
SAML2 auth of users, not in local AD





I'm trying to design a solution with the following properties:

Manage accounts in a local AD - i.e. password change and account unlock/lock on check out/check in of passwords

Passwordstate users coming from another (Azure) AD - and not managed locally in passwordstate


Is this possible to achieve? I imagine doing SAML auth for Passwordstate users and regular AD integration for the "protected" accounts.


And how is this licensed, since there will be no locally created users in Passwordstate?


Hello EmilS,


With our SAML Authentication, you still need to have "matching" accounts in Passwordstate - they don't need to be AD Accounts, and instead you can create Local Accounts. I've provided a screenshot below for this.

And with your SAML Configuration, you need to select which field you want to match against back in Passwordstate, once the SAML Authentication completes successfully i.e. UserID or EmailAddress - most customers pick EmailAddress.

As you want a mixture of AD Accounts and Local Accounts in Passwordstate, you may need to use SAML Authentication for all of them. The only way to work around this is to disable 'Anonymous' Authentication for the site in IIS, and then use a User Account Policy (in the Admin area), to specify a different Auth option for the AD Users.



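A worked illustration of the matching step the reply above describes (choose UserID or EmailAddress, then map the validated assertion onto an account that already exists). This is added example code, not Passwordstate's own implementation; the account records, attribute name and assertion are constructed samples, and signature and condition validation of the assertion is assumed to have happened before this step.

```python
"""Post-authentication account matching for SAML logins (added example).

Once the IdP assertion has been validated, the configured field
(UserID or EmailAddress) is compared against accounts that already
exist in the application. Accounts are never created on the fly:
an assertion that matches no account, or more than one, is rejected.
"""
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a Local account and an AD account side by side.
LOCAL_ACCOUNTS = [
    {"UserID": "emil.s", "EmailAddress": "Emil.S@example.com", "AuthSource": "Local"},
    {"UserID": "CONTOSO\\svc_admin", "EmailAddress": "svc.admin@example.com", "AuthSource": "AD"},
]

# Constructed sample assertion body (assumed already signature-checked).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>emil.s</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="EmailAddress">
      <saml:AttributeValue>emil.s@EXAMPLE.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claim(assertion_xml: str, match_field: str) -> Optional[str]:
    """Return the value the assertion carries for the configured match field."""
    root = ET.fromstring(assertion_xml)
    if match_field == "UserID":
        node = root.find("saml:Subject/saml:NameID", NS)
        return node.text.strip() if node is not None and node.text else None
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == match_field:
            val = attr.find("saml:AttributeValue", NS)
            return val.text.strip() if val is not None and val.text else None
    return None


def match_account(assertion_xml: str, match_field: str, accounts) -> Optional[dict]:
    """Map a validated assertion onto exactly one pre-existing account, else None."""
    claim = extract_claim(assertion_xml, match_field)
    if not claim:
        return None  # IdP did not send the field we match on: reject
    norm = claim.casefold()  # e-mail and user IDs compare case-insensitively
    hits = [a for a in accounts if a.get(match_field, "").casefold() == norm]
    return hits[0] if len(hits) == 1 else None  # ambiguity is also a rejection
```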
