SAML with Azure AD

Website Documentation for your KeePass client and Pleasant Password Server

The following steps can be used to set up and configure SAML SSO with Azure AD.

This will allow your users to be authenticated once using Azure credentials and not be prompted again if they are already signed in.

Applies to: Versions 7.9.9+, Enterprise+SSO

Related (similar configuration steps):


  • Install & register Password Server Enterprise+SSO
  • Import AD/LDAP Directory users

Setup Overview

  • Step 1 - Configure SAML in Pleasant Password Server
  • Step 2 - Add a new App in Azure AD
  • Step 3 - Configure the Single Sign-On Method
  • Step 4 - Configure a new SAML Partner
  • Step 5 - Restrict SSO Login (Optional)
  • Step 6 - Assign Group to the new App

Step 1 - Configure SAML in Pleasant Password Server

  1. Open the Authentication Services configuration page from the Users & Roles menu.

  2. Click Add SAML Configuration
  3. Provide an Issuer Name value

    • This value identifies your Pleasant Password Server application to the Identity Provider (Azure AD)
      • e.g. PleasantPasswordServer
      • "Issuer Name" = Azure AD Identifier (Entity ID)
      • Suggestion: Do not use any spaces when typing the "Issuer Name"
    • This value will be needed during Step 3
  4. Adjust the SSO Session Lifetime
    • If using Single Log Out (SLO), this value should be increased so that the session data is kept longer
    • However, if users are signing out often, i.e. daily, this value does not need to be larger
  5. (optional) Provide a certificate for digitally signing SAML requests and responses

    • Single Log Out (SLO) on Azure requires that the requests be signed
    • See the certificate section for instructions on creating and configuring a signing certificate
      • Note: only .pfx or .p12 formats are accepted currently. Use the steps mentioned here to convert (Option A, step 2).

    • This certificate can be a self-signed certificate for Azure
    • The Azure-provided certificate may need to be downloaded and set up on the Password Server machine as a trusted certificate
    • Be sure that your IIS user account (or AppPool) has read permissions to the imported certificate
  6. Save the configuration

  7. Copy the values for Issuer Name, Assertion Consumer Service URL, and Single Log Out Service URL
    • Assertion Consumer Service URL = Reply URL (needed in the new Azure AD Enterprise Application)
    • If using a certificate for signing you will also need to export the public key
      • Note: only .pfx or .p12 format is accepted currently. Use the steps mentioned here to convert if needed.
    • If the URLs point to localhost but that is not the URL you intend to use, sign in via the intended URL first

Step 2 - Add a new App in Azure AD

Follow these Azure configuration steps, which are based on the Microsoft guide that appears to best document the process:

  1. Create a new "Non-gallery application"
    • Use a convenient name


Step 3 - Configure the Single Sign-On Method

  1. Open the new App and click on "Single Sign-On"
  2. Select SAML protocol
    • Select SAML SSO to Azure
  3. Use the "Identifier (Entity ID)" as "Issuer Name"
  4. Paste the reply URL and then Save
  5. Write down the "Azure AD Identifier" and the "Login URL"

Step 4 - Configure a new SAML Partner

  1. Add a new SAML Partner Configuration from the "Authentication Services" in Pleasant Password Server
  2. Paste the "Azure AD Identifier" as Name
    • Example:

  3. Use a friendly display name to identify the service
    • Example: Azure SSO
  4. Download the Base64 SAML Signing Certificate from Azure, which has been generated automatically for your application.

    • Then upload this Azure Signing certificate with the public key into the Password Server Application.

  5. Review the configuration
  6. Click on "Single Sign-on" tab

    • Enter the Service URL

      • Example:
  7. Click on "Single Sign-out" tab

    • You must have followed the optional steps in parts 1 and 2 to configure Single Log Out
    • Enter the same value for Service URL as you did for Single Sign On
      • Example:

    • Leave Service Response URL blank
    • Select Post as the Binding Method
    • Check both Sign Log Out Request and Sign Log Out Response
  8. Save Configuration
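
The values copied between Password Server and Azure in Steps 1, 3 and 4 must agree exactly. As an added example (not part of the original documentation or the product's own code), the Python below compares a captured `SAMLResponse` form field, as posted to the Reply URL, with the configured Issuer Name, Assertion Consumer Service URL and Azure AD Identifier. It compares fields only and does not validate the signature; the tenant ID, host name and sample message are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_saml_response(b64_response, issuer_name, acs_url, azure_ad_identifier):
    """List mismatches between a SAMLResponse and the values configured above.
    Field comparison only: this does NOT validate the XML signature."""
    xml_bytes = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations do not belong in a SAML message")
    root = ET.fromstring(xml_bytes)
    a = "saml:Assertion/"
    def get(path, attr=None):
        el = root.find(path, NS)
        if el is None:
            return None
        return el.get(attr) if attr else (el.text or "").strip()
    observed = [
        # (what Azure sent, what Password Server expects, where it is configured)
        (get(a + "saml:Issuer"), azure_ad_identifier, "SAML Partner Name"),
        (get(a + "saml:Conditions/saml:AudienceRestriction/saml:Audience"),
         issuer_name, "Issuer Name / Identifier (Entity ID)"),
        (root.get("Destination"), acs_url, "Reply URL (Destination)"),
        (get(a + "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData",
             "Recipient"), acs_url, "Reply URL (Recipient)"),
    ]
    problems = [f"{where}: got {got!r}, expected {want!r}"
                for got, want, where in observed if got != want]
    if root.find(a + "ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        problems.append("no ds:Signature element on the response or the assertion")
    return problems

# Constructed sample: placeholder tenant ID and host, stub (empty) signature element.
TENANT = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
ACS = "https://pps.example.com/saml/acs"  # hypothetical Assertion Consumer Service URL
SAMPLE = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
  xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" Destination="{ACS}">
 <saml:Assertion><saml:Issuer>{TENANT}</saml:Issuer><ds:Signature/>
  <saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData
    Recipient="{ACS}"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>PleasantPasswordServer
  </saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>
</samlp:Response>""".encode())

if __name__ == "__main__":
    print(check_saml_response(SAMPLE, "Pleasant Password Server", ACS, TENANT))
```

An empty list means the identifiers and URLs line up; an Issuer Name typed with spaces, as in the call above, is reported as an audience mismatch.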

Step 5 - Restrict SSO Login (Optional)

  • Option to restrict sign-in with your trusted Identity Provider, and only allow sign-in locally in the case of emergencies by admins:

Step 6 - Assign Group to the new App

  1. Add federated group "Pleasant Password Users" as User of the new App
  2. Test connection from Pleasant Password Server
  3. Review Sign-in Activity from the Azure AD Portal