Provision and Set up Single Sign-On

There are three parts to configuring single sign-on between Password Safe and Microsoft Entra ID (formerly Microsoft Azure AD):

Create an Enterprise Application for Password Safe

You can use this document as an alternative to this section:

To create an application in Entra ID:

Browse to Enterprise applications in Microsoft Entra ID to add Password Safe as an app.

  1. From Enterprise applications, create an application, and then select Create your own application.


  1. Provide a name for the application, and select the Non-gallery option.

Assign a logo to the Password Safe app in Entra ID.

  1. Once the application is created, on the Properties page, assign a logo.


Configure Authentication and Authorization

To configure authentication and authorization:

  1. Configure a service account for the Entra ID instance.
  2. Create an app registration for your application.


In Entra ID, the client ID and tenant ID when adding the Password Safe app.

  1. Note the Application (client) ID and Directory (tenant) ID. You will copy these values later in Password Safe during the SAML configuration.


In Entra ID, create a client secret for the Password Safe application.

  1. On the Certificates & secrets page, under the application registration, create a client secret. Take note of the Value (client secret).


In Entra ID, add API permissions for the Password Safe application.

  1. Add API permissions to application registration.


Create a directory credential in Password Safe.

  1. After a service account is created, store the credentials in a Directory Credential object in Password Safe. Use the client and tenant IDs, and the client secret.


In Password Safe, create a group for Entra ID.

  1. At this point, test the credential. Under User Management, create an Entra ID group.


In Password Safe, browse and import Entra ID groups.

  1. With the previously created directory credential, browse and import Entra ID groups.


In Password Safe, group members synchronized with Entra ID users.

  1. Members in Entra ID and Password Safe are synchronized. Adding a new member to the group in Entra ID creates a new account in Password Safe with the permissions associated to the provisioning group.


In Password Safe, new account provisioned when new user created in Entra ID.

  1. The screen capture shows a new account provisioned in Password Safe when an Entra ID user is added to Entra ID group after the group is imported.


Adding or removing users in Entra ID updates access in Password Safe.

  1. Adding and removing members in Entra ID results in provisioning or deprovisioning of access in Password Safe.


In Password Safe, screen capture shows member removed after sync with Entra ID.

  1. After scheduled or manual synchronization, the removed member is removed from the group.


In Password Safe, view user details and attributes.

  1. The account remains in Password Safe, but the removed user cannot access their account and cannot start a Password Safe session.


Entra ID group memberships for a user are synchronized every time the user logs in. For example, a user that has been removed from all Groups can no longer log in to Password Safe.

Configure Single Sign-On Using Entra ID SAML Identity Provider

Now go to the application created for Password Safe in Entra ID, under Enterprise applications.  You must configure SAML in Password Safe, and the corresponding single sign-on configuration in the Entra ID application.

SAML configuration in Password Safe.

  1. The screen capture shows SAML configuration in Password Safe (BeyondInsight). Take note of Entity ID and Assertion Consumer Service URL
  2. Set User Mapping to Entra ID.


Single sign-on configuration for Password Safe in Entra ID.

  1. The screen capture shows single sign-on configuration for Entra ID App.  Enter the Password Safe Entity ID and Assertion Consumer Service URL.


In Entra ID, enter group attributes and download certificates.

  1. Add the group (user.groups) to Attributes.
  2. Download Certificate (Base64) to import in Password Safe SAML configuration.


  1. Take note of the Login URL, Entra ID Identifier, and Logout URL.


Password Safe SAML configuration for Entra ID.

  1. Complete the configuration in Password Safe by entering the Identifier (Entra ID Identifier), Single Sign-On Service URL(login URL) and Single Logout Service URL (logout URL).


Test SSO

To test SSO with a test user:

Log in to Entra ID to test the SSO access.

  1. Log in as a test user and access the Enterprise applications.
  2. Click Test sign in to open a new browser tab for Password Safe.  SAML assertion is sent to authenticate the user.


Password Safe Accounts Page

  1. The test user is authenticated (SSO) in Password Safe.


This completes the configuration of provisioning and SSO between Entra ID and BeyondTrust Password Safe and Password Safe Cloud.

For more information or to send comments, please send to