This documentation will guide you through setting up Tresorit SSO with Azure AD. You’ll have to create and configure a new application on the Azure Portal in your Azure Active Directory configuration page. During this configuration, you will acquire GUIDs that you’ll have to set in Tresorit’s Admin Center. Once you have the GUIDs, you can set up the policy groups and users and enable SSO policy for them, as a last step.
How to set up SSO in Tresorit
Configuring a new application in Azure Active Directory
App registrations
Click on App registrations and create a New registration.
Register an application
Provide a name and select Single tenant. We will configure the Redirect URIs later, as we need to set multiple values.
Configuration - Branding (Optional)
Optionally you may set some basic URLs:
- Home page URL: https://web.tresorit.com
- Terms of service URL: https://tresorit.com/terms-of-use
- Privacy statement URL: https://tresorit.com/privacy-policy
Configuration - Authentication
On the Authentication page, you can add new platforms using Add a platform.
Web platform
First, you need to add a Web platform. Configure the following URIs:
- Redirect URIs: https://web.tresorit.com/sso-login
- Logout URL: https://web.tresorit.com/sso-logout
📝 Note: the SSO logout feature is not yet implemented.
Also check both Access tokens and ID tokens.
Mobile and desktop applications
You’ll need to add another platform for the Mobile and desktop applications. Set the following custom redirect URIs:
Configuration - Token configuration
Tresorit needs to have some information included in the tokens during authentication, which are required for user identification and user creation.
These can be added via Add optional claim. Select ID as token type and check the following items:
- email (required to identify the user)
- preferred_username (required to identify the user)
- family_name (required for user creation)
- given_name (required for user creation)
- xms_pl (required for user creation)
Configuration - API permissions
Make sure to also set the following permissions by clicking Add a permission, then selecting Microsoft Graph, then Delegated permission:
- openid
- profile
- User.ReadWrite
Also click Grant admin consent for Your AD.
Required GUIDs
Now that the configuration is done, you will need two GUIDs from the Azure Portal. These are the following:
- Application (client) ID
- Directory (tenant) ID
These can be found on your application’s Overview page.
Setting up SSO in Tresorit’s Admin Center
Step 1. On the Settings tab
On the Settings tab, make sure that Advanced Control is enabled. Then click Enable SSO under the Single Sign-On section.
The following window will come up, prompting you to accept Tresorit's SSO specific Terms.
Once you accepted the Terms, select Azure Active Directory and paste in the previously acquired IDs.
You might need to enter your password again if your session has expired. If you’re successful, a gentle notification should appear.
Step 2. On the Policies tab
Under the Policies tab, you can either create a new policy or edit an existing one. Set the Single Sign-On policy to Enabled, so the users with that policy will have to use the configured Azure AD server for signing in. Don’t forget to Save the changes to your policy.
The 2-Step Verification policy will be turned off for this group, as in case of SSO, this feature is handled by Azure AD. Your users will have to use 2-Step Verification via their configured method in their Azure AD profile.
Using SSO in Tresorit
- Please note that If you're using SSO, Internet Explorer 11 and all versions of Microsoft Edge until 44.19041 are not supported.
Activation
For existing users in the policy group, a migration dialog will appear in the Tresorit applications. They will have to confirm their current password before being redirected to the company login page. After they log in there as well, their Tresorit password will no longer be valid, and they’ll only be able to sign in through the SSO option.
In case of the subscription owner, the Tresorit password remains, because it is still required for Advanced Control functionality.
Deactivation
When you disable the SSO policy for a user, they will be required to set a password again. In some cases, SSO authentication might not be available, so this process includes an email confirmation before letting them set their new password.
Sign up without an invitation
You can also verify that certain domains are in your control. In such cases, the new users in your company can perform their registration with SSO right away, and they won’t need to click on the invitation link. This provides a user friendly first sign-in experience. Learn how to verify your domain via this article.
Still have questions left? Drop us a line