SSO with Microsoft Entra ID for Vault
Last updated
Last updated
This step-by-step guide explains how to set up Single Sign-On in Vault with Microsoft Entra ID—formerly Microsoft Azure Active Directory (AD)—as your SAML 2.0 Identity Provider (IdP).
When you integrate Vault with Entra ID, you can:
Control in Entra ID who has access to Vault
Enable your users to be automatically signed in to Vault with their Entra ID accounts
Manage your accounts in one central location - the Azure portal.
To get started, you need the following items:
An Entra ID subscription.
You will need to be an Administrator in Vault and in Entra ID to configure SSO.
Add Vault as a non-gallery application.
Sign in to your Azure management portal.
Select the Entra ID service from the left sidebar. Click Enterprise applications.
Click on + New application.
On the next screen, click on the + Create your own application button.
Enter the name of the app as VAULT and choose the third option i.e., Integrate any other application you don't find in the gallery (Non-gallery).
Click Create.
Once the VAULT application is created, click on Set up single sign on.
On the Select a Single sign-on method dialog, select SAML mode to enable single sign-on.
On the Set up Single Sign-On with SAML page, click the Edit (pencil) icon for Basic SAML Configuration to edit the settings.
On the Basic SAML Configuration section, perform the following steps:
In the Identifier (Entity ID) field, enter the URL in the following format: <instanceURL>/ARVault/saml/metadata. For example- If your instance is https://xyz.com, then the Identifier (Entity ID) would be: https://xyz.com/ARVault/saml/metadata
In the Reply URL field, enter the URL in the following format: <instanceURL>/ARVault/saml/SSO. For example- If your instance is https://xyz.com, then the payload URL would be: https://xyz.com/ARVault/saml/SSO
Click Save.
Click the Edit (pencil) icon for User Attributes & Claims to edit the attributes settings.
On the User Attributes & Claims section, delete the auto-generated claims available in the Additional claims section.
Next, click on +Add New Claim.
In the Manage Claim page, fill in the below details:
firstname
Attribute
user.givenname
Click Save.
Follow similar steps to add two more claims as mentioned in the below table:
Lastname
Attribute
user.surname
customerid
Attribute
Enter your Vault's Customer Id. (You'll find your Customer ID under the Profile section in your Vault account.
restrictAutoCreationOfUser
Attribute
For Yes, a new user account won't be created within Vault even if the user is already registered with the OKTA service provider. The user is not permitted access to Vault if the account is not created in Vault. For No, the restriction is revoked, and a new user account gets created in Vault, and the user will be able to access the Vault feature.
On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find Federation Metadata XML and click Download to download the XML file and save it on your computer.
Now that your Azure SSO implementation is set up, you’ll need to follow just a few more steps to configure SSO in your Vault account.
Login to your Vault account.
Go to Settings > SSO Configurations.
Enter the username with which you accessed your Azure account.
Choose the Configure Using as Metadata File. Browse for the metadata XML file that you have downloaded previously in your local machine and upload them.
Click Update.
Click on Activate to enable the SSO feature with your Vault account.
Now, sign out from your Vault account.
Go to the Vault login page. This time you need to login via SSO, so, therefore, click on Login with SSO.
Enter the Customer ID linked for your account and click on Sign In.
Troubleshooting:
Vault throws the following error when a user tries to log into Vault via SSO: "Your user is not available in the account with provided customer ID. Please contact the administrator to create a user for you in the account."
The error usually occurs if:
The user details are not assigned inside Azure to login into the Vault application.
The administrator has set the restrictAutoCreationOfUser to Yes inside Attribute Statements while configuring Entra ID SSO. If it is set to Yes, the user is not permitted access to Vault if the account is not created in Vault.