Single Sign-On (SSO) Setup with Microsoft Azure Entra

This guide provides step-by-step instructions to configure Single Sign-On (SSO) with Microsoft 365 / Azure / Entra in Keystash. You will create a new application and enable the respective APIs in the Microsoft Admin Console to obtain the Client ID and Client Secret required for SSO configuration.

Note

Single Sign-On is only available on the Business plan. Please upgrade your account if you wish to use this feature.

Configure Microsoft 365 Admin Center

Go to the Microsoft 365 Admin Center.

  1. Click on Identity in the left-hand menu or Microsoft Entra on the main page

  2. On the Microsoft Entra admin center page click on App registrations on the left-hand menu

  3. Click on New registration at the top of the page

  4. Enter a name for the application; we suggest Keystash

  5. Select the Accounts in this organizational directory only (Single tenant) option under Supported account types
  6. Select the Web option under Redirect URI
  7. Enter the Redirect URI from the Identity Provider Resources section below
  8. Click Register

  9. On the Overview page, copy the Application (client) ID. You will need this value later

  10. Click on Endpoints in the top menu

  11. In the Endpoints screen, copy the OpenID Connect metadata document URL. You will need this value later

  12. Then click Certificates & secrets in the left-hand menu

  13. Click on New client secret in the middle of the page

  14. In the screen that opens, enter Keystash into the Description field
  15. Choose the appropriate Expires option
    • Note: You will need to create a new Client Secret and load it into Keystash when the current secret expires. Failure to maintain this will result in SSO not working.
  16. Click Add

  17. Copy the Value of the newly created client secret. You will need this value later

  18. Click on Branding & properties in the left-hand menu

  19. Enter Keystash in the Name field
  20. Upload the Keystash logo file from the Identity Provider Resources section below
  21. Enter the Home page URL from the Identity Provider Resources section below
  22. Enter the Terms of service URL from the Identity Provider Resources section below
  23. Enter the Privacy statement URL from the Identity Provider Resources section below
  24. Click Save
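
The expiry note under step 15 lends itself to a scheduled check. The following is an added example, not part of the Keystash documentation: it assumes the app registration's secrets have been exported as JSON in the Microsoft Graph passwordCredentials shape (keyId, displayName, endDateTime), and the sample entries and key IDs are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

def parse_graph_time(value):
    """Parse a Graph timestamp such as 2025-03-01T00:00:00.1234567Z as UTC."""
    # Graph may emit 7 fractional digits; drop them and the trailing Z.
    head = value.rstrip("Z").split(".")[0]
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def review_secrets(credentials, now, warn_days=30):
    """Classify each client secret and say whether rotation is needed.

    Returns (report, rotate): report maps keyId -> 'expired' | 'expiring' | 'ok';
    rotate is True when no secret remains valid beyond the warning window.
    """
    horizon = now + timedelta(days=warn_days)
    report = {}
    for cred in credentials:
        end = parse_graph_time(cred["endDateTime"])
        if end <= now:
            report[cred["keyId"]] = "expired"
        elif end <= horizon:
            report[cred["keyId"]] = "expiring"
        else:
            report[cred["keyId"]] = "ok"
    # SSO keeps working only while the secret loaded into Keystash is valid,
    # so flag rotation as soon as nothing outlives the warning window.
    rotate = "ok" not in report.values()
    return report, rotate

# Constructed sample in the shape of passwordCredentials; IDs are placeholders.
SAMPLE = [
    {"displayName": "Keystash", "keyId": "key-old",
     "endDateTime": "2024-01-15T09:30:00Z"},
    {"displayName": "Keystash", "keyId": "key-current",
     "endDateTime": "2024-07-10T09:30:00.1234567Z"},
]

if __name__ == "__main__":
    now = datetime(2024, 6, 20, tzinfo=timezone.utc)
    print(review_secrets(SAMPLE, now))
```

When rotate is true, create the new client secret and load it into Keystash before the old one lapses, then delete the old secret from the app registration.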

Configure Keystash Single Sign-on Settings

  1. Navigate to Settings on the Keystash menu
  2. Click on Single Sign On (SSO) on the sub menu
  3. Toggle the Enable Single Sign On switch to activate SSO settings
  4. Select Microsoft Azure / Entra from the dropdown menu
  5. Enter the Application (client) ID you obtained from the Microsoft 365 admin portal above in the Client ID field
  6. Enter the Client Secret you obtained from the Microsoft 365 admin portal above
  7. Enter the OpenID Connect metadata document URL you obtained from the Microsoft 365 admin portal above in the Discovery URL field. (It usually looks like https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration)
  8. Enter an Organisation ID for your organisation. This can be any string you decide, for example demo-example. Your users can use this ID to log in to Keystash on the main Keystash login page. However, it is easier for your users to use the Login URL below. See Logging In for more information
  9. The Login URL field will be automatically created based on your Organisation ID. NB: You need to provide this URL to your users so they can log in to Keystash with Microsoft single sign-on
  10. If you would like Keystash to automatically create a user account for a new user who is attempting to log in via Single Sign-on, then toggle the Enable Auto User Provisioning switch to on
    • You will need to select a default Role that will be assigned to the new user account
  11. Click Save to complete the configuration.
    • You should now open up your Login URL in another browser to test the Single Sign-on configuration.
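
Before saving, the Discovery URL from step 7 can be sanity-checked against the single-tenant registration chosen earlier. The following is an added example, not Keystash or Microsoft code: it inspects a discovery URL and an already-downloaded metadata document, and the tenant ID and sample document are constructed placeholders that follow the URL pattern shown in step 7.

```python
import re
from urllib.parse import urlsplit

ENTRA_HOST = "login.microsoftonline.com"
MULTI_TENANT_ALIASES = {"common", "organizations", "consumers"}
GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
SUFFIX = "/v2.0/.well-known/openid-configuration"

def check_discovery(url, metadata):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != ENTRA_HOST:
        problems.append("discovery URL is not https://%s" % ENTRA_HOST)
    if not parts.path.endswith(SUFFIX):
        return problems + ["path does not end in " + SUFFIX]
    tenant = parts.path[: -len(SUFFIX)].strip("/")
    if not tenant or "/" in tenant:
        return problems + ["tenant segment is missing or malformed"]
    if tenant.lower() in MULTI_TENANT_ALIASES:
        problems.append("'%s' is a multi-tenant alias, not your tenant" % tenant)
    # The issuer is what ID tokens are checked against, so it must name one tenant.
    issuer = metadata.get("issuer", "")
    m = re.fullmatch(r"https://%s/([^/]+)/v2\.0" % re.escape(ENTRA_HOST), issuer)
    if not m or not GUID.match(m.group(1)):
        problems.append("issuer does not name a single tenant ID: %r" % issuer)
    elif GUID.match(tenant) and m.group(1).lower() != tenant.lower():
        problems.append("issuer tenant differs from discovery URL tenant")
    # Every endpoint the client will call must stay on the Entra host over TLS.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        ep = urlsplit(metadata.get(key, ""))
        if ep.scheme != "https" or ep.hostname != ENTRA_HOST:
            problems.append("%s is missing or not on %s" % (key, ENTRA_HOST))
    return problems

# Constructed sample: placeholder tenant ID, not a real directory.
TENANT = "11111111-2222-3333-4444-555555555555"
BASE = "https://login.microsoftonline.com/" + TENANT
SAMPLE_URL = BASE + SUFFIX
SAMPLE_METADATA = {
    "issuer": BASE + "/v2.0",
    "authorization_endpoint": BASE + "/oauth2/v2.0/authorize",
    "token_endpoint": BASE + "/oauth2/v2.0/token",
    "jwks_uri": BASE + "/discovery/v2.0/keys",
}

if __name__ == "__main__":
    print(check_discovery(SAMPLE_URL, SAMPLE_METADATA) or "discovery document looks consistent")
```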

Note

Please check your Login URL after saving your settings. Keystash will automatically adjust the Login URL based on internal formatting rules.

Identity Provider Resources

These are the required resources for configuring and verifying the SSO setup in Microsoft 365. Copy and paste the following information into the respective fields in the Microsoft Admin Console.

  • Redirect URL: https://app.keystash.io/sso/callback

  • Keystash Application Homepage: https://www.keystash.io

  • Keystash Privacy Policy Link: https://www.keystash.io/privacy-policy.html

  • Keystash Terms of Service Link: https://www.keystash.io/terms-of-service.html

  • Keystash Logo Image: Click the Download button to download the Keystash logo image, which can be used in your Microsoft 365 configuration.

Logging In

Keystash with Microsoft 365 allows two main ways to log in:

  1. Using the Login URL. This is the URL that you can provide to your users to log in to Keystash with Microsoft 365 single sign-on. This URL is automatically generated based on your Organisation ID. For example, https://demo-example.sso.keystash.io
  2. Using the Organisation ID. This allows your users to log in to Keystash on the main Keystash login page. Users will click on the Single Sign-On button and enter the Organisation ID in the field provided. For example: demo-example

Additional Resources