Marigold ID SSO Integration
Marigold ID supports SAML Single Sign-On (SSO). It streamlines user access by requiring a single authentication with your company’s IdP, which then grants access to Marigold ID and Marigold products without the need to manage additional credentials.
As a Marigold customer, you can configure SSO for the Marigold ID app by following the guide below.
IdP Mapping
Okta
If your company is using Okta Workforce Identity Cloud as your IdP, please follow the steps below to obtain the SAML certificate and metadata and pass them to your Marigold representative.
- Create a “Marigold ID” app with SAML 2.0 and configure the values as below:
  - Single sign-on URL: <any URL>
  - Audience URI (SP Entity ID): <any URL>
  - Name ID format: EmailAddress
  - Attribute Statements (optional)
- Download the SAML certificate and metadata and pass them to your Marigold representative.
- Once Marigold’s IdP is configured, Marigold will provide their Okta IdP Metadata and the information below for configuring your Identity Provider to communicate with the Marigold ID Application.

| Client IdP setting | Marigold value |
| --- | --- |
| Single sign-on URL | Assertion Consumer URL |
| Audience URI (SP Entity ID) | Audience URL |
| Default Relay State | Default RelayState URL |
AZURE - SAML Signing Certificate
If your company is using Azure IdP, please follow the steps below to obtain the SAML certificate and metadata.
- Create a “Marigold Id” application in your Azure interface.
- Set up Single Sign-On by opening the app and selecting Single sign-on.
- Configure the values as below:
  - Identifier (Entity ID): <any URL>
  - Reply URL (Assertion Consumer Service URL): <any URL>
- Configure Attributes and claims with the following claim names and source attributes:
  - email: user.userprincipalname
  - firstName: user.givenname
  - lastName: user.surname
- From the same Single sign-on screen, note the following details and pass them to Marigold:
  - Certificate
  - Federation Metadata XML
  - Login URL
  - Microsoft Entra ID Identifier
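A pre-handover check for the items in the Okta and Azure steps above, added here as an example (it is not Marigold's, Okta's or Microsoft's code). It parses a constructed Federation Metadata XML to pull out the entity ID (the Entra ID Identifier), the login URLs and the signing certificate, and then checks a constructed assertion for the EmailAddress NameID format and the email/firstName/lastName claim names from the mapping above. The idp.example.test hostnames, the all-zero tenant id, the certificate bodies and the sample assertion are placeholders, not real values.

```python
"""Pre-handover checks on SAML IdP metadata and claim mapping.

Added example, not Marigold's or any IdP vendor's code.  The metadata and
assertion below are constructed samples; the idp.example.test hostnames and
the all-zero tenant id are placeholders.  The required claim names follow
the Attributes and claims list in the Azure steps.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_CLAIMS = {"email", "firstName", "lastName"}  # claim names from the mapping above

# Constructed stand-in for the "Federation Metadata XML" an IdP exports.
# It carries both a signing and an encryption key so the filter below is exercised.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-PLACEHOLDER-SIGNING-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-PLACEHOLDER-ENCRYPTION-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/redirect"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml2/post"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed sample assertion as the service provider would receive it after login
# (signature omitted; the lastName claim is deliberately left out).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_idp_details(metadata_xml: str) -> dict:
    """Pull out the items the Azure steps ask you to hand over: the entity ID
    (Entra ID Identifier), the login URLs and the *signing* certificate(s) only."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")
    signing_certs = [
        "".join(cert.text.split())  # remove the line wrapping of the base64 body
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")  # a missing 'use' means signing and encryption
        for cert in kd.findall(".//ds:X509Certificate", NS)
    ]
    login_urls = {
        sso.get("Binding").rsplit(":", 1)[-1]: sso.get("Location")
        for sso in idp.findall("md:SingleSignOnService", NS)
    }
    return {
        "entity_id": root.get("entityID"),
        "name_id_formats": [f.text.strip() for f in idp.findall("md:NameIDFormat", NS)],
        "login_urls": login_urls,
        "signing_certificates": signing_certs,
    }


def check_assertion_claims(assertion_xml: str, expected_issuer: str) -> list[str]:
    """Compare a received assertion against the mapping above and return the
    problems found (an empty list means it matches).  Signature validation is
    the SP library's job and is not attempted here."""
    root = ET.fromstring(assertion_xml)
    problems: list[str] = []
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} differs from metadata entityID")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        problems.append("NameID format is not emailAddress")
    present = {a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    problems.extend(f"missing claim {name}" for name in sorted(REQUIRED_CLAIMS - present))
    return problems


if __name__ == "__main__":
    details = extract_idp_details(SAMPLE_METADATA)
    for key, value in details.items():
        print(f"{key}: {value}")
    print("assertion problems:", check_assertion_claims(SAMPLE_ASSERTION, details["entity_id"]))
```

Only the certificate marked `use="signing"` (or with no `use` attribute) is reported, because that is the key the service provider uses to verify assertions; an encryption-only certificate in the same metadata is not what the Certificate item above refers to. Running the block against the constructed assertion reports the missing lastName claim, which is the kind of mapping gap that otherwise surfaces only as a Just-In-Time account created with incomplete profile data.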
Once Marigold’s IdP is configured, Marigold will provide their Okta IdP Metadata and the information below for configuring your Identity Provider to communicate with the Marigold ID Application.
| Client IdP setting | Marigold value |
| --- | --- |
| Single sign-on URL | Assertion Consumer URL |
| Audience URI (SP Entity ID) | Audience URL |
| Default Relay State | Default RelayState URL |
Please note that the Default RelayState is needed so that your company’s IdP forwards users directly to the Marigold ID application when they log into Marigold ID’s Okta.
When the above is completed, please get in touch with the Marigold team so that a meeting can be arranged to test the integration.
Additional Information
SSO Group Mapping allows you to map groups in your internal user directory to User Groups in Marigold Products. This feature will be available in Q1, 2024.
If you wish to enable SSO to access Marigold ID and Marigold products before Q1 2024, please note the limitations and additional steps below:
The SSO implementation steps in Marigold ID differ between existing and new customers, as explained below:

| Existing Customer | New Customer |
| --- | --- |
| If you are an existing Marigold customer using Engage+, Loyalty and/or Platform (EDP), the Marigold team will pre-migrate your existing users so that their existing access (e.g. roles in Engage+, Loyalty, or EDP) is retained. Subsequently, new users will be granted access to Marigold ID via your company’s IdP. Please note that when new users access Marigold ID from your company’s IdP, their accounts will be created Just-In-Time (JIT) in Marigold ID but will not yet have access to Marigold products. Please follow the steps below to grant Marigold product access to the new users. | If you are a new customer, or your company does not yet have user accounts created in Marigold Engage+, Loyalty or Platform (EDP), users will be granted access to Marigold ID via your company’s IdP. When they access Marigold ID from your company’s IdP, their accounts will be created Just-In-Time (JIT) in Marigold ID but will not yet have access to Marigold products. Please follow the steps below to grant Marigold product access to the new users. |

For new users whose accounts were created Just-In-Time (JIT) in Marigold ID, please contact the Marigold Support Team or your company’s organization admin to grant them access to Marigold products through Marigold ID.