Sitemap

SAML with Microsoft Entra ID (formerly Azure AD)

Website Documentation for your KeePass client and Pleasant Password Server

The following steps can be used to setup an configure SAML SSO with Microsoft Entra ID (formerly Azure AD).

This will allow your users to be authenticated once using Microsoft Entra credentials and not be prompted again if they are already signed in.

Applies to: Versions 7.9.9+, Enterprise+SSO

Related (similar configuration steps):

Pre-Requirement:

  • Install & register Password Server Enterprise+SSO
  • Import AD/LDAP Directory users

Setup Overview

  • Step 1 - Configure SAML in Pleasant Password Server
  • Step 2 - Add a new App in Microsoft Entra ID
  • Step 3 - Configure the Single Sign-On Method
  • Step 4 - Configure a new SAML Partner
  • Step 5 - Assign Group to the new App

Step 1 - Configure SAML in Pleasant Password Server

  1. Open the Authentication Services configuration page from the Users & Roles menu.

  2. Click Add SAML Configuration
  3. Provide an Issuer Name value

    • This value identifies your Pleasant Password Server application to the Identity Provider (Microsoft Entra ID | Azure AD)
      • e.g. PleasantPasswordServer
      • "Issuer Name" = Microsoft Entra Identifier (Entity ID)
      • Suggestion: Do not use any spaces when typing the "Issuer Name"
    • This value will be needed during Part 3
  4. Adjust the SSO Session Lifetime
    • If using Single Log Out (SLO), this value should be increased so the the session data is kept longer
    • However, if users are signing out often, i.e. daily, this value does not need to be larger
  5. (optional) Provide a certificate for digitally signing SAML requests and responses

    • Single Log Out (SLO) on Microsoft Entra requires that the requests be signed
    • See the certificate section for instructions on creating and configuring a signing certificate
      • Note: only .pfx or .p12 formats are accepted currently. Use the steps mentioned here to convert (Option A, step 2).

    • This certificate can be a self-signed certificate for Microsoft Entra
    • The Microsoft Entra provided certificate may need to be downloaded and setup on the Password Server machine as a trusted certificate
    • Be sure that your IIS user account (or AppPool) has read permissions to the imported certificate
  6. Save the configuration

    • azure saml sso config
  7. Copy the values for Issuer Name, Assertion Consumer Service URL, and Single Log Out Service URL
    • Assertion Consumer Service URL = Reply URL (needed in the new Microsoft Entra Enterprise Application)
    • If using a certificate for signing you will also need to export the public key
      • Note: only .pfx or .p12 format is accepted currently. Use the steps mentioned here to convert if needed.
    • If the URLs are directed to localhost, but this is not the URL you intend to use then you should sign in via that URL first

Step 2 - Add a new App in Microsoft Entra 

Follow these Microsoft Entra configuration steps which appear to best document the process from this Microsoft Guide:

  1. Create a new "Non-gallery application"
    • Use a convenient name

add an app in azure ad

Step 3 - Configure the Single Sign-On Method

  1. Open the new App and click on "Single Sign-On"
  2. Select SAML protocol
    • Select SAML SSO to Azure
  3. Use the "Identifier (Entity ID)" as "Issuer Name"
  4. Paste the reply URL and then Save
    • Azure Basic SAML Config
  5. Write down the "Microsoft Entra Identifier" and the "Login URL"

Step 4 - Configure a new SAML Partner

  1. Add a new SAML Partner Configuration from the "Authentication Services" in Pleasant Password Server
  2. Paste the "Microsoft Entra Identifier" as Name
    • Example: https://sts.window.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/

  3. Use a friendly display name to identify service
    • Example: Microsoft Entra SSO
    • Add Azure SAML Partner
  4. Download the Base64 SAML Signing Certificate from Microsoft Entra, which has been generated automatically for your application.

    • Azure AD SAML Signing Certificate
    • Then upload this Microsoft Entra Signing certificate with the public key into the Password Server Application.

    • Signature Validation Certificate
  5. Review the configuration
    • Azure saml Partner Config
  6. Click on "Single Sign-on" tab

    • Enter the Service URL

      • Example: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/
    • Single sign-on options for Azure
  7. Click on "Single Sign-out" tab

    • You must have followed the optional steps in parts 1 and 2 to configure Single Log Out
    • Enter the same value for Service URL as you did for Single Sign On
      • Example: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/

    • Leave Service Response URL blank
    • Select Post as the Binding Method
    • Check both Sign Log Out Request and Sign Log Out Response
  8. Username format: by default the username format that is used in Pleasant Password Server is SAMAccountName. To use UPN or email as a format to synchronize with Microsoft Entra, then you can: 

    • Set the User Discovery (dropdown) = By Subject
    • Set the User Property (dropdown) = Email
    • Then in the Microsoft Entra application modify a Claim, and set the following values:
      • Name: nameidentifier
      • Name identifier format: Email address
      • Source attribute: user.mail 
  9. Save Configuration

Part 5 - Restrict SSO Login (Optional)

  • Option to restrict sign-in with your trusted Identity Provider, and only allow sign-in locally in the case of emergencies by admins:

Step 6 - Assign Group to the new App

  1. Add federated group "Pleasant Password Users" as User of the new App

Add federated group to the Azure App

  1. Test connection from Pleasant Password Server
    • Connect with Azure AD SSO
  2. Review Sign-in Activity from the Microsoft Entra Portal

Password Server Sign-In activity

 

References:

Troubleshooting