Skip to main content

Configure SSO federation

Single sign-on (SSO) federation lets your users log in to VaultPAM using your existing identity provider (IdP). VaultPAM routes SSO through Keycloak, and the upstream provider is configured there. VaultPAM does not use SAML metadata uploads for this flow.

Prerequisites

  • VaultPAM: Org Admin role
  • Identity provider: Admin access in your Entra ID tenant or Okta organisation
  • Keycloak: Access to the realm that brokers sign-in for your environment
  • Protocol: OIDC / OAuth 2.0 supported by your IdP and Keycloak

Microsoft Entra ID (Azure AD)

This procedure uses OIDC through Keycloak. Create an OAuth 2.0 app registration in Azure, not a SAML enterprise application.

  1. In the Azure portal, go to Entra ID > App registrations > New registration.
  2. Name the application VaultPAM, choose the account type that matches your tenant boundary, and register it.
  3. Add the Keycloak broker redirect URI for your environment. Use the callback URL for the realm and provider, for example https://keycloak.<env>.euwarden.com/realms/<realm>/broker/<provider>/endpoint.
  4. Create a client secret and record the Application (client) ID, Directory (tenant) ID, and client secret value.
  5. In the Keycloak admin console, open the realm that brokers sign-in for your environment and add or update the Microsoft OIDC identity provider with the Azure issuer or discovery URL, client ID, client secret, and tenant restriction.
  6. Save the IdP configuration and test sign-in from the VaultPAM login page.
  7. Confirm the login completes and the user lands in VaultPAM after the Keycloak redirect.

Success state: Users from the allowed Entra ID tenant can log in to VaultPAM through Keycloak with their Microsoft credentials.


Okta

This procedure also uses OIDC through Keycloak. Create an OIDC app integration in Okta, not a SAML integration.

  1. In the Okta Admin Console, go to Applications > Applications > Create App Integration.
  2. Select OIDC - OpenID Connect, choose Web Application, and click Next.
  3. Name the application VaultPAM and add the Keycloak broker redirect URI for your environment.
  4. Record the Client ID, Client Secret, and issuer URL shown by Okta.
  5. In the Keycloak admin console, add or update the Okta OIDC identity provider with those values and any required claim or domain restrictions.
  6. Save the IdP configuration and test sign-in from the VaultPAM login page.

Success state: Assigned Okta users can log in to VaultPAM through Keycloak, and the audit log records the SSO-authenticated session.


Troubleshooting SSO issues

If users receive an authentication error or are redirected back to the login page, see SSO login failing for common causes and fixes.