How to set up SSO for Proton Pass using Microsoft Entra ID

Our Proton Pass Professional and Proton Business Suite plans support single sign-on (SSO). SSO allows you to securely access multiple web services and SaaS applications using one set of login credentials. In this article, you will learn how to set up SSO on Proton Pass using Microsoft Entra ID as your identity provider (IdP).

Learn more about SSO

Learn how to set up SSO for Proton Pass using Google

Proton Pass supports SSO using Security Assertion Markup Language (SAML) 2.0, an XML-based open standard used to transfer authentication data verifying your identity between an IdP and a SaaS application.

Before you start, you’ll need the following: 

  • A Proton Pass account with administrator privileges

Get Proton Pass Professional.

You can then configure SAML on your Proton Pass for Business account. In this support article, we’ll explore:

  • How to configure Proton Pass on Microsoft Entra ID
  • How to configure SAML SSO on your Proton Pass account
  • How to add SSO users in Microsoft Entra ID
  • How to use SSO to sign in to Proton Pass
  • How to manage SSO for Proton Pass
  • Troubleshooting

How to configure Proton Pass on Microsoft Entra ID

1. Sign in to the Microsoft Entra ID admin center using a Cloud Application Administrator account and go to Applications → Enterprise applications → New application.

2. Click Create your own application.

3. Give your app a name, select Integrate any other application you didn’t find in the gallery (Non-gallery), and click Create.

4. In the application overview tab, click 2. Set up single sign on.

5. Go to 1. Basic SAML Configuration → ✎ Edit.

6. Go to:

Click Save when you’re done, followed by X to close the Basic SAML Configuration window.

Fill in the required fields

7. Go to 3. SAML Certificates → ✎ Edit.

8. Go to Signing Option and select Sign SAML response and assertion from the dropdown menu. 

Click Save when you’re done, followed by X to close the SAML Certificate window.

9. Go to 3. SAML Certificates → Federation Metadata XML → Download to download an XML configuration file for your application. You’ll need this file to set up SAML SSO on your Proton Pass for Business account (see below).

How to configure SAML SSO on your Proton Pass admin panel

1. Log in to your Proton Pass for Business admin panel and go to Single sign-on → SAML authentication → Configure SAML.

2. Add your organization’s domain name (the domain that you have authority over as a business) and click Add domain.

3. Verify the domain for your identity provider. To do this, log in to your domain provider’s web portal and enter the DNS TXT record displayed on this screen.

On your Proton Pass account page, click Continue.

4. A screen will show you the endpoints needed by Microsoft Entra ID. However, we’ve already entered these (see step 4 of Configure Proton Pass on Microsoft), so just click Continue.

5. Import the metadata file you downloaded from Microsoft Entra ID in step 9 of Configure Proton Pass on Microsoft Entra ID. To do this, select XML file and either drag the XML file to the field provided or click Select file and locate the file using your system’s default file manager.

Click Done when you’re ready.

SSO using Microsoft Entra ID should now be configured on your Proton Pass for Business account. Click See details for an overview of your SSO settings. 

How to use SSO to sign in to Proton Pass

As a user with a new SSO account configured on Microsoft, go to your Proton Pass account.

1. Click Sign in with SSO on any Proton Pass login screen. 

2. Enter your email address (as configured on Microsoft) and click Sign in.

3. Enter your Microsoft SSO password (this will be supplied by your manager, or see step 2 in the “How to add SSO users in Microsoft” section above), and click Sign in.

How to manage SSO users for Proton Pass

Your organization’s users can now log in to Proton Pass apps using their IdP login.

To view which users have started using Pass, log in to your Proton Pass for Business admin panel and go to Organization → All users. (Note: SSO users will only appear here once they have signed in at least once.)

You can manage individual users by going to the Users section, finding the row of the user in question, and using the dropdown menu in the Edit column.

To turn off SSO for your whole organization, go to Single sign-on → Remove single sign-on → Stop using single sign-on.

Please note that doing this deletes all configurations and users associated with your domain. We therefore strongly recommend against turning off SSO for your whole organization.

Troubleshooting

In case you see the following message, there are steps you can take to resolve the issue:

There is an error in the single sign-on configuration, please contact your organization administrator.

  1. Confirm that the certificate you uploaded on the Proton Pass SAML configuration page matches the one provided by the Microsoft IdP.
  2. Confirm that the Single sign-on entity ID on the Proton Pass SAML configuration page is the same as the Issuer.
