SSO with Microsoft Entra ID for Vault
Overview
This guide details how to configure Single Sign-On (SSO) in Vault using Microsoft Entra ID (formerly Azure AD) as a SAML 2.0 Identity Provider.
Benefits:
Centralized access control via Entra ID
Seamless user authentication into Vault
Simplified account management from the Azure portal
Prerequisites
An active Entra ID subscription
Admin privileges in both Vault and Entra ID
Vault added as a non-gallery application
Configure Entra ID
Steps:
Sign in to Azure Portal.
Go to Entra ID > Enterprise Applications > New Application
Click + Create your own application
Name it VAULT, select Non-gallery application, and click Create

After creation, click Set up single sign on > SAML
In Basic SAML Configuration:
Identifier (Entity ID): <instanceURL>/ARVault/saml/metadata
Reply URL: <instanceURL>/ARVault/saml/SSO

In User Attributes & Claims:
Delete all Additional claims
Add these claims manually (claim name / source / source attribute or value):
firstname / Attribute / user.givenname
lastname / Attribute / user.surname
customerid / Attribute / Vault Customer ID (from your Vault Profile section)
restrictAutoCreationOfUser / Attribute / Yes or No (controls auto user creation in Vault)

In SAML Signing Certificate, download the Federation Metadata XML

Configure Vault
Log in to Vault
Navigate to Settings > SSO Configurations
Enter your Azure username
Choose Metadata File, upload the XML file from Azure
Click Update and then Activate


Sign out and test login via SSO:
On the login page, click Login with SSO
Enter your Customer ID and click Sign In


Troubleshooting
Error: "Your user is not available in the account with provided customer ID. Please contact the administrator to create a user for you in the account."
Causes:
User not assigned in Azure to the Vault app
restrictAutoCreationOfUser claim is set to Yes and the user is not pre-created in Vault
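The following is an added example, not part of this guide or of Vault's own code. It shows how an administrator can check a SAML assertion from Entra ID for the four claims the "User Attributes & Claims" step asks for, and then map the two causes listed under Troubleshooting onto a concrete login situation. The assertion fragment, the names and the customer ID value are constructed for illustration; the helper names (extract_claims, missing_claims, diagnose_login) are this example's own, and the two boolean inputs to diagnose_login are assumptions about what the administrator already knows from the Azure portal and from Vault.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace, used to find Attribute elements.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names the guide says to add manually in Entra ID.
# Names are matched exactly, so check spelling and case in the portal.
REQUIRED_CLAIMS = ("firstname", "lastname", "customerid", "restrictAutoCreationOfUser")

# Constructed sample: the AttributeStatement shape Entra ID emits, with made-up values.
# This is not a real assertion from any tenant; the customer ID is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="lastname">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="customerid">
      <saml:AttributeValue>CUSTOMER-ID-PLACEHOLDER</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="restrictAutoCreationOfUser">
      <saml:AttributeValue>Yes</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_claims(assertion_xml):
    """Return {claim name: value} for every Attribute in the assertion.

    A claim with several AttributeValue children is returned as a list.
    """
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        claims[attr.get("Name")] = values[0] if len(values) == 1 else values
    return claims


def missing_claims(claims):
    """List the required claim names that the assertion does not carry."""
    return [name for name in REQUIRED_CLAIMS if name not in claims]


def diagnose_login(claims, assigned_in_azure, user_exists_in_vault):
    """Return the Troubleshooting causes that apply to this login attempt.

    assigned_in_azure: whether the user is assigned to the Vault app in Azure (assumed known).
    user_exists_in_vault: whether the user was pre-created in Vault (assumed known).
    """
    causes = []
    if not assigned_in_azure:
        causes.append("User not assigned in Azure to the Vault app")
    restrict = str(claims.get("restrictAutoCreationOfUser", "")).strip().lower()
    if restrict == "yes" and not user_exists_in_vault:
        causes.append("restrictAutoCreationOfUser claim is set to Yes and the user is not pre-created in Vault")
    return causes


if __name__ == "__main__":
    parsed = extract_claims(SAMPLE_ASSERTION)
    print("claims:", parsed)
    print("missing:", missing_claims(parsed))
    print("causes:", diagnose_login(parsed, assigned_in_azure=True, user_exists_in_vault=False))
```

To use it on a real login, capture the assertion the browser posts to the Reply URL (it is base64-encoded form data) and pass the decoded XML to extract_claims; an empty list from missing_claims confirms the claims step was done, and diagnose_login tells you which of the two documented causes to fix first.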