---
locale: "en"
updated_at: "2025-10-28T12:35:41.840Z"
canonical: "https://www.isdecisions.com/en/userlock/docs/reference/modules/sso"
---

# UserLock Single Sign-On (SSO)

How it works and key requirements.

## Why UserLock SSO matters

- **One identity source**: Users authenticate with their existing AD credentials. No need for duplicate directories or external identity repositories.
- **Stronger security**: Built on SAML 2.0 federation, reinforced with MFA prompts and granular access policies.
- **Continuity**: Fast deployment without disrupting existing on-premises access.
- **Resilience**: Automatic certificate renewal and support for backup SSO servers.
- **Centralized control**: Unified monitoring, auditing, and reporting for SSO sessions, including successful and denied logons.

## How UserLock SSO works (general case)

UserLock SSO is hosted on premise and retains Active Directory as authoritative Identity Provider.

For access to SaaS Applications, the user is authenticated with their existing on premise credentials. Users may also be prompted for Two-factor Authentication, depending on the conditions that are set.

![](https://a.storyblok.com/f/122374/886x822/43504ee838/ul_sso_saasapp.png)

1. The user connects to a SaaS application (Service Provider, SP).
2. Authentication is delegated to UserLock SSO, acting as the Identity Provider (IdP), via a **SAML request**.
3. UserLock authenticates the user against on-premises AD credentials.
4. If successful, UserLock checks whether MFA is required and enforces contextual restrictions (location, IP address, time).
5. UserLock returns a signed **SAML assertion** to the SP, with the decision (access granted or denied).
6. The SP allows or denies the user’s session accordingly.

## Microsoft 365 with Active Directory

![](https://a.storyblok.com/f/122374/1021x906/6f7024be79/ul_sso_microsoft365.png)

- UserLock SSO keeps on-premises AD as the authoritative identity source.
- Azure AD is no longer used for authentication. Instead, Microsoft 365 is redirected to UserLock SSO.
- **Azure AD Connect** remains required to synchronize certain attributes (e.g., ImmutableID) across both directories.
- UserLock applies MFA and contextual restrictions on Microsoft 365 logins, just as it does for other SaaS applications.

## Microsoft 365 with Azure AD Domain Services (Entra ID)

UserLock SSO can also be hosted in a **virtual network** and use **Azure AD Domain Services (AAD DS)** as the authoritative identity source.

In this case, users authenticate with their Azure AD credentials, but UserLock enforces MFA and contextual restrictions before granting access to Microsoft 365.

The same SAML-based workflow applies: UserLock validates the session, checks restrictions, and issues a signed assertion to Microsoft 365.

![](https://a.storyblok.com/f/122374/1021x912/a3c0500ae9/ul_sso_withazureaddomainservices.png)

## Key requirements for deployment

1. Install the UserLock SSO service on a **Windows Server 2012 R2 or higher**.
2. Use a **valid SSL certificate** and a** registered public domain name** (e.g., `sso.mydomain.com`).
3. Configure DNS (split-DNS for internal and external resolution).
4. Manage SaaS applications in the SSO console, with preconfigured templates or custom SAML profiles.
5. Activate **MFA for SSO connections** (handled as “server logons” in MFA settings).

> **Note**
>
> For more details, follow the [installation and configuration guide](/userlock/docs/guides/sso-administration/install-configure).

## Summary

UserLock SSO provides organizations with:

- **Seamless SSO** across SaaS and Microsoft 365 applications.
- **On-premises AD as the authoritative Identity Provider**, with optional Azure AD Domain Services support.
- **Stronger security** through MFA and contextual access rules.
- **Centralized visibility and reporting** for all SSO activity.
- **Resilience and continuity** with certificate management and backup server support.

This makes UserLock SSO a secure, flexible, and efficient way to extend Active Directory authentication to the cloud.
