SSO Setup Guide

Passwall supports enterprise Single Sign-On via SAML 2.0 and OpenID Connect (OIDC), plus automated user provisioning with SCIM 2.0. This guide walks you through configuring SSO for your organization.

Overview

Single Sign-On (SSO) lets your team members authenticate to Passwall using your existing identity provider (IdP)—such as Okta, Azure AD, Google Workspace, or OneLogin—instead of a separate username and password.

SSO provides three key benefits for enterprise teams:

  • Centralized access control — Manage who can access Passwall from your IdP. Disable an employee in your IdP and their Passwall access is revoked.
  • Reduced password fatigue — Team members authenticate with their corporate credentials, no extra password to remember.
  • Compliance and auditability — Meet regulatory requirements (SOC 2, ISO 27001, HIPAA) that require centralized identity management.

Plan requirement: SSO is available on Business and Enterprise plans. Compare plans →

Prerequisites

Before you begin, make sure you have:

  • A Passwall organization on a Business or Enterprise plan
  • Owner or Admin role in the organization
  • Admin access to your identity provider (Okta, Azure AD, Google Workspace, OneLogin, etc.)
  • Your IdP's metadata URL, or the SSO URL + Entity ID + Certificate (for SAML)

SAML 2.0 Setup

SAML 2.0 is the most widely supported SSO protocol in enterprise environments. Here's how to configure it:

1. Create a SAML app in your IdP

In your identity provider's admin console, create a new SAML 2.0 application. You'll need Passwall's service provider (SP) details:

  ACS URL: https://api.passwall.io/sso/callback
  Entity ID: https://api.passwall.io/sso/metadata/<conn_id>
  Name ID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

The exact Entity ID (with your connection ID) is shown in Passwall Vault after you create the SSO connection.

2. Configure the connection in Passwall

Go to Organization Settings → SSO & Provisioning in Passwall Vault and create a new SAML connection. Enter:

  • IdP SSO URL — The login URL from your IdP
  • IdP Entity ID — Your IdP's entity identifier
  • Certificate — The X.509 certificate from your IdP (PEM or raw base64)

3. Configure assertion signing

Passwall cryptographically validates every SAML assertion against your IdP's certificate. Ensure your IdP is configured to sign assertions.

Enable Want Assertion Signed in Passwall to reject unsigned responses.

4. Test and activate

Use the Test Connection button in Passwall to verify the configuration. Once successful, activate the connection.

After activation, team members will see a Sign in with SSO option on the Passwall login page.

OpenID Connect Setup

OpenID Connect (OIDC) is a modern authentication protocol built on OAuth 2.0. It's supported by most cloud identity providers.

1. Register Passwall in your IdP

Create a new OIDC/OAuth 2.0 application in your IdP with these settings:

  Redirect URI: https://api.passwall.io/sso/callback
  Grant type: Authorization Code + PKCE
  Scopes: openid email profile

2. Configure the connection in Passwall

In Organization Settings → SSO & Provisioning, create a new OIDC connection with:

  • Issuer URL — Your IdP's OIDC issuer (e.g., https://login.microsoftonline.com/<tenant>/v2.0)
  • Client ID — From your IdP application
  • Client Secret — From your IdP application
3. Test and activate

Test the connection, then activate. Passwall uses PKCE for additional security during the OAuth flow.
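To make the PKCE step concrete, here is an added example (written for this guide, not Passwall's own code) of the RFC 7636 S256 exchange: the client derives a challenge from a secret verifier, and the IdP's token endpoint accepts an authorization code only when the presented verifier hashes back to the challenge it saw at authorization time. Function names and the round-trip harness are constructed for illustration; no real IdP or Passwall endpoint is contacted.

```python
import base64
import hashlib
import secrets


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes give a 43-char base64url string (the RFC minimum)."""
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: the client sends only this hash with the authorization request."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def idp_verifies_pkce(stored_challenge: str, presented_verifier: str, method: str = "S256") -> bool:
    """What the IdP does at the token endpoint: recompute the challenge from the verifier the
    client now presents and compare it in constant time with the one stored at authorization."""
    if method != "S256":
        return False  # refuse the weaker 'plain' method rather than silently downgrading
    if not 43 <= len(presented_verifier) <= 128:
        return False  # RFC 7636 length bounds
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


def pkce_round_trip() -> dict:
    """Constructed round trip covering the legitimate case and the two failure modes PKCE exists for."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)  # travels with the authorization request
    return {
        "verifier_len": len(verifier),
        "legit": idp_verifies_pkce(challenge, verifier),
        # A token request that redeems the code with the wrong verifier must be rejected
        "wrong_verifier": idp_verifies_pkce(challenge, make_code_verifier()),
        "plain_downgrade": idp_verifies_pkce(challenge, verifier, method="plain"),
    }


if __name__ == "__main__":
    print(pkce_round_trip())
```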

SCIM 2.0 Provisioning

SCIM (System for Cross-domain Identity Management) automates user provisioning and deprovisioning. When you add or remove users in your IdP, the changes sync automatically to Passwall.

1. Generate a SCIM token

In Organization Settings → SSO & Provisioning, scroll to the SCIM section and create a new bearer token. Copy the token immediately—it won't be shown again.

2. Configure your IdP directory sync

Enter these values in your IdP's provisioning settings:

  SCIM Base URL: https://api.passwall.io/scim/v2
  Auth method: Bearer Token
  Supported ops: Users (create, update, deactivate), Groups (create, update, delete)

3. Assign users and groups

In your IdP, assign users or groups to the Passwall SCIM application. Assigned users will be provisioned into your Passwall organization automatically.

Note: SCIM-provisioned users are created with a "provisioned" status. An org admin must confirm them to complete the encryption key exchange. This step preserves Passwall's zero-knowledge security model.

User Lifecycle

When users are added to your organization via SSO or SCIM, they go through the following statuses:

  Provisioned
    How it happens: Created via SCIM push or SSO JIT provisioning
    Vault access: Can sign in, but no access to shared collections until confirmed

  Invited
    How it happens: Manually invited by an org admin
    Vault access: Pending invitation acceptance

  Accepted
    How it happens: User accepted the invitation
    Vault access: Pending admin confirmation for key exchange

  Confirmed
    How it happens: Admin confirmed and completed key exchange
    Vault access: Full access to assigned collections

  Suspended
    How it happens: Deactivated via SCIM or by admin
    Vault access: No access

Why is admin confirmation needed? Passwall uses zero-knowledge encryption. The organization's encryption key must be securely wrapped for each member using their public key. This client-side key exchange can only happen when an admin confirms the member in the Vault UI.

Troubleshooting

"SAML signature verification failed"

Passwall validates every SAML assertion cryptographically. Ensure your IdP is sending signed assertions and that the certificate in Passwall matches the signing certificate in your IdP. If you recently rotated your IdP certificate, update it in Passwall's SSO settings.
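The certificate mismatch described here, and the PEM-or-raw-base64 field from SAML setup step 2, can be checked before (or after) a rotation with the following added example. It is written for this guide, not Passwall's or any IdP's code: it pulls every signing KeyDescriptor out of an IdP metadata document, fingerprints it, and reports whether the certificate you pasted into Passwall is still one of the IdP's current signing certificates. Only the standard library is used; the base64 blobs in the sample metadata are constructed placeholders, not real X.509 certificates.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

def cert_to_der(cert_text: str) -> bytes:
    """Accept a PEM block or raw base64 (the two forms Passwall accepts) and return DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert_text)
    return base64.b64decode("".join(body.split()))

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form IdP consoles usually display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def signing_certs_from_metadata(metadata_xml: str) -> list:
    """DER bytes of every KeyDescriptor the IdP metadata marks for signing (or leaves unmarked)."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue  # an encryption-only key never signs assertions
        for c in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            certs.append(cert_to_der(c.text or ""))
    return certs

def configured_cert_matches(configured_cert: str, metadata_xml: str) -> bool:
    """True when the certificate pasted into Passwall is one of the IdP's current signing certs."""
    want = fingerprint(cert_to_der(configured_cert))
    return any(fingerprint(der) == want for der in signing_certs_from_metadata(metadata_xml))

# Constructed sample data: these base64 blobs are placeholders, not real X.509 certificates.
SIGNING_B64 = base64.b64encode(b"placeholder-signing-cert-2024").decode()
ENCRYPTION_B64 = base64.b64encode(b"placeholder-encryption-cert").decode()
STALE_B64 = base64.b64encode(b"placeholder-signing-cert-2023").decode()  # the pre-rotation cert
PEM_FORM = f"-----BEGIN CERTIFICATE-----\n{SIGNING_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" entityID="https://idp.example.com">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Certificate>{SIGNING_B64}</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Certificate>{ENCRYPTION_B64}</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print("current cert matches:", configured_cert_matches(PEM_FORM, SAMPLE_METADATA))  # True
    print("stale cert matches:", configured_cert_matches(STALE_B64, SAMPLE_METADATA))   # False
```

Replace SAMPLE_METADATA with the document fetched from your IdP's metadata URL and the configured value with what you pasted into Passwall; a False result means the IdP has rotated and the Passwall SSO settings need the new certificate.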

"User is not a member of this organization"

The user exists in Passwall but hasn't been added to your organization. Either enable JIT Provisioning to auto-add users on SSO login, or provision them via SCIM first.

SCIM user shows "provisioned" but can't access shared data

This is expected. An organization admin must confirm the user in Organization Settings → Members to complete the encryption key exchange. After confirmation, the user will have full access.

SCIM provisioning fails with "user does not have a Passwall account"

SCIM can only provision users who already have a Passwall account. The user must sign up for Passwall first, then SCIM will add them to your organization.

OIDC callback returns an error

Verify the Redirect URI in your IdP matches exactly: https://api.passwall.io/sso/callback. Also check that the Client ID and Client Secret are correct, and that the required scopes (openid, email, profile) are enabled.

Need more help?

If you run into issues configuring SSO, our team can help you set up and test the connection.