UserLock Single Sign-On (SSO)
UserLock extends Single Sign-On (SSO) to cloud and Microsoft 365 applications while keeping Active Directory (AD) as the authoritative Identity Provider. Hosted on-premises or in a virtual network, UserLock SSO delivers secure, seamless, and centralized authentication by combining SSO with Multi-Factor Authentication (MFA) and contextual access restrictions.
One identity source: Users authenticate with their existing AD credentials. No need for duplicate directories or external identity repositories.
Stronger security: Built on SAML 2.0 federation, reinforced with MFA prompts and granular access policies.
Continuity: Fast deployment without disrupting existing on-premises access.
Resilience: Automatic certificate renewal and support for backup SSO servers.
Centralized control: Unified monitoring, auditing, and reporting for SSO sessions, including successful and denied logons.
UserLock SSO is hosted on-premises and retains Active Directory as the authoritative Identity Provider.
For access to SaaS applications, the user is authenticated with their existing on-premises credentials. Users may also be prompted for MFA, depending on the conditions that are configured.
The user connects to a SaaS application (Service Provider, SP).
Authentication is delegated to UserLock SSO, acting as the Identity Provider (IdP), via a SAML request.
UserLock authenticates the user against on-premises AD credentials.
If successful, UserLock checks whether MFA is required and enforces contextual restrictions (location, IP address, time).
UserLock returns a signed SAML assertion to the SP, with the decision (access granted or denied).
The SP allows or denies the user’s session accordingly.
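The following is an added example, not UserLock's code, that models steps 4 to 6 of the flow above in Python: the Identity Provider's contextual decision (is the source IP permitted, is the logon inside the allowed hours, is MFA required) and the checks a Service Provider must apply to the returned SAML response before opening a session. The policy fields, entity IDs (`https://sso.mydomain.com/idp`, `https://sp.example.test`), request ID `_req42` and the sample response are constructed for illustration; the XML signature check itself is assumed to have been done by an XML-DSig library and is passed in as a result, since the standard library cannot verify it.

```python
"""Added example (not UserLock's code): contextual IdP decision and
SP-side validation of a SAML response.  All values are constructed."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
           "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


@dataclass
class AccessPolicy:
    allowed_networks: list                   # CIDRs logons may come from
    allowed_hours: tuple                     # (start_hour, end_hour), 24h clock
    mfa_exempt_networks: list = field(default_factory=list)  # trusted CIDRs


@dataclass
class Decision:
    allowed: bool
    mfa_required: bool
    reason: str


# Constructed policy: corporate LAN is trusted, a partner range needs MFA.
POLICY = AccessPolicy(allowed_networks=["10.0.0.0/8", "203.0.113.0/24"],
                      allowed_hours=(7, 20),
                      mfa_exempt_networks=["10.0.0.0/8"])


def evaluate_access(source_ip: str, now: datetime, policy: AccessPolicy) -> Decision:
    """Step 4: restrictions applied after the AD credential check succeeded."""
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in ipaddress.ip_network(n) for n in policy.allowed_networks):
        return Decision(False, False, f"source {source_ip} outside permitted networks")
    start, end = policy.allowed_hours
    if not start <= now.hour < end:
        return Decision(False, False, f"logon at {now:%H:%M} outside permitted hours")
    exempt = any(ip in ipaddress.ip_network(n) for n in policy.mfa_exempt_networks)
    return Decision(True, not exempt, "granted" if exempt else "granted, MFA required")


# Constructed SAML response as the SP would receive it in step 5.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" InResponseTo="_req42" Destination="https://sp.example.test/acs">
  <saml:Issuer>https://sso.mydomain.com/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://sso.mydomain.com/idp</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@mydomain.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:00:00Z" NotOnOrAfter="2024-05-01T09:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text: str, expected_issuer: str, expected_audience: str,
                      expected_request_id: str, now: datetime, signature_ok: bool,
                      skew_seconds: int = 60):
    """Step 6: what the SP checks before allowing the session.
    signature_ok is the result of an XML-DSig verification done elsewhere;
    nothing in the document may be trusted until that check has passed."""
    if not signature_ok:
        return False, "signature invalid or missing"
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match an outstanding request (replay/unsolicited)"
    status = root.find("samlp:Status/samlp:StatusCode", SAML_NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "IdP denied access"
    assertion = root.find("saml:Assertion", SAML_NS)
    if assertion is None:
        return False, "no assertion in response"
    if assertion.findtext("saml:Issuer", namespaces=SAML_NS) != expected_issuer:
        return False, "assertion issued by an unexpected IdP"
    cond = assertion.find("saml:Conditions", SAML_NS)
    skew = timedelta(seconds=skew_seconds)
    if now < _parse_time(cond.get("NotBefore")) - skew or \
            now >= _parse_time(cond.get("NotOnOrAfter")) + skew:
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        return False, "assertion not addressed to this SP"
    return True, assertion.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)


if __name__ == "__main__":
    at = datetime(2024, 5, 1, 9, 2, tzinfo=timezone.utc)
    print(evaluate_access("203.0.113.7", at, POLICY))
    print(validate_response(SAMPLE_RESPONSE, "https://sso.mydomain.com/idp",
                            "https://sp.example.test", "_req42", at, True))
```

The SP checks are deliberately ordered so that the cheapest and most decisive failures (bad signature, response not matching a request this SP issued) stop processing before any assertion content is read; the validity window is tested with a small clock-skew allowance because IdP and SP clocks are rarely in perfect sync.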
UserLock SSO keeps on-premises AD as the authoritative identity source.
Azure AD is no longer used for authentication. Instead, Microsoft 365 is redirected to UserLock SSO.
Azure AD Connect remains required to synchronize certain attributes (e.g., ImmutableID) across both directories.
UserLock applies MFA and contextual restrictions on Microsoft 365 logins, just as it does for other SaaS applications.
UserLock SSO can also be hosted in a virtual network and use Azure AD Domain Services (AAD DS) as the authoritative identity source.
In this case, users authenticate with their Azure AD credentials, but UserLock enforces MFA and contextual restrictions before granting access to Microsoft 365.
The same SAML-based workflow applies: UserLock validates the session, checks restrictions, and issues a signed assertion to Microsoft 365.
Install the UserLock SSO service on a Windows Server 2012 R2 or higher.
Use a valid SSL certificate and a registered public domain name (e.g., sso.mydomain.com).
Configure DNS (split-DNS for internal and external resolution).
Manage SaaS applications in the SSO console, with preconfigured templates or custom SAML profiles.
Activate MFA for SSO connections (handled as “server logons” in MFA settings).
Note
For more details, follow the installation and configuration guide.
UserLock SSO provides organizations with:
Seamless SSO across SaaS and Microsoft 365 applications.
On-premises AD as the authoritative Identity Provider, with optional Azure AD Domain Services support.
Stronger security through MFA and contextual access rules.
Centralized visibility and reporting for all SSO activity.
Resilience and continuity with certificate management and backup server support.
This makes UserLock SSO a secure, flexible, and efficient way to extend Active Directory authentication to the cloud.