SAML SSO

Password Server allows Single Sign-On (SSO) from trusted Identity Providers such as Microsoft Entra ID (formerly Azure AD), Office 365, and ADFS.

KeePass SSO simplifies login for users and allows integration with other applications. Users sign in once to a trusted Identity Provider and are not prompted again when using Password Server.

SAML 2.0 is a widely used standard for Single Sign-On, and many notable services can act as compatible Identity Providers (IdP). Password Server exchanges authentication assertions with the IdP using SAML 2.0.

Applies to: Versions 7.9.9+, Enterprise+SSO

Supported Identity Providers

  • Microsoft Entra ID (formerly Azure AD)
  • ADFS
  • Okta
  • Shibboleth 2.0
  • Ping Identity
  • RSA SecurID Access
  • OneLogin
  • OneIdentity
  • SecureAuth
  • AWS
  • Office 365
  • Google Apps / G Suite
  • F5
  • Salesforce
  • Entrust
  • MicroFocus (NetIQ)
  • Gluu Server (open source)

… as well as many other compatible SAML Identity Provider services!

References:

SAML SSO Configuration

Guides are available for some popular integrations, and additional guides will be added in the future:

SAML SSO Features

SSO for KeePass

  • KeePass users will not be re-prompted to login when already signed-in to a trusted identity provider.

SSO for Web Application

  • Web application users will not be re-prompted to login when already signed-in to a trusted identity provider.

SSO for Auto-Fill Plugin

  • Chrome Auto-Fill plugin users will not be re-prompted to login when already signed-in to a trusted identity provider.

Enforce SSO Authentication

  • Require interaction with a Trusted Provider before accessing Password Server.

Separate Local Emergency Access

  • Administrators still have a local method to sign-in.

Enforce SAML SSO Login

(Versions 7.10.9+)

Password Server can be configured to require that users sign in only through SAML SSO with a configured provider; any other sign-in attempt is refused.

Both Web application and KeePass users can use single sign-on authentication.

This is useful when MFA or other identity verification factors are enforced outside of Password Server, at the Identity Provider: because every sign-in must pass through the IdP, its policies apply to every Password Server user, and a user cannot sidestep them with a local password.

Settings to Enforce Single Sign-OnĀ 

Settings for enforcing SSO partner sign-in are on the Policy Administration global settings page:

  • User and Roles > Policies
    • When "Enforce Partner Sign-in" is set to true, users will be required to log in to Password Server through a configured SAML Authentication partner.


SAML Single Sign-On:

Allow Exceptions for Direct Sign-in

Enforcing sign-in through a partner works well for everyday user sign-in, but in some cases you may want to allow an exception so that admin users can sign in directly to Password Server, for example when the Identity Provider is unavailable.

The exception can be set in the Default Policy or in an individual role-managed policy. When "Enforce Partner Sign-in" is set to true, "Allow Exception for Direct Sign-in" can be enabled in one of these policies:

  • User and Roles > Policies > New or Edit Policy > Authentication Policy
    • Set "Allow Exception for Direct Sign-in" to True. Users or roles assigned this policy will have the option to sign in directly to the Password Server application.

Every account covered by the exception can bypass the Identity Provider and any MFA it enforces, so assign the exception policy to a small set of administrator accounts with strong local credentials rather than to the Default Policy.

Bypass SAML SSO in an Emergency with Direct Sign-In

To sign in locally and bypass SSO partner sign-in, first create the policy exception described above, then open the direct sign-in URL:

  • https://localhost:10001/Account/SignIn/Direct

Replace localhost with your server's host name (and adjust the port if your installation does not use 10001). Only accounts assigned a policy with "Allow Exception for Direct Sign-in" can authenticate on this page; all other accounts are still required to use the partner sign-in.

Changing SAML SSO Certificates

(Versions 7.11.9+)

Two certificates are involved in a SAML integration, and they play different roles from the TLS certificate that encrypts the HTTPS connection to Password Server. The Partner Configuration certificate is the Identity Provider's public signing certificate: Password Server uses it to verify the signature on the SAML assertions the IdP issues, so an assertion signed with any other key is rejected. The Site certificate (.pfx) contains Password Server's own private key, which it uses to sign the messages it sends to the IdP, such as Single Log Out requests. Keep the private keys safe: whoever holds the IdP's signing key can issue assertions for any user, and whoever holds the site key can forge messages from Password Server.

Generate new certificates periodically, and immediately if a key may have been lost or stolen. Rotation has to be coordinated with the partner: once the IdP starts signing with a new key, sign-in fails until its new public certificate is uploaded here. If partner sign-in is enforced, make sure an administrator has a direct sign-in exception before rotating, so that a mismatch does not lock everyone out.

Upload the Partner Configuration Certificate

Upload the public signing certificate from your Identity Provider by editing the SAML Partner Configuration and uploading the certificate file exported from the IdP. Before uploading, confirm that its fingerprint matches the signing certificate the IdP currently publishes (in its SAML metadata or admin console), so that you do not configure an expired or encryption-only certificate by mistake.
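The following is an added example, not Password Server code or part of any vendor guide. It shows the check described above: read the signing certificates an IdP publishes in its SAML metadata (skipping encryption-only key descriptors), compute their SHA-256 fingerprints in the colon-separated form that openssl and most IdP consoles display, and compare them against the fingerprint of the certificate configured as the SAML Partner Certificate. The metadata document, the entityID and the certificate bytes are constructed placeholders (the bytes are not real DER certificates; the fingerprint logic treats them opaquely exactly as it would treat a real certificate). Standard library only.

```python
"""Added example (not Password Server code): confirm that the signing
certificate an IdP publishes in its SAML metadata is the one configured as
the SAML Partner Certificate, and flag a rotation when it is not.
Standard library only; the metadata and certificate bytes are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders standing in for DER-encoded X.509 certificates.
# Real IdP metadata carries the actual certificate; the checks below treat
# the bytes opaquely, as `openssl x509 -fingerprint -sha256` would.
OLD_SIGNING_DER = b"constructed-placeholder-old-signing-cert"
NEW_SIGNING_DER = b"constructed-placeholder-new-signing-cert"
ENCRYPTION_DER = b"constructed-placeholder-encryption-only-cert"


def _key_descriptor(der: bytes, use: str) -> str:
    b64 = base64.b64encode(der).decode()
    return (
        f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
    )


def sample_metadata(*signing_ders: bytes) -> str:
    """Build constructed IdP metadata: the given signing certificates plus an
    encryption-only certificate that must never be used to verify signatures.
    The entityID is a made-up value."""
    descriptors = "".join(_key_descriptor(d, "signing") for d in signing_ders)
    descriptors += _key_descriptor(ENCRYPTION_DER, "encryption")
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
        'entityID="https://idp.example.test/saml">'
        "<md:IDPSSODescriptor "
        'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{descriptors}</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


def signing_certs(metadata_xml: str) -> list:
    """Return the DER bytes of every certificate the IdP may sign with.
    A KeyDescriptor with no `use` attribute is valid for both purposes."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys are not trust anchors for assertions
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join(cert.text.split())))
    return certs


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form shown by openssl and
    most IdP admin consoles, e.g. 'AB:CD:...'."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))


def check_partner_cert(metadata_xml: str, configured_fingerprint: str) -> dict:
    """Compare the configured partner certificate against the IdP's metadata.

    match             the configured cert is still among the IdP's signing certs
    rotate            the IdP signs with a different cert; upload the new one
                      before assertions start failing signature verification
    no-signing-cert   the metadata publishes no signing key at all
    """
    published = [fingerprint(der) for der in signing_certs(metadata_xml)]
    if not published:
        status = "no-signing-cert"
    elif configured_fingerprint.upper() in published:
        status = "match"
    else:
        status = "rotate"
    return {"status": status, "published": published}


if __name__ == "__main__":
    configured = fingerprint(OLD_SIGNING_DER)
    print(check_partner_cert(sample_metadata(OLD_SIGNING_DER), configured))
    print(check_partner_cert(sample_metadata(NEW_SIGNING_DER), configured))
```

With a real IdP, pass the downloaded metadata XML to `check_partner_cert` together with the fingerprint shown for the currently uploaded Partner Certificate. A `rotate` result during a metadata rollover is the signal to upload the new certificate; a `match` while both old and new certificates are published means the IdP is still signing with a key Password Server trusts.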

SAML SSO Partner Certificate

For more details on where to find this Certificate, see details in SAML Guides:

Upload the Site Certificate

(Optional) Upload your site's private certificate (.pfx file) by editing the SAML Configuration. The .pfx contains Password Server's private key, so protect the file and its password as you would any other key material.

  • This is needed if using Single Log Out (SLO), because Password Server must sign the logout messages it sends to the Identity Provider.

SAML Configuration Certificate

For more details about this certificate, see the SAML Guides (SAML with AD FS, SAML with Microsoft Entra ID (formerly Azure AD)).