Configuring SAML Single Sign-On (SSO) for Microsoft Entra ID Users

You can set up SAML single sign-on (SSO) in PAM360 for Microsoft Entra ID users. This document also details the steps to enable multi-factor authentication (MFA) in the Microsoft Azure portal.

Note: PAM360 allows users to configure SAML SSO for the secondary server as a service provider, so that users can log in to PAM360 through the secondary server when the primary server is down.

By the end of this document, you will have learned how to configure SAML SSO for Microsoft Entra ID users and how to set up MFA for users logging in for the first time.
1. Prerequisite

Before setting up SAML SSO, follow the steps provided here to import Microsoft Entra ID users into PAM360.

2. Steps to Configure SAML SSO for Microsoft Entra ID Users

Detailed below are the steps to configure SAML SSO in PAM360 for Microsoft Entra ID users in the Microsoft Azure portal.

2.i Adding PAM360 as an Enterprise Application in the Azure Portal

2.ii Assigning Azure Users to the Enterprise Application

2.iii Configuring SAML SSO with PAM360
saml.redirect.idpprotocolbindingpost=true

3. Steps to Enable MFA and Set up First Login for Microsoft Entra ID Users

Below are the detailed steps to activate MFA for Microsoft Entra ID users in the Microsoft portal and to set up their first login.

3.i Enabling MFA for Microsoft Entra ID Users

3.ii Assigning Azure Users to the Enterprise Application

3.iii Setting Up First Login for the MFA-Enabled Azure Users

a. Prerequisite

You need to have the Microsoft Authenticator app installed on your phone for additional security verification.

b. Steps Required

The steps below let users set up their first login and multi-factor authentication using the Microsoft Authenticator app.
Note: To bypass SAML Single Sign-On and use local authentication to access PAM360, use the following skip URL:

4. Troubleshooting Tips: PAM360 Azure SAML SSO Login Issues

The following errors can be encountered during PAM360 login via Azure SAML SSO. Each of them can be resolved by following the respective troubleshooting steps:

1. Error: AADSTS75011

Issue: PAM360 uses a password for SAML authentication, but some browsers such as Edge store the previous session and use X509 certificates with the Azure IdP, causing validation failure due to an AuthnRequest mismatch.

Solution: To resolve this, remove the AuthnRequest elements from Microsoft Entra ID by:

2. Error: AADSTS750054

Issue: Incorrect configuration of the SAML Single Sign-On URL and the SAML assertion consumer URL in the enterprise application.

Solution: Update the respective URLs with valid input:

3. Error: AADSTS7000218

Issue: SAML authentication fails because the PAM360 enterprise application was created as a confidential client, which prevents username/password authentication.

Solution: Configure the enterprise app as a PUBLIC client:

Note: If you have multiple redirect URLs, you need to make the necessary changes in all of them.

4. Error: AADSTS75005

Issue: The Azure IdP doesn't support the HTTP REDIRECT binding protocol.

Solution: Enable the HTTP POST binding protocol:

5. Error: AADSTS50105

Issue: The user lacks access to the PMP/PAM360 app in Microsoft Entra ID.

Solution: Ensure the user is assigned to the PAM360 enterprise application. The user must belong to an assigned group or be directly assigned to the PAM360 enterprise application. Refer to the relevant help section for steps to assign users to the app.

6. Error: [com.adventnet.passtrix.saml.SAMLResponseValidator]|[SEVERE]|[78]: SAML Signature could not be validated|

By following these steps, you can effectively troubleshoot and resolve common login errors when using PAM360 with Azure SAML SSO.
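Errors 2 (AADSTS750054) and 4 (AADSTS75005) above both come down to the AuthnRequest the service provider sends disagreeing with what is registered in the enterprise application: the assertion consumer URL and the binding the IdP is asked to respond with. The following pre-flight check, added here as an example and not part of PAM360 or Microsoft's code, decodes a SAMLRequest captured from the browser's address bar (HTTP-Redirect encoding: URL-decode, base64-decode, raw inflate), then compares the Issuer, AssertionConsumerServiceURL and ProtocolBinding against the values an administrator expects to have entered in the application. The expected URLs, the sample request and its ID are constructed placeholders, not real PAM360 endpoints.

```python
"""Pre-flight check of a SAML AuthnRequest against the expected SP settings.

Added example (not PAM360 or Microsoft code). All URLs and IDs are constructed
placeholders; replace EXPECTED with the values entered under the enterprise
application's Basic SAML Configuration.
"""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-ins for the Identifier (Entity ID) and Reply URL (ACS URL)
# registered in the enterprise application.
EXPECTED = {
    "issuer": "https://pam360.example.internal:8282",
    "acs_url": "https://pam360.example.internal:8282/saml/acs",
}


def decode_redirect_request(saml_request_param):
    """Reverse the HTTP-Redirect encoding of a SAMLRequest query value:
    URL-decode, base64-decode, then raw DEFLATE inflate (wbits=-15: no zlib header)."""
    raw = base64.b64decode(urllib.parse.unquote(saml_request_param))
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_redirect_request(xml_text):
    """Inverse of decode_redirect_request; used only to build a realistic sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def inspect_authn_request(xml_text, expected=EXPECTED):
    """Return a list of findings naming each AuthnRequest field that disagrees
    with the expected SP configuration. An empty list means the request matches."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    findings = []

    # The SP entity ID must equal the Identifier registered for the application.
    issuer = root.findtext(f"{{{SAML}}}Issuer", default="").strip()
    if issuer != expected["issuer"]:
        findings.append(f"Issuer {issuer!r} does not match registered identifier {expected['issuer']!r}")

    # The ACS URL in the request must be a Reply URL registered for the application.
    acs = root.get("AssertionConsumerServiceURL", "")
    if acs != expected["acs_url"]:
        findings.append(f"AssertionConsumerServiceURL {acs!r} does not match registered reply URL {expected['acs_url']!r}")

    # The IdP should be asked to return the Response over HTTP-POST; a Redirect
    # binding here is the condition the HTTP POST binding setting corrects.
    binding = root.get("ProtocolBinding")
    if binding is not None and binding != HTTP_POST:
        findings.append(f"ProtocolBinding is {binding!r}; HTTP-POST expected")
    return findings


def sample_request(binding, acs_url, issuer=EXPECTED["issuer"]):
    """Build a constructed AuthnRequest (Signature and RelayState omitted)."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'ProtocolBinding="{binding}" AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"</samlp:AuthnRequest>"
    )


def run_checks():
    """Check one matching request and one misconfigured request (round-tripped
    through the Redirect encoding, as it would be captured from the browser)."""
    good = sample_request(HTTP_POST, EXPECTED["acs_url"])
    bad = sample_request(HTTP_REDIRECT, "https://pam360.example.internal:8282/saml/wrong")
    decoded = decode_redirect_request(encode_redirect_request(bad))
    return inspect_authn_request(good), inspect_authn_request(decoded)


if __name__ == "__main__":
    ok, problems = run_checks()
    print("matching request findings:", ok)
    for finding in problems:
        print("finding:", finding)
```

Paste the value of the SAMLRequest parameter from a failing login into decode_redirect_request and feed the result to inspect_authn_request; a finding on AssertionConsumerServiceURL points at the Reply URL configured for the application, and a finding on ProtocolBinding points at the HTTP POST binding setting described under error 4.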