
SAML2 auth of users, not in local AD


EmilS


Hi.

 

I'm trying to design a solution with the following properties:

Manage accounts in a local AD - i.e. password change and account unlock/lock on check out/check in of passwords

Passwordstate users coming from another (Azure) AD - and not managed locally in passwordstate

 

Is this possible to achieve? I imagine doing SAML auth for Passwordstate users and regular AD integration for the "protected" accounts.

 

And how is this licensed? Since there will be no locally created users in Passwordstate?


Hello EmilS,

 

With our SAML Authentication, you still need to have "matching" accounts in Passwordstate - they don't need to be AD Accounts, and instead you can create Local Accounts. I've provided a screenshot below for this.

And with your SAML Configuration, you need to select which field you want to match against back in Passwordstate, once the SAML Authentication completes successfully i.e. UserID or EmailAddress - most customers pick EmailAddress.

As you want a mixture of AD Accounts and Local Accounts in Passwordstate, you may need to use SAML Authentication for all of them. The only way to work around this is to disable 'Anonymous' Authentication for the site in IIS, and then use a User Account Policy (in the Admin area), to specify a different Auth option for the AD Users.

 

[Screenshot: locaccount.png]

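The reply above describes the core of the design: after the IdP's SAML response is validated, one attribute from the assertion (UserID or EmailAddress) is compared against a pre-provisioned local account, and the user is only admitted when that lookup succeeds. The following is an added illustration written for this thread, not Passwordstate's or Click Studios' code. The local account table, the assertion, and the attribute names "EmailAddress" and "UserID" are all constructed assumptions; a real IdP's attribute names depend on its configuration, and signature and audience validation of the response is assumed to have already happened before this matching step.

```python
"""Map a validated SAML 2.0 assertion onto exactly one local account.

Added example for this thread; it is not Passwordstate code. The account
table, the assertion and the attribute names below are constructed.
"""
from typing import Optional
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Which SAML attribute (assumed names) feeds which local-account column.
ATTRIBUTE_FOR_FIELD = {"email": "EmailAddress", "user_id": "UserID"}

# Constructed local account table: these accounts exist only in the app,
# not in the local AD, mirroring the "Local Accounts" option in the reply.
LOCAL_ACCOUNTS = [
    {"id": 1, "user_id": "emils", "email": "emil.s@example.com", "enabled": True},
    {"id": 2, "user_id": "jdoe", "email": "J.Doe@example.com", "enabled": True},
    {"id": 3, "user_id": "old", "email": "old@example.com", "enabled": False},
]

# Constructed assertion. A real one is signed; verify the signature, issuer,
# audience and validity window before trusting any attribute in it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">emil.s@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="EmailAddress">
      <saml:AttributeValue>Emil.S@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="UserID">
      <saml:AttributeValue>emils</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attribute(assertion_xml: str, attr_name: str) -> Optional[str]:
    """Return the first value of the named SAML attribute, or None if absent."""
    root = ET.fromstring(assertion_xml)
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                return value.text.strip()
    return None


def match_local_account(assertion_xml: str, match_field: str) -> Optional[dict]:
    """Resolve the assertion to one enabled local account, or None.

    match_field is the local-account column to compare ("email" or
    "user_id"). Admission fails closed when the attribute is missing, when it
    matches no account, when the only match is disabled, or when it is
    ambiguous (matches more than one account), since an ambiguous match could
    log the user into someone else's account.
    """
    claimed = extract_attribute(assertion_xml, ATTRIBUTE_FOR_FIELD[match_field])
    if not claimed:
        return None
    claimed = claimed.casefold()  # e-mail and user IDs compare case-insensitively
    hits = [a for a in LOCAL_ACCOUNTS if a[match_field].casefold() == claimed]
    if len(hits) != 1 or not hits[0]["enabled"]:
        return None
    return hits[0]


if __name__ == "__main__":
    print(match_local_account(SAMPLE_ASSERTION, "email"))
    print(match_local_account(SAMPLE_ASSERTION, "user_id"))
```

Matching on EmailAddress, as the reply says most customers do, works well only if the e-mail column is unique and kept in sync with the IdP; the `len(hits) != 1` check is what turns a duplicate or stale entry into a denied login rather than a wrong-account login.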
