SSO with AD FS Setup

AD FS SSO is only prompted when logging in on new browsers/devices or when logged out from an active Business Account session (the session lasts 30 days on the same browser/device where you are already logged in).

Here's a step-by-step guide on how to set up a single sign-on (SSO) method in the NordPass Admin Panel using Microsoft Active Directory Federation Services (AD FS) as an Identity Provider (IdP).

1. Open the AD FS management console and select Add Application Group… in the Actions panel.

1.png

2. Enter the desired Application Group name, choose Server application from the template list, and select Next.

2.png

3. Copy and save the self-generated value from the Client Identifier field; you will need it later in the NordPass Admin Panel. In the Redirect URI field, enter the callback URL for your organization's data center and select Add:

If your organization is created in the U.S. data center:
https://api.nordbusinessaccount.com/v1/oauth/adfs/callback

If your organization is created in the EU data center:
https://business-auth.eu.nordpass.com/v1/oauth/adfs/callback

3.png

4. Select Next.

4.png

5. Select Generate a shared secret. Copy and save that value; you will need to use it later on in the NordPass Admin Panel. Select Next.

5.png

6. Select Next on the Summary screen.

6.png

7. Select Close on the Finish/Complete screen.

7.png

8. Select Application Groups in the AD FS management console, choose the newly created Application Group and select Properties in the Actions panel.

8.png

9. Select Add application…

9.png

10. Choose Web API from the template list and select Next.

10.png

11. Enter https://api.nordbusinessaccount.com in the Identifier field and select Add.

11.png

12. Select Next.

12.png

13. Choose Permit everyone from the access control policy list and select Next.

13.png

14. Ensure OpenID is selected in the Permitted scopes list and select Next.

14.png

15. Select Next on the Summary screen.

15.png

16. Select Close on the Finish/Complete screen.

16.png

17. Select OK.

17.png

18. The last step in the AD FS management console is to copy and save the domain URL (Federation Service name); you will need to use it later on in the NordPass Admin Panel.

Go to Service and select Edit Federation Service Properties… in the Actions panel. Copy the Federation Service name value from the newly opened window.

18.png

19. To be able to validate OAuth and OpenID Connect credentials, the NordPass API must be able to make requests to your Federation Service instance. The URL {FEDERATION_SERVICE_DOMAIN_NAME}/adfs/oauth2/authorize/ must be reachable from the NordPass API: port 443 must be open and TCP traffic allowed. If your firewall requires a specific source IP address to permit this access, please contact our support team and we will provide it.
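Before moving to the Admin Panel, you can confirm the AD FS side of steps 1 to 18 with a read-only PowerShell check. This script is an added example for this guide, not NordPass or Microsoft code; it assumes the ADFS PowerShell module on the AD FS server, an Application Group named NordPass (change $GroupName if yours differs), and the callback URLs and Web API identifier from steps 3 and 11.

```powershell
# Added verification script (not from NordPass or Microsoft). Run in an elevated
# PowerShell session on the AD FS server. It only reads configuration.
# Assumption: the Application Group from step 2 was named "NordPass".
$GroupName = 'NordPass'
$ExpectedRedirects = @(
    'https://api.nordbusinessaccount.com/v1/oauth/adfs/callback',   # U.S. data center (step 3)
    'https://business-auth.eu.nordpass.com/v1/oauth/adfs/callback'  # EU data center (step 3)
)
$ExpectedWebApiId = 'https://api.nordbusinessaccount.com'           # Web API identifier (step 11)

Import-Module ADFS -ErrorAction Stop
$group = Get-AdfsApplicationGroup -Name $GroupName -ErrorAction SilentlyContinue
if (-not $group) { throw "Application Group '$GroupName' not found" }
$gid = $group.ApplicationGroupIdentifier

# Step 3: the Server application holds the Client Identifier and the Redirect URI.
$client = Get-AdfsServerApplication -ApplicationGroupIdentifier $gid | Select-Object -First 1
$redirectOk = @($client.RedirectUri | Where-Object { $ExpectedRedirects -contains $_ }).Count -gt 0

# Steps 11-14: the Web API must carry the NordPass identifier, use the
# "Permit everyone" policy, and grant the openid scope to the Server application.
$webApi = Get-AdfsWebApiApplication -ApplicationGroupIdentifier $gid | Select-Object -First 1
$idOk     = $webApi.Identifier -contains $ExpectedWebApiId
$policyOk = $webApi.AccessControlPolicyName -eq 'Permit everyone'
$perm = Get-AdfsApplicationPermission | Where-Object {
    $_.ClientRoleIdentifier -eq $client.Identifier -and
    $webApi.Identifier -contains $_.ServerRoleIdentifier
}
$scopeOk = @($perm | Where-Object { $_.ScopeNames -contains 'openid' }).Count -gt 0

# Summary: the first two values are what you paste into the Admin Panel in step 25;
# every *Ok field should read True before you select Test Connection.
[pscustomobject]@{
    ClientIdentifier      = $client.Identifier
    FederationServiceName = (Get-AdfsProperties).HostName   # AD FS Domain URL (step 18)
    RedirectUriOk         = $redirectOk
    WebApiIdentifierOk    = $idOk
    PermitEveryoneOk      = $policyOk
    OpenIdScopeOk         = $scopeOk
} | Format-List
```

The shared secret from step 5 is never readable back from AD FS; if you did not save it, generate a new one in the Server application's properties.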

20. Open the NordPass Admin Panel at https://panel.nordpass.com and go to the Settings tab.

20.png

21. Select Single Sign-On (SSO) and Authentication.

21.png

22. Select Microsoft Active Directory Federation Services (AD FS).

22.png

23. Add and verify your company's domain by selecting Add Domain.

1.png

24. Enter your company's domain name and select Continue. Copy the generated DNS TXT entry and add it to your domain's DNS TXT configuration. Once added, return to the AD FS setup and select Verify.

Please note that it can take up to 72 hours to verify the domain.

2.png

25. Enter the Client Identifier (ID), Client Secret and the AD FS Domain URL that you copied and saved from the previous steps in the AD FS management console and select Test Connection.

3.png

26. Once the connection is established, you can select Turn On.

24.png

27. In the confirmation window, select Turn On to enable organization members to log in to NordPass via AD FS.

25.png

You've now successfully configured single sign-on with your on-premises AD FS as Identity Provider and NordPass as Service Provider.

26.png
