Estimated time to complete: 15 minutes
Dashlane offers deep integration with PingID, with the ability to integrate SSO with SAML, plan member sync, and group sync using SCIM. It is possible to do only SSO or only SCIM provisioning, but we recommend doing both for the best experience.
More about SSO and SCIM
More about SAML-based SSO with PingID
Prerequisites
To complete this setup, you need admin permission for:
- Dashlane Admin Console
- Ping Identity Active Directory (Identity Provider)
- Your Public DNS provider (for domain verification)
Table of Contents
- Step 1: Register a New Application in PingID
- Step 2: Download PingID Metadata
- Step 3: Configure Dashlane with PingID Metadata
- Step 4: Verify your domain in DNS Provider
- Step 5: Assign Users in PingID
- Step 6: Test your SSO configuration
- Step 7: Enable SSO for all users
Set up Group SAML Provisioning
- Step 1: Set up Group Provisioning with SAML in PingID
- Step 2: Set up Group Provisioning with SAML in Dashlane
Set up SSO
Step 1: Register a new application in PingID
- Log in to your Ping Identity Admin Console.
- Navigate to Connections. Select + Add Application.
- Choose SAML as the connection type and set up the application name as Dashlane SSO.
- Select Configure.
- For SAML configuration, select Manually enter.
- For ACS URL enter "https://sso.nitro.dashlane.com/saml/callback" and for Entity ID, enter "dashlane-nitro-sso".
- For Default Relay State: Optional based on your setup.
- For NameID enter "Email" and map it to the user's email attribute.
- Select Save.
Step 2: Download PingID Metadata
- Export the SAML metadata from Ping Identity. This metadata will be used in the Dashlane SSO setup.
- Open Federation Metadata XML in Notepad or a plain text editor and copy the entire XML file to your clipboard. Don't open the XML using Safari, as it may break the format for the XML when copying.
Step 3: Configure Dashlane with PingID Metadata
- Log in to the Dashlane Admin Console
- In the Integrations section of the left menu, select Single sign-on. If you've already started the setup, select Edit. Otherwise, select Set up Confidential SSO.
- Go to Step 2: Save your IdP metadata and paste the metadata copied earlier.
- Select Save.
Step 4: Verify your domain in DNS Provider
- In Step 3: Verify your domain(s) in the Admin Console, enter your company email domain, and select Verify domain. Note the copy buttons you'll use to copy the hostname and TXT values to your public DNS provider.
- In a new browser tab, navigate to your Public DNS provider and Add a TXT Record. The exact steps vary depending on your provider.
- Paste the Host Name and TXT Value from the Dashlane Admin Console into the new TXT record, and select Save.
- After you've entered the record, wait a few minutes, and in the Dashlane Admin Console, select Verify domain.
Public DNS changes can take up to 24 hours, but most new records take 5 minutes or less. If it doesn't work the first time, wait a few minutes and select Verify domain again.
After the domain is verified, a green checkmark appears. Repeat the steps for any additional domains in your SSO tenant you want to enable for SSO. We don't support linking multiple SSO providers to a single Dashlane plan.
(Optional) Just In Time Provisioning
You can turn on Just In Time Provisioning to automatically add any employee with your verified domains at their first login attempt.
Before you turn on Just in Time Provisioning, ensure your plan members have already been added to the Dashlane SAML application in your IdP.
After you turn it on, they can install the Dashlane browser extension and create their account.
If your plan is out of seats, members won't be able to log in until you buy more seats.
If you’re using Just in Time Provisioning along with another automatic provisioning method like SCIM or AD sync, make sure to add all of your plan members to your synced groups. Otherwise, plan members who aren’t added to synced groups will be removed the next time the directory syncs.
More about Just in Time Provisioning
Step 5: Assign Users in PingID
In Ping Identity, go to Users and assign the appropriate users or groups to the Dashlane SSO application.
Step 6: Test your SSO configuration
- Return to the Dashlane Admin Console and perform a Test connection.
- A success message appears if SSO was set up as expected.
If you see an error message, you can open a ticket through our support chatbot.
Step 7: Enable SSO for all users
- After testing is successful, activate SSO in Dashlane Step 4: Activate SSO for verified domains.
- Notify members about the new SSO login method. Members with an account created with a Master Password must do a final login with the Master Password before activating SSO. To see how the process works for members, refer to this article:
- Ensure that members can log in with their Microsoft credentials.
Set up User SCIM Provisioning
Step 1: Generate SCIM API Token in Dashlane
- Log in to the Dashlane Admin Console
- In the Integrations section, select Provisioning and then Confidential Provisioning.
- Select Set up or Edit if you've already started the setup.
If this option is grayed out and unavailable, you either need to set up Confidential SSO first, or you've already set up Self-hosted SSO, SCIM, or Active Directory.
- In Step 1: Generate SCIM API token, select Generate Token.
- Copy the SCIM API token in Step 2: Copy token.
- Turn on the toggle for Step 3: Activate automatic user provisioning.
Step 2: Configure SCIM API Token in PingID
- Set Up SCIM Provisioning in Ping Identity.
- Add SCIM connector settings in Ping Identity using the Dashlane SCIM endpoint and the token you generated in the Admin Console.
Set up Group Provisioning with SAML
Step 1: Set up Group Provisioning with SAML in PingID
- Select Identity Provider, then SP Connections, then Dashlane, and then Identity Mapping. Then select Next.
- For Extend the Contract, enter dashlaneSharingGroups. For Attribute Name Format enter basic.
- Select Next.
- Select Adapter Instance Name, then Description, then LDAP, and dashlaneSharingGroups:
- For Source, selectExpression from the drop-down list.
-
For Value, enter this code:
#groupName = new java.util.ArrayList(), #groups = #this.get("ds.memberOf")!=null ? #this.get("ds.memberOf").getValues() : {}, #i= 0, #groups.{ #group = new javax.naming.ldap.LdapName(#groups[#i]), #cn = #group.getRdn(#group.size() - 1).getValue().toString(), #group.toString().matches(".*INSERT-MATCHING.*") ? (#groupName.add("INSERT-GROUP-NAMES-YOU-WANT-TO-SYNC-HERE")): null, #i = #i + 1 }, new org.sourceid.saml20.adapter.attribute.AttributeValue(#groupName)
- Select Update the expression and then select Next.
Note: If you get an error message during this step, go back to Data Store. Select Next. Then select Show All Attributes and MemberOf from the drop-down lists. Then select Add Attribute, then Next three times, and then Save.
- Select Cluster Management. Then select Replicated Configuration and Done.
Step 2: Set up Group Provisioning with SAML in Dashlane
- Log in to the Dashlane Admin Console
- Go to Integration, select Provisioning settings in the Integrations section, and select Confidential Provisioning.
- Select Set up or Edit if you've already started the setup.
- Scroll down to the Group Provisioning section.
- Turn on Group Provisioning in Step 2: Activate group syncing.
- Your plan members may need to log in to Dashlane to see if changes will be reflected in the Admin Console.
- As a plan admin, you won't be added to the groups. You'll continue to use your primary password to log in.
- To see the changes in the Groups tab in the Dashlane Admin Console, force log in to the Admin Console if you don't see the groups.
- Your plan members can accept group invitations through the invite email or by selecting the Notifications icon, shown as a bell, in the Dashlane app.
Troubleshoot Dashlane with PingID
(SSO) Error message: We couldn't verify your SSO connection
Error when testing the connection with Dashlane in the Admin Console. You might also see this error when trying to save the metadata.
How to fix
- Confirm you're opening and logging in to the Admin Console from the Dashlane extension.
- If your IdP's admin portal is open, log out of your admin account on PingID and close the browser tab before testing the connection with Dashlane again.
Contact Support
Please contact our Support team if you encounter any issues or have questions about this process.