How to set up SSO for Proton Pass using Microsoft Entra ID
Our Proton Pass Professional and Proton Business Suite plans support single sign-on (SSO). SSO allows you to securely access multiple web services and SaaS applications using one set of login credentials. In this article, you will learn how to set up SSO on Proton Pass using Microsoft Entra ID as your identity provider (IdP).
Learn how to set up SSO for Proton Pass using Google
Proton Pass supports SSO using Security Assertion Markup Language (SAML) 2.0, an XML-based open standard used to transfer authentication data verifying your identity between an IdP and a SaaS application.
Before you start, you’ll need the following:
- A Proton Pass account with administrator privileges
- A Microsoft Entra ID admin account.
You can then configure SAML on your Proton Pass for Business account. In this support article, we’ll explore:
- How to configure Proton Pass on Microsoft Entra ID
- How to configure SAML SSO on your Proton Pass account
- How to add SSO users in Microsoft Entra ID
- How to use SSO to sign in to Proton Pass
- How to manage SSO for Proton Pass
- Troubleshooting
How to configure Proton Pass on Microsoft Entra ID
1. Sign in to the Microsoft Entra ID admin center using a Cloud Application Administrator account and go to Applications → Enterprise applications → New application.
2. Click Create your own application.
3. Give your app a name, select Integrate any other application you didn’t find in the gallery (Non-gallery), and click Create.
4. In the application overview tab, click 2. Set up single sign on.
5. Go to 1. Basic SAML Configuration → ✎ Edit.
6. Go to:
- Identifier (Entity ID) → Add Identifier and enter: https://sso.proton.me/sp
- Reply URL (Assertion Consumer Service URL) → Add reply URL and enter: https://sso.proton.me/auth/saml
Click Save when you’re done, followed by X to close the Basic SAML Configuration window.
7. Go to 3. SAML Certificates → ✎ Edit.
8. Go to Signing Option and select Sign SAML response and assertion from the dropdown menu.
Click Save when you’re done, followed by X to close the SAML Certificate window.
9. Go to 3. SAML Certificates → Federation Metadata XML → Download to download an XML configuration file for your application. You’ll need this file to set up SAML SSO on your Proton Pass for Business account (see below).
How to configure SAML SSO on your Proton Pass admin panel
1. Log in to your Proton Pass for Business admin panel and go to ⚙ → Single sign-on → SAML authentication → Configure SAML.
2. Add your organization’s domain name (the domain that you have authority over as a business) and click Add domain.
3. Verify the domain for your identity provider. To do this, log in to your domain provider’s web portal and enter the DNS TXT record displayed on this screen.
On your Proton Pass account page, click Continue.
4. A screen will show you the endpoints needed by Microsoft Entra ID. However, we’ve already entered these (see step 4 of Configure Proton Pass on Microsoft), so just click Continue.
5. Import the metadata file you downloaded from Microsoft Entra ID in step 9 of Configure Proton Pass on Microsoft Entra ID. To do this, select XML file and either drag the XML file to the field provided or click Select file and locate the file using your system’s default file manager.
Click Done when you’re ready.
SSO using Microsoft Entra ID should now be configured on your Proton Pass for Business account. Click See details for an overview of your SSO settings.
How to use SSO to sign in to Proton Pass
As a user with a new SSO account configured on Microsoft, go to your Proton Pass account.
1. Click Sign in with SSO on any Proton Pass login screen.
2. Enter your email address (as configured on Microsoft) and click Sign in.
3. Enter your Microsoft SSO password (this will be supplied by your manager, or see step 2 in the “How to add SSO users in Microsoft” section above), and click Sign in.
How to manage SSO users for Proton Pass
Your organization’s users can now log in to Proton Pass apps using their IdP login.
To view which users have started using Pass, log in to your Proton Pass for Business admin panel and go to Organization → All users. (Note: SSO users will only appear here once they have signed in at least once.)
You can manage individual users by going to the Users section, finding the row of the user in question, and using the dropdown menu in the Edit column.
To turn off SSO for your whole organization, go to Single sign-on → Remove single sign-on → Stop using single sign-on.
Please note that doing this deletes all configurations and users associated with your domain. We therefore strongly recommend against turning off SSO for your whole organization.
Troubleshooting
In case you see the following message, there are steps you can take to resolve the issue:
There is an error in the single sign-on configuration, please contact your organization administrator.
- Confirm that the certificate you uploaded on the Proton Pass SAML configuration page matches the one provided by the Microsoft IdP.
- Confirm that the Single sign-on entity ID on the Proton Pass SAML configuration page is the same as the Issuer.