SSO with Microsoft Entra ID for Vault

Overview

This guide details how to configure Single Sign-On (SSO) in Vault using Microsoft Entra ID (formerly Azure AD) as a SAML 2.0 Identity Provider. This enables orgs to restrict login IPs via SSO.

Benefits:

• Centralized access control via Entra ID

• Seamless user authentication into Vault

• Simplified account management from the Azure portal

Prerequisites

• An active Entra ID subscription

• Admin privileges in both Vault and Entra ID

• Vault added as a non-gallery application

Configure Entra ID

Steps:

1. Sign in to Azure Portal.

2. Go to Entra ID > Enterprise Applications > New Application

3. Click + Create your own application

4. Name it VAULT, select Non-gallery application, and click Create

1. After creation, click Set up single sign on > SAML

2. In Basic SAML Configuration:

   • Identifier (Entity ID): <instanceURL>/ARVault/saml/metadata

   • Reply URL: <instanceURL>/ARVault/saml/SSO

1. In User Attributes & Claims:

   • Delete all Additional claims

   • Add these claims manually:

1. In SAML Signing Certificate, download the Federation Metadata XML

Configure Vault

1. Log in to Vault

2. Navigate to Settings > SSO Configurations

3. Enter your Azure username

4. Choose Metadata File, upload the XML file from Azure

5. Click Update and then Activate

1. Sign out and test login via SSO:

   • On the login page, click Login with SSO

   • Enter your Customer ID and click Sign In

Troubleshooting

Error: "Your user is not available in the account with provided customer ID. Please contact the administrator to create a user for you in the account."

Causes:

1. User not assigned in Azure to the Vault app.

2. restrictAutoCreationOfUser claim is set to Yes and user not pre-created in Vault.

Here is a sample document from Microsoft Entra on how to set up network zones that restrict access to apps registered in Microsoft Entra: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network.