This document contains conceptual, procedural, and scenario information about enabling Single Sign-On authentication for your ExactTarget account. You can enable a third-party identity provider to authenticate your users to both your internal systems and your ExactTarget application.

Note that this document covers only the steps related to integrating your existing system and third-party identity provider with the Single Sign-On feature offered by ExactTarget. You remain responsible for enabling and maintaining your own system and acquiring the third-party identity provider for use with Single Sign-On.


Prerequisites

You must provision your own third-party identity provider for use with this feature before you can enable Single Sign-On for your account. You must also have Single Sign-On enabled in your account. Please contact your ExactTarget representative for more information on enabling this feature.

ExactTarget also recommends configuring an administrative user in your account for use in changing or maintaining your Single Sign-On configuration. Such changes are needed when your internal system information changes or when you acquire a new security certificate. Follow the recommended configuration steps (see How to Maintain or Change Existing Single Sign-On Information below) and create this user before you need it. This user is not configured for Single Sign-On, so if a configuration change breaks Single Sign-On you can still log in to correct it and experience no interruption in your Single Sign-On implementation.

Scenario

Northern Trail Outfitters wants internal users to use a single authentication source to access their email and network services, third-party applications in their infrastructure, the ExactTarget application, and other SaaS products. To accomplish this, Northern Trail Outfitters implements a single identity provider that authenticates every individual who wishes to access these services. Northern Trail Outfitters then configures its ExactTarget account to trust this identity provider and use it as the authentication source for its users. Once the configuration is enabled, Northern Trail Outfitters users authenticate once and gain access to both their internal systems and the Northern Trail Outfitters ExactTarget account.

What Is Single Sign-On Authentication via SAML 2.0

Security Assertion Markup Language (SAML) lets system administrators delegate authentication to a third-party identity provider and use the result to grant users access to multiple systems. In this case, ExactTarget lets you configure your account so that users authenticate at your chosen identity provider and the resulting SAML assertion grants them access to your ExactTarget account. Two configuration steps establish the trust between the two parties: you enter the identity provider's configuration information (its metadata and signing certificate) in the ExactTarget account, and you configure the identity provider to recognize the ExactTarget product as a service provider.

Once the configuration is complete, the identity provider authenticates the user and issues a signed SAML assertion, which the user's browser delivers to ExactTarget. The user then receives access to the ExactTarget product using the SAML 2.0 protocol. The figure below demonstrates that protocol using the HTTP POST binding:

[Figure: SAML 2.0 login flow using the HTTP POST binding (/Global/Documentation/6724/SAML.jpg)]

Once the process above is completed, the ExactTarget application provides access to the appropriate account and permissions.

Note that your configuration must also support a single logout procedure where all accounts successfully log out based on a single command. Ensure that your configuration supports single logout when you implement your authentication procedures.

How to Enable Single Sign-On Authentication Via SAML

ExactTarget must enable this feature for use in your account. Please contact your ExactTarget representative for more information.

Implementing the Identity Provider

ExactTarget supports identity providers that utilize the SAML 2.0 specification, such as Shibboleth, PingFederate, and Active Directory Federation Services (ADFS). The configuration for the identity provider must trust the ExactTarget product as a service provider (sometimes called a "relying party"). Most commonly, you accomplish this task by importing an XML-based metadata document. You can find the metadata document for ExactTarget at https://auth.s1.exacttarget.com/Shibboleth.sso/Metadata

ExactTarget requires SAML 2.0 for Single Sign-On authentication. SAML 1.1 is not supported.

The metadata document describes a service provider to an identity provider, including the following elements:

  • The endpoint addresses for communication
  • The X.509 certificates used to sign SAML messages and to encrypt SAML assertions sent to the service provider
  • The SAML bindings supported by the service provider

Alternatively, some identity providers allow you to configure these settings manually. For ExactTarget, the metadata describes the following elements:

  • Audience (expected inside the AudienceRestriction tag of the SAML assertion): https://sp.exacttarget.com/shibboleth-sp
  • Service Provider Identifier (Relying Party Identifier): https://sp.exacttarget.com/shibboleth-sp
  • SAML Assertion Consumer Endpoints:
    • HTTP POST: https://auth.s1.exacttarget.com/Shibboleth.sso/SAML2/POST
    • HTTP Artifact: https://auth.s1.exacttarget.com/Shibboleth.sso/SAML2/Artifact
  • SAML Logout Endpoints:
    • HTTP POST: https://auth.s1.exacttarget.com/Shibboleth.sso/SLO/POST
    • HTTP Artifact: https://auth.s1.exacttarget.com/Shibboleth.sso/SLO/Artifact
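The following is an added example, not ExactTarget code, showing what an administrator who cannot import the metadata document directly would have to extract from it by hand: it parses a SAML 2.0 service-provider metadata document into the elements the two lists above describe (entity identifier, assertion consumer and logout endpoints per binding, NameID formats, certificates) and flags anything missing that this page says the identity provider needs. The metadata text inside it is constructed to mirror the ExactTarget values listed above; the certificate body is a placeholder, not ExactTarget's real certificate.

```python
"""Parse a SAML 2.0 SP metadata document into the elements this page lists.

Added example, not ExactTarget code. SAMPLE_METADATA is constructed to mirror
the entityID and endpoints the page gives for ExactTarget; the certificate
text is a placeholder, not ExactTarget's real certificate.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Friendly names for the two bindings ExactTarget supports; any other binding
# is reported under its raw URN so it is visible rather than silently dropped.
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact": "HTTP Artifact",
}

SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.exacttarget.com/shibboleth-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC...PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.s1.exacttarget.com/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://auth.s1.exacttarget.com/Shibboleth.sso/SLO/Artifact"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.s1.exacttarget.com/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://auth.s1.exacttarget.com/Shibboleth.sso/SAML2/Artifact" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Return entityID, endpoints per binding, NameID formats and certificates."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this entity is not a service provider")

    def endpoints(tag):
        return {BINDINGS.get(e.get("Binding"), e.get("Binding")): e.get("Location")
                for e in sp.findall("md:%s" % tag, NS)}

    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        use = kd.get("use", "signing+encryption")
        body = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
        certs[use] = "".join(body.split())  # strip the PEM line wrapping
    return {
        "entity_id": root.get("entityID"),
        "acs": endpoints("AssertionConsumerService"),
        "slo": endpoints("SingleLogoutService"),
        "name_id_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS)],
        "certificates": certs,
    }


def check_requirements(meta):
    """Findings against what this page says the IdP needs from ExactTarget's SP."""
    findings = []
    if "HTTP POST" not in meta["acs"]:
        findings.append("no HTTP POST assertion consumer endpoint")
    if not meta["slo"]:
        findings.append("no single logout endpoint: SLO is required")
    if not any("signing" in use for use in meta["certificates"]):
        findings.append("no signing certificate in KeyDescriptor")
    return findings


if __name__ == "__main__":
    meta = parse_sp_metadata(SAMPLE_METADATA)
    print(meta["entity_id"], meta["acs"], check_requirements(meta) or "OK")
```

The entityID reported by the parser is the value to enter as both the Relying Party Identifier and the expected Audience at the identity provider; the two must match exactly, including the scheme and the absence of a trailing slash.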

SAML Bindings

ExactTarget supports the HTTP POST and HTTP Artifact bindings.

Relay State

ExactTarget supports both identity provider-initiated and service provider-initiated login. Identity provider-initiated logins must include a defined relay state. The relay state identifies the target application that the user wishes to access; the identity provider sends it in the RelayState form parameter posted to ExactTarget alongside the <Response> message when initiating the login. The valid relay state values are:

  • ExactTarget Email S1: https://auth.s1.exacttarget.com/secure/?service=https://members.exacttarget.com/?hh=true
  • ExactTarget Email S2: https://auth.s1.exacttarget.com/secure/?service=https://members.poc.exacttarget.com/?hh=true
  • ExactTarget Email S4: https://auth.s1.exacttarget.com/secure/?service=https://members.s4.exacttarget.com/?hh=true
  • ExactTarget Email S5: https://auth.s1.exacttarget.com/secure/?service=https://members.boa.exacttarget.com/?hh=true
  • ExactTarget Email S6: https://auth.s1.exacttarget.com/secure/?service=https://members.s6.exacttarget.com/?hh=true
  • ExactTarget Marketing Cloud: https://auth.s1.exacttarget.com/secure/?service=https://mc.exacttarget.com/cloud/

Name Identifier

The identity provider must be configured to emit a unique identifier for each user who will use ExactTarget. The <NameID> element of the SAML assertion in each <Response> sent to ExactTarget must carry this identifier, which is the shared identifier between the identity provider and ExactTarget (it is entered in the user's Federation ID field in ExactTarget). The identifier can be any string value; common choices are the email address or the login name at the identity provider. You must specify the format of the <NameID> element both in the identity provider's metadata (through a <NameIDFormat> element) and in the Format attribute of the <NameID> sent on login. ExactTarget supports the following name ID formats:

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  • urn:oasis:names:tc:SAML:2.0:nameid-format:entity
  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Key Descriptors

Key descriptors define the keys used for encryption and signing of SAML assertions. ExactTarget requires that every SAML assertion be signed, and the signing X.509 certificate must be the one published in the identity provider's metadata. In metadata documents, this is defined with the <KeyDescriptor> element.
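The following is an added example, not ExactTarget code, tying together the HTTP POST flow, Relay State, Name Identifier and Key Descriptors sections above from the service provider's side. It takes the SAMLResponse and RelayState form fields an identity provider posts and applies the rules this page states: the relay state must be one of the listed values (anything else is an open-redirect risk), the <Response> must be addressed to the HTTP POST assertion consumer endpoint, the assertion must be signed by the pinned identity-provider certificate, lie inside its validity window, name the ExactTarget audience, use a supported NameID format, and map to a known Federation ID. The identity-provider certificate, its entity name, the Federation ID table and the <Response> itself are constructed placeholders; cryptographic verification of the XML signature is left to an xmlsec-based library in a real deployment and is not performed here.

```python
"""Service-provider-side checks on a SAML 2.0 HTTP POST login.

Added example, not ExactTarget code. The IdP certificate, IdP entityID,
Federation ID table and the Response built below are constructed. The
XML-DSig signature value is not verified here; only the structural rules
this page states are enforced.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Values the page gives for the ExactTarget service provider.
AUDIENCE = "https://sp.exacttarget.com/shibboleth-sp"
ACS_POST = "https://auth.s1.exacttarget.com/Shibboleth.sso/SAML2/POST"
NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}
# Two of the six relay state values listed on the page; anything else is rejected.
RELAY_STATES = {
    "https://auth.s1.exacttarget.com/secure/?service=https://members.exacttarget.com/?hh=true",
    "https://auth.s1.exacttarget.com/secure/?service=https://mc.exacttarget.com/cloud/",
}
# Constructed placeholders: the IdP signing certificate as published in its
# KeyDescriptor, the IdP entityID, and the Federation ID -> ExactTarget user table.
TRUSTED_IDP_CERT = "MIIC...PLACEHOLDER-IDP-CERT"
IDP = "https://idp.nto.example/idp/shibboleth"
FEDERATION_IDS = {"jane.doe@nto.example": "jdoe_nto"}


class SamlError(Exception):
    pass


def _utc(ts):
    """Parse a SAML UTC timestamp such as 2014-04-10T14:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def validate_post(form, now):
    """Check the posted form; return (ExactTarget user, relay state) or raise SamlError."""
    relay = form.get("RelayState")
    if relay not in RELAY_STATES:
        raise SamlError("RelayState is not an allow-listed target")
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlError("not a samlp:Response")
    if root.get("Destination") != ACS_POST:
        raise SamlError("Destination is not the HTTP POST assertion consumer endpoint")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlError("Response carries no assertion")
    cert = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
    if "".join(cert.split()) != TRUSTED_IDP_CERT:  # pin to the KeyDescriptor certificate
        raise SamlError("assertion unsigned or signed with an unknown certificate")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not _utc(cond.get("NotBefore")) <= _utc(now) < _utc(cond.get("NotOnOrAfter")):
        raise SamlError("assertion outside its validity window")
    if AUDIENCE not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlError("AudienceRestriction does not name the ExactTarget SP")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") not in NAMEID_FORMATS:
        raise SamlError("missing or unsupported NameID format")
    user = FEDERATION_IDS.get(name_id.text)
    if user is None:
        raise SamlError("NameID does not match any Federation ID")
    return user, relay


def outcome(form, now):
    """'ok:<user>' or 'reject:<reason>'; the reason is what an administrator needs to log."""
    try:
        return "ok:%s" % validate_post(form, now)[0]
    except SamlError as e:
        return "reject:%s" % e


def build_response(name_id, fmt, audience=AUDIENCE, cert=TRUSTED_IDP_CERT):
    """Constructed IdP Response (SignatureValue is a stand-in) for exercising the checks."""
    xml = (
        '<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" xmlns:ds="%(ds)s" '
        'ID="_r1" Version="2.0" IssueInstant="2014-04-10T14:00:00Z" Destination="%(acs)s">'
        '<saml:Issuer>%(idp)s</saml:Issuer>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-04-10T14:00:00Z">'
        '<saml:Issuer>%(idp)s</saml:Issuer>'
        '<ds:Signature><ds:SignedInfo/><ds:SignatureValue>STANDIN</ds:SignatureValue>'
        '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%(cert)s</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></ds:Signature>'
        '<saml:Subject><saml:NameID Format="%(fmt)s">%(nameid)s</saml:NameID></saml:Subject>'
        '<saml:Conditions NotBefore="2014-04-10T13:58:00Z" NotOnOrAfter="2014-04-10T14:03:00Z">'
        '<saml:AudienceRestriction><saml:Audience>%(aud)s</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'
    ) % dict(NS, acs=ACS_POST, idp=IDP, cert=cert, fmt=fmt, nameid=name_id, aud=audience)
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    fmt = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    form = {"SAMLResponse": build_response("jane.doe@nto.example", fmt),
            "RelayState": "https://auth.s1.exacttarget.com/secure/?service=https://mc.exacttarget.com/cloud/"}
    print(outcome(form, "2014-04-10T14:00:00Z"))
```

The order of the checks matters in practice: the relay state and destination are rejected before the assertion is parsed, and the certificate pin is tested before any content is trusted, so a forged or replayed assertion never reaches the Federation ID lookup. The rejection reasons correspond to the error sources listed under Error Resolution below (wrong name ID, wrong audience, wrong context).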

Configuring ExactTarget as a Service Provider

Once you have engaged and configured your identity provider, you must configure ExactTarget to use that identity provider. Follow these instructions to create a new SAML key; the key describes the identity provider (its metadata and signing certificate) to ExactTarget.

Once you have created the new key, follow the steps below to enable Single Sign-On authentication on your account:

  1. Click the Admin tab in your ExactTarget account.
  2. Select Security Settings.
  3. Click Edit.
  4. Under the Single Sign-On Settings heading, click the Single Sign-On checkbox.
  5. Click Save.

You must enable this feature in the parent account for all Enterprise and Enterprise 2.0 accounts.

Users are configured to use Single Sign-On on a user-by-user basis. Test your SAML enablement on one user before enabling multiple users on your account. You can better resolve any configuration issues or errors when dealing with a single user. To define users that will use Single Sign-On to gain access to ExactTarget:

  1. Navigate to My Users.
  2. Select the user you wish to enable for Single Sign-On.
  3. Click Edit.
  4. Click the Single Sign-On Enabled checkbox.
  5. In the Federation ID field, enter the shared identifier that uniquely identifies this user for Single Sign-On authentication. This is the value passed in the <NameID> element of the SAML assertions sent to ExactTarget when the user logs in, so it must match the identity provider's value exactly.
  6. Click Save.

Once this procedure is completed, the individual can sign in to your ExactTarget account via the identity provider. If the individual only has one ExactTarget user account in the ExactTarget system, that individual enters the application directly. If the individual is mapped to more than one user account, the individual must choose the user account desired on a pop-up dialog box before proceeding to the application.

If you choose to turn off Single Sign-On functionality in your account and then re-enable it, you must perform the entire configuration process again.

Error Resolution

You can use the error message presented within the ExactTarget account to resolve issues with enabling Single Sign-On functionality. Your ExactTarget account displays this error message whenever the application receives an incorrect SAML assertion, which can occur during your initial integration configuration or after subsequent modifications. The message includes detailed error information and a history of past SAML requests, both successful and failed:

[Figure: Single Sign-On error message with SAML request history (/Global/Documentation/6724/SAMLError.jpg)]

Possible error sources include the following:

  • Trying to log in with existing ExactTarget credentials instead of the assigned Single Sign-On credentials
  • Using the wrong SAML authentication context (AuthnContext)
  • Using the wrong SAML name ID

When you receive an error message, please review all available error information and ensure you correctly followed the steps outlined in this document to better resolve the issue.

How to Maintain or Change Existing Single Sign-On Information

This action applies to any instance where you make changes to your existing Single Sign-On configuration, including:

  • Any changes in your internal system
  • Any changes to your security certificate (either new or renewal)
  • Any changes to your third-party identity provider

Follow the steps below to change your ExactTarget configuration to match any changes made in your system or the third-party identity provider:

  1. Create a user with administrator-level permissions in your ExactTarget account:
    • Do not configure this administrator for Single Sign-On authentication.
    • Disable this user after you complete the creation process.
  2. Before you perform any changes to your Single Sign-On configuration, enable the administrator user account.
  3. Reset the administrator user password.
  4. Log in to the administrator user account to test the new password.
  5. Update the existing SAML metadata. Refer to the encryption key directions if necessary. You can either paste the new SAML metadata into the appropriate field or perform the guided configuration.
  6. Click Save.
  7. Log out of the administrator user account created in step 1.
  8. Log into your normal administrative account to test the new Single Sign-On authentication configuration.
    • If you log in successfully, you successfully implemented your new Single Sign-On configuration. Disable the administrator user account created in step 1 until you need to perform additional maintenance.
    • If your normal administrator account fails to log in, log in using the administrator user account created in step 1. Correct the Single Sign-On configuration and repeat steps 5 through 8 until you successfully implement your configuration changes.
Last updated by ryan.williams at 14:58, 10 Apr 2014