SSO with Microsoft Azure AD for Vault
  • 03 Oct 2022

Overview

This step-by-step guide explains how to set up Single Sign-On in Vault with Microsoft Azure Active Directory (AD) as your SAML 2.0 Identity Provider (IdP).

When you integrate Vault with Azure AD, you can:

  1. Control in Azure AD who has access to Vault
  2. Enable your users to be automatically signed in to Vault with their Azure AD accounts
  3. Manage your accounts in one central location - the Azure portal.

Prerequisites

To get started, you need the following items:

  1. An Azure AD subscription.
  2. Administrator rights in both Vault and Azure AD, which are required to configure SSO.
  3. Vault added to Azure AD as a non-gallery application (the steps in the next section cover this).

In Azure AD

  1. Sign in to your Azure management portal.
  2. Select the Azure Active Directory service from the left sidebar, then click Enterprise applications.
  3. Click + New application.
  4. On the next screen, click the + Create your own application button.
  5. Enter the name of the app as VAULT and choose the third option, Integrate any other application you don't find in the gallery (Non-gallery).
  6. Click Create.
  7. Once the VAULT application is created, click Set up single sign on.
  8. On the Select a single sign-on method dialog, select SAML to enable single sign-on.
  9. On the Set up Single Sign-On with SAML page, click the Edit (pencil) icon for Basic SAML Configuration to edit the settings.
  10. In the Basic SAML Configuration section, perform the following steps:
    1. In the Identifier (Entity ID) field, enter the URL in the format <instanceURL>/ARVault/saml/metadata. For example, if your instance is https://xyz.com, the Identifier (Entity ID) is https://xyz.com/ARVault/saml/metadata
    2. In the Reply URL field, enter the URL in the format <instanceURL>/ARVault/saml/SSO. For example, if your instance is https://xyz.com, the Reply URL is https://xyz.com/ARVault/saml/SSO
    3. Click Save.
  11. Click the Edit (pencil) icon for User Attributes & Claims to edit the attribute settings.
  12. In the User Attributes & Claims section, delete the auto-generated claims listed under Additional claims.
  13. Next, click + Add new claim.
  14. In the Manage claim page, fill in the details below:
      Name         Source      Source Attribute
      firstname    Attribute   user.givenname
  15. Click Save.
  16. Follow similar steps to add the remaining claims listed in the table below:
      Name                          Source      Source Attribute
      Lastname                      Attribute   user.surname
      customerid                    Attribute   Your Vault Customer ID (you will find it under the Profile section of your Vault account)
      restrictAutoCreationOfUser    Attribute   Yes or No:
                                                Yes: a new user account will not be created in Vault even if the user is already registered with the OKTA service provider. The user is not permitted access to Vault if the account does not exist in Vault.
                                                No: the restriction is lifted, a new user account is created in Vault, and the user can access the Vault feature.
  17. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find Federation Metadata XML and click Download to save the XML file on your computer.

In Vault

Now that your Azure SSO implementation is set up, you’ll need to follow just a few more steps to configure SSO in your Vault account. 

  1. Log in to your Vault account.
  2. Go to Settings > SSO Configurations.
  3. Enter the username with which you accessed your Azure account.
  4. Under Configure Using, choose Metadata File. Browse to the metadata XML file you downloaded earlier and upload it.
  5. Click Update.
  6. Click Activate to enable the SSO feature for your Vault account.
  7. Now sign out of your Vault account.
  8. Go to the Vault login page. This time you need to log in via SSO, so click Login with SSO.
  9. Enter the Customer ID linked to your account and click Sign In.


Troubleshooting

Vault throws the following error when a user tries to log into Vault via SSO: "Your user is not available in the account with provided customer id. Please contact the administrator to create a user for you in the account"

The error usually occurs if:

  1. The user is not assigned to the Vault application in Azure AD, so Azure does not allow them to log in to it.
  2. The administrator set restrictAutoCreationOfUser to Yes in the claims while configuring Azure AD SSO. With Yes, the user is not permitted access to Vault unless the account already exists in Vault.
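
The following script is an added example for this guide, not code from Vault or Azure AD. It covers two checks an administrator can run offline while working through the claims steps above and this troubleshooting section: it summarises the Federation Metadata XML downloaded from Azure AD (entityID, SingleSignOnService endpoints, number of signing certificates) before the file is uploaded to Vault, and it reads the AttributeStatement of a SAML assertion (as captured from a browser's SAML trace) to report which of the four claim names from the guide are missing, whether customerid matches the Vault account, and whether restrictAutoCreationOfUser is Yes. The sample metadata and assertion are constructed with placeholder tenant, certificate and customer-ID values; the assumption that Vault matches claim names case-sensitively (so a claim named lastname is not accepted as Lastname) is the script's own, not something the guide states.

```python
# Added example (not part of the original guide): inspect Azure AD federation
# metadata and a SAML assertion's claims to explain SSO login failures in Vault.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Claim names exactly as the guide configures them under User Attributes & Claims.
# Assumption: Vault compares these names case-sensitively ("lastname" != "Lastname").
REQUIRED_CLAIMS = ("firstname", "Lastname", "customerid", "restrictAutoCreationOfUser")

# Constructed sample of the Federation Metadata XML (placeholder tenant and certificate).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERTIFICATE-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample assertion: note the misspelt "lastname" claim and restrict=Yes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="customerid"><saml:AttributeValue>EXAMPLE-CUSTOMER-ID</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="restrictAutoCreationOfUser"><saml:AttributeValue>Yes</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def summarize_idp_metadata(metadata_xml: str) -> dict:
    """Return the IdP entityID, SSO endpoint per binding and the signing-certificate count."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: wrong file downloaded?")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    sso = {
        s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
        for s in idp.iterfind("md:SingleSignOnService", NS)
    }
    # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
    signing = [k for k in idp.iterfind("md:KeyDescriptor", NS) if k.get("use", "signing") != "encryption"]
    certs = [c for k in signing for c in k.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": len(certs)}


def extract_attributes(assertion_xml: str) -> dict:
    """Map each Attribute Name in the AttributeStatement to its list of string values."""
    root = ET.fromstring(assertion_xml)  # works for a bare Assertion or a full Response
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def _first(attrs: dict, name: str):
    values = attrs.get(name) or []
    return values[0] if values else None


def diagnose(attrs: dict, expected_customer_id: str) -> list:
    """List reasons Vault may reject the login, judged from the assertion's claims alone."""
    problems = []
    for claim in REQUIRED_CLAIMS:
        if claim not in attrs:
            problems.append("missing claim '%s'" % claim)
    if _first(attrs, "customerid") != expected_customer_id:
        problems.append("customerid does not match this Vault account's Customer ID")
    if (_first(attrs, "restrictAutoCreationOfUser") or "").lower() == "yes":
        problems.append("restrictAutoCreationOfUser=Yes: the user must already exist in Vault")
    return problems


if __name__ == "__main__":
    print(summarize_idp_metadata(SAMPLE_METADATA))
    for line in diagnose(extract_attributes(SAMPLE_ASSERTION), "EXAMPLE-CUSTOMER-ID"):
        print("-", line)
```

Run against the constructed sample, the metadata summary shows one signing certificate and an HTTP-POST endpoint (the binding Vault's Reply URL receives), and the diagnosis reports the missing Lastname claim and the restrictAutoCreationOfUser=Yes setting, which together explain the "Your user is not available in the account" error for a user who has not yet been created in Vault. To use it on a real capture, replace the two sample strings with the downloaded metadata file and the decoded assertion.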
