How to set up SSO for Proton VPN using Okta

Reading
7 mins
Category
Get started

Our Proton VPN for Business plans support single sign-on (SSO) as an early access (beta) feature. In this article, we look at how to set up SSO on Proton VPN for Business using Okta as your identity provider (IdP).

Learn more about SSO(new window)

SSO for Proton VPN supports the following features:

  • IdP-initiated SSO
  • Service provider (SP) initiated SSO

For more information on these, please visit the Okta Glossary(new window). In this support article, we’ll look at:

  • How to configure Proton VPN on Okta
  • How to configure SAML SSO on your Proton VPN for Business account
  • How to add SSO users in Okta

How to set up SSO for Proton VPN using Okta

Proton VPN currently supports SSO using Security Assertion Markup Language(new window) (SAML) 2.0, an XML(new window)-based open standard for transferring data that verifies your identity between an IdP and SaaS applications. 

Before you start, you’ll need the following: 

Once you have an account with Okta, you’ll need to configure it for Proton VPN. You can then configure SAML on your Proton VPN for Business account.

Here’s what we’ll cover next:

How to configure Proton VPN on Okta

Option 1. Use the official integration

This option uses the official Proton VPN Okta SSO application, and is the recommended option if you don’t plan to use SCIM. If you do plan to use SCIM, for now, you’ll need to create your own Proton VPN Okta SSO application instead (see option 2 below).

1. Log in to your Okta account(new window) and go to Applications Browse App Catalog

Browse app category

2. Search for Proton VPN SAML.

3. Click Add Integration

Add Integration

4. You’ve now created a SAML integration for Proton VPN. Go to SAML 2.0Metadata detailsMetadata URLCopy.

Option 2. Create your own integration

If you want to use SCIM, you’ll need to create your own Proton VPN Okta SSO application.

1. Sign in to your Okta account(new window) and go to Applications Create App Integration

Create App Integration

2. Select SAML 2.0 and then click Next

Select SAML 2.0

3. Give your app a name and upload a logo for it (optional). Click Next when you’re ready.

Give your app a name

4. Under section A SAML SettingsGeneral, enter the following information:

Now scroll down to the bottom of the page and click Save

Create a SAML integration

5. Answer the question Help Okta Support understand how you configured this application as best describes the use of your app. This answer is simply feedback for the Okta support team, and doesn’t affect your setup in any way. Click Finish when you’re ready.

Provide feedback

6. You’ve now created a SAML integration for Proton VPN. Go to SAML 2.0Metadata detailsMetadata URLCopy.

How to configure SAML SSO on your Proton VPN for Business account

1. Log in to your Proton VPN for Business administrator account at account.protonvpn.com and go to Single sign-onSAML authenticationConfigure SAML

Configure SAML

2. Add your organization’s domain name and click Add domain

Add domain

3. Verify the domain for your identity provider. To do this, log in to your domain provider’s web portal and enter the DNS TXT record(new window) displayed on this screen. 

Back at account.protonvpn.com, click Continue once you’ve done this. 

Verify domain

4. A screen will show you the endpoints needed by Okta. However, this has already been automatically configured in the official Proton VPN SSO application for Okta that you set up above. So just click Continue.

5. Import the SAML metadata for Proton VPN from Okta. Select URL and paste in the URL you copied in step 4 of Configure Proton VPN on Okta (above). To find this page again in your Okta console, go to ApplicationsApplications → [the application you just created] → Sign-on tab. 

Click Done when you’re ready. 

Import SAML metadata fro URL

SSO using Okta should now be configured on your Proton VPN for Business account. Click See details for an overview of your SSO settings. 

SAML configured

How to add SSO users in Okta

Before your users can sign in to our organization using SSO, you’ll need to add them in Okta. 

1. Log in to your Okta account(new window) and go to DirectoryPeopleAdd person

Add person

2. Go to User type and select User from the dropdown menu. Now fill in their details. The username and primary email address must use your organization’s domain. Click Save or Save and Add Another when you’re done. 

Fill in their details

3. When you’re done, go to DirectoryPeople to see a list of users you’ve added. Click on a name.

Go to the People Directory

4. In the Applications tab, click Assign Applications.

Assign Applications

5. Click Assign next to the Proton VPN application you created above., followed by Done.

Assign

6. Re-enter the user’s User Name, then click Save and Go Back

Re-enter the user’s User Name

7. Click Done.

Click Done

8. Repeat the process for as many SSO users as you like. When you’re done, click Set Password & Activate

9. At the confirmation screen, click Set Password & Activate

Set Password & Activate

10. Create a temporary password and make a note of it (there’s a copy button to copy it to your device’s clipboard). Each new user will use this password just once to sign in to Proton VPN via SSO for the first time. Click Close when you’re ready. 

Reset pasword

How to use SSO to sign in to Proton VPN for the first time

As a user with a new SSO account configured on Okta, go account.proton.me/vpn.

1. Click Sign in with SSO on any Proton VPN login screen. 

Sign in with SSO

2. Enter your email address (as configured on Okta) and hit Sign in

Enter your email address (as configured on Okta)

3. Enter your temporary SSO password (this will be supplied by your manager, or see steps 9 and 10 in the “How to add SSO users in Okta” section above), and click Sign in.

Enter your temporary SSO password

4. You’ll now be asked to create a new permanent password (that will replace the single-use temporary password you were provided). Once you’ve done this, click Change password and you’ll log in to your Proton Account. 

Create a new permanent password

How to use SSO to sign in to Proton VPN

As a user, once you’ve created your SSO password, you can use it (together with your company username) to sign in to Proton VPN apps. To do this, click or tap Sign in with SSO on any Proton VPN login screen.

Sign in with SSO

How to manage SSO for Proton VPN

Your organization’s users can now log in to Proton VPN apps using the username and password they created (see above). To view which users can do this, log in to your Proton VPN for Business administrator account at account.protonvpn.com and go to OrganizationAll users. Note: SSO users will only appear here once they have signed in at least once. 

To manage access to your Proton VPN organization, log in to your identity provider.

You can manage individual users using the dropdown menu in the Edit column of the user you wish to manage SSO access for.

Manage SSO in your organization dashboard

To turn off SSO for your whole organization, go to Single sign-onRemove single sign-on Stop using single sign-on.

Please note that doing this deletes all configurations and users associated with your domain. We therefore strongly recommend against turning off SSO for your whole organization.

Troubleshooting

If you see the following message:

There is an error in the single sign-on configuration, please contact your organization administrator.

Please:

  1. Confirm that the certificate you uploaded on the Proton VPN SAML configuration page matches the one provided by the Okta IdP.
  2. Confirm that the Single sign-on entity ID on the Proton VPN SAML configuration page is the same as the Issuer.