SSO with Microsoft Azure AD for Vault
This step-by-step guide explains how to set up Single Sign-On in Vault with Microsoft Azure Active Directory (AD) as your SAML 2.0 Identity Provider (IdP).
When you integrate Vault with Azure AD, you can:
- Control in Azure AD who has access to Vault
- Enable your users to be automatically signed in to Vault with their Azure AD accounts
- Manage your accounts in one central location - the Azure portal.
To get started, you need the following items:
- An Azure AD subscription.
- Administrator rights in both Vault and Azure AD, which are required to configure SSO.
Add Vault as a non-gallery application
In Azure AD
- Sign in to your Azure management portal.
- Select the Azure Active Directory service from the left sidebar. Click Enterprise applications.
- Click on + New application.
- On the next screen, click on the + Create your own application button.
- Enter the name of the app as VAULT and choose the third option, Integrate any other application you don't find in the gallery (Non-gallery).
- Click Create.
- Once the VAULT application is created, click on Set up single sign on.
- On the Select a Single sign-on method dialog, select SAML mode to enable single sign-on.
- On the Set up Single Sign-On with SAML page, click the Edit (pencil) icon for Basic SAML Configuration to edit the settings.
- On the Basic SAML Configuration section, perform the following steps:
- In the Identifier (Entity ID) field, enter the URL in the following format: <instanceURL>/ARVault/saml/metadata. For example, if your instance is https://xyz.com, the Identifier (Entity ID) would be: https://xyz.com/ARVault/saml/metadata
- In the Reply URL field, enter the URL in the following format: <instanceURL>/ARVault/saml/SSO. For example, if your instance is https://xyz.com, the Reply URL would be: https://xyz.com/ARVault/saml/SSO
- Click Save.
- Click the Edit (pencil) icon for User Attributes & Claims to edit the attributes settings.
- On the User Attributes & Claims section, delete the auto-generated claims available in the Additional claims section.
- Next, click on +Add New Claim.
- On the Manage Claim page, fill in the details below:

| Name | Source | Source Attribute |
|---|---|---|
| firstname | Attribute | user.givenname |

- Click Save.
- Follow similar steps to add two more claims as shown in the table below:

| Name | Source | Source Attribute |
|---|---|---|
| Lastname | Attribute | user.surname |
| customerid | Attribute | Enter your Vault's Customer ID. (You'll find your Customer ID under the Profile section in your Vault account.) |
| restrictAutoCreationOfUser | Attribute | Yes: a new user account won't be created within Vault even if the user is already registered with the Okta service provider; the user is not permitted access to Vault if the account is not created in Vault. No: the restriction is revoked, a new user account gets created in Vault, and the user will be able to access the Vault feature. |

- On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find Federation Metadata XML and click Download to download the XML file and save it on your computer.
Now that your Azure SSO implementation is set up, you’ll need to follow just a few more steps to configure SSO in your Vault account.
- Log in to your Vault account.
- Go to Settings > SSO Configurations.
- Enter the username with which you accessed your Azure account.
- Set Configure Using to Metadata File. Browse to the Federation Metadata XML file you downloaded earlier and upload it.
- Click Update.
- Click on Activate to enable the SSO feature with your Vault account.
- Now, sign out from your Vault account.
- Go to the Vault login page. This time you need to log in via SSO, so click Login with SSO.
- Enter the Customer ID linked to your account and click Sign In.
Vault throws the following error when a user tries to log into Vault via SSO: "Your user is not available in the account with provided customer id. Please contact the administrator to create a user for you in the account"
The error usually occurs if:
- The user is not assigned to the Vault application in Azure AD, so Azure AD does not allow them to log in to it.
- The administrator has set the restrictAutoCreationOfUser to Yes inside Attribute Statements while configuring Azure AD SSO. If it is set to Yes, the user is not permitted access to Vault if the account is not created in Vault.
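To make the claims table and the troubleshooting rule above concrete, here is an added example (not code from Vault or Azure AD) that reads the four configured claims out of a SAML assertion and applies the restrictAutoCreationOfUser rule the way the guide describes it. The assertion is constructed for the example, the tenant id and customer id are placeholders, and `existing_users` is an assumption standing in for Vault's user directory (it assumes the NameID is the username Vault knows the user by). A real service provider also verifies the assertion's XML signature against the certificate in the Federation Metadata XML before trusting any claim; that step is outside this example.

```python
"""Added example, not code from Vault or Azure AD: read the claims that the
guide configures in Azure AD out of a SAML assertion and apply the
restrictAutoCreationOfUser rule from the claims table and the troubleshooting
section. The assertion below is constructed for the example."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names exactly as entered in the guide's User Attributes & Claims table.
REQUIRED_CLAIMS = ("firstname", "Lastname", "customerid", "restrictAutoCreationOfUser")

# Error text quoted from the guide's troubleshooting section.
USER_NOT_AVAILABLE = (
    "Your user is not available in the account with provided customer id. "
    "Please contact the administrator to create a user for you in the account"
)

# Constructed sample assertion; tenant id and customer id are placeholders.
# A real assertion also carries an XML signature that the service provider
# must verify against the certificate from the Federation Metadata XML before
# reading any claim; that verification is not part of this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@xyz.com</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://xyz.com/ARVault/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Lastname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="customerid"><saml:AttributeValue>CUST-0001</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="restrictAutoCreationOfUser"><saml:AttributeValue>Yes</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_claims(assertion_xml: str) -> dict:
    """Return {claim name: first value} from the assertion's AttributeStatement.

    Raises ValueError if any claim the guide configures is absent, which is what
    happens when the auto-generated claims were left in place instead of being
    replaced by the four from the table."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = values[0] if values else ""
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"assertion is missing required claims: {missing}")
    return claims


def decide_login(assertion_xml: str, existing_users: set, expected_customer_id: str,
                 expected_entity_id: str) -> dict:
    """Apply the guide's provisioning rule to one assertion.

    existing_users stands in for Vault's user directory (assumption: the NameID
    is the username Vault knows the user by). expected_entity_id is the
    Identifier (Entity ID) entered in Basic SAML Configuration."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience",
                             default="", namespaces=NS)
    claims = parse_claims(assertion_xml)

    def deny(message: str) -> dict:
        return {"allowed": False, "user": name_id, "action": "denied", "message": message}

    # An assertion issued for a different service provider is never accepted.
    if audience != expected_entity_id:
        return deny(f"audience {audience!r} does not match entity id {expected_entity_id!r}")
    # The customerid claim must match the Customer ID entered at Login with SSO.
    if claims["customerid"] != expected_customer_id:
        return deny("customerid claim does not match this Vault account")
    if name_id in existing_users:
        return {"allowed": True, "user": name_id, "action": "existing", "message": "ok"}
    # Unknown user: restrictAutoCreationOfUser decides, as the claims table says.
    if claims["restrictAutoCreationOfUser"].strip().lower() == "yes":
        return deny(USER_NOT_AVAILABLE)
    existing_users.add(name_id)  # "No": a new Vault user is created and login proceeds
    return {"allowed": True, "user": name_id, "action": "created", "message": "ok"}


if __name__ == "__main__":
    print(decide_login(SAMPLE_ASSERTION, {"bob@xyz.com"}, "CUST-0001",
                       "https://xyz.com/ARVault/saml/metadata"))
```

Running the block as-is reproduces the troubleshooting case: alice@xyz.com is not in the directory and the claim is Yes, so the result carries the exact "Your user is not available" message; flipping the claim to No makes the same assertion create the user and succeed.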