Proton

How to set up SSO for Proton Pass using Okta

Our Proton Pass Professional plan supports single sign-on (SSO). SSO allows you to securely access multiple web services and SaaS applications using one set of login credentials. In this article, we look at how to set up SSO on Proton Pass using Okta as your identity provider (IdP).

Learn more about SSO

How to set up SSO for Proton Pass using Microsoft

How to set up SSO for Proton Pass using Google

How to set up SCIM for Proton Pass using Microsoft

Proton Pass supports SSO using Security Assertion Markup Language (SAML) 2.0, an XML-based open standard used to transfer authentication data verifying your identity between an IdP and a SaaS application.

Before you start, you’ll need the following: 

  • A Proton Pass Professional account with admin privileges.

Get Proton Pass Professional.

Once you have an Okta account, you must configure it for Proton Pass. You can then configure SAML on your Proton Pass account.

Here’s what we’ll cover next:

  • How to configure Proton Pass on Okta
  • How to configure SAML SSO on your Proton Pass for Business account
  • How to add SSO users in Okta
  • How to use SSO to sign in to Proton Pass for the first time
  • How to use SSO to sign in to Proton Pass
  • How to manage SSO for Proton Pass
  • Troubleshooting

How to configure Proton Pass on Okta

1. Sign in to your Okta account and go to Applications → Create App Integration.

2. Select SAML 2.0 and then click Next.

3. Give your app a name and upload a logo for it (optional). Click Next when you’re ready.

4. Under section A SAML Settings → General, enter the following information:

Now scroll down to the bottom of the page and click Save.

5. Answer the question Help Okta Support understand how you configured this application with the option that best describes the use of your app. This answer is simply feedback for the Okta support team and doesn’t affect your setup in any way. Click Finish when you’re ready.

6. You’ve now created a SAML integration for Proton Pass. Go to SAML 2.0 → Metadata details → Metadata URL → Copy.

How to configure SAML SSO on your Proton Pass for Business account

1. Log in to your Proton Pass for Business administrator account and go to Single sign-on → Okta.

2. Add your organization’s domain name and click Add domain.

3. Verify the domain for your identity provider. To do this, log in to your domain provider’s web portal and enter the DNS TXT record displayed on this screen. 

On your Proton Pass account, click Continue once you’ve done this. 

4. A screen will show you the endpoints needed by Okta. However, this has already been automatically configured in the official Proton Pass SSO application for Okta that you set up above. So just click Continue.

5. Import the SAML metadata for Proton Pass from Okta. Select URL and paste in the URL you copied in step 4 of Configure Proton Pass on Okta (above). To find this page again in your Okta console, go to Applications → Applications → [the application you just created] → Sign-on tab.

Click Done when you’re ready. 

SSO using Okta should now be configured on your Proton Pass for Business account. Click See details for an overview of your SSO settings. 

How to add SSO users in Okta

Before your users can sign in to your organization using SSO, you’ll need to add them in Okta.

1. Log in to your Okta account and go to Directory → People → Add person.

2. Go to User type and select User from the dropdown menu. Now fill in their details. The username and primary email address must use your organization’s domain. Click Save or Save and Add Another when you’re done. 

3. When you’re done, go to Directory → People to see a list of users you’ve added. Click on a name.

4. In the Applications tab, click Assign Applications.

5. Click Assign next to the Proton Pass application you created above, followed by Done.

6. Re-enter the user’s User Name, then click Save and Go Back.

7. Repeat the process for as many SSO users as you like. When you’re done, click Set Password & Activate.

8. At the confirmation screen, click Set Password & Activate.

9. Create a temporary password and make a note of it (there’s a copy button to copy it to your device’s clipboard). Each new user will use this password just once to sign in to Proton Pass via SSO for the first time. Click Close when you’re ready. 

How to use SSO to sign in to Proton Pass for the first time

As a user with a new SSO account configured on Okta, log into your Proton Pass account.

1. Click Sign in with SSO on any Proton Pass login screen. 

2. Enter your email address (as configured on Okta) and hit Sign in.

3. Enter your temporary SSO password (this will be supplied by your manager, or see steps 9 and 10 in the “How to add SSO users in Okta” section above), and click Sign in.

4. You’ll now be asked to create a new permanent password (that will replace the single-use temporary password you were provided). Once you’ve done this, click Change password and you’ll log in to your Proton Account. 

How to manage SSO users in Proton Pass

Your organization’s users can now log in to Proton Pass apps using their IdP login. To view which users have signed into Pass, log in to your Proton Pass account and go to Organization → Users.

Note: SSO users will only appear here after they have signed in at least once. 

In the Users section in the Proton Pass admin panel, you can manage individual users using the dropdown menu in the Edit column of the user you wish to manage SSO access for.

To turn off SSO for your whole organization, go to Single sign-on → Remove single sign-on → Stop using single sign-on.

Please note that doing this deletes all configurations and users associated with your domain. We therefore strongly recommend against turning off SSO for your whole organization.

Troubleshooting

If you see the following message:

There is an error in the single sign-on configuration, please contact your organization administrator.

Take these steps:

  1. Confirm that the certificate you uploaded on the Proton Pass SAML configuration page matches the one provided by the Okta IdP.
  2. Confirm that the Single sign-on entity ID on the Proton Pass SAML configuration page is the same as the Issuer.
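
Both troubleshooting checks can be run offline against the XML saved from the Okta Metadata URL. The script below is an added example, not part of Proton's or Okta's tooling: the function names are hypothetical, and the sample metadata, entity ID and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder bytes stand in for the DER certificate and
# the entity ID is made up; real values come from the Okta Metadata URL.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-placeholder-der-bytes").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exampleEntityId">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(cert_text: str) -> str:
    """SHA-256 of the decoded certificate; PEM armor and whitespace are ignored."""
    lines = [ln.strip() for ln in cert_text.splitlines()]
    b64 = "".join(ln for ln in lines if not ln.startswith("-----"))
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the Issuer (entityID) and signing-certificate fingerprints."""
    root = ET.fromstring(xml_text)
    prints = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") != "encryption":  # absent "use" means signing too
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                prints.add(cert_fingerprint(cert.text or ""))
    return {"issuer": root.get("entityID"), "fingerprints": prints}


def check_config(xml_text: str, entity_id: str, cert_text: str) -> list:
    """List mismatches between the IdP metadata and the SP-side settings."""
    idp = parse_idp_metadata(xml_text)
    problems = []
    if entity_id.strip() != idp["issuer"]:
        problems.append("entity ID differs from Issuer")
    if cert_fingerprint(cert_text) not in idp["fingerprints"]:
        problems.append("certificate differs from IdP signing certificate")
    return problems
```

Comparing fingerprints rather than raw text avoids false mismatches from PEM headers or line wrapping, while the entity ID is compared exactly, so a stray trailing slash is reported.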