SAML Authentication with Azure AD

The Click Studios Technical Support group is regularly asked whether we support authentication between Passwordstate and Microsoft Azure AD.  The simple answer is yes; to do this you must be using SAML2 Authentication as your global authentication setting.  This lets you set up authentication to, and Single Sign-On for, Passwordstate.

In order to use SAML2 authentication in Passwordstate, you must specify a number of settings, each of which can be obtained from the ‘Application’ configured with your SAML2 Provider.  The following is a summary of the settings that are required:

  • Specify the Certificate Type – either SHA1 or SHA256
  • Details of your X.509 Certificate
  • The IDP Target URL
  • The IDP Issuer URL
  • Audience Restriction

As the terminology isn’t always consistent between SAML2 Providers, use the table below to map the Passwordstate SAML2 Authentication Settings to the information provided by Azure Active Directory:

Passwordstate Field                                   | Azure Active Directory Field
------------------------------------------------------|-----------------------------
Audience Restriction                                  | Identifier (Entity ID)
‘Your Passwordstate URL’/logins/saml/default.aspx     | Reply URL
‘Your Passwordstate URL’                              | Sign On URL
‘Your Passwordstate URL’/logins/saml/default.aspx     | Relay State
UserID or Email or UserPrincipalName                  | Unique User Identifier
X.509 Certificate (SHA256)                            | Certificate (Base64)
IDP Target URL                                        | Login URL
IDP Issuer URL                                        | Azure AD Identifier
Logout URL                                            | Logout URL

Note that in the above table ‘Your Passwordstate URL’ is the URL of your Passwordstate instance.  In the examples used in this blog, https://prbpasswordstate.halox.net is used as ‘Your Passwordstate URL’.

Create a Non-Gallery Application in Azure

In these examples we’re going to configure Passwordstate for SAML2 Authentication and Single Sign-On with Azure AD.  First you need to log in to Azure via the portal and navigate to your Azure Dashboard.  From here we select Azure Services->Azure Active Directory, as per the screenshot below,

Then select Enterprise applications from the menu on the left,

and click on New Application.  This will present one of two screens, depending on whether you’re using the old App Gallery or the new and improved App Gallery,

If you’re using the old App Gallery, you’ll see the following screen and will need to click on Non-gallery application as per the image below,

If you’re using the New App Gallery, you’ll see this screen instead and will need to click on Create your own application, give it a name and select ‘integrate any other application you don’t find in the gallery’,

This will create the Enterprise Application with the name you have provided.  In this example it’s called Azure Demo-Passwordstate.

Configure and Generate your SAML Single Sign-on Information

Now we need to configure Single Sign-on and generate your SAML Provider settings for use in Passwordstate.  First, we click on Single sign-on,

and then click on SAML to be able to specify the settings you require,

this will open the SAML-based Sign-on screen, allowing you to configure settings, download your X.509 Certificate and provide the URLs for configuring your Passwordstate SAML2 Authentication settings,

Edit 1 Basic SAML Configuration and 2 User Attributes & Claims by clicking on the pencil Edit icon, filling in the values as per the table at the beginning of this blog.  Then click on Download next to Certificate (Base64) under 3 SAML Signing Certificate.  Please note, as stated in the image, you’ll need to add your users before they are able to log in.  They can be added via Users and groups on the left-hand side of the screen,

Configure the Passwordstate SAML2 Authentication Settings

To configure your Passwordstate SAML2 Authentication you’ll need to log in to Passwordstate and navigate to Administration->System Settings->Authentication Options.  From here set your Web Authentication Options to SAML2 Authentication, and under Primary Site’s SAML2 Authentication Settings enter the details as per the screen snapshot,

Note we’ve selected Email Address (user.mail in the Azure settings) as the unique identifier.  You’ll need to open the X.509 Certificate you downloaded previously with something like Notepad and copy the entire contents into the X.509 Certificate: field, making sure to include the Begin Certificate and End Certificate lines.  The IDP Target URL:, IDP Issuer URL: and Audience Restriction: values are all as per the SAML-based Sign-on screen of the Azure Enterprise Application (our example is Azure Demo-Passwordstate).  When finished, click on the Save & Close button at the bottom of the screen.
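The mapping table at the top of this post and the settings entered above only make sense once you see what each value is compared against when an assertion from Azure AD arrives at the service provider.  The following Python script is an added illustration (it is not Passwordstate or Click Studios code) of those checks: the assertion’s Issuer against the IDP Issuer URL, its Audience against the Audience Restriction, its validity window, and the signing certificate it carries against the pasted X.509 Certificate, fingerprinted with the chosen Certificate Type (SHA1 or SHA256).  It also rejects a pasted certificate that is missing the Begin/End Certificate lines, the mistake warned about above.  The issuer and audience values, the certificate bytes and the assertion XML are constructed samples, and the script deliberately does not implement XML-DSig signature verification, which a real SAML library must perform before any of these fields can be trusted.

```python
"""Check a SAML assertion against the Passwordstate-side SAML2 settings.
Added illustration, not Passwordstate or Click Studios code; issuer, audience,
certificate bytes and the assertion XML are constructed sample values."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for the DER bytes of a signing certificate; the real
# "Certificate (Base64)" download is a genuine X.509 cert in the same envelope.
CONSTRUCTED_DER = bytes(range(64))
OTHER_DER = bytes(range(64, 128))

def pem_envelope(der: bytes) -> str:
    """Wrap DER bytes in the BEGIN/END CERTIFICATE envelope Azure's download uses."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

# What an administrator pastes into Passwordstate; issuer and audience are
# assumed placeholders in the shape Azure AD uses.
SETTINGS = {
    "certificate_type": "sha256",  # Passwordstate's Certificate Type: SHA1 or SHA256
    "idp_issuer_url": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "audience_restriction": "https://prbpasswordstate.halox.net",
    "x509_certificate": pem_envelope(CONSTRUCTED_DER),
}

def pem_to_der(pem: str) -> bytes:
    """Decode a pasted certificate, rejecting one missing its BEGIN/END lines."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("certificate must include the BEGIN and END CERTIFICATE lines")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(der: bytes, algorithm: str) -> str:
    """Digest of the certificate bytes using the configured Certificate Type."""
    return hashlib.new(algorithm, der).hexdigest()

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(assertion_xml: str, settings: dict, now: datetime) -> list:
    """Return the problems found (empty list: every setting matched).
    Checks issuer, audience, validity window and signing-certificate identity;
    it does NOT verify the XML-DSig signature, which a SAML library must do first."""
    problems = []
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != settings["idp_issuer_url"]:
        problems.append(f"issuer {issuer!r} does not match the IDP Issuer URL")
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if settings["audience_restriction"] not in audiences:
        problems.append(f"Audience {audiences!r} does not include the Audience Restriction")
    cond = root.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion is outside its NotBefore/NotOnOrAfter window")
    presented_b64 = root.findtext(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS) or ""
    presented = base64.b64decode("".join(presented_b64.split()))
    algo = settings["certificate_type"]
    if fingerprint(presented, algo) != fingerprint(pem_to_der(settings["x509_certificate"]), algo):
        problems.append("signing certificate does not match the configured X.509 Certificate")
    return problems

# Constructed assertion in the shape Azure AD issues, trimmed to the parts checked.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{SETTINGS['idp_issuer_url']}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{base64.b64encode(CONSTRUCTED_DER).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SETTINGS['audience_restriction']}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
SAMPLE_NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)

def run_checks() -> dict:
    """Exercise the matching case and the mismatches an administrator can cause."""
    try:
        pem_to_der(SETTINGS["x509_certificate"].replace("-----END CERTIFICATE-----", ""))
        missing_end_rejected = False
    except ValueError:
        missing_end_rejected = True
    return {
        "good": check_assertion(SAMPLE_ASSERTION, SETTINGS, SAMPLE_NOW),
        "wrong_audience": check_assertion(SAMPLE_ASSERTION,
            {**SETTINGS, "audience_restriction": "https://other.example"}, SAMPLE_NOW),
        "wrong_certificate": check_assertion(SAMPLE_ASSERTION,
            {**SETTINGS, "x509_certificate": pem_envelope(OTHER_DER)}, SAMPLE_NOW),
        "expired": check_assertion(SAMPLE_ASSERTION, SETTINGS, SAMPLE_NOW + timedelta(hours=1)),
        "missing_end_line_rejected": missing_end_rejected,
    }
```

Running `run_checks()` returns an empty problem list for the matching case and exactly one problem for each mismatch: a wrong Audience Restriction, a different certificate pasted than the one Azure signs with, or an assertion presented outside its NotBefore/NotOnOrAfter window.  The audience check is the one that stops an assertion issued for another Enterprise Application from being accepted by Passwordstate, which is why the Identifier (Entity ID) in Azure and the Audience Restriction in Passwordstate must be entered identically.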

Authentication via Azure AD SAML2

Now you should be able to log out of Passwordstate and, on browsing to your Passwordstate URL, be directed to the Microsoft Azure Pick an account and Enter password challenge screens.  Once you’ve logged into Azure, Passwordstate should open up as normal.

We hope this makes it easier to understand how to authenticate Passwordstate with Azure AD using SAML2.  Please send any comments or feedback to support@clickstudios.com.au