Configuring SSO
Configure Single Sign-On (SSO) for Pro Self-Hosted — connect Microsoft Entra ID, Google, or other identity providers so users sign in with your directory.
Single Sign-On (SSO) lets users sign in to Password Pusher Pro with your organization’s identity provider (IdP) instead of a local password. Pro Self-Hosted supports several providers; you configure each one in Admin → Settings → Auth and by creating an app (or client) in the IdP’s portal.
This page covers Microsoft Entra ID (Azure AD). Other providers (e.g. Google, Okta) will be documented as needed.
Where to configure SSO in Password Pusher
- Sign in as an administrator.
- Open Admin → Settings and go to the Auth section.
- Enter the Client ID, Client secret, and any provider-specific fields (e.g. Tenant ID for Microsoft) for the provider you want to enable.
- Save settings. The application will restart to apply changes.
The exact field names and values come from your IdP’s app registration. Below is how to set that up for Microsoft Entra ID.
Microsoft Entra ID (Azure AD)
To let users sign in with their Microsoft 365 or Entra ID accounts, you create an App registration in the Azure Portal and then paste the app’s Client ID, Client secret, and (for single-tenant) Tenant ID into Password Pusher.
1. Create an app registration
- In Azure Portal, go to Microsoft Entra ID (formerly Azure Active Directory).
- Select App registrations → New registration.
- Name: e.g. Password Pusher or Password Pusher Pro.
- Supported account types:
  - Accounts in this organizational directory only — Single-tenant; only users in your organization can sign in. You must provide the Tenant ID (or tenant domain) in Password Pusher.
  - Accounts in any organizational directory — Multi-tenant; users from any Entra ID tenant can authenticate to the app, so choose this only if you intend cross-organization sign-in. Leave Tenant ID blank in Password Pusher.
- Redirect URI: leave blank for now; you’ll add it in the next step.
- Click Register.
2. Add a Web redirect URI (required)
Password Pusher is a server-side web app and must use a Web redirect URI and a client secret. Do not register it as a “Single-page application” or “Public client,” or you may see errors such as AADSTS700025 (client is public; client secret must not be sent).
- In your app registration, open Authentication.
- Under Platform configurations, click Add a platform → Web.
- Redirect URI: https://<your-password-pusher-domain>/users/auth/microsoft_graph/callback (for example https://pwp.yourcompany.com/users/auth/microsoft_graph/callback). Entra ID matches redirect URIs exactly, so the scheme, host, port and path must be the ones users actually reach Password Pusher on.
- Under Advanced settings, set Allow public client flows to No (so the app is treated as a confidential client).
- Click Configure.
3. Create a client secret
- In the app registration, open Certificates & secrets.
- Client secrets → New client secret.
- Add a description (e.g. Password Pusher Pro) and choose an expiry. Record the expiry date: once the secret expires, sign-in stops working until you create a new secret and update Password Pusher.
- Click Add, then copy the Value immediately (it is shown only once). This is the Client secret you will paste into Password Pusher; treat it like a password and do not store it in tickets or chat.
4. Note Application (client) ID and Directory (tenant) ID
- On the app registration Overview page, copy:
- Application (client) ID → this is the Client ID in Password Pusher.
- Directory (tenant) ID → needed only for single-tenant apps; enter this (or your tenant domain, e.g. contoso.onmicrosoft.com) in the Tenant ID field in Password Pusher. Leave Tenant ID blank for multi-tenant apps.
5. Enter values in Password Pusher
- In Password Pusher Pro: Admin → Settings → Auth.
- In the Microsoft section:
- Client ID: paste the Application (client) ID.
- Client secret: paste the client secret value.
- Tenant ID (optional):
  - Single-tenant app: enter your Directory (tenant) ID (a GUID) or your tenant domain (e.g. contoso.onmicrosoft.com, or a custom verified domain like contoso.com). If you omit this for a single-tenant app, sign-in fails with AADSTS50194 because the request goes to the /common endpoint, which single-tenant apps do not accept.
  - Multi-tenant app: leave blank.
- Save. The app will restart.
Troubleshooting
| Error or behavior | What to do |
|---|---|
| AADSTS50194 — “Application is not configured as a multi-tenant application” / “Use a tenant-specific endpoint” | Your app is single-tenant. In Password Pusher, set Tenant ID to your Directory (tenant) ID or tenant domain (e.g. contoso.onmicrosoft.com). |
| AADSTS700025 — “Client is public so neither client_assertion nor client_secret should be presented” | The app is registered as a public client. In Azure, under Authentication, add a Web platform with your redirect URI and set Allow public client flows to No. Ensure you are not using “Single-page application” or “Mobile and desktop” as the only platform. |
| Sign-in at Microsoft succeeds, but Password Pusher then rejects the account with a message about the email domain | Password Pusher creates the local account from the email address the IdP returns. Ensure the user's Entra ID account has an email (the mail attribute) populated, in a domain your organization accepts, if your organization requires it for account creation. |
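The following Python script is an added example, not code from this page or from Password Pusher. It checks an exported app registration against the settings in steps 1 to 5 before you save them in Password Pusher, and flags the two conditions behind the AADSTS errors in the table above (public-client registration and a single-tenant app used without a Tenant ID), plus an expiring client secret. It assumes the manifest follows the Microsoft Graph application schema that the portal's Manifest blade exports (signInAudience, web.redirectUris, spa.redirectUris, publicClient.redirectUris, isFallbackPublicClient, passwordCredentials[].endDateTime); the hostname, dates and both sample manifests are constructed.

```python
"""Offline preflight check of an Entra ID app registration for Password Pusher.

Assumption (not from the page): the manifest dict follows the Microsoft Graph
application schema that the portal's Manifest blade exports. Hostnames, dates
and the sample manifests below are constructed for illustration.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Callback path from the page; Entra ID must have exactly this Web redirect URI.
CALLBACK_PATH = "/users/auth/microsoft_graph/callback"


def expected_redirect_uri(base_url: str) -> str:
    """Build the exact Web redirect URI for the Password Pusher base URL."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("base URL must be https://host[:port]")
    return f"https://{parts.netloc}{CALLBACK_PATH}"


def authority(tenant_id: str | None) -> str:
    """Authority used at sign-in: tenant-specific when Tenant ID is set, else /common."""
    return f"https://login.microsoftonline.com/{tenant_id or 'common'}/v2.0"


def check_registration(manifest: dict, base_url: str, tenant_id: str | None,
                       now: datetime | None = None) -> list[str]:
    """Return findings for a registration; an empty list means it looks correct."""
    now = now or datetime.now(timezone.utc)
    findings: list[str] = []
    want = expected_redirect_uri(base_url)

    # Redirect URIs are matched exactly; a near miss is a common cause of failure.
    web_uris = manifest.get("web", {}).get("redirectUris", [])
    if want not in web_uris:
        findings.append(f"missing Web redirect URI {want}")
    for uri in web_uris:
        if uri != want and uri.lower().rstrip("/") == want.lower():
            findings.append(f"redirect URI {uri!r} differs from the expected one only in case or trailing slash")

    # SPA/public-client redirect URIs or 'Allow public client flows: Yes' make the
    # app a public client; sending a client secret then fails with AADSTS700025.
    if manifest.get("spa", {}).get("redirectUris") or manifest.get("publicClient", {}).get("redirectUris"):
        findings.append("SPA or public-client redirect URIs present; keep only the Web platform (AADSTS700025)")
    if manifest.get("isFallbackPublicClient"):
        findings.append("Allow public client flows is Yes; set it to No (AADSTS700025)")

    # A single-tenant app reached through /common is rejected with AADSTS50194.
    audience = manifest.get("signInAudience")
    if audience == "AzureADMyOrg" and not tenant_id:
        findings.append(f"single-tenant app but Tenant ID is blank, so sign-in would use {authority(None)} (AADSTS50194)")

    # An expired client secret is rejected at token exchange; warn before it happens.
    creds = manifest.get("passwordCredentials", [])
    if not creds:
        findings.append("no client secret on the registration")
    for cred in creds:
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        label = cred.get("displayName") or cred.get("keyId")
        if end <= now:
            findings.append(f"client secret {label!r} expired on {end.date()}")
        elif end - now < timedelta(days=30):
            findings.append(f"client secret {label!r} expires within 30 days ({end.date()})")
    return findings


# Constructed sample manifests (hypothetical hostname, dates and secret names).
BASE_URL = "https://pwp.yourcompany.com"
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
GOOD_MANIFEST = {
    "signInAudience": "AzureADMyOrg",
    "isFallbackPublicClient": False,
    "web": {"redirectUris": [BASE_URL + CALLBACK_PATH]},
    "spa": {"redirectUris": []},
    "publicClient": {"redirectUris": []},
    "passwordCredentials": [{"displayName": "Password Pusher Pro", "endDateTime": "2027-01-15T00:00:00Z"}],
}
BAD_MANIFEST = {  # registered as a SPA, public flows allowed, secret expired
    "signInAudience": "AzureADMyOrg",
    "isFallbackPublicClient": True,
    "web": {"redirectUris": []},
    "spa": {"redirectUris": [BASE_URL + CALLBACK_PATH]},
    "passwordCredentials": [{"displayName": "old secret", "endDateTime": "2025-06-01T00:00:00Z"}],
}

if __name__ == "__main__":
    for name, manifest, tenant in (("good", GOOD_MANIFEST, "contoso.onmicrosoft.com"),
                                   ("bad", BAD_MANIFEST, None)):
        print(name, check_registration(manifest, BASE_URL, tenant, now=NOW) or ["OK"])
```

Export the manifest from the app registration's Manifest blade, load it with json.load, and call check_registration with the base URL users reach Password Pusher on and the Tenant ID you intend to enter (None for a multi-tenant app). Running the script as-is checks the two constructed manifests: the good one returns no findings and the bad one reports each misconfiguration with the AADSTS code you would otherwise see only after a failed sign-in.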
See Also
- Overview — Pro Self-Hosted plans and features
- Disable “Require SSO for login?” — Allow non-SSO sign-in when SSO is enabled