
SAML SSO

(Versions 7.9.9+, Enterprise+SSO)

Password Server supports Single Sign-On (SSO) from trusted Identity Providers such as Azure, Office 365, and AD FS.

KeePass SSO simplifies login for users and allows integration with other applications.

Users sign in once to one of these providers and are not prompted again while retrieving passwords.

SAML (Security Assertion Markup Language) is a widely used standard for Single Sign-On, and many well-known services can act as Identity Providers (IdPs). Authentication assertions are exchanged using SAML 2.0.
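The SAML 2.0 exchange mentioned above ends with the identity provider posting a signed Response to Password Server, which, as the Service Provider (SP), must validate it before creating a session. The Python below is an added example of the structural checks involved, written for this page; it is not Password Server code and does not show how the product validates assertions. The host names, the request ID and the ACS path /Account/SignIn/Saml are assumptions, and the sample Response is constructed. It deliberately stops short of XML signature verification, which needs an XML-DSig library (for example xmlsec via python3-saml) and must be done in addition to these checks; a Response that passes only these checks is not authenticated.

```python
"""Structural SP-side checks on a SAML 2.0 Response (added example)."""
import base64
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample (not captured from any real IdP). Host names and the ACS
# path are assumptions; the SignatureValue is a placeholder, not a signature.
ACS_URL = "https://passwordserver.example.com/Account/SignIn/Saml"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{ACS_URL}" InResponseTo="_q1">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="_q1" NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://passwordserver.example.com/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML timestamps are UTC xsd:dateTime values, e.g. 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def decode_saml_response(form_value):
    """The HTTP-POST binding carries the Response base64-encoded in SAMLResponse."""
    return base64.b64decode(form_value).decode("utf-8")


def subject_name_id(xml_text):
    """The identifier the IdP asserted for the user (mapped to a local account)."""
    el = ET.fromstring(xml_text).find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return (el.text or "").strip() if el is not None else None


def check_response(xml_text, expected_issuer, expected_audience, acs_url,
                   expected_request_id, now, clock_skew=timedelta(seconds=60)):
    """Return the list of failed checks; an empty list means all checks passed.
    Does NOT verify the XML signature: do that with an XML-DSig library first."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match our ACS URL")
    if root.get("InResponseTo") != expected_request_id:  # rejects unsolicited / replayed responses
        problems.append("Response InResponseTo does not match the AuthnRequest we sent")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # multiple assertions invite signature-wrapping confusion
        problems.append("expected exactly one Assertion, found %d" % len(assertions))
        return problems
    a = assertions[0]
    for el, what in ((root, "Response"), (a, "Assertion")):
        iss = el.find("saml:Issuer", NS)
        if iss is None or (iss.text or "").strip() != expected_issuer:
            problems.append("%s Issuer is not the configured IdP" % what)
    if a.find("ds:Signature", NS) is None:  # presence only; cryptographic check is separate
        problems.append("Assertion is not signed")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + clock_skew < parse_saml_time(nb):
            problems.append("Assertion not yet valid")
        if na and now - clock_skew >= parse_saml_time(na):
            problems.append("Assertion expired")
        audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if x.text]
        if expected_audience not in audiences:
            problems.append("Audience does not include this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("SubjectConfirmationData Recipient mismatch")
        if scd.get("InResponseTo") != expected_request_id:
            problems.append("SubjectConfirmationData InResponseTo mismatch")
        na = scd.get("NotOnOrAfter")
        if na and now - clock_skew >= parse_saml_time(na):
            problems.append("bearer confirmation expired")
    return problems


if __name__ == "__main__":
    now = parse_saml_time("2024-01-01T12:01:00Z")
    print(subject_name_id(SAMPLE_RESPONSE), check_response(
        SAMPLE_RESPONSE, "https://idp.example.com/", "https://passwordserver.example.com/",
        ACS_URL, "_q1", now))
```

The InResponseTo and Recipient checks are what stop an assertion issued for one request or one SP from being replayed against another; the time window checks bound how long a captured Response stays usable. All of them are meaningless unless the signature over the Assertion has already been verified against the IdP certificate configured in Password Server.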


Supported Identity Providers


  • Azure
  • AD FS
  • Office 365
  • Google Apps
  • AWS
  • OKTA
  • Ping Identity
  • OneIdentity
  • Shibboleth 2.0
  • Salesforce
  • OneLogin
  • Centrify
  • Entrust
  • MicroFocus (NetIQ)
  • SecureAuth
  • Oracle Identity Federation
  • RSA Federated Identity
  • Gluu Server (open source)
  • ... as well as many other compatible SAML Identity Provider services!

SSO Configuration

Configuration guides are available for some popular integrations, and additional guides will be added in the future.

SSO Features

SSO for KeePass

  • KeePass users are not prompted to log in again when already signed in to a trusted identity provider.

SSO for Web Application

  • Web application users are not prompted to log in again when already signed in to a trusted identity provider.

Enforce SSO Authentication

  • Require interaction with a Trusted Provider before accessing Password Server.

Separate Local Emergency Access

  • Administrators keep a local method to sign in.

Restricting SSO Login

Password Server can require users to sign in only through SAML SSO against a configured provider.

Both web application and KeePass users can authenticate by single sign-on.

This is useful when MFA or other identity verification factors are enforced at the identity provider rather than in Password Server.

Enforce Single Sign-On

The setting for enforcing partner (SSO) sign-in, "Enforce Partner Sign in", is on the Policy Administration > Global Settings page.

Allowing Local Access for Admins

Enforcing sign-in through a partner works well for everyday users, but in some cases administrators need an exception so they can sign in directly to Password Server. Because direct sign-in bypasses the identity provider, and therefore any MFA enforced there, keep the exception limited to the accounts that genuinely need emergency access.

This can be set in the Default Policy or in individual user or role policies. When "Enforce Partner Sign in" is set to true, "Allow Exception for Direct Sign in" can be enabled in one of these policies:

  • Users and Roles > Policies > New or Edit Policy > Authentication Policy
    • From here, set "Allow Exception for Direct Sign in" to True; users or roles assigned this policy will then have the option to sign in directly to the Password Server application.

Direct Sign In

To log in locally and bypass SSO partner sign-in, you need to use the direct sign-in URL, which looks like this:

  • localhost:10001/Account/SignIn/Direct

Replace localhost (and, if needed, the port) with the address of your Password Server.