Estimated time to complete: 15 minutes
Dashlane offers deep integration with Okta, with the ability to integrate SSO, SCIM user provisioning for plan members, and group provisioning with SAML.
More about SSO and SCIM
More about SAML-based SSO on the Okta support website
Prerequisites
To complete this setup, you need admin permission for:
- Dashlane Admin Console
- Okta Admin Console (Identity Provider)
- Your Public DNS provider (for domain verification)
Table of contents
Set up SSO
- Step 1: Register a new application in Okta
- Step 2: Download Okta Metadata
- Step 3: Configure Dashlane with Okta Metadata
- Step 4: Verify your domain in DNS Provider
- Step 5: Assign Users and Groups in Okta
- Step 6: Test your SSO configuration
- Step 7: Enable SSO for all users
Set up User SCIM Provisioning
- Step 1: Generate SCIM API Token in Dashlane
- Step 2: Configure SCIM API Token in Okta
- Step 3: Start Provisioning
Set up Group SAML Provisioning
- Step 1: Set up Group Provisioning with SAML in Okta
- Step 2: Set up Group Provisioning with SAML in Dashlane
Set up SSO
Step 1: Register a new application in Okta
- Open your Okta Admin Console and expand the Applications menu. Select Applications and Create App Integration.
- On the Create a new app integration page, select the SAML 2.0 option and select Next.
- In General Settings, enter "Dashlane" for the App name.
- Upload the Dashlane logo for the App logo and select Next.
https://www.pngrepo.com/svg/331360/dashlane-v2
- On Configure SAML, enter "https://sso.nitro.dashlane.com/saml/callback" for the Single sign-on URL field and "dashlane-nitro-sso" for the Audience URI (SP Entity ID) field.
- Scroll to the bottom of the page and select Next.
- On the Help Okta Support page, select I'm an Okta customer adding an internal app and select Finish.
Step 2: Download Okta Metadata
- Select Sign On and then select View SAML setup instructions.
- In the Optional section, select and copy all of your IdP metadata.
Step 3: Configure Dashlane with Okta Metadata
- Log in to the Dashlane Admin Console
- In the Integrations section of the left menu, select Single sign-on. If you've already started the setup, select Edit. Otherwise, select Set up Confidential SSO.
- Navigate to Step 2: Save your IdP metadata and paste the metadata copied earlier.
- Select Save.
Step 4: Verify your domain in DNS Provider
- In Step 3: Verify your domain(s) on the Admin Console, enter your company email domain and select Verify domain. Note the copy buttons you'll use to copy the hostname and TXT values to your public DNS provider.
- In a new browser tab, navigate to your Public DNS provider and Add a TXT Record. The exact steps vary depending on your provider.
- Paste the Host Name and TXT Value from the Dashlane Admin Console into the new TXT record, and select Save.
- After you've entered the record, wait a few minutes, and in the Dashlane Admin Console, select Verify domain.
Public DNS changes can take up to 24 hours, but most new records take five minutes or less. If it doesn't work the first time, wait a few minutes and select Verify domain again.
After the domain is verified, a green checkmark appears. Repeat the steps for any additional domains in your SSO tenant you want to enable for SSO. We don't support linking multiple SSO providers to a single Dashlane plan.
(Optional) Just In Time Provisioning
You can turn on Just In Time Provisioning to automatically add any employee with your verified domains at their first login attempt.
Before you turn on Just in Time Provisioning, ensure your plan members have already been added to the Dashlane SAML application in your IdP.
After you turn it on, they can install the Dashlane browser extension and create their account.
If your plan is out of seats, members won’t be able to log in until you buy more seats.
If you’re using Just in Time Provisioning along with another automatic provisioning method, like SCIM or AD sync, make sure to add all of your plan members to your synced groups. Otherwise, plan members who aren’t added to synced groups will be removed the next time the directory syncs.
More about Just in Time Provisioning
Step 5: Assign Users and Groups in Okta
- Go to the Dashlane app in the Okta Admin Console, select Assignments and then Assign. Select Assign to People to test.
Step 6: Test your SSO configuration
- Return to the Dashlane Admin Console and perform a Test connection.
- A success message appears if SSO was set up as expected.
If you see an error message, you can open a ticket through our support chatbot.
Step 7: Enable SSO for all users
- After testing is successful, activate SSO in Dashlane in Step 4: Activate SSO for verified domains.
- Notify users about the new SSO login method. Users with an account created with a Master Password must do a final login with the Master Password before activating SSO. To see how the process works for users, refer to this article:
- Ensure that users can log in with their Microsoft credentials.
Set up User SCIM Provisioning
Step 1: Generate SCIM API Token in Dashlane
- Log in to the Dashlane Admin Console
- In the Integrations section, select Provisioning and then Confidential Provisioning.
- Select Set up or Edit if you've already started the setup.
If this option is grayed out and unavailable, you either need to set up Confidential SSO first, or you've already set up Self-hosted SSO, SCIM, or Active Directory.
- In Step 1: Generate SCIM API token, select Generate Token.
- Copy the SCIM API token in Step 2: Copy token.
- Turn on the toggle for Step 3: Activate automatic user provisioning.
Step 2: Configure SCIM API Token in Okta
- In your Dashlane SAML application in Okta, select the General tab, and select Edit.
- Select the checkbox: Enable SCIM provisioning and select Save.
- Select the Provisioning tab and select Edit.
- Paste the SCIM values from the Dashlane Admin Console to the Okta text fields.
- For SCIM connector base URL, copy and paste the URL from Dashlane.
- For Unique identifier field for users, enter "email".
- Enable all the Supported provisioning actions except Push Groups and Import Groups.
- For Authentication Mode, select HTTP Header.
- For Authorization, copy the SCIM token from Dashlane and paste it into the Bearer field.
- In the Test Connector Configuration pop-up, you should receive a success message.
- Save the Configuration.
Step 3: Start Provisioning
- In the Provisioning tab, select Settings, To App, and Edit.
- Enable Create Users, Update User Attributes, Deactivate Users, and select Save.
Set up Group SAML Provisioning
Step 1: Set up Group Provisioning with SAML in Okta
- In your Dashlane SAML application in Okta, select the General tab and in the SAML Settings section, select Edit.
- Go to the Group Attribute Statements (optional) section:
  - For Name, enter "dashlaneSharingGroups"
  - For Name format, select Unspecified from the drop-down list
  - For Filter, select Matches regex from the drop-down list
  - For Value, enter .*
Important: The Okta group attribute statement filter suggested in the guidelines above will sync all groups in your Okta tenant to Dashlane. Dashlane reads the SAML Attribute Statement containing the groups, and Okta decides which groups the SAML assertion contains. With Okta, it's only possible to filter groups based on the group name.
Alternatives
- Include only groups whose names start with Dashlane_ (or any other substring)
  - For Name, enter "dashlaneSharingGroups"
  - For Name format, select Unspecified from the drop-down list
  - For Filter, select Starts with from the drop-down list
  - For Value, enter Dashlane_
- If you don't want to sync all your groups or use the attribute filter, we suggest you create Dashlane sharing groups directly in the Admin Console.
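To see which group names a given filter actually discloses to Dashlane, you can audit a decoded SAML assertion from a test login. The following is an added example, not code from Dashlane or Okta: the function name `audit_assertion`, the sample assertion, and its group names are constructed, and the `Dashlane_` prefix is the one suggested under Alternatives.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
EXPECTED_AUDIENCE = "dashlane-nitro-sso"    # Audience URI (SP Entity ID) from Step 1
GROUP_ATTRIBUTE = "dashlaneSharingGroups"   # attribute name from the guide

# Constructed sample: what an assertion could carry with the ".*" filter.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>dashlane-nitro-sso</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="dashlaneSharingGroups">
      <saml:AttributeValue>Dashlane_Finance</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
      <saml:AttributeValue>AWS-Prod-Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def audit_assertion(assertion_xml, allowed_prefix="Dashlane_"):
    """Report what a decoded assertion discloses.

    Inspection only: this does NOT verify the XML signature, so never use
    it to make an authentication decision.
    """
    root = ET.fromstring(assertion_xml)  # works for a Response or a bare Assertion
    audiences = [a.text.strip() for a in root.iter(SAML + "Audience") if a.text]
    groups = []
    for attr in root.iter(SAML + "Attribute"):
        if attr.get("Name") == GROUP_ATTRIBUTE:
            groups += [v.text.strip() for v in attr.iter(SAML + "AttributeValue")
                       if v.text]
    return {
        "audience_ok": audiences == [EXPECTED_AUDIENCE],
        "groups": groups,
        # Group names sent to Dashlane that the prefix filter would have excluded.
        "unexpected_groups": [g for g in groups if not g.startswith(allowed_prefix)],
    }


if __name__ == "__main__":
    for key, value in audit_assertion(SAMPLE).items():
        print(f"{key}: {value}")
```

A non-empty `unexpected_groups` list means the assertion carries group names you did not intend to sync, which is the effect of the `.*` filter described in the Important note.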
Step 2: Set up Group Provisioning with SAML in Dashlane
- Log in to the Dashlane Admin Console
- In the Integrations section, select Provisioning settings, and then select Confidential Provisioning.
- Select Set up or Edit if you've already started the setup.
- Scroll down to the Group Provisioning section.
- Turn on Group Provisioning in Step 2: Activate group syncing.
- Your plan members may need to log in to Dashlane before the changes are reflected in the Admin Console.
- As a plan admin, you won't be added to the groups. You'll continue to use your primary password to log in.
- If you don't see the groups in the Groups tab of the Dashlane Admin Console, force a login to the Admin Console.
- Your plan members can accept group invitations through the invite email or by selecting the Notifications icon, shown as a bell, in the Dashlane app.
Troubleshoot Dashlane with Okta
(SSO) Entity ID Error
This error appears when the Audience URI (SP Entity ID) has a value other than dashlane-nitro-sso.
How to fix
- Confirm you have entered “https://sso.nitro.dashlane.com/saml/callback” for Single sign-on URL and "dashlane-nitro-sso" for the Audience URI (SP Entity ID). All other fields can be left alone unless you have a custom configuration that you know to be different.
(SSO) Login error from Okta tile
This error usually appears when trying to access Dashlane outside of the Dashlane extension.
How to fix
The SSO login has to be completed using the Dashlane extension.
You can use an alternative option if you want your users to access Dashlane without going directly through the extension. The extension still needs to be installed in the browser for this to work:
- Open the Dashlane app in your Okta admin portal.
- Open the General tab and in the App Settings section, select Do not display application icon to users and Save.
- Expand the Applications drop-down in the left pane, and then select Applications.
- Select Browse App Catalog.
- Search for "Bookmark App," select it from the list of results, and select Add in the left pane.
- Add https://app.dashlane.com in the URL box and Dashlane for the Application label.
- Select Done.
(SSO) Error message: We couldn't verify your SSO connection
This error appears when testing the connection with Dashlane in the Admin Console. You might also see it when trying to save the metadata.
How to fix
- Confirm you're opening and logging in to the Admin Console from the Dashlane extension.
- If you have your IdP's admin portal open, log out from your admin account in Okta and close the browser tab before testing the connection with Dashlane again.
(SCIM) Error: SCIM_ERROR_CANNOT_UPDATE_IMMUTABLE_ATTRIBUTE
An attempt is being made to change an unmodifiable attribute (the Dashlane username/email). On-prem Active Directory is the Identity Provider, and Okta is the SSO provider synced to on-prem Active Directory. Your team already had existing Dashlane users before configuring SCIM, so the "immutable attribute" error references the UUID.
How to fix
- Confirm the schema in Okta is set to "username" and "email."
- Confirm that the user’s email address in Okta and their Dashlane email address are a match.
(SSO) Renew a SAML signing certificate for the Dashlane application
- Log in to the Okta Admin Console.
- Access Applications, select the Dashlane app, and then select Sign on.
- Under SAML Signing Certificates, select Actions for the new certificate.
- Select View IdP metadata. It will open a new browser window.
- Save the metadata on your desktop.
- Open the downloaded file in a text editor, select all of the text, and copy it to your clipboard.
- Open the Dashlane Admin Console. In the Integrations section of the side menu, select Single sign-on, and then Edit Confidential SSO.
- Go to Step 2: Save your Metadata and delete all of the existing text.
- Paste the new metadata you copied to your clipboard in step 6.
- Select Save.
- Select Test the SSO connection to confirm the update was successful.
- Ask a team member to test the login.
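Before pasting the renewed metadata, it helps to confirm what actually differs from the metadata currently saved in Dashlane. The following is an added example, not code from Dashlane or Okta: it compares two IdP metadata documents and reports whether the signing certificate changed and whether the entity ID and SSO endpoints stayed the same. The function names, the sample entity ID and URL, and the placeholder certificate bytes are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def sample_metadata(cert_bytes):
    """Constructed IdP metadata; cert_bytes is a placeholder, not a real certificate."""
    b64 = base64.b64encode(cert_bytes).decode()
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'entityID="http://idp.example/constructed-issuer">'
        '<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        '<md:SingleSignOnService '
        'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'Location="https://idp.example/constructed/sso/saml"/>'
        '</md:IDPSSODescriptor></md:EntityDescriptor>')


def summarize_metadata(metadata_xml):
    """Return entity ID, SSO endpoints and SHA-256 fingerprints of signing certs."""
    root = ET.fromstring(metadata_xml)
    entity = root if root.get("entityID") else root.find(".//md:EntityDescriptor", NS)
    certs = set()
    for key in entity.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if key.get("use", "signing") != "signing":  # no "use" means both uses
            continue
        for cert in key.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            certs.add(hashlib.sha256(der).hexdigest())
    endpoints = {(s.get("Binding"), s.get("Location"))
                 for s in entity.findall(".//md:SingleSignOnService", NS)}
    return {"entity_id": entity.get("entityID"), "endpoints": endpoints, "certs": certs}


def check_rotation(old_xml, new_xml):
    """Compare the metadata saved in Dashlane (old) with the renewed file (new)."""
    old, new = summarize_metadata(old_xml), summarize_metadata(new_xml)
    return {
        "cert_rotated": bool(new["certs"]) and new["certs"].isdisjoint(old["certs"]),
        "entity_id_unchanged": old["entity_id"] == new["entity_id"],
        "endpoints_unchanged": old["endpoints"] == new["endpoints"],
    }
```

If `cert_rotated` is false, the file you saved still carries the old certificate, and the test connection in Dashlane will be validating against the certificate you meant to replace.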
Contact Support
Please contact our Support team if you encounter any issues or have questions about this process.