Configuration Guide · Part 1 of 2

Marketing Center SAML 2.0 SSO

Configure SAML 2.0 single sign-on between Okta and the Ocozzio Marketing Center platform. This guide covers adding the integration from the OIN catalog, entering your tenant credentials, and providing the signing certificate to Ocozzio.

Protocol SAML 2.0 SSO Type IdP-initiated
01

Prerequisites

Before configuring SSO in Okta, ensure the following requirements are in place.

Obtain credentials from Ocozzio

Contact Ocozzio support before beginning configuration. You will be issued two values specific to your organization:

  • Customer ID — a unique identifier for your Marketing Center tenant, required in all SAML and SCIM endpoint URLs. You will enter this during the General Settings step.
  • Bearer Token — a static secret token used to authenticate SCIM provisioning requests. You will enter this when configuring SCIM provisioning in the SCIM Provisioning Guide.
Important
Store the Bearer Token securely. It grants full SCIM provisioning access to your Marketing Center tenant and should be treated as a credential. Do not share it or include it in support tickets.

Okta admin role

You must have the Super Admin or both the App Admin and Org Admin roles assigned in your Okta org to add and configure integrations from the OIN catalog.

Important
SSO will not function until Ocozzio has installed the Okta signing certificate on the Marketing Center server. Plan for this step, covered in Step 3 below, before scheduling your go-live.
Testing requires a provisioned user
SSO cannot be tested until at least one user has been provisioned in the Marketing Center. After completing this guide, proceed to the SCIM Provisioning Guide and provision yourself or a dedicated test user. Once provisioned, sign in via the Marketing Center tile in the Okta End-User Dashboard to confirm SSO is working end-to-end.
02

Supported SSO Features

The following SSO capabilities are supported by this integration.

🔐
IdP-initiated SSO
Users click the Marketing Center tile in their Okta End-User Dashboard to sign in
Supported
📋
SAML Attribute Statements
User profile data (name, email) passed in the SAML assertion
Supported
🔑
Sync Password
Authentication is handled exclusively via SAML — no password sync
Not Supported
↩️
SP-initiated SSO
Sign-in flow initiated from the Marketing Center application
Not Supported
User Provisioning
Creating, updating, and deactivating user accounts is handled by the SCIM 2.0 provisioning integration, not SAML. See the SCIM Provisioning Guide for those capabilities.
03

Configuration Steps

Complete the following steps in order in your Okta Admin Console.

1
Add the Marketing Center from the OIN catalog

In your Okta Admin Console, go to Applications → Applications and click Browse App Catalog. Search for Ocozzio Marketing Center and click Add Integration.

2
Enter General Settings

Give the integration a recognizable label (e.g., Marketing Center) and enter the following value provided by Ocozzio:

Customer ID
Your Marketing Center tenant Customer ID

The Customer ID uniquely identifies your tenant and is used across all SAML and SCIM endpoint URLs. Click Done.

3
Send the Okta signing certificate to Ocozzio

On the Sign On tab, locate the SAML Signing Certificates section. Click Actions → Download certificate next to the active SHA-2 certificate and send the downloaded file to Ocozzio. Ocozzio will install the certificate on the applicable server to complete the SAML trust configuration.

Note
SSO will not function until Ocozzio confirms the certificate has been installed. Allow time for Ocozzio to complete this step before testing. If you rotate the Okta signing certificate in the future, you must send the updated certificate to Ocozzio for reinstallation.
04

Attributes & Mapping

The following attributes are sent in the SAML assertion to identify and authenticate users in the Marketing Center.

SAML Attribute Okta Profile Field Marketing Center Field Required
LogonName user.userName LogonName (username) Required
FirstName user.firstName UserProfileFirstName Optional
LastName user.lastName UserProfileLastName Optional
PrimaryEmail user.email UserProfileEmailAddress Optional
DisplayName user.displayName UserProfileFullName Optional
05

Troubleshooting

SAML SSO fails with a certificate validation error
The Okta signing certificate must be installed on the Marketing Center server by Ocozzio before SSO will function. If SSO fails after Ocozzio has confirmed installation, verify that the certificate downloaded from Okta corresponds to the active signing certificate in the SAML Signing Certificates section of the Sign On tab. If you have rotated the Okta signing certificate since initial setup, send the updated certificate to Ocozzio for reinstallation.
User authenticates in Okta but receives an error when redirected to the Marketing Center
The LogonName attribute in the SAML assertion must exactly match the user's Marketing Center username. Verify the LogonName attribute statement is configured correctly (mapped to user.userName) and that the user has been provisioned in the Marketing Center. If the user account does not yet exist in the Marketing Center, it must be created via SCIM provisioning before SSO will succeed. See the SCIM Provisioning Guide. SCIM provisioning must be completed and the user assigned to the integration before SSO can authenticate them.
The Marketing Center tile does not appear in the user's Okta dashboard
The user has not been assigned to the Marketing Center integration. Go to the Assignments tab of the integration and assign the user individually or via a group. Changes take effect immediately.
Next: Configure SCIM Provisioning
SAML SSO is now configured. To provision users and enable them to sign in, proceed to the SCIM Provisioning Guide. User and group assignment is completed there, and once a user is provisioned they can sign in via the Marketing Center tile in their Okta End-User Dashboard.