Testimonials
What our customers say about Team Password Manager

Configuring SAML Authentication for Microsoft Azure Active Directory

Current Team Password Manager version: 12.162.284

This document describes how you can configure SAML Single Sign-On Authentication in Team Password Manager using Microsoft Azure Active Directory as the Identity Provider (IdP). Read the SAML Authentication document to learn how SAML Authentication works in Team Password Manager.

Follow these steps:

1. Log into Azure Portal: https://portal.azure.com

2. Open the "burger menu" on the left and select "Active Directory", and then "Enterprise Applications":

Azure AD Enterprise Applications

3. In "Enterprise Applications" click on "Overview", then "+ New application":

Azure AD New Application

4. Select "+ Create your own application":

5. Enter the name of the application (Eg. Team Password Manager) and click on "Add":

Azure AD Create your own application and Application Name

6. You'll be taken to your new application overview. Click on "2. Set up single sign on" and then select "SAML" as the single sign-on method:

Azure AD Setup Single Sign On

7. Copy the Service Provider (Team Password Manager) details to "Basic SAML Configuration" in Azure:

7.1 Log into your installation of Team Password Manager and go to Settings (top menu), then "SAML Authentication".

Click on "Edit" in the "Basic SAML Configuration" in Azure.

7.2 Copy the "Entity Id" value in the "Service Provider Settings" in Team Password Manager to the "Identifier (Entity ID)" field in Azure, and mark "Default".

7.3 Copy the "Assertion Consumer Service URL" value in the "Service Provider Settings" in Team Password Manager to the "Reply URL (Assertion Consumer Service URL)" field in Azure<./p>

7.4 Copy the "Single Logout Service URL" value in the "Service Provider Settings" in Team Password Manager to the "Logout Url" field in Azure.

7.5 Save in Azure.

SP details in Team Password Manager

Team Password Manager SP details in Azure AD

8. In Azure, click on "Edit" in the "User Attributes & Claims" section. You'll see this:

Azure AD SAML User Attributes & Claims

Click on the "Unique User Identifier (Name ID)", the "Manage Claim" screen will open.

In the Source Attribute (last field), select "user.mail", then "Save":

Azure AD SAML User Manage Claim

9. Copy the Azure AD SAML certificate to the "Identity Provider Settings" in Team Password Manager:

9.1 In Team Password Manager, click on "Edit Identity Provider SAML Settings".

9.2 In Azure click on "Copy to Clipboard" the "App Federation Metadata Url".

Azure AD SAML Certificate

9.3 Open a new browser tab (or window) and paste the recently copied Url, you'll see something like this:

Azure AD SAML Certificate

9.4 Scroll down all the contents of the page until the end and you'll see the a "X509Certificate" entry:

Azure AD SAML Certificate

9.5 Copy to clipboard the contents of the "X509Certificate" entry (it's a long string) and paste it into the "Certificate" field in the "Edit Identity Provider SAML Settings" in Team Password Manager:

Azure AD SAML Certificate in Team Password Manager

Do not close the "Edit Identity Provider SAML Settings" screen, we'll need it in the next steps.

10. Copy the Identity Provider details in your installation of Team Password Manager:

10.1 Copy the "Login URL" value in Azure AD and paste it in the "Single Sign On URL" field in Team Password Manager.

10.2 Copy the "Azure AD Identifier" value in Azure AD and paste it in the "Entity Id" field in Team Password Manager.

10.3 Copy the "Logout URL" value in Azure AD and paste it in the "Single Logout Service URL" field in Team Password Manager. Note: using this field will make the user log out of all the service providers authenticated using Azure AD when the user logs out of Team Password Manager. If you don't want this to happen (so, only log out of Team Password Manager), leave this field empty.

Azure AD SAML IdP details

Azure AD SAML IdP details in Team Password Manager

11. Assign users and groups to the application. From the application overview screen, click on "Assign users and groups" and grant access to the application to those users/groups that need to access Team Password Manager.


SAML authentication for Azure Active Directory is now configured. To test, do this:

  • Make sure you have an Admin/IT normal user in Team Password Manager. If anything goes wrong you'll be able to log in normally.
  • Create a SAML user in Team Password Manager, using an email address that matches an email address of a user that has access to the Azure application just created.
  • Log out of Team Password Manager and Azure.
  • Click on "Sign In via SAML" in Team Password Manager. You'll be taken to Microsoft login screen and you'll need to authenticate using the email address of the user just created in Team Password Manager.
  • If all goes well, you'll automatically log into Team Password Manager.

Troubleshooting

A common issue you may get with Azure is this one:

"AADSTS75011: Authentication method 'X509, MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the Team Password Manager application owner."

If you get this message, enter the following in the SAML Custom Settings:

security.requestedAuthnContext=false

Go to Settings | SAML Authentication, click on the "Edit other SAML Settings" button and enter this line in the Custom Settings textbox.


Document changelog

Aug 24, 2022: Adapt steps 4, 5 and 6 to the changed interface
May 27, 2021: Troubleshooting section
May 5, 2021: Document created
Questions or Problems? Please contact our support department