Introduction
This article explains how to set up single sign-on (SSO) in the NordPass Admin Panel using Microsoft Active Directory Federation Services (AD FS) as an identity provider.
The AD FS SSO prompt appears only when you log in on a new browser or device, or after you have been logged out of an active NordPass Business Account session. An active session lasts up to 30 days on the same browser or device.
DISCLAIMER: In the near future, we plan to discontinue AD FS SSO support. We recommend migrating to Microsoft Entra ID. Check out the Microsoft AD FS decommission guide.
Before you start:
- You need permission to add DNS TXT records to your domain for domain verification.
- You need network access that allows HTTPS (TCP port 443) to your AD FS federation service.
Here's what to do
- Open the AD FS Management console and click "Add Application Group…" in the Actions panel.
- Enter an application group name, select "Server application" from the template list, and click "Next".
- Copy and save the Client Identifier value.
- Enter the Redirect URI for your data center and click "Add":
  - US data center: https://api.nordbusinessaccount.com/v1/oauth/adfs/callback
  - EU data center: https://business-auth.eu.nordpass.com/v1/oauth/adfs/callback
- Click "Next", select "Generate a shared secret", copy and save the generated value, and finish the application group setup.
- Open Application Groups, select the newly created group, click "Properties", then click "Add application…".
- Select "Web API", click "Next", enter https://api.nordbusinessaccount.com as the identifier, click "Add", and continue.
- Select "Permit everyone" as the access control policy, ensure "OpenID" is selected under permitted scopes, and complete the setup.
- Go to Service in the AD FS Management console, click "Edit Federation Service Properties…", and copy the Federation Service name (AD FS domain URL).
- Make sure the following endpoint is accessible over HTTPS (TCP port 443):
  {FEDERATION_SERVICE_DOMAIN_NAME}/adfs/oauth2/authorize/
- Log in to the NordPass Admin Panel and go to "Authentication".
- Select "Microsoft Active Directory Federation Services (AD FS)".
- Click "Add Domain", enter your company's domain name, and click "Continue".
- Add the generated DNS TXT record to your domain, and then click "Verify" (verification can take up to 72 hours).
- Enter the Client Identifier, Client Secret, and AD FS Domain URL saved earlier, and click "Test Connection".
- Once the connection is successful, click "Turn On", and in the confirmation window, click "Turn On" again.
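The AD FS side of the procedure above (application group, server application with a shared secret, Web API with the "Permit everyone" policy, the openid scope grant, and the federation service name plus endpoint check) can also be done from PowerShell on the AD FS server. The script below is an added example written for this article, not NordPass's own tooling or part of the original page. It uses the standard ADFS module cmdlets; the group name, application names and the company domain are placeholders, and the client identifier is generated locally because the console would otherwise generate it for you. The NordPass Admin Panel steps still have to be done in the browser.

```powershell
# Added example: scripted equivalent of the AD FS Management console steps.
# Assumptions (not from the article): run in an elevated PowerShell session on the
# primary AD FS server (Windows Server 2016 or later); names below are placeholders.
Import-Module ADFS

$groupId     = "NordPass-SSO"                          # placeholder application group name
$clientId    = [guid]::NewGuid().ToString()            # client identifier (console generates one for you)
$redirectUri = "https://api.nordbusinessaccount.com/v1/oauth/adfs/callback"   # US data center
# EU data center: "https://business-auth.eu.nordpass.com/v1/oauth/adfs/callback"
$webApiId    = "https://api.nordbusinessaccount.com"   # Web API identifier from the article

# 1. Application group
New-AdfsApplicationGroup -Name $groupId -ApplicationGroupIdentifier $groupId | Out-Null

# 2. Server application; -GenerateClientSecret returns the shared secret exactly once
$serverApp = Add-AdfsServerApplication -ApplicationGroupIdentifier $groupId `
    -Name "$groupId - Server application" `
    -Identifier $clientId `
    -RedirectUri $redirectUri `
    -GenerateClientSecret

# 3. Web API bound to the "Permit everyone" access control policy
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $groupId `
    -Name "$groupId - Web API" `
    -Identifier $webApiId `
    -AccessControlPolicyName "Permit everyone" | Out-Null

# 4. Allow the server application to request the openid scope against the Web API
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
    -ServerRoleIdentifier $webApiId `
    -ScopeNames "openid"

# 5. Federation Service name, i.e. the AD FS Domain URL NordPass asks for
$federationService = (Get-AdfsProperties).HostName
$authorizeEndpoint = "https://$federationService/adfs/oauth2/authorize/"

# 6. Reachability check for the authorize endpoint over TCP 443
$reach = Test-NetConnection -ComputerName $federationService -Port 443

# 7. Optional: confirm the DNS TXT record published for domain verification is visible
$verifiedDomain = "example.com"   # placeholder: your company domain
$txt = Resolve-DnsName -Name $verifiedDomain -Type TXT -ErrorAction SilentlyContinue |
       Select-Object -ExpandProperty Strings

# Values to enter in the NordPass Admin Panel; keep the secret in a vault, not in a script
[pscustomobject]@{
    ClientIdentifier  = $clientId
    ClientSecret      = $serverApp.ClientSecret
    AdfsDomainUrl     = "https://$federationService"
    AuthorizeEndpoint = $authorizeEndpoint
    Port443Reachable  = $reach.TcpTestSucceeded
    DnsTxtRecords     = ($txt -join "; ")
}
```

Run it once per AD FS farm; the shared secret is only returned by the Add-AdfsServerApplication call that generated it, so capture it from the output object immediately and store it where the admin who completes the NordPass side can retrieve it. If Port443Reachable is false, the "Test Connection" step in the Admin Panel will fail until the firewall rule described under "Additional tips" is in place.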
Additional tips
- If your firewall restricts inbound access to the AD FS authorization endpoint, contact NordPass support by clicking one of the buttons below this article to obtain the IP address that must be allowed.
- SSO authentication is only requested again when the session expires, the user logs out, or a new browser or device is used.
- Store all generated identifiers and secrets securely (for example, in a password manager or secrets vault) for future reference; the shared secret is shown only once when it is generated.