Our VPN Business and VPN Enterprise plans support single sign-on (SSO) as an early access (beta) feature. In this article, we look at what SSO is, how to set up and manage it for your business or organization, and how staff members can use it.
- What is SSO?
- How to set up SSO for Proton VPN
- How to manage SSO for Proton VPN
- How to use SSO to sign in to Proton VPN
What is SSO?
Single sign-on technology allows you to access multiple applications and websites with a single username and password. The primary goal of SSO is to simplify the user experience by eliminating the need to remember and enter different usernames and passwords for each application you use to access your company’s resources and services.
In a typical SSO scenario, once you log in to one of the connected applications, you’re automatically granted access to other applications without needing to log in again. This is not only convenient, but it enhances security by encouraging the use of stronger, unique passwords. It also reduces the likelihood of people resorting to insecure practices, such as using the same password across multiple services.
SSO is currently used mainly in business contexts, providing a convenient yet secure way for staff to access multiple SaaS applications. Network administrators can also use it to provide segmented access to company resources (that is, to restrict access to resources based on, for example, a user’s role or seniority within your organization).
SSO login credentials are typically managed by an identity provider (IdP) who verifies your credentials and, upon successful authentication, generates a token that your browser will use to automatically sign you in to websites and other services. Popular identity providers include Okta.
Proton VPN currently supports SSO using Security Assertion Markup Language (SAML) 2.0, an XML-based open standard for transferring data that verifies your identity between an identity provider and SaaS applications.
How to set up SSO for Proton VPN
Before you start, you’ll need the following:
- A VPN Business or VPN Enterprise account with Administrator privileges
- An account with an identity provider such as Okta.
- Once you have an account with an identity provider, you’ll need to configure it for Proton VPN. Your identity provider should then be able to provide the information required to configure SAML on your Proton VPN Business and VPN Enterprise account.
How to configure SAML SSO on your VPN Business or VPN Enterprise account
1. Log in to your VPN Business and VPN Enterprise administrator account at account.protonvpn.com and go to Single sign-on → SAML authentication → Configure SAML.
2. Add the domain name provided by your identity provider and click Add domain.
3. Verify the domain for your identity provider. To do this, log in to your domain provider’s web portal and enter the DNS TXT record displayed on this screen.
Click Continue once you’ve done this.
4. Import the SAML metadata for Proton VPN from your identity provider. You can import this data via URL, XML file, or by manually filling out Text fields. Select your preferred method (which may be determined by your IdP) and input or upload the requested data.
Click Continue when you’re done.
5. Provide the endpoints shown to your identity provider. If your IdP asks for an Assertion Consumer Service (ACS) URL and Issuer ID, simply copy and paste the information from this screen into your identity provider fields.
Once you’ve done this, click Done.
SSO should now be configured on your VPN Business and VPN Enterprise account. Click See details for an overview of your SSO settings.
How to manage SSO
Your organization’s users can now log in to Proton VPN apps using the username and password provided by your identity provider. To view which users can do this, log in to your VPN Business or VPN Enterprise administrator account at account.protonvpn.com and go to Organization → All users. To manage access to your Proton VPN organization, log in to your identity provider. Note: SSO users will only appear here once they have signed in at least once.
You can manage individual users using the dropdown menu in the Edit column of the user you wish to manage SSO access for
How to use SSO to sign in to Proton VPN
If an administrator for your organization has configured SSO for Proton VPN and enabled the feature for your user account, you can sign in to Proton VPN apps using your SSO password. To do this, click or tap Sign in with SSO when you sign into your account at account.proton.me/vpn/login, or when you sign in to a Proton VPN app.
