Estimated time to complete: 15 minutes
Dashlane offers comprehensive integration with Microsoft Entra ID for SSO, SCIM user provisioning for plan members, and Group Provisioning with SAML.
More about SSO and SCIM
More about SAML-based SSO on the Microsoft support website
Important: Confidential SSO does not support device-based Conditional Access policies on mobile devices. If your organization requires this policy, consider setting up SSO using the self-hosted option instead.
Prerequisites
To complete this setup, you need admin permission for:
- Dashlane Admin Console
- Azure (Azure/Microsoft Entra ID)
- Your Public DNS provider (for domain verification)
Table of contents
Set up SSO
- Step 1: Register a new application in Azure
- Step 2: Configure Azure for SAML SSO
- Step 3: Download Azure Metadata
- Step 4: Configure Dashlane with Azure Metadata
- Step 5: Verify your domain in DNS Provider
- Step 6: Assign Users and Groups in Azure
- Step 7: Test your SSO configuration
- Step 8: Enable SSO for all users
Set up User SCIM Provisioning
- Step 1: Generate SCIM API Token in Dashlane
- Step 2: Configure SCIM API Token in Azure
- Step 3: Start Provisioning
Set up Group SAML Provisioning
- Step 1: Set up Group Provisioning with SAML in Azure
- Step 2: Set up Group Provisioning with SAML in Dashlane
Set up SSO
Step 1: Register a new application in Azure
- Open Azure Portal and sign in with your admin credentials.
- In the Azure services section, locate and select Enterprise applications. If enterprise applications aren't listed, you can use the search.
- Select + New application at the top of the page.
- Select Create your own application and give it a relevant name, like "Dashlane SSO." Then select the option: Integrate any other application you don't find in the gallery.
- Select Create.
Step 2: Configure Azure for SAML SSO
- In the new application created in Step 1, select Single sign-on in the left menu, then select SAML.
- Select Edit the Basic SAML Configuration.
- Enter these two items and then save:
- Identifier (Entity ID): dashlane-nitro-sso
- Reply URL (Assertion Consumer Service URL): https://sso.nitro.dashlane.com/saml/callback
Step 3: Download Azure Metadata
- Download Federation Metadata XML from the SAML Certificate section.
- Open Federation Metadata XML in Notepad or a plain text editor and copy the entire XML file to your clipboard. Don't open the XML using Safari, as it may break the XML format when copying.
Step 4: Configure Dashlane with Azure Metadata
- Log in to the Dashlane Admin Console.
- In the Integrations section of the left menu, select Single sign-on. If you've already started the setup, select Edit. Otherwise, select Set up Confidential SSO.
- Go to Step 2: Save your IdP metadata and paste the metadata copied earlier.
- Select Save.
Step 5: Verify your domain in DNS Provider
- In Step 3: Verify your domain(s) in the Admin Console, enter your company email domain, and select Verify domain. Note the copy buttons you'll use to copy the hostname and TXT values to your public DNS provider.
- In a new browser tab, navigate to your Public DNS provider and Add a TXT Record. The exact steps vary depending on your provider.
- Paste the Host Name and TXT Value from the Dashlane Admin Console into the new TXT record, and select Save.
- After you've entered the record, wait a few minutes, and in the Dashlane Admin Console, select Verify domain.
Public DNS changes can take up to 24 hours, but most new records take 5 minutes or less. If it doesn't work the first time, wait a few minutes and select Verify domain again.
After the domain is verified, a green checkmark appears. Repeat the steps for any additional domains in your SSO tenant you want to enable for SSO. We don't support linking multiple SSO providers to a single Dashlane plan.
(Optional) Just In Time Provisioning
You can turn on Just In Time Provisioning to automatically add any employee with your verified domains at their first login attempt.
Before you turn on Just in Time Provisioning, ensure your plan members have already been added to the Dashlane SAML application in your IdP.
After you turn it on, they can install the Dashlane browser extension and create their account.
If your plan is out of seats, members won't be able to log in until you buy more seats.
If you’re using Just in Time Provisioning along with another automatic provisioning method like SCIM or AD sync, make sure to add all of your plan members to your synced groups. Otherwise, plan members who aren’t added to synced groups will be removed the next time the directory syncs.
More about Just in Time Provisioning
Step 6: Assign Users and Groups in Azure
- Open Azure Portal and sign in with your admin credentials.
- Go to your Dashlane Enterprise application and select Users and Groups.
- To assign the users to your Dashlane SAML app, select +Add user/group.
Step 7: Test your SSO configuration
- Return to the Dashlane Admin Console and perform a Test connection.
- A success message appears if SSO was set up as expected.
If you see an error message, you can open a ticket through our support chatbot.
Step 8: Enable SSO for all users
- After testing is successful, activate SSO in Dashlane under Step 4: Activate SSO for verified domains.
- Notify users about the new SSO login method. Users with an account created with a Master Password must do a final login with the Master Password before activating SSO. To see how the process works for users, refer to this article:
- Ensure that users can log in with their Microsoft credentials.
Set up User SCIM Provisioning
Step 1: Generate SCIM API Token in Dashlane
- Log in to the Dashlane Admin Console.
- In the Integrations section, select Provisioning and then Confidential Provisioning.
- Select Set up or Edit if you've already started the setup.
If this option is grayed out and unavailable, you either need to set up Confidential SSO first, or you've already set up Self-hosted SSO, SCIM, or Active Directory.
- In Step 1: Generate SCIM API token, select Generate Token.
- Copy the SCIM API token in Step 2: Copy token.
- Turn on the toggle for Step 3: Activate automatic user provisioning.
Step 2: Configure SCIM API Token in Azure
- In the Azure services section, locate and select Enterprise applications. If enterprise applications aren't listed, you can use the search.
- Find and open the Dashlane app.
- In the left menu, select Provisioning, then Get Started.
- Set Provisioning Mode to Automatic.
- Paste the SCIM API token under the Secret Token.
- Copy the endpoint value from the Admin Console, and paste it under the Tenant URL.
- Test the connection to ensure it works and select Save.
- Under Attribute Mappings, review the default settings.
- For Provisioning Azure Active Directory Groups, set No for Enabled and Save.
Step 3: Start Provisioning
- Select Provisioning in the left menu.
- Start Provisioning.
Set up Group SAML Provisioning
Step 1: Set up Group Provisioning with SAML in Azure
- Open the Dashlane Enterprise app on Azure and select Single sign-on.
- Select Edit for Attributes & Claims.
- Select + Add a group claim.
- Select Groups assigned to the application.
- In the Source attribute drop-down list, select sAMAccountName.
- Select the checkbox: Emit group name for cloud-only groups.
- Expand Advanced options and select Customize the name of the group claim.
- In the Name field, add "dashlaneSharingGroups" and select Save.
Step 2: Set up Group Provisioning with SAML in Dashlane
- Log in to the Dashlane Admin Console.
- In the Integrations section, select Provisioning settings, and then select Confidential Provisioning.
- Select Set up or Edit if you've already started the setup.
- Scroll down to the Group Provisioning section.
- Turn on Group Provisioning in Step 2: Activate group syncing.
- Your plan members may need to log in to Dashlane to see if changes will be reflected in the Admin Console.
- As a plan admin, you won't be added to the groups. You'll continue to use your primary password to log in.
- If you don't see the groups in the Groups tab of the Dashlane Admin Console, force a login to the Admin Console to see the changes.
- Your plan members can accept group invitations through the invite email or by selecting the Notifications icon, shown as a bell, in the Dashlane app.
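To confirm that the group claim configured in Step 1 is actually emitted, this added example (not Dashlane or Microsoft code) inspects a base64 SAMLResponse value copied from a test sign-in. It assumes an unencrypted assertion and verifies no signature; the function names and the sample response are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_CLAIM = "dashlaneSharingGroups"  # name entered for the Azure group claim
# Entra ID's default name for a group claim when the name is not customized
DEFAULT_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def inspect_group_claim(b64_response):
    """Return (name_id, groups, findings) for a base64-encoded SAML response."""
    root = ET.fromstring(base64.b64decode(b64_response))
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=SAML)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    groups = attrs.get(GROUP_CLAIM, [])
    findings = []
    if GROUP_CLAIM not in attrs:
        findings.append(f"no {GROUP_CLAIM} attribute in the assertion")
        if DEFAULT_GROUPS_CLAIM in attrs:
            findings.append("groups are emitted under the default claim name")
    if any(GUID.match(g) for g in groups):
        findings.append("group values look like object IDs, not group names")
    return name_id, groups, findings

def sample_response(claim_name, values):
    """Constructed, unsigned SAML response for the demo (not captured traffic)."""
    vals = "".join(f"<AttributeValue>{v}</AttributeValue>" for v in values)
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
           f'<Assertion xmlns="{SAML["saml"]}"><Subject>'
           "<NameID>alice@example.com</NameID></Subject><AttributeStatement>"
           f'<Attribute Name="{claim_name}">{vals}</Attribute>'
           "</AttributeStatement></Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(inspect_group_claim(sample_response(GROUP_CLAIM, ["Engineering", "Finance"])))
    print(inspect_group_claim(sample_response(DEFAULT_GROUPS_CLAIM, ["Engineering"])))
```

A finding about the default claim name points back to the Customize the name of the group claim step; a finding about object IDs points back to the Source attribute selection.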
Troubleshoot Dashlane with Azure
(SSO) Renew a SAML signing certificate for the Dashlane enterprise app
- In a new browser tab, open the Azure Portal and search for or select Enterprise Applications.
- Select your Dashlane app from the list of applications.
- Select Single sign-on from the menu.
- Select Edit the SAML Certificates and then select New Certificate.
- A new certificate appears in the list with the Status.
- Select Save. A notification appears that your certificate has been updated, and the status for the new certificate will be updated to "Inactive."
- Select the 3-dot menu for the new "Inactive" certificate, select Make certificate active, and then select Yes to confirm.
- Select the 3-dot menu for the "Inactive" certificate, select Delete Certificate, and then select Yes to confirm. A notification appears that your certificate has been deleted.
- Return to the Single sign-on page and dismiss the pop-ups. Scroll to SAML Certificates and select Download for the Federation Metadata XML.
- Open the downloaded file in a text editor, select all of the text, and copy it to your clipboard.
- Select the Dashlane D icon in your browser’s toolbar and enter your admin Master Password if prompted. In the extension pop-up, select More and then Open the Admin Console.
- In the Integrations section of the side menu, select Single sign-on, and then Edit Confidential SSO.
- Select Edit for SSO settings.
- Optional: Copy and save the text in the Add identity provider metadata text box for your records.
- Then delete all of that text and paste the text you copied earlier.
- Select Save changes.
If more than one certificate is contained in the metadata, the Dashlane Admin Console displays an error message. If an error appears when saving the new metadata, double-check that you deleted the inactive certificate in step 8.
- Select Test the SSO connection to confirm the update was successful.
- Ask a team member to test the login.
After you renew your certificate, test the connection by asking a plan member to log in.
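A pre-flight check for the Federation Metadata XML copied in Step 3 and again after a certificate renewal, added here as an example and not Dashlane or Microsoft code. It assumes the certificates that matter are the distinct signing keys under the SAML IDPSSODescriptor element; the function names, sample builder and placeholder certificate strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_idp_metadata(xml_text):
    """Return (entity_id, distinct_signing_certs, problems) for copied IdP metadata."""
    try:
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError as exc:
        return None, [], [f"not well-formed XML (damaged while copying?): {exc}"]
    problems = []
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        problems.append(f"unexpected root element {root.tag!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return root.get("entityID"), [], problems + ["no IDPSSODescriptor element"]
    certs = []
    # Only the SAML IdP role is inspected, so the same certificate repeated
    # elsewhere in the file is not counted twice.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only key
        for cert in kd.findall(".//ds:X509Certificate", NS):
            value = "".join((cert.text or "").split())
            if value and value not in certs:
                certs.append(value)
    if not certs:
        problems.append("no signing certificate found")
    elif len(certs) > 1:
        problems.append(f"{len(certs)} distinct signing certificates found")
    return root.get("entityID"), certs, problems

def sample_metadata(cert_values):
    """Constructed stand-in for a Federation Metadata XML (placeholder cert text)."""
    keys = "".join(
        '<KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{v}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></KeyDescriptor>" for v in cert_values)
    return (f'<EntityDescriptor xmlns="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://idp.example/constructed/">'
            '<IDPSSODescriptor protocolSupportEnumeration='
            f'"urn:oasis:names:tc:SAML:2.0:protocol">{keys}</IDPSSODescriptor>'
            "</EntityDescriptor>")

if __name__ == "__main__":
    for certs in (["PLACEHOLDERCERTA"], ["PLACEHOLDERCERTA", "PLACEHOLDERCERTB"]):
        print(check_idp_metadata(sample_metadata(certs))[2])
```

An empty problems list means the text parsed cleanly and carries exactly one signing certificate; a second distinct certificate usually means the old certificate was not deleted before the metadata was downloaded.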
(SSO) Error message: AADSTS700016
The application with the identifier https://domain-sso.azurewebsites.net/saml was not found in the directory domain. This can happen if the application still needs to be installed by the tenant's administrator or, consequently, by any user in the tenant. You may have sent your authentication request to the wrong tenant.
- Open Azure Portal with your admin account.
- Check the Dashlane Enterprise app to ensure that the Entity ID and ACS URL are the same as those in the Dashlane Admin Console.
(SSO) Error message: AADSTS50105
Your administrator configured the application Dashlane (application code) to block users unless they are specifically granted (‘assigned’) access to the application. The signed-in user is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application.
How to fix
- Log in to Azure Portal with your admin account.
- Check the Dashlane Enterprise app Users and Groups: Add the users you want to access Dashlane with SSO.
- Test the login again.
- If it's still not working, test the SSO login from a different browser profile that isn't synced to your admin account, to rule out any browser profile issues.
(SCIM) Error message: An HTTP/404 Not Found response was returned rather than the expected HTTP/200 OK response
You appear to have entered invalid credentials. Please confirm you are using the correct information for an administrative account.
How to fix
- Confirm that you've enabled the Activate automatic user provisioning toggle in the Dashlane Admin Console.
- Return to the Azure Dashlane Enterprise app and test the connection again.
If you select “re-generate token,” you'll need to update it in Azure.
(SSO) Error message: We couldn't verify your SSO connection
Error when testing the connection with Dashlane in the Admin Console. You might also see this error when trying to save the metadata.
How to fix
- Confirm you're opening and logging in to the Admin Console from the Dashlane extension.
- If your IdP's admin portal is open, log out of your admin account on Azure and close the browser tab before testing the connection with Dashlane again.
(SSO) Username change (UPN) in Dashlane
For your team members to log in to their accounts, their UPN (user principal name) in your identity provider must match their Dashlane ID (the email addresses you see in the Admin Console). You should only update their UPN to the new email address after they've exported their data from the original Dashlane account.
How to fix
- If the UPN has already been changed to the new email address, you'll need to change it back to the old email address to allow the affected members to log back into their old accounts.
- Turn off the Smart Spaces options in the Admin Console, so your team members can export the data from the Business Space. If your team isn't using Spaces, turn on the Allow Export policy.
- Ask your team members to export their data from the existing accounts and then log out from Dashlane: Select My account and then Log out.
- Update the user profiles in the IdP with the new email addresses.
- Remove the old accounts from your Dashlane team.
- Invite the new accounts to the Dashlane team using the new email addresses. For more information on how to manage the team members in your plan, you can refer to this article:
- Ask your team members to create their new accounts by selecting the link in the email with the team invitation.
- Ask your team members to import the backup file to recover their data.
- Turn on Smart Spaces again or turn off the Allow Export policy, depending on your team setting.
- If you've turned on SCIM provisioning, contact Dashlane Support for the last step.
Contact Support
Please contact our Support team if you encounter any issues or have questions about this process.