# SSO with Microsoft Entra ID for Vault

## Overview <a href="#overview" id="overview"></a>

This guide details how to configure **Single Sign-On (SSO)** in Vault using **Microsoft Entra ID** (formerly Azure AD) as a **SAML 2.0 Identity Provider**. Delegating authentication to Entra ID also lets an organization restrict the IP addresses from which users can log in.

Benefits:

* Centralized access control via Entra ID
* Seamless user authentication into Vault
* Simplified account management from the Azure portal

## Prerequisites <a href="#prerequisites" id="prerequisites"></a>

* An active **Entra ID** subscription
* Admin privileges in both Vault and Entra ID
* Vault added as a **non-gallery application**

## Configure Entra ID <a href="#in-azure-a-d" id="in-azure-a-d"></a>

### Steps:

1. Sign in to [Azure Portal](https://portal.azure.com).
2. Go to **Entra ID > Enterprise Applications > New Application**
3. Click **+ Create your own application**
4. Name it `VAULT`, select **Non-gallery application**, and click **Create**

<figure><img src="/files/uCUyxVamcI35F3YLvpRs" alt="Create non-gallery application in Azure"><figcaption></figcaption></figure>

5. After creation, click **Set up single sign on** > **SAML**
6. In **Basic SAML Configuration**:
   * **Identifier (Entity ID):** `<instanceURL>/ARVault/saml/metadata`
   * **Reply URL:** `<instanceURL>/ARVault/saml/SSO`

<figure><img src="/files/wtPW83NJOzkxDjlcsMBF" alt="Basic SAML Configuration" width="527"><figcaption></figcaption></figure>

7. In **User Attributes & Claims**:
   * Delete all **Additional claims**
   * Add these claims manually:

| Name                       | Source    | Source Attribute                                     |
| -------------------------- | --------- | ---------------------------------------------------- |
| firstname                  | Attribute | `user.givenname`                                     |
| lastname                   | Attribute | `user.surname`                                       |
| customerid                 | Attribute | Vault Customer ID (from your Vault Profile section)  |
| restrictAutoCreationOfUser | Attribute | `Yes` or `No` (controls auto user creation in Vault) |

<figure><img src="/files/krckdYDvS8LQG0Wlubwn" alt="Claims configuration"><figcaption></figcaption></figure>

8. In **SAML Signing Certificate**, download the **Federation Metadata XML**

<figure><img src="/files/ARkFg5tbi60pDQUKJAWA" alt="Download SAML Metadata"><figcaption></figcaption></figure>

## Configure Vault <a href="#in-vault" id="in-vault"></a>

1. Log in to Vault
2. Navigate to **Settings > SSO Configurations**
3. Enter your Azure username
4. Choose **Metadata File**, upload the XML file from Azure
5. Click **Update** and then **Activate**

<figure><img src="/files/UHcOIj8coN51XOKVEIFX" alt="Upload metadata in Vault"><figcaption></figcaption></figure>

<figure><img src="/files/U4iMOU5J7riZRlVLqa5U" alt="Activate SSO in Vault"><figcaption></figcaption></figure>

6. Sign out and test login via SSO:
   * On the login page, click **Login with SSO**
   * Enter your **Customer ID** and click **Sign In**

<figure><img src="/files/Pwoy7Hz02FrYvksbxVOb" alt="SSO Login screen" width="563"><figcaption></figcaption></figure>

<figure><img src="/files/7xFx8ZOt3nvuJJ8FuqSf" alt="Customer ID prompt" width="563"><figcaption></figcaption></figure>

## Troubleshooting <a href="#troubleshooting" id="troubleshooting"></a>

**Error**: *"Your user is not available in the account with provided customer ID. Please contact the administrator to create a user for you in the account."*

**Causes**:

1. The user is not assigned to the Vault application in Azure.
2. The `restrictAutoCreationOfUser` claim is set to `Yes` and the user has not been pre-created in Vault.
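To confirm that an assertion issued by Entra ID carries exactly what steps 6 and 7 configure (Entity ID as Audience, Reply URL as Recipient, the four manual claims and no leftover additional claims), here is an added Python check; it is not part of the AutoRabit documentation or Vault's own code. It assumes a placeholder instance URL and a constructed, unsigned sample assertion; real assertions are signed, and Vault verifies that signature before any claim is trusted.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
INSTANCE_URL = "https://vault.example.test"  # assumption: placeholder <instanceURL>
REQUIRED_CLAIMS = ("firstname", "lastname", "customerid", "restrictAutoCreationOfUser")

# Constructed sample assertion (unsigned, for illustration only); a real one
# from Entra ID is signed and Vault must verify that signature first.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="{INSTANCE_URL}/ARVault/saml/SSO"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{INSTANCE_URL}/ARVault/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="customerid"><saml:AttributeValue>CUSTOMER-ID-PLACEHOLDER</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="restrictAutoCreationOfUser"><saml:AttributeValue>Yes</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, instance_url=INSTANCE_URL):
    """Return (problems, claims); problems is empty when the assertion matches the guide."""
    root = ET.fromstring(xml_text)
    problems = []
    # Step 6: the Entity ID must appear as Audience and the Reply URL as Recipient.
    audience = root.findtext(".//saml:Audience", namespaces=NS)
    if audience != f"{instance_url}/ARVault/saml/metadata":
        problems.append(f"audience mismatch: {audience!r}")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != f"{instance_url}/ARVault/saml/SSO":
        problems.append(f"recipient mismatch: {recipient!r}")
    # Step 7: exactly the four manually added claims, nothing else.
    claims = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
              for a in root.findall(".//saml:Attribute", NS)}
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            problems.append(f"missing or empty claim: {name}")
    for name in sorted(set(claims) - set(REQUIRED_CLAIMS)):
        problems.append(f"unexpected additional claim: {name}")
    if claims.get("restrictAutoCreationOfUser") not in ("Yes", "No"):
        problems.append("restrictAutoCreationOfUser must be Yes or No")
    return problems, claims
```

A non-empty `problems` list for a captured assertion points at which Azure step was skipped or mistyped; an empty list with the error above still showing points at user assignment or pre-creation in Vault.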

To restrict access to the Vault application by network location, see Microsoft's Conditional Access documentation on network assignments: <https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network>.
