Configure SSO federation
Single sign-on (SSO) federation lets your users log in to VaultPAM using your existing identity provider (IdP). VaultPAM supports SAML 2.0 and OIDC.
Prerequisites
- VaultPAM: Org Admin role
- Identity provider: Admin access in your Entra ID tenant or Okta organisation
- Protocol: SAML 2.0 or OIDC supported by your IdP
Microsoft Entra ID (Azure AD)
This procedure uses SAML 2.0. Complete all steps in order.
- In the Azure portal, go to Entra ID > Enterprise applications > New application.
- Select Create your own application, name it VaultPAM, and choose Integrate any other application you do not find in the gallery.
- Go to Single sign-on and select SAML.
- Under Basic SAML Configuration, set:
  - Entity ID (Identifier): copy from the VaultPAM console at Organisation settings > SSO > Entity ID.
  - Reply URL (ACS URL): copy from the VaultPAM console at Organisation settings > SSO > ACS URL.
- Download the Federation Metadata XML file from Entra ID.
- In the VaultPAM console, go to Organisation settings > SSO > Upload metadata. Upload the XML file.
- Assign users or groups to the VaultPAM enterprise application in Entra ID.
- Test the login by clicking Test in the Entra ID SAML configuration screen, then opening a private browser window and navigating to app.vaultpam.com.
Success state: Users assigned in Entra ID can log in to VaultPAM using their Microsoft credentials. The VaultPAM console shows the SSO provider name on the login page.
Okta
This procedure uses SAML 2.0. Complete all steps in order.
- In the Okta Admin Console, go to Applications > Applications > Create App Integration.
- Select SAML 2.0 and click Next.
- Name the application VaultPAM and click Next.
- Under SAML Settings, set:
  - Single sign-on URL: copy from the VaultPAM console at Organisation settings > SSO > ACS URL.
  - Audience URI (SP Entity ID): copy from the VaultPAM console at Organisation settings > SSO > Entity ID.
- Click Next, select I am an Okta customer adding an internal app, and click Finish.
- Go to the Sign On tab and click View SAML setup instructions or download the Identity Provider metadata.
- In the VaultPAM console, go to Organisation settings > SSO > Upload metadata. Upload the Okta metadata file.
- In Okta, go to the Assignments tab and assign users or groups to VaultPAM.
- Test the login: open a private browser window, go to app.vaultpam.com, and click Sign in with Okta.
Success state: Assigned Okta users can log in to VaultPAM. The audit log records their SSO-authenticated sessions.
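Both procedures end with uploading the IdP's federation metadata XML to the VaultPAM console. The script below is an added example (not VaultPAM, Entra ID or Okta code) that checks a downloaded metadata file before upload: it confirms the file is IdP metadata (not SP metadata), carries an entityID, a signing certificate that decodes as DER, and an HTTPS SingleSignOnService endpoint with an HTTP-Redirect or HTTP-POST binding. The embedded sample metadata and its certificate are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample in the shape Entra ID and Okta export; the certificate
# is a placeholder whose base64 decodes to a DER SEQUENCE prefix only.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>MIIBcGxhY2Vob2xkZXI=</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, signing certs and SSO endpoints; list any problems."""
    root = ET.fromstring(xml_text)
    res = {"entity_id": root.get("entityID"), "signing_certs": 0,
           "sso_endpoints": {}, "problems": []}
    if not res["entity_id"]:
        res["problems"].append("missing entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        res["problems"].append("no IDPSSODescriptor: this is not IdP metadata")
        return res
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no use= means signing too
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            if der[:1] == b"\x30":  # DER SEQUENCE tag: looks like a real cert
                res["signing_certs"] += 1
            else:
                res["problems"].append("signing certificate is not DER-encoded")
    if not res["signing_certs"]:
        res["problems"].append("no signing certificate")
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding, loc = sso.get("Binding", ""), sso.get("Location", "")
        if binding in (BINDING_PREFIX + "HTTP-Redirect", BINDING_PREFIX + "HTTP-POST"):
            res["sso_endpoints"][binding[len(BINDING_PREFIX):]] = loc
            if not loc.startswith("https://"):
                res["problems"].append("SSO endpoint is not HTTPS: " + loc)
    if not res["sso_endpoints"]:
        res["problems"].append("no HTTP-Redirect or HTTP-POST SSO endpoint")
    return res
```

Run it against the real file with `check_idp_metadata(open("metadata.xml").read())`; an empty `problems` list means the upload step has what it needs, and a mismatch in `entity_id` against what the IdP shows is worth resolving before assigning users.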
Troubleshooting SSO issues
If users receive an authentication error or are redirected back to the login page, see SSO login failing for common causes and fixes.