Configure Vault as a broker for AD FS SSO

Hello, is it possible to integrate Vault with cloud Active Directory in order to allow users to proceed with single sign-on for the internal services?

Basically, I don't want my app to authorize users directly on AD FS due to security restrictions. I want Vault to communicate with AD FS on its own; users should be authorized on Vault, but Vault should check the users' groups/roles and password in AD FS as per the SSO procedure.


Vault is not an SSO server but is designed for storing and managing secrets. You integrate AD with Vault, allowing users to log in to Vault via Azure SSO, and then you could use the Vault token generated within your application. That would be pretty clunky (users having to log in to Vault initially and then somehow pass the token to your app) and isn't really what Vault is designed for.
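For reference, this is what the "integrate AD with Vault" half of the answer looks like in practice. It is an added example written for this thread, not code from either poster or from HashiCorp: Terraform for the Vault provider that enables the OIDC auth method against an Azure AD (Entra ID) app registration and maps an Azure security group to a Vault policy, so Vault never sees the user's password (Azure does the credential and MFA check) and authorization is driven by the `groups` claim rather than per-user grants. Every concrete value (the Vault hostname, policy and group names, and the variables for tenant ID, client ID/secret and the group object ID) is a placeholder assumption. If the identity provider really is on-premises AD FS rather than Azure AD, the same auth method applies as long as AD FS exposes an OpenID Connect discovery document; only `oidc_discovery_url`, the scopes and the claim names change.

```hcl
# Added example, not from the thread. Assumes Terraform with the
# hashicorp/vault provider and an Azure AD app registration whose
# redirect URIs match allowed_redirect_uris below. All names and
# addresses are placeholders.

terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

variable "azure_tenant_id" {
  type = string
}
variable "azure_client_id" {
  type = string
}
variable "azure_client_secret" {
  type      = string
  sensitive = true
}
# Object ID of the Azure AD security group allowed to read the app's secrets.
variable "azure_app_readers_group_oid" {
  type = string
}

# Least-privilege policy for the internal app's secrets. It is attached to
# a group (below), never directly to individual users.
resource "vault_policy" "internal_app_reader" {
  name   = "internal-app-reader"
  policy = <<-EOT
    path "secret/data/internal-app/*" {
      capabilities = ["read"]
    }
  EOT
}

# OIDC auth method: Vault redirects the browser to Azure AD, which checks
# the password/MFA and returns an ID token. Neither Vault nor the app
# handles AD credentials.
resource "vault_jwt_auth_backend" "azure" {
  path               = "oidc"
  type               = "oidc"
  oidc_discovery_url = "https://login.microsoftonline.com/${var.azure_tenant_id}/v2.0"
  oidc_client_id     = var.azure_client_id
  oidc_client_secret = var.azure_client_secret
  default_role       = "azure-user"
}

resource "vault_jwt_auth_backend_role" "azure_user" {
  backend         = vault_jwt_auth_backend.azure.path
  role_name       = "azure-user"
  role_type       = "oidc"
  user_claim      = "email"
  groups_claim    = "groups"
  # Reject ID tokens minted for any other client, even from the same tenant.
  bound_audiences = [var.azure_client_id]
  # Requesting the Graph scope is what makes Azure include the groups claim.
  oidc_scopes     = ["https://graph.microsoft.com/.default"]
  allowed_redirect_uris = [
    "https://vault.example.internal:8200/ui/vault/auth/oidc/oidc/callback",
    "http://localhost:8250/oidc/callback", # used by `vault login -method=oidc`
  ]
  token_policies = ["default"]
  token_ttl      = 3600 # short-lived: the token will be handed to the app
}

# External identity group: Vault manages no members here. Membership is
# derived at login from the Azure group object ID in the "groups" claim.
resource "vault_identity_group" "app_readers" {
  name     = "azure-internal-app-readers"
  type     = "external"
  policies = [vault_policy.internal_app_reader.name]
}

resource "vault_identity_group_alias" "app_readers" {
  name           = var.azure_app_readers_group_oid
  mount_accessor = vault_jwt_auth_backend.azure.accessor
  canonical_id   = vault_identity_group.app_readers.id
}
```

After `terraform apply`, a user runs `vault login -method=oidc role=azure-user`, completes the Azure sign-in in the browser, and receives a Vault token whose policies reflect their Azure group membership at that moment; a user removed from the group gets a token without `internal-app-reader` on their next login. Two caveats a practitioner should check before relying on this: Azure emits group object IDs (not names) in the claim, and once a user belongs to more groups than Azure's claim limit it omits the claim entirely and emits an overage indicator instead, which silently strips that user's Vault policies. And, as the answer says, the token the user ends up with is a bearer credential; if the app has to receive it from the user, treat it like a password in transit and keep the TTL short.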