How to use SSO with Proton VPN for Business

Our VPN Professional and VPN Enterprise plans support single sign-on (SSO). In this article, we look at what SSO is, how to set up and manage it for your business or organization, and how staff members can use it.

We now have dedicated SSO setup guides for using Proton VPN with the following IdPs:

What is SSO?

Single sign-on technology allows you to access multiple applications and websites with a single username and password. The primary goal of SSO is to simplify the user experience by eliminating the need to remember and enter different usernames and passwords for each application you use to access your company’s resources and services. 

In a typical SSO scenario, once you log in to one of the connected applications, you’re automatically granted access to other applications without needing to log in again. This is not only convenient, but it enhances security by encouraging the use of stronger, unique passwords. It also reduces the likelihood of people resorting to insecure practices, such as using the same password across multiple services.

SSO is currently used mainly in business contexts, providing a convenient yet secure way for staff to access multiple SaaS applications. Network administrators can also use it to provide segmented access to company resources (that is, to restrict access to resources based on, for example, a user’s role or seniority within your organization).

SSO login credentials are typically managed by an identity provider (IdP) that verifies your credentials and, upon successful authentication, generates a token that your browser uses to automatically sign you in to websites and other services. Popular identity providers include Okta.

Proton VPN currently supports SSO using Security Assertion Markup Language (SAML) 2.0, an XML-based open standard for transferring data that verifies your identity between an identity provider and SaaS applications.

How to set up SSO for Proton VPN

Before you start, you’ll need the following: 

  • An account with an identity provider such as Okta
  • Once you have an account with an identity provider, you’ll need to configure it for Proton VPN. Your identity provider should then be able to provide the information required to configure SAML on your VPN Professional or VPN Enterprise account.

How to configure SAML SSO on your VPN Professional or VPN Enterprise account

1. Log in to your VPN Professional or VPN Enterprise administrator account at account.protonvpn.com and go to Single sign-on → SAML authentication → Configure SAML.

2. Add the domain name provided by your identity provider and click Add domain.

3. Verify the domain for your identity provider. To do this, log in to your domain provider’s web portal and enter the DNS TXT record displayed on this screen.

Click Continue once you’ve done this. 

4. Import the SAML metadata for Proton VPN from your identity provider. You can import this data via URL, XML file, or by manually filling out Text fields. Select your preferred method (which may be determined by your IdP) and input or upload the requested data.

Click Continue when you’re done. 

5. Provide the endpoints shown to your identity provider. If your IdP asks for an Assertion Consumer Service (ACS) URL and Issuer ID, simply copy and paste the information from this screen into your identity provider fields. 

Once you’ve done this, click Done.

SSO should now be configured on your VPN Professional or VPN Enterprise account. Click See details for an overview of your SSO settings.

How to manage SSO

Your organization’s users can now log in to Proton VPN apps using the username and password provided by your identity provider. To view which users can do this, log in to your VPN Professional or VPN Enterprise administrator account at account.protonvpn.com and go to Organization → All users. To manage access to your Proton VPN organization, log in to your identity provider. Note: SSO users will only appear here once they have signed in at least once.

You can manage individual users using the dropdown menu in the Edit column of the user you wish to manage SSO access for.

How to use SSO to sign in to Proton VPN

If an administrator for your organization has configured SSO for Proton VPN and enabled the feature for your user account, you can sign in to Proton VPN apps using your SSO password. To do this, click or tap Sign in with SSO when you sign in to your account at account.proton.me/vpn/login, or when you sign in to a Proton VPN app.