This documentation will guide you through setting up Tresorit SSO with Azure AD. You’ll have to create and configure a new application on the Azure Portal in your Azure Active Directory configuration page. During this configuration, you will acquire GUIDs that you’ll have to set in Tresorit’s Admin Center. Once you have the GUIDs, you can set up the policy groups and users and enable SSO policy for them, as a last step.

🎓 You might be interested:
Introduction to SSO
Managing SSO users

How to set up SSO in Tresorit

Configuring a new application in Azure Active Directory

App registrations

Click on App registrations and create a New registration.

Register an application

Provide a name and select Single tenant. We will configure the Redirect URIs later, as we need to set multiple values.

Configuration - Branding (Optional)

Optionally you may set some basic URLs:

• Home page URL: https://web.tresorit.com
• Terms of service URL: https://tresorit.com/terms-of-use
• Privacy statement URL: https://tresorit.com/privacy-policy

Configuration - Authentication

On the Authentication page, you can add new platforms using Add a platform.

Web platform

First, you need to add a Web platform. Configure the following URIs:

• Redirect URIs: https://web.tresorit.com/sso-login
• Logout URL: https://web.tresorit.com/sso-logout

📝 Note: the SSO logout feature is not yet implemented.

Also check both Access tokens and ID tokens.

Mobile and desktop applications

You’ll need to add another platform for the Mobile and desktop applications. Set the following custom redirect URIs:

• https://tresor.it/sso
• tresorit://sso

Configuration - Token configuration

Tresorit needs to have some information included in the tokens during authentication, which are required for user identification and user creation.

These can be added via Add optional claim. Select ID as token type and check the following items:

• email (required to identify the user)
• family_name (required for user creation)
• given_name (required for user creation)
• xms_pl (required for user creation)

Configuration - API permissions

Make sure to also set the following permissions by clicking Add a permission, then selecting Microsoft Graph, then Delegated permission:

• email
• openid
• profile
• User.ReadWrite

Also click Grant admin consent for Your AD.

Required GUIDs

Now that the configuration is done, you will need two GUIDs from the Azure Portal. These are the following:

• Application (client) ID
• Directory (tenant) ID

These can be found on your application’s Overview page.

Setting up SSO in Tresorit’s Admin Center

Step 1. On the Settings tab

On the Settings tab, make sure that Advanced Control is enabled. Then click Enable SSO under the Single Sign-On section.

The following window will come up, prompting you to accept Tresorit's SSO specific Terms.

Once you accepted the Terms, select Azure Active Directory and paste in the previously acquired IDs.

You might need to enter your password again if your session has expired. If you’re successful, a gentle notification should appear.

Step 2. On the Policies tab

Under the Policies tab, you can either create a new policy or edit an existing one. Set the Single Sign-On policy to Enabled, so the users with that policy will have to use the configured Azure AD server for signing in. Don’t forget to Save the changes to your policy.

The 2-Step Verification policy will be turned off for this group, as in case of SSO, this feature is handled by Azure AD. Your users will have to use 2-Step Verification via their configured method in their Azure AD profile.

Using SSO in Tresorit

• Please note that If you're using SSO, Internet Explorer 11 and all versions of Microsoft Edge until 44.19041 are not supported.

Activation

For existing users in the policy group, a migration dialog will appear in the Tresorit applications. They will have to confirm their current password before being redirected to the company login page. After they log in there as well, their Tresorit password will no longer be valid, and they’ll only be able to sign in through the SSO option.

In case of the subscription owner, the Tresorit password remains, because it is still required for Advanced Control functionality.

Deactivation

When you disable the SSO policy for a user, they will be required to set a password again. In some cases, SSO authentication might not be available, so this process includes an email confirmation before letting them set their new password.

Sign up without an invitation

You can also verify that certain domains are in your control. In such cases, the new users in your company can perform their registration with SSO right away, and they won’t need to click on the invitation link. This provides a user friendly first sign-in experience. To enable this, please contact support.

Still have questions left? Drop us a line