# SSO with Microsoft Entra ID for Vault

## Overview <a href="#overview" id="overview"></a>

This guide details how to configure **Single Sign-On (SSO)** in Vault using **Microsoft Entra ID** (formerly Azure AD) as a **SAML 2.0 Identity Provider**. Because authentication is delegated to Entra ID, organizations can also restrict the IP addresses from which users are allowed to log in by enforcing that restriction on the SSO side.

Benefits:

* Centralized access control via Entra ID
* Seamless user authentication into Vault
* Simplified account management from the Azure portal

## Prerequisites <a href="#prerequisites" id="prerequisites"></a>

* An active **Entra ID** subscription
* Admin privileges in both Vault and Entra ID
* Vault added as a **non-gallery application**

## Configure Entra ID <a href="#in-azure-a-d" id="in-azure-a-d"></a>

### Steps:

1. Sign in to [Azure Portal](https://portal.azure.com).
2. Go to **Entra ID > Enterprise Applications > New Application**
3. Click **+ Create your own application**
4. Name it `VAULT`, select **Non-gallery application**, and click **Create**

<figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FOsqhceVFvkbZQbbQv7Be%2Fimage.png?alt=media&#x26;token=d4443f8a-9789-472f-bef4-24a96a928683" alt="Create non-gallery application in Azure"><figcaption></figcaption></figure>

5. After creation, click **Set up single sign on** > **SAML**
6. In **Basic SAML Configuration**:
   * **Identifier (Entity ID):** `<instanceURL>/ARVault/saml/metadata`
   * **Reply URL:** `<instanceURL>/ARVault/saml/SSO`

<figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FWCK0aryoeWy5Z94s1FuN%2Fimage.png?alt=media&#x26;token=6c300b68-455d-4813-aa6d-e8b66bd0cdc1" alt="Basic SAML Configuration" width="527"><figcaption></figcaption></figure>

7. In **User Attributes & Claims**:
   * Delete all **Additional claims**
   * Add these claims manually:

| Name                       | Source    | Source Attribute                                     |
| -------------------------- | --------- | ---------------------------------------------------- |
| firstname                  | Attribute | `user.givenname`                                     |
| lastname                   | Attribute | `user.surname`                                       |
| customerid                 | Attribute | Vault Customer ID (from your Vault Profile section)  |
| restrictAutoCreationOfUser | Attribute | `Yes` or `No` (controls auto user creation in Vault) |

<figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2Fv6MkP6ZFO13TBrk3kJqu%2Fimage.png?alt=media&#x26;token=0a72fde1-78a3-405d-8719-48d0dfc2872e" alt="Claims configuration"><figcaption></figcaption></figure>

8. In **SAML Signing Certificate**, download the **Federation Metadata XML**

<figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FSskk9B6XmhHxeK7aGUn6%2Fimage.png?alt=media&#x26;token=40acbc95-ebf8-4adf-aa89-6d805b3ee2a3" alt="Download SAML Metadata"><figcaption></figcaption></figure>

## Configure Vault <a href="#in-vault" id="in-vault"></a>

1. Log in to Vault
2. Navigate to **Settings > SSO Configurations**
3. Enter your Azure username
4. Choose **Metadata File**, upload the XML file from Azure
5. Click **Update** and then **Activate**

<figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FvZwA5tpC2cHfrjTnBsv2%2Fimage.png?alt=media&#x26;token=bd7f9a50-c08d-4842-bc12-10ab39c743be" alt="Upload metadata in Vault"><figcaption></figcaption></figure>

<figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2F5Rj4HAa9vjMZhBoK7GeN%2Fimage.png?alt=media&#x26;token=8beec642-ed3f-48ae-ac8d-2ee3c9d6e056" alt="Activate SSO in Vault"><figcaption></figcaption></figure>

6. Sign out and test login via SSO:
   * On the login page, click **Login with SSO**
   * Enter your **Customer ID** and click **Sign In**

<figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FbyLEMcACms1YiHv2vTY4%2Fimage.png?alt=media&#x26;token=69ae3568-7d38-44de-8136-c8cce0553e02" alt="SSO Login screen" width="563"><figcaption></figcaption></figure>

<figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FgNIJKw9AdkgjnKiNdXuv%2Fimage.png?alt=media&#x26;token=9db0bed9-86d9-41da-9fe2-c88227e32728" alt="Customer ID prompt" width="563"><figcaption></figcaption></figure>

## Troubleshooting <a href="#troubleshooting" id="troubleshooting"></a>

**Error**:\
*"Your user is not available in the account with provided customer ID. Please contact the administrator to create a user for you in the account."*

**Causes**:

1. The user is not assigned to the Vault application in Azure.
2. The `restrictAutoCreationOfUser` claim is set to `Yes` and the user has not been pre-created in Vault.
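
To narrow down either cause, capture the SAML assertion Entra ID sends to Vault (for example with a browser SAML tracer extension) and check it against the claims table and the Entity ID from the Entra ID steps above. The script below is an added example written for this guide, not part of Vault or Entra ID; the assertion, the zero-GUID tenant in the issuer, and the `CUST-PLACEHOLDER` customer ID are constructed sample values, and `instance_url` is whatever you used for `<instanceURL>`.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names from the "User Attributes & Claims" table in this guide.
REQUIRED_CLAIMS = ("firstname", "lastname", "customerid", "restrictAutoCreationOfUser")

# Constructed sample assertion; the issuer tenant GUID and customer ID are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://vault.example.com/ARVault/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="customerid"><saml:AttributeValue>CUST-PLACEHOLDER</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="restrictAutoCreationOfUser"><saml:AttributeValue>Yes</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text: str, instance_url: str) -> list[str]:
    """Return the problems found; an empty list means the assertion matches this guide's setup."""
    root = ET.fromstring(xml_text)
    problems = []
    # Step 6: the Audience must equal the Identifier (Entity ID) configured in Entra ID.
    expected_audience = f"{instance_url.rstrip('/')}/ARVault/saml/metadata"
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} does not match Entity ID {expected_audience}")
    # Step 7: collect every attribute name with its values.
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    for name in REQUIRED_CLAIMS:
        if not any(v.strip() for v in attrs.get(name, [])):
            problems.append(f"claim '{name}' is missing or empty")
    flag = (attrs.get("restrictAutoCreationOfUser") or [""])[0].strip()
    if flag and flag not in ("Yes", "No"):
        problems.append(f"restrictAutoCreationOfUser must be 'Yes' or 'No', got {flag!r}")
    elif flag == "Yes":
        problems.append("restrictAutoCreationOfUser=Yes: the user must already exist in Vault")
    # Entra ID's default additional claims use schema URIs; the guide says to delete them.
    leftovers = [n for n in attrs if n.startswith("http://schemas.")]
    if leftovers:
        problems.append(f"default Entra ID claims still present: {leftovers}")
    return problems


if __name__ == "__main__":
    for line in check_assertion(SAMPLE_ASSERTION, "https://vault.example.com") or ["OK"]:
        print(line)
```

If the only finding is the `restrictAutoCreationOfUser=Yes` note, the error message above means the account simply has not been pre-created in Vault; a missing claim or audience mismatch points back to the Entra ID configuration.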

To restrict access by network location, see Microsoft's Entra documentation on network assignments in Conditional Access, which covers setting up named locations that limit access to applications registered in Microsoft Entra: <https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network>.
