Configuring Single Sign-On


Only Domain Administrators with the SSO Settings: Read and SSO Settings: Edit permissions in their security profile can view and configure SSO settings for a domain. SSO enablement and configuration applies across all vaults in a multi-vault domain.

Learn more about Vault’s SSO options in Single Sign-On BasicsSingle Sign-On Details, and Single Sign-On FAQ.

To configure single-sign on, you must:

  1. Create an SSO profile, either SAML or OAuth2.0 / OIDC
  2. Create an SSO Security Policy with the Single Sign-on Authentication Type
  3. Provision users to use SSO

Create an SSO Security Policy

To complete SSO configuration, you must apply a security policy that enables user accounts to use SSO. You can do this by creating a new security policy or changing the settings for an existing policy. If you create a new security policy, you will have to apply the new policy to each user account individually. If you change an existing policy, you can bypass this step only if the existing policy is already in use, but you may have to enter the Federated ID for each user if your SSO configuration uses Federated ID rather than Vault User Name as the User ID Type.

To create a SSO security policy, set the Authentication Type to Single Sign-On in your security policy’s settings page. Then, you can assign up to one SAML Profile and one OAuth 2.0 / OpenID Connect Profile.

Example Single Sign-On Security Policy

Provision Users to Use SSO

When provisioning new users, you can set them to use SSO by assigning them to an SSO security policy. If you are using a User ID Type of Federated ID, you must set the Federated ID value in the user profile.


Last Updated: