SSO with Microsoft Entra ID for Vault

Overview

This guide details how to configure Single Sign-On (SSO) in Vault using Microsoft Entra ID (formerly Azure AD) as a SAML 2.0 Identity Provider.

Benefits:

  • Centralized access control via Entra ID

  • Seamless user authentication into Vault

  • Simplified account management from the Azure portal

Prerequisites

  • An active Entra ID tenant

  • Admin privileges in both Vault and Entra ID (in Entra ID, enough to create an enterprise application and edit its single sign-on settings)

  • The Vault Customer ID of the account (shown in the Profile section in Vault); it is needed when configuring the claims below

  • A decision about which Entra ID users or groups may sign in to Vault; assign them to the Vault application in Entra ID, because an unassigned user cannot log in (see Troubleshooting)

Configure Entra ID

Steps:

  1. Sign in to Azure Portal.

  2. Go to Entra ID > Enterprise Applications > New Application

  3. Click + Create your own application

  4. Name it VAULT, select Non-gallery application, and click Create

[Screenshot: Create non-gallery application in Azure]

  5. After creation, click Set up single sign on > SAML

  6. In Basic SAML Configuration, set the following (replace <instanceURL> with the base URL of your Vault instance):

    • Identifier (Entity ID): <instanceURL>/ARVault/saml/metadata

    • Reply URL (Assertion Consumer Service URL): <instanceURL>/ARVault/saml/SSO

[Screenshot: Basic SAML Configuration]

  7. In User Attributes & Claims:

    • Delete all Additional claims

    • Add the following claims manually, with the claim names spelled exactly as shown (leave the Namespace field empty so the attribute is issued under the bare name):

Name                        Source     Source Attribute
firstname                   Attribute  user.givenname
lastname                    Attribute  user.surname
customerid                  Attribute  Your Vault Customer ID (from the Profile section in Vault)
restrictAutoCreationOfUser  Attribute  Yes or No (controls automatic user creation in Vault)

The last two claims carry fixed values rather than user attributes: in the Source attribute field, type the value in double quotes (for example "12345" or "Yes") so that Entra ID issues it as a constant. Set restrictAutoCreationOfUser to Yes if every Vault user must be created by an administrator first; with No, a user who signs in through Entra ID and does not yet exist in Vault is created automatically.

[Screenshot: Claims configuration]

  8. In SAML Signing Certificate, download the Federation Metadata XML. The file contains the tenant's SAML signing certificate; Entra ID signing certificates expire (after three years by default), so plan to download and re-upload the metadata in Vault before the certificate is rotated, or SSO logins will stop working.

[Screenshot: Download SAML Metadata]

Configure Vault

  1. Log in to Vault

  2. Navigate to Settings > SSO Configurations

  3. Enter your Azure username

  4. Choose Metadata File, upload the XML file from Azure

  5. Click Update and then Activate

[Screenshot: Upload metadata in Vault]
[Screenshot: Activate SSO in Vault]

  6. Sign out and test the login via SSO:

    • On the login page, click Login with SSO

    • Enter your Customer ID and click Sign In

[Screenshot: SSO Login screen]
[Screenshot: Customer ID prompt]

Troubleshooting

Error: "Your user is not available in the account with provided customer ID. Please contact the administrator to create a user for you in the account."

Causes:

  1. The user is not assigned to the Vault application in Entra ID (Entra ID > Enterprise Applications > VAULT > Users and groups)

  2. The restrictAutoCreationOfUser claim is set to Yes and the user has not been pre-created in Vault. Either create the user in Vault first, or set the claim to No if automatic creation is acceptable for this account.

Also confirm that the customerid claim and the Customer ID entered on the SSO login page are both the account's Customer ID from the Profile section in Vault.
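When SSO is activated but the login still fails with the error above, the quickest way to see what Entra ID actually sent is to capture the SAMLResponse form field from the browser's developer tools (the POST to <instanceURL>/ARVault/saml/SSO) and decode it. The Python script below is an added example, not Vault or Microsoft code: it decodes such a field, lists the claims, and checks them against the claims table and the two causes above. The Response it works on is a constructed sample with placeholder tenant ID, hostname, user and Customer ID; the example assumes that Vault matches the user on the NameID, which this page does not state.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The claim names Vault expects, spelled exactly as in the claims table.
REQUIRED_CLAIMS = ("firstname", "lastname", "customerid", "restrictAutoCreationOfUser")
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: a minimal, unsigned Response of the shape Entra ID POSTs to the Reply
# URL. The tenant ID, hostname, user and Customer ID are placeholders, not real data.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://vault.example.com/ARVault/saml/SSO">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="customerid"><saml:AttributeValue>12345</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="restrictAutoCreationOfUser"><saml:AttributeValue>Yes</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_saml_response(xml_text: str) -> str:
    """Encode a Response the way the HTTP-POST binding carries it in the SAMLResponse field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def parse_saml_response(saml_response_field: str) -> dict:
    """Decode a SAMLResponse form field (URL-encoded base64 XML) into the parts Vault acts on.

    This only inspects the message; it does not verify the XML signature, so use it for
    troubleshooting, never as a substitute for the validation Vault performs.
    """
    raw = base64.b64decode(urllib.parse.unquote(saml_response_field))
    root = ET.fromstring(raw)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion; encrypted assertions are not handled here")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    status_el = root.find("samlp:Status/samlp:StatusCode", NS)
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "status": status_el.get("Value") if status_el is not None else "",
        "destination": root.get("Destination", ""),
        # Assumption of this example: Vault identifies the user by the NameID.
        "name_id": assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS),
        "attributes": attrs,
    }


def check_vault_claims(parsed: dict, expected_customer_id: str, reply_url: str) -> list:
    """Return the mismatches that would lead Vault to reject this login; an empty list means OK."""
    problems = []
    if parsed["status"] != SUCCESS:
        problems.append(f"IdP status is {parsed['status']!r}, not Success")
    if parsed["destination"] != reply_url:
        problems.append(f"Destination {parsed['destination']!r} is not the Reply URL {reply_url!r}")
    attrs = parsed["attributes"]
    for name in REQUIRED_CLAIMS:
        if name not in attrs:
            problems.append(f"claim {name!r} is missing; compare the claim name with the table")
    if "customerid" in attrs and attrs["customerid"] != expected_customer_id:
        problems.append(f"customerid {attrs['customerid']!r} is not this account's ID {expected_customer_id!r}")
    flag = attrs.get("restrictAutoCreationOfUser")
    if flag is not None and flag not in ("Yes", "No"):
        problems.append(f"restrictAutoCreationOfUser must be Yes or No, got {flag!r}")
    return problems


def needs_precreated_user(parsed: dict) -> bool:
    """True when auto-creation is off, so the user must already exist in Vault (cause 2 above)."""
    return parsed["attributes"].get("restrictAutoCreationOfUser") == "Yes"


if __name__ == "__main__":
    reply_url = "https://vault.example.com/ARVault/saml/SSO"  # placeholder <instanceURL>
    parsed = parse_saml_response(encode_saml_response(SAMPLE_RESPONSE_XML))
    print("user:", parsed["name_id"], "claims:", parsed["attributes"])
    print("problems:", check_vault_claims(parsed, "12345", reply_url))
    if needs_precreated_user(parsed):
        print("restrictAutoCreationOfUser=Yes: create", parsed["name_id"], "in Vault before testing")
```

To use it on a real login, paste the SAMLResponse value from the captured POST body into parse_saml_response and pass your own Customer ID and Reply URL to check_vault_claims. A claim that shows up under a different name or inside a namespace (for example http://schemas.../customerid) means the claim was not added with an empty Namespace field; a decoded response that is missing the Assertion altogether usually means the user was never issued a token, which points at cause 1.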
