SSO with Microsoft Entra ID for Vault

Overview

This step-by-step guide explains how to set up Single Sign-On in Vault with Microsoft Entra ID—formerly Microsoft Azure Active Directory (AD)—as your SAML 2.0 Identity Provider (IdP).

When you integrate Vault with Entra ID, you can:

1. Control in Entra ID who has access to Vault

2. Enable your users to be automatically signed in to Vault with their Entra ID accounts

3. Manage your accounts in one central location - the Azure portal.

Prerequisites

To get started, you need the following items:

1. An Entra ID subscription.

2. You will need to be an Administrator in Vault and in Entra ID to configure SSO.

3. Add Vault as a non-gallery application.

In Entra ID

1. Sign in to your Azure management portal.

1. Select the Entra ID service from the left sidebar. Click Enterprise applications.

2. Click on + New application.

3. On the next screen, click on the + Create your own application button.

4. Enter the name of the app as VAULT and choose the third option i.e., Integrate any other application you don't find in the gallery (Non-gallery).

5. Click Create.

1. Once the VAULT application is created, click on Set up single sign on.

2. On the Select a Single sign-on method dialog, select SAML mode to enable single sign-on.

3. On the Set up Single Sign-On with SAML page, click the Edit (pencil) icon for Basic SAML Configuration to edit the settings.

4. On the Basic SAML Configuration section, perform the following steps:

   • In the Identifier (Entity ID) field, enter the URL in the following format: <instanceURL>/ARVault/saml/metadata. For example- If your instance is https://xyz.com, then the Identifier (Entity ID) would be: https://xyz.com/ARVault/saml/metadata

   • In the Reply URL field, enter the URL in the following format: <instanceURL>/ARVault/saml/SSO. For example- If your instance is https://xyz.com, then the payload URL would be: https://xyz.com/ARVault/saml/SSO

5. Click Save.

1. Click the Edit (pencil) icon for User Attributes & Claims to edit the attributes settings.

1. On the User Attributes & Claims section, delete the auto-generated claims available in the Additional claims section.

2. Next, click on +Add New Claim.

3. In the Manage Claim page, fill in the below details:

1. Click Save.

2. Follow similar steps to add two more claims as mentioned in the below table:

   Name

   Source

   Source Attribute

   Lastname

   Attribute

   user.surname

   customerid

   Attribute

   Enter your Vault's Customer Id. (You'll find your Customer ID under the Profile section in your Vault account.

   restrictAutoCreationOfUser

   Attribute

   For Yes, a new user account won't be created within Vault even if the user is already registered with the OKTA service provider. The user is not permitted access to Vault if the account is not created in Vault. For No, the restriction is revoked, and a new user account gets created in Vault, and the user will be able to access the Vault feature.

   
3. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find Federation Metadata XML and click Download to download the XML file and save it on your computer.

In Vault

Now that your Azure SSO implementation is set up, you’ll need to follow just a few more steps to configure SSO in your Vault account.

1. Login to your Vault account.

2. Go to Settings > SSO Configurations.

3. Enter the username with which you accessed your Azure account.

4. Choose the Configure Using as Metadata File. Browse for the metadata XML file that you have downloaded previously in your local machine and upload them.

1. Click Update.

2. Click on Activate to enable the SSO feature with your Vault account.

1. Now, sign out from your Vault account.

2. Go to the Vault login page. This time you need to login via SSO, so, therefore, click on Login with SSO.

1. Enter the Customer ID linked for your account and click on Sign In.