Bypassing SAML Authentication For Selected Users

We often get asked if it’s possible to bypass SAML Authentication and have an alternative fall back method of Authentication enabled for Passwordstate Users.  The requested use case is typically that SAML Authentication is set globally, with an alternative such as Manual AD Authentication available in case of an outage with the SAML provider.

This use case isn’t possible, but with a few changes you can achieve a similar result.

Why Can’t You Have Both With SAML As Default?

By default, when Passwordstate is installed, your Internet Information Services (IIS) website is set to Anonymous Authentication.  This means that IIS does not send through your logged-in credentials to Passwordstate, and when SAML Authentication is set globally, you are directing all users that browse to your Passwordstate Login URL to first authenticate with the SAML Provider.

Using a simplistic, high-level diagram as an example, let’s say your SAML Identity Provider is based in Azure, and your Passwordstate instance is hosted on premise.  The following is the high-level sequence of events when accessing Passwordstate under this use case,

  1. The user browses to the Passwordstate login URL,
  2. Passwordstate redirects the request to the SAML Identity Provider (IDP) as configured in Passwordstate,
  3. The SAML IDP sends a Login Request to the User,
  4. The User receives a Login Request screen (not a Passwordstate Login Screen),
  5. The User fills out their SAML Response’s Name Identifier (NameID) and Password and hits enter,
  6. The credential set is checked against the IDP’s directory, and,
  7. If authorized, the SAML response is then passed through to Passwordstate.

While this is a very simplistic explanation, it does show that all traffic to the Passwordstate Login URL is redirected to the SAML Identity Provider to obtain User Authorization.  When setting the SAML Authentication globally, and using Anonymous Authentication, Passwordstate is unable to validate and choose an authentication option based on User Account Policies (and that’s part of the trick).

What’s The Alternative?

The alternative involves a number of steps.  You’ll need to disable Anonymous Authentication in IIS, set the global Authentication Option in Passwordstate to SAML (if that is what the majority of your users will be authenticating with), create a User Account Policy (UAP) and assign this to all users you want to be authenticated by your chosen alternative Authentication option (in this case Manual AD Authentication).  This may sound complex so let’s break it down. 

Disable Anonymous Authentication

First, let’s disable Anonymous Authentication in IIS.  In doing this you are passing your domain Username through to IIS, so the UAP can be applied, and then the user fills out the login screen details.

As stated above, the default setup during Passwordstate’s installation is to set IIS to Anonymous Authentication.  To disable this, you’ll need to open IIS on your webserver, select your Passwordstate website and double click Authentication,

Now right click Anonymous Authentication and select Disable.  The results should look like the screen image below,
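The same IIS change can be scripted and verified from the web server; this is an added example, not code from the post or from Click Studios, and it assumes the IIS site is named Passwordstate, that the login URL is a placeholder to replace, and that Windows Authentication is what passes the domain Username through once Anonymous Authentication is off.

```powershell
# Added example (not from the original post). Assumptions: the IIS site is
# called 'Passwordstate', and Windows Authentication is the mechanism that
# hands the domain username to IIS once Anonymous Authentication is disabled.
Import-Module WebAdministration

$SiteName   = 'Passwordstate'   # assumption: use the site name shown in IIS Manager
$AnonFilter = '/system.webServer/security/authentication/anonymousAuthentication'
$WinFilter  = '/system.webServer/security/authentication/windowsAuthentication'

function Get-AuthState {
    param([string]$Filter)
    (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter $Filter -Name Enabled).Value
}

Write-Host "Before: Anonymous=$(Get-AuthState $AnonFilter) Windows=$(Get-AuthState $WinFilter)"

# Equivalent of right-clicking Anonymous Authentication and selecting Disable
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter $AnonFilter -Name Enabled -Value $false

# With anonymous access off, IIS needs an enabled challenge method, otherwise it
# answers 401 without ever asking the browser for the domain account
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter $WinFilter -Name Enabled -Value $true

Write-Host "After:  Anonymous=$(Get-AuthState $AnonFilter) Windows=$(Get-AuthState $WinFilter)"

# Check: an unauthenticated request to the login URL should now be challenged
# with 401 rather than redirected (302) to the SAML IDP.
$LoginUrl = 'https://passwordstate.example.local/'   # assumption: your login URL
try {
    $resp = Invoke-WebRequest -Uri $LoginUrl -UseBasicParsing `
        -MaximumRedirection 0 -ErrorAction Stop
    Write-Warning "Anonymous access still allowed (HTTP $($resp.StatusCode))"
} catch {
    $code = [int]$_.Exception.Response.StatusCode
    if ($code -eq 401) { Write-Host 'OK: anonymous request challenged (401)' }
    else { Write-Warning "Unexpected response $code (302 means requests still go to the IDP)" }
}
```

Run it from an elevated PowerShell session on the web server, since writing to applicationHost.config requires administrator rights.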

Now you’re ready to make the required changes in your Passwordstate Instance.

Set Your Global Authentication Option in Passwordstate

Login to your Passwordstate instance and navigate to Administration TAB->System Settings->Authentication Options->Web Authentication Options and select SAML2 Authentication (the global option we’re using for this example) from the Choose Authentication Options drop-down list and click Save,

If you need assistance on configuring your SAML2 Authentication settings please refer to our Security Administrators Manual located under Support->Documentation on our Website.

Now Create A User Account Policy For Manual Login Authentication Users

Now we’ll create a User Account Policy for Manual Login Authentication by navigating to Administration->User Account Policies and clicking on Add.  This will take you to the Add User Account Policy screen.  We’ve previously created a policy for this so we’ll edit it instead by clicking on the name Default Manual AD,

Here you can see we’ve selected the A6 Setting ID that controls Authentication Options and selected Manual Login Authentication from the drop-down list,

Once this has been saved, you’re ready to apply it to the users that will be using their AD Accounts to authenticate with Passwordstate.

Apply The UAP to the Selected Users

While still on Administration->User Account Policies you’ll need to click on the Action Icon next to the Default Manual AD Policy you’ve created and select Apply Policy to Users,

From here, you need to search for the Users or Groups you want to add to the Policy.  While you can search for, and assign users to the Policy, we’d always recommend making the assignment based on Group Membership.

You now have the majority of your users being authenticated via SAML and a select number of users being authenticated via their AD Accounts.

By using this alternative, you can achieve a similar result to the use case of SAML Authentication set globally with an alternative authentication being used for select users.  The only caveat is that this only works for users logging in from Windows-based machines, since the domain Username is only passed through to IIS from a Windows login.

If you’d like to share your feedback please send it through to