configuring the Salesforce Marketing Cloud as a Service Provider

Once you have engaged and configured your identity provider, you must configure the Salesforce Marketing Cloud to use that identity provider. Follow these instructions to create a new SAML key. This describes the identity provider to the Salesforce Marketing Cloud.

Once you have created the new key, follow the steps below to enable Single Sign-On authentication on your account:

  1. Click the Admin tab in your Salesforce Marketing Cloud account.
  2. Select Security Settings.
  3. Click Edit.
  4. Under the Single Sign-On Settings heading, click the Single Sign-On checkbox.
  5. Click Save.

You must enable this feature in the parent account for all Enterprise and Enterprise 2.0 accounts.

Users are configured to use Single Sign-On on a user-by-user basis. Test your SAML enablement on one user before enabling multiple users on your account. You can better resolve any configuration issues or errors when dealing with a single user. To define users that will use Single Sign-On to gain access to the Salesforce Marketing Cloud:

  1. Navigate to My Users.
  2. Select the user you wish to enable for Single Sign-On.
  3. Click Edit.
  4. Click the Single Sign-On Enabled checkbox.
  5. Enter the shared identifier used to identify the specific user for Single Sign-On authentication in the Federation ID field. This is the identifier used to uniquely identify the user. This is the value that is passed in the <NameID> tag in the SAML assertions sent to the Salesforce Marketing Cloud when a user logs in.
  6. Click Save.

Once this procedure is completed, the individual can sign in to your Salesforce Marketing Cloud account via the identity provider. If the individual only has one Salesforce Marketing Cloud user account in the Salesforce Marketing Cloud system, that individual enters the application directly. If the individual is mapped to more than one user account, the individual must choose the user account desired on a pop-up dialog box before proceeding to the application.

If you choose to turn off Single Sign-On functionality in your account and then re-enable it, you must perform the entire configuration process again.

Error Resolution

You can use the error message presented within the Salesforce Marketing Cloud account to resolve issues with enabling Single Sign-On functionality. Your Salesforce Marketing Cloud account displays this error message every time the application receives an incorrect SAML assertion, which can occur during your initial integration configuration or after subsequent modifications. The message includes detailed error information and a history of past SAML requests, both successful and failed:


Possible error sources include the following:

  • Trying to log in with existing Salesforce Marketing Cloud credentials instead of the assigned Single Sign-On credentials
  • Using the wrong SAML authentication context (the <AuthnContextClassRef> value in the assertion)
  • Using the wrong SAML name ID

When you receive an error message, please review all available error information and ensure you correctly followed the steps outlined in this document to better resolve the issue.

How to Maintain or Change Existing Single Sign-On Information

This action applies to any instance where you make changes to your existing Single Sign-On configuration, including:

  • Any changes in your internal system
  • Any changes to your security certificate (either new or renewal)
  • Any changes to your third-party identity provider

Follow the steps below to change your Salesforce Marketing Cloud configuration to match any changes made in your system or the third-party identity provider:

  1. Create a user with administrator-level permissions in your Salesforce Marketing Cloud account:
    • Do not configure this administrator for Single Sign-On authentication.
    • Disable this user after you complete the creation process.
  2. Before you perform any changes to your Single Sign-On configuration, enable the administrator user account.
  3. Reset the administrator user password.
  4. Log in to the administrator user account to test the new password.
  5. Update the existing SAML metadata. Refer to the encryption key directions if necessary. You can either paste the new SAML metadata into the appropriate field or perform the guided configuration.
  6. Click Save.
  7. Log out of the administrator user account created in step 1.
  8. Log into your normal administrative account to test the new Single Sign-On authentication configuration.
    • If you log in successfully, you successfully implemented your new Single Sign-On configuration. Disable the administrator user account created in step 1 until you need to perform additional maintenance.
    • If your normal administrator account fails to log in, log in to the account using the administrator user account created in step 1. Correct the Single Sign-On configuration and repeat steps 5 through 8 until you successfully implement your configuration changes.
Last updated by ryan.williams at 10:21, 2 Sep 2015