Configuring SAML Single Sign-On (SSO) for Microsoft Entra ID Users

You can set up SAML single sign-on (SSO) in PAM360 for Microsoft Entra ID users. This document also details steps to enable multi-factor authentication (MFA) in the Microsoft Azure portal. 

Note: PAM360 allows users to configure SAML SSO for the secondary server as a service provider, which allows users to log in to PAM360 using the secondary server when the primary server is down.

At the end of this document, you will have learned the following configuration concerning SAML SSO configuration for Microsoft Entra ID users and setting up MFA for the first login users.

  1. Prerequisite
  2. Steps to Configure SAML SSO for Microsoft Entra ID Users
    1. Adding PAM360 as an Enterprise Application in the Azure Portal
    2. Assigning Azure Users to the Enterprise Application
    3. Configuring SAML SSO with PAM360
  3. Steps to Enable MFA and Set up First Login for Microsoft Entra ID Users
    1. Enabling Multi-Factor Authentication for Azure Users
    2. Assigning Azure Users to the Enterprise Application
    3. Setting up the First Login for the MFA-Enabled Azure Users
  4. Troubleshooting Tips: PAM360 Azure SAML SSO Login Issues

1. Prerequisite

Before setting up SAML SSO, follow the steps provided here to import Microsoft Entra ID users into PAM360.

2. Steps to Configure SAML SSO for Microsoft Entra ID Users

Detailed below are the steps to configure SAML SSO in PAM360 for Microsoft Entra ID users in the Microsoft Azure portal.

2.i Adding PAM360 as an Enterprise Application in the Azure Portal

  1. Log in to the Microsoft Azure portal.
  2. Click Azure Active Directory below Azure services.
  3. In the window that opens, select Enterprise Applications under the Manage tab.
  4. Now, click New Application available at the top of the Enterprise applications page.
  5. You will be taken to the All Applications page, from which you can choose and add your desired applications. In the search bar, type 'SAML ' and press Enter.
  6. From the search results, click on SAML 1.1 Token enabled LOB App. The application will open in a minimized window on the right pane.
  7. Edit the application name as the desired name and click Create.

    Note: It is recommended to avoid the usage of special characters, spaces, or punctuation in the application name.

  8. Now, the application will be added as the Enterprise Application successfully.

2.ii Assigning Azure Users to the Enterprise Application

  1. Under the Manage section on the left pane, select Users and groups and click Add user/group at the top pane.
  2. In the Add Assignment page that opens, click on None Selected to open up a list of users. Select the required users and then click the Select button.
  3. After the required users have been selected, click Assign to assign them to the enterprise application.

2. iii Configuring SAML SSO with PAM360

  1. Under the Manage section on the left pane, click on Single sign-on. In the Select a single sign-on method section, select SAML.
  2. To set up a single sign-on with SAML, you need to provide basic SAML configuration details, such as Identifier, Reply URL, and Sign on URL.
  3. You can get all the required entities from the PAM360 interface. To do so,
    1. Log in to PAM360 and navigate to Admin >> Authentication >> SAML Single Sign On.
    2. Under Service Provider Details, you will find all the required URLs.
    3. Note:

      By default, the Assertion Consumer URL is the hostname of the server. To update this, follow the below steps:

      1. Navigate to Admin >> Settings >> Mail Server Settings.
      2. Under Access URL, update to the required URL and click Save.

      Now, the Assertion Consumer URL under Service Provider Details will be updated.

  4. Now, go back to the Microsoft Azure portal and click the edit icon to edit the Basic SAML Configuration details:
    1. For Non-MSP, enter the Entity Id (copied from PAM360) under Identifier. Enter your PAM360 web interface URL under the Sign on URL (e.g., https://<Host-Name-of-PAM360-Server OR IP address>:<Port>) and provide the Assertion Consumer Service URL under Reply URL.
    2. For MSP Client Organizations, enter the Entity Id (copied from PAM360) under Identifier. Enter the Assertion Consumer URL under the Reply URL and enter the Org URL (eg. https://<Host-Name-of-PAM360-Server OR IP address>:<Port>/<Org_name>) under Sign on URL.
    3. Now, click Save.
  5. To configure SAML Single Logout,
    1. Mention Single Logout Service URL (copied from PAM360) in the field next to Logout URL.
    2. Navigate to <PAM360_Installation_Directory\PAM360\conf\system_properties.conf> and append the following system property under the existing properties.
      • saml.logout.redirect.slo=true
    3. Note: SAML Single Logout is applicable from PAM360 build 5304 and above only.

  6. Now the SAML configuration details taken from PAM360 will be saved in the Azure portal.
  7. In the SAML Certificates section of the SAML configuration settings window, download the XML file named Federation Metadata XML or copy the Login URL, Microsoft Entra Identifier, and the Logout URL values and download the file named Certificate (Base64).
  8. Return to the PAM360 interface and navigate to Admin >> Authentication >> SAML Single Sign-On.
  9. Under Configure Identity Provider Details, you have to provide your Idp information via an XML file or manually.
  10. If you opt to update your Idp information via an XML file, select Upload IdP metadata file and click Browse to select the downloaded Federation Metadata XML file.
  11. If you opt to update your Idp information manually, enter the values copied from the SAML Certificates section - Issuer (Microsoft Entra ID), Idp Login URL (Login URL), and Idp Logout URL (Logout URL).
  12. Now, click Upload to save the Azure SAML SSO settings in PAM360.


  13. If you have added your Idp information using the Federation Metadata XML, refresh the current page in PAM360. Now, under Import IdP's Certificate, you will see the Current Certificate details such as Issuer, Subject, and Serial Number.
  14. If you have added the Idp information manually, upload the downloaded Certificate (Base 64) file using the Browse option and click Save.
  15. For Azure SAML to function properly, go to the path: <PAM360_Installation_Directory\PAM360\conf\system_properties.conf> and verify if the below-mentioned system properties are available in the conf file. If not, append them below the existing properties.
  16. saml.redirect.idpprotocolbindingpost=true
    saml.authcontext.comparison.exact=true
    saml.AuthreqForceAuthn=false
    saml.nameidFormat=unspecified
    saml.idp.version=1.1
    saml.authnContextClassRef=Password

  17. Once the properties are added, restart the PAM360 server for the changes to take effect.
  18. Finally, under Enable/Disable SAML Single Sign On, click Enable Now to activate the SAML SSO.
  19. To validate if the single sign-on works, go to the Azure portal, and in the Single sign on section under Manage, click Test.

3. Steps to Enable MFA and Set up First Login for Microsoft Entra ID Users

Below are detailed steps to activate MFA for Microsoft Entra ID users in the Microsoft portal and to set up their first login.

3.i Enabling MFA for Microsoft Entra ID Users

  1. Log in to the Microsoft Azure portal.
  2. Select Azure Active Directory under Azure services.
  3. Under the Manage section from the left pane, select Users.
  4. Here, click the Per-user MFA option at the top pane. Now you will see the list of users populating in a new browser window.
  5. Select the user(s) for whom you want to enable MFA and click the Enable option on the right pane.
  6. In the pop-up that opens, click the enable multi-factor auth button to complete the setup.

3.ii Assigning Azure Users to the Enterprise Application

  1. Click on Azure Active Directory and select Enterprise applications under the Manage tab.
  2. Search for your enterprise SAML application and then select it.
  3. Select Users and groups from the left pane and click the Add user/group option at the top pane.
  4. In the Add Assignment window that opens, click on None Selected to open up a list of users. Select the required users and then click the Select button at the bottom.
  5. After the required users have been selected, click Assign at the bottom-left corner to assign them to the enterprise application.

3.iii. Setting Up First Login for the MFA-Enabled Azure Users

a. Prerequisite

You need to have the Microsoft Authenticator app installed on your phone for additional security verification.

b. Steps Required

Below steps are for users to set up their first login and multi-factor authentication using the Microsoft Authenticator app.

  1. Log in to the Microsoft Azure portal.
  2. Once you log in, you will be redirected to the Keep your account secure screen. Then, click Next until you see a QR code.

  3. Open up the Microsoft Authenticator app on your phone and scan the QR code shown; click Next.
  4. Approve the notification that has been sent to the app by entering the number displayed on your computer screen. Once the notification is approved, click Next.

  5. Provide your phone number in the text field and choose either Text me a code or Call me. Click Next and complete the verification.
  6. You will get a "Success!" message. Click Done, and you will be asked to reset your password for security reasons.

  7. The first login setup is complete. Now, when you try to log in to your Azure account for the first time, you will get a notification on your mobile device to verify the authenticity of your login attempt.

Note: To bypass SAML Single Sign-On and use local authentication to access PAM360, use the following skip URL:
https://hostname:port/PassTrixMain.cc?skipsamlsso=true
where,
"hostname" - the hostname on which the PAM360 server is running.
"port" - the port number used for PAM360.


4. Troubleshooting Tips: PAM360 Azure SAML SSO Login Issues

The following are the few errors that can be encountered during PAM360 login via Azure SAML SSO. All of those can be resolved by following the respective troubleshooting steps that follow:

1. Error: AADSTS75011

Issue: PAM360 uses a Password for SAML authentication, but some browsers like Edge stores the previous session and use X509 certificates with Azure IDP, causing validation failure due to authRequest mismatch.

Solution:

To resolve this, remove AuthnRequest elements from Microsoft Entra ID by:

  1. Navigating to <PAM360_installation_directory>\conf folder.
  2. Adding the system property saml.AuthnContextRequired=false to system_properties.conf file with administrator privilege.
  3. Restarting the PAM360 server for changes to take effect.

2. Error: AADSTS750054

Issue: Incorrect configuration of SAML Single-Sign-On and SAML assertion consumer URL in the enterprise application.

Solution:

Update respective URLs with the valid input:

  1. Open the PAM360 enterprise application in Microsoft Azure.
  2. Go to Single Sign On under Manage.
  3. Ensure correct URLs are set for the Sign On URL (PAM360 web portal URL - https://hostname:port) and Reply URL (SAML assertion consumer URL - https://hostname:port/saml2).

3. Error: AADSTS7000218

Issue: SAML authentication failure due to the PAM360 enterprise application being created as a confidential client, preventing username/password authentication.

Solution:

Configure enterprise app as PUBLIC client:

  1. Log into the Microsoft Azure portal, and open the PAM360 enterprise application.
  2. Under Manage, click Authentication.
  3. Change from Web to Public client/Native.
  4. Note: If you have multiple redirect URLs, you need to make the necessary changes in all of them.

  5. Select Default Client Type as YES.
  6. Ensure required API permissions are granted and consent is given under the Permissions section.

4. Error: AADSTS75005 

Issue: Azure IdP doesn't support HTTPS REDIRECT binding protocol.

Solution:

Enable HTTP POST binding protocol:

  1. In the PAM360 console, go to Admin >> Authentication >> SAML Single Sign-On.
  2. Choose Configure IdP information manually under the Configure Identity Provider Details section.
  3. Change the Protocol Binding to HTTP-POST, then save the changes.

5. Error: ADSTS50105

Issue: The user lacks access to PMP/PAM360 app in Microsoft Entra ID.

Solution:

Ensure the user is assigned to the PAM360 enterprise application. The user must belong to an assigned group or be directly assigned to the PAM360 enterprise application. Refer to the relevant help section for steps to assign users to the app.

By following these steps, you can effectively troubleshoot and resolve common login errors when using PAM360 with Azure SAML SSO.

6. Error: [com.adventnet.passtrix.saml.SAMLResponseValidator]|[SEVERE]|[78]: SAML Signature could not be validated|
org.opensaml.xml.security.SecurityException: SAML Signature could not be validated

Issue: Could not able to validate the SAML signature

Solution:

Update the binding protocol in PAM360 to HTTP-POST:

  1. In the PAM360 console, go to Admin >> Authentication >> SAML Single Sign-On.
  2. Choose Configure IdP information manually under the Configure Identity Provider Details section.
  3. Change the Protocol Binding to HTTP-POST, then save the changes.

7. Error: [com.adventnet.passtrix.saml.SAMLServlet]|[SEVERE]|[56]: No user with name XXXXX@yyyyy.com configured|
org.opensaml.xml.security.SecurityException: No user with name XXXXX@yyyyy.com configured

Issue: SAML authentication fails due to a mismatch in user names. This occurs when the username stored in PAM360 does not match the login name configured in Azure SAML.

Solution:

To address this, the solution involves creating a new claim ID in Azure that aligns with the login name format stored in the PAM360 database. Refer to this help document to create a new claim and the complete the relevant configuration.

Top