This feature is only available to organizations on a Dashlane Business plan.
You can integrate Dashlane with your Identity Provider using the self-hosted SSO configuration.
More about integrating Dashlane with your IdP
Dashlane will guide you through the steps to set up SSO with self-hosted SSO in the Admin Console. Follow these steps to start the process:
- Select the Dashlane D icon in your browser’s toolbar and enter your admin Master Password if prompted. In the extension pop-up, select More and then Open the Admin Console.
- Select Settings and then select Single sign-on.
- Select Set up self-hosted SSO.
Note: If you don’t want to set up SCIM and you only have one domain, consider setting up Dashlane Confidential SSO instead. The process is simpler. However, after you set up Confidential SSO, you can’t switch to self-hosted.
More about the difference between self-hosted and Confidential SSO
- For Encryption service settings, select Set up.
Set up your encryption service
The encryption service is a required component of Dashlane SCIM and SSO implementation. This article explains why Dashlane uses the encryption service and how you can set it up.
Overview
The encryption service can benefit your organization more than competitor solutions. End-to-end encryption and encrypted sharing keys require a necessary layer of security that SAML and SCIM don't provide out of the box. You can use the encryption service to seamlessly integrate Dashlane with these protocols while keeping the encryption keys secure and the experience intuitive for the plan members and admins.
Architecture
You can set up SCIM and SSO independently from one another, but we recommend configuring both for the best experience. The encryption service provides a user encryption key during login and a group encryption key during SCIM directory sync. We're currently in the process of updating all customers to the encryption service. To get enabled for the latest version, contact the Customer Support team.
Azure
Subscribe to Azure to set up the encryption service
If you want to use Azure to host your encryption service and don't have a subscription yet, this article will explain what plan you need and how to subscribe.
Note: E3 and E5 licenses from Microsoft Office 365 aren't Azure services licenses.
The subscription plan
We recommend subscribing to "Azure App Service Basic Plan - Linux - B1" to set up the encryption service. This plan costs $.018 per hour. Depending on your organization's usage, you can expect this to cost $8 to $14 per month.
Example of an invoice for an organization of 10 employees with a monthly cost of $8.63:
Subscribe to Azure
Once you complete these steps, you'll be ready to set up the encryption service.
- In Azure, type Subscriptions in the search bar and select Subscriptions.
- Select + Add.
- Select the Add a different type of subscription link.
Note: If you don't see this option, continue to the next step.
- Select offer for Pay-As-You-Go.
Note: If you want to pay annually or through a vendor, you can change your plan at any time.
- For the Subscription name, enter "Azure Subscription 1" and select Next.
Note: Enter your contact details instead, if prompted.
- Select Next, and then select Next again.
- Select Create.
You'll see Successfully created the subscription in your Azure Notifications.
Set up the encryption service in Azure
Estimated time to complete: 10 minutes
Access required:
- Dashlane admin account
- Azure admin account
To set up the service:
- In the Admin Console, follow the steps to start setting up self-hosted SSO.
Start setting up self-hosted SSO
- In the Where will you deploy the Encryption Service? menu, select Microsoft Azure. Your encryption service endpoint is generated automatically with your organization details.
- Select Generate and save to create your encryption service configuration.
- Once generated, select Copy to copy the configuration, and then select Go to service host to open the Azure template.
- In the Azure template, select Edit parameters.
- Select and delete all the current parameters.
- Paste the encryption service configuration you copied from the Dashlane Admin Console and select Save.
- Select a Subscription, select or create a new Resource group, and then select Next: Review + create.
Important: If the Subscription menu is blank or you don't subscribe to Azure, you need to subscribe to complete the encryption service setup. We recommend subscribing to "Azure App Service Basic Plan - Linux - B1". This plan costs $.018 per hour. Depending on your organization's usage, you can expect this to cost $8 to $14 per month. This subscription is different from an Azure Active Directory subscription.
- After you see a Validation Passed message, select Create.
After a few minutes, the deployment completes successfully.
Restart the Azure encryption service
If you're prompted to restart the Azure encryption service, follow these steps. If not prompted, you can skip these steps.
- Return to the Azure portal, select Resource groups, Overview, and then your new Dashlane app service.
- Select Restart to restart the App Service.
Your encryption service is running. You can now configure SAML-based SSO or SCIM provisioning with your Identity Provider.
AWS
Set up the encryption service in AWS
Estimated time to complete: 10 minutes
Access required:
- Dashlane admin account
- AWS admin account
To set up the service:
- In the Admin Console, follow the steps to start setting up self-hosted SSO.
Start setting up self-hosted SSO
- In the Where will you deploy the Encryption Service? menu, select AWS. Your encryption service endpoint is generated automatically with your organization details.
- Select Generate and save to create your encryption service configuration.
- Once generated, select Copy to copy the configuration and then Go to service host.
- Log in to the AWS portal and make sure the AWS region is "Virginia (US-East-1)" or "Ireland (EU-West-1)."
- Search AWS for "certificate manager" and select Certificate Manager from the search results.
- In the New ACM managed certificate section, select Request a certificate.
- Select Request a public certificate and then Next.
- In the Domain names section, paste your encryption service endpoint web address from the Dashlane Admin Console.
- In the Select validation method section, select DNS validation and then Request.
- Select the Certificate ID link.
- Select the icon to Copy the CNAME name and CNAME value.
- Log into your public DNS provider and create a new CNAME record under your domain name. The exact steps vary depending on your provider.
- For Type, select CNAME. For Host, paste the CNAME name you copied from the Certificate Manager. For Points to, paste the CNAME value you copied from the Certificate Manager.
- Select Save.
- Return to the AWS Certificate Manager and select the icon to Copy the ARN string. Paste it into an app like TextEdit for Mac or Notepad for Windows to save it for later.
Note: You must validate your certificate before you can move to the next steps and create a stack.
- Search AWS for "aws cloud formation" and select CloudFormation from the search results.
- In the Create stack menu, select With new resources (standard).
- Select Template is ready, enter the following Amazon S3 URL, and select Next:
https://s3.eu-west-1.amazonaws.com/public-cloudformation.dashlane.com/encryption-service/sam-app/template-latest.yaml
- Complete the following fields:
- For Stack name, name your stack with this format:
[YourCompanyName]-SSO-Connector
- For Certificate, paste the ARN string you saved from the Certificate Manager.
- For DomainName, paste the encryption service endpoint URL generated by the Dashlane Admin Console.
- Select Next.
- On the Configure stack options page, leave all settings as they are and select Next.
- Scroll to the Transforms might require access capabilities section, select all the checkboxes, and then select Create stack.
- This process may take several minutes. A CREATE_COMPLETE message appears when the stack has been created.
- After the stack has been created, select the Outputs tab and copy the CNAME Value.
- Log in to your public DNS provider and create a new CNAME record under your domain name.
- For the Type, select CNAME. For Host, paste the encryption service endpoint URL generated by the Dashlane Admin Console.
Example: For dashlanesso.dashlaneshop.com, paste the text dashlanesso.
- For Points to, paste the CNAME Value copied from the Outputs tab.
- Search in AWS for "secrets manager" and select Secrets Manager from the search results.
- Select your SSO connector Secret name.
- In the Secret value section, select Retrieve secret value.
- Select Edit.
- Return to the Single sign-on section of the Dashlane Admin Console, select Edit for Encryption Service settings, and Copy the encryption service configuration file.
- Return to AWS, select the Plaintext tab, paste the encryption service configuration file, and select Save.
Restart the AWS encryption service
If you're prompted to restart the AWS encryption service, follow these steps. If not, you can skip them.
- Return to the AWS Secrets Manager.
- Select Encryption Service, Retrieve Secrets Value, and then Edit.
- In the Edit secret value pop-up, select the Plaintext tab.
- In the Plaintext tab, add a space to the end of the value and then delete that space to trigger the option to save the secret again.
- Select Save.
Your encryption service is running. You can now configure SAML-based SSO or SCIM provisioning with your Identity Provider.
Set up your integration
Follow the steps for your Identity Provider to integrate with Dashlane. You can also check that provider's Help Center for more information on how to create a new SSO application:
Azure AD | ADFS | Okta | Google Workspace | JumpCloud
Note: ADFS and Google Workspace don’t support SCIM with Dashlane.
Azure
Time to complete: 10 minutes
Required Access:
- Dashlane Admin
- Azure AD admin
- Public DNS editor for domain verification
Dashlane offers deep integration with Azure AD, with the ability to integrate SSO with SAML, plan member sync, and group sync using SCIM. It is possible to do only SSO or only SCIM provisioning, but we recommend doing both for the best experience.
SSO setup
Copy the URL from the encryption service setup, open a new tab in your browser, and paste the URL into the address bar. A Dashlane page appears to confirm that the encryption service is set up.
Note: If this confirmation doesn't appear, make sure you completed the encryption service setup.
Select Back, and then Set up self-hosted or Continue setup, and then select Edit or Set up for SSO settings.
Enter your company e-mail domain and select Verify domain.
Note the hostname and TXT value you need to copy into your public DNS provider. Use the Copy buttons to copy the hostname and TXT Value.
In a new browser tab, navigate to your Public DNS provider and Add a TXT Record.
Paste the "Host Name" and TXT Value from the Dashlane Admin Console into the new TXT record, and click Save.
Once you've entered the record, wait a few minutes and in the Dashlane Admin Console, select Verify domain. Public DNS changes can take up to 24 hours, but most new records take 5 minutes or less. If it doesn't work the first time, wait a few minutes and select Verify domain again.
If you entered the record correctly, you see a green check next to the verified e-mail domain. Repeat the steps for any additional domains you want to enable for SSO that are part of your same SSO tenant. We currently do not support linking multiple SSO providers to a single Dashlane plan.
You will now build an Enterprise Application in Azure for your members to connect to.
In a new browser tab, navigate to the Azure Portal and search for or select Enterprise Applications.
Select New application.
Click Create your own application.
Name the Application Dashlane > select Integrate any other application you don't find in the gallery > Select Create.
Select Set up single sign-on.
Select the SAML tile.
Under Basic SAML Configuration, select Edit.
In your Dashlane Admin Console, use the copy button to copy the values from the Entity ID and the Assertion Consumer Service (ACS) URL from Dashlane to the Azure Enterprise application.
Paste the Entity ID from the Dashlane admin console to the Entity ID in the Azure Enterprise application.
Paste the Assertion Consumer URL from the Dashlane Admin Console to the corresponding field in Azure.
For the Sign on URL, enter "https://app.dashlane.com".
Delete the default URL.
Ensure the Entity ID URL ends in "/saml/" and the ACS URL ends in "callback", as shown in the image.
Select Save.
On the Azure Enterprise app under the SAML signing Certificate, click to Download Federation Metadata XML.
Open "Federation Metadata XML" in Notepad or plain text editor > select all, copy the contents.
Note: Don't open the XML in Safari, as it may break the XML formatting when you copy it.
Paste the Federation Metadata XML in console.dashlane.com > click Save changes.
Go to Enterprise Application in Azure > Users and Groups > Add the users or groups you want to have access to Dashlane SSO.
Once you've assigned users, you can test with any assigned user from the Dashlane Admin Console by selecting the Test connection. Use the Copy test URL to test the SSO connection from different locations, devices, and users.
If you've set up SSO as expected, you see the Success Message.
If you see an error message, contact Customer Support for assistance.
You can now Enable SSO by selecting the selector next to Enable SSO.
Once enabled, any non-admin Master Password member will be converted to an SSO member at the next login, at which time they will enter their Dashlane Password for the last time and then only be able to log in with SSO. Any new members invited to your Dashlane plan will never have a separate password. They will use only their SSO login.
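The Entity ID, the ACS URL, and the IdP metadata XML in the steps above are all copied by hand, and a damaged paste only shows up later at Test connection. The following Python pre-flight check is an added example, not Dashlane's code: it checks the URL endings named above and parses the metadata, returning the SHA-256 fingerprint of each signing certificate. The sample URLs, metadata, and "certificate" bytes are constructed, and requiring https is an assumption.

```python
"""Pre-flight checks for SAML values copied during SSO setup (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def check_sp_urls(entity_id, acs_url):
    """Return a list of problems with the two values copied from Dashlane."""
    problems = []
    for label, value, suffix in (("Entity ID", entity_id, "/saml/"),
                                 ("ACS URL", acs_url, "callback")):
        if value != value.strip():
            problems.append(f"{label}: leading or trailing whitespace")
        parts = urlsplit(value.strip())
        # Assumption: both values are absolute https URLs.
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{label}: not an absolute https URL")
        if not parts.path.endswith(suffix):
            problems.append(f"{label}: path does not end in {suffix!r}")
    return problems


def inspect_idp_metadata(xml_text):
    """Parse pasted IdP metadata; raise ValueError if it is not usable."""
    text = xml_text.lstrip("\ufeff").strip()
    # Metadata never needs a DTD; refusing one avoids entity-expansion tricks.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("metadata must not declare a DOCTYPE or entities")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:  # typical result of a truncated copy/paste
        raise ValueError(f"metadata is not well-formed XML: {exc}") from exc
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    locations = [s.get("Location", "")
                 for s in idp.findall(f"{{{MD}}}SingleSignOnService")]
    if not locations or any(not u.startswith("https://") for u in locations):
        raise ValueError("missing or non-https SingleSignOnService Location")
    fingerprints = []
    for key in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if key.get("use", "signing") != "signing":
            continue  # skip encryption-only keys
        for cert in key.iter(f"{{{DS}}}X509Certificate"):
            # validate=True rejects characters a broken paste may introduce
            der = base64.b64decode("".join((cert.text or "").split()),
                                   validate=True)
            if not der:
                raise ValueError("empty X509Certificate element")
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        raise ValueError("no signing certificate in IDPSSODescriptor")
    return {"entity_id": root.get("entityID"),
            "sso_locations": locations,
            "signing_sha256": fingerprints}


# Constructed sample input: placeholder bytes, not a real X.509 certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.com/metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>
        {base64.b64encode(SAMPLE_DER).decode()}
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://idp.example.com/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(check_sp_urls("https://sso.example.com/saml/",
                        "https://sso.example.com/saml/callback"))
    print(inspect_idp_metadata(SAMPLE_METADATA))
```

Run it on the text you are about to paste, and compare the reported fingerprint with the SHA-256 fingerprint of the signing certificate downloaded from your IdP.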
SCIM Provisioning Setup
Log in to the Dashlane Admin Console and select Settings > Directory Sync > SCIM Provisioning > Set up.
Select Generate Token.
Enable the switch for Allow the Encryption Service to sync directory.
In Azure, navigate back to your Dashlane Enterprise Application (or create a new one by following the steps of the SSO section.)
Select Provisioning > Get Started.
Copy the tenant URL and the secret token from the Dashlane Admin Console and paste them into the corresponding fields in Azure.
Acknowledge the message to restart the encryption service one last time. We will do this next.
In the Azure Portal, navigate to your resource group to find your SSO/SCIM connector encryption service web app service.
Select Restart.
You can check that your SCIM service has been enabled by opening the Log Stream of your Dashlane encryption service.
In Azure, go back to Enterprise Apps > select Dashlane App > select Properties in the Navigation Pane > ensure Assignment is turned on.
Go to Enterprise Application in Azure > Users and Groups > Add the users or groups you would like to sync with SCIM (if not already done in the SSO section).
Provisioning > Start Provisioning > Edit Provisioning.
Set Provisioning Status to On and select Save.
Any members you add to the groups you selected will be added automatically to your Dashlane plan.
Okta
As an admin, you can set up Okta single sign-on (SSO) for your plan members with SAML. You can further control your SSO integration by syncing it with your Identity Provider’s directory of plan members and groups with SCIM.
We recommend setting up both SSO and SCIM at the same time to get the full benefits of both.
Time to complete: 15 minutes
Required Access
- Dashlane admin account
- Okta admin account
- Public DNS editor for domain verification
Set up SSO
- Copy the URL from the encryption service setup, open a new tab in your browser, and paste the URL into the address bar. A Dashlane page appears to confirm that the encryption service is set up.
Note: If this confirmation doesn't appear, make sure you completed the encryption service setup.
- Select Back, and then Set up self-hosted or Continue setup, and then select Edit or Set up for SSO settings.
- Enter your company e-mail domain and select Verify domain. Notice the copy buttons you will use to copy the hostname and TXT values to your public DNS provider.
- Go to your Public DNS provider account and create a new TXT record. The exact steps vary depending on your provider.
- Return to the Dashlane Admin Console, copy the HOSTNAME and TXT VALUE, and paste this information into the new TXT record you created in your Public DNS provider.
- Wait a few minutes for the DNS record to be replicated throughout the internet and select Verify domain. A green checkmark appears to verify your company email domain. Public DNS changes can take up to 24 hours, but most new records take 5 minutes or less.
- Repeat the same steps to add more company email domains.
Note: You can’t link multiple SSO providers to a single Dashlane plan.
- Navigate to your Okta Admin Console and select Applications, select Applications again and then Create App Integration.
- On the Create a new app integration page, select SAML 2.0 and then Next.
- Download a Dashlane logo for the application display if you'd like.
- On the Create SAML Integration screen, enter "Dashlane" for the app name, upload a logo, and select Next.
- From the Dashlane Admin Console, copy the text to the corresponding entries in the Okta app. Copy the Assertion Consumer Service URL to Single sign on URL in Okta. Copy Entity ID to Audience URI (SP Entity ID) in Okta.
- In Okta, verify that the Single sign-on URL ends in "/callback" and the Audience URI ends in "/saml/". All other fields can be left alone unless you have a custom configuration that you know to be different.
- Scroll to the bottom of the page and select Next.
- In the Help Okta Support page, select I'm an Okta customer adding an internal app and then Finish.
- In Okta, on the Dashlane SAML app that was just created, select Sign On, and then in Settings, select Edit.
- To access your XML metadata, select View Setup Instructions in the SAML 2.0 section.
- In the Optional section, select and copy all of your IDP metadata.
- In the Dashlane Admin Console, paste the XML data and select Save changes.
- Go to https://portal.azure.com and select Restart to restart your Azure encryption service.
- Go to the Dashlane app in the Okta Admin Console and select Assignments and then Assign.
- Select Assign to People or Assign to Groups and assign to test.
- In the Test the SSO connection section in Dashlane, select Test connection for any of the groups or people you assigned. Select Copy test URL to test the SSO connection from different locations, devices, and members.
A success message will tell you if SSO was set up as expected.
If you see an error message, contact us.
- Turn on the Enable SSO setting.
Once enabled, all non-admin plan members are converted to SSO members the next time they log in. They'll enter their Master Password for the last time and use SSO going forward.
Any new members invited to your Dashlane plan will never have a Master Password and will only use their SSO to log in.
All members who use SSO will be automatically redirected to the SSO login flow.
Set up directory sync using SCIM
- Go to the SSO setup section and set up a new Dashlane Application in Okta.
- In your Dashlane application in Okta, select Edit, select the check box to Enable SCIM provisioning and select Save.
- Log in to the Dashlane Admin Console and select Settings, Directory Sync, SCIM Provisioning, and then Set up.
- Select Generate Token.
- Turn on Allow the Encryption Service to sync directory and Save changes.
- Restart your Dashlane encryption service in Azure to enable the changes for SCIM enablement.
- In the Okta Dashlane app, select the Provisioning tab, select Edit, and copy the SCIM values from the Dashlane Admin Console to the Okta text fields.
- For SCIM connector base URL, copy and paste the URL from Dashlane.
- In the Unique identifier field for users field, enter "email".
- Enable all the Supported provisioning methods.
- For Authentication Mode, select HTTP Header.
- For Authorization, copy and paste the SCIM token from Dashlane into the Bearer field.
- Select Test Connector Configuration. You should receive a successful test.
- Save the configuration.
- In the Provisioning tab, select Settings, To App, and Edit.
- Enable Create Users, Update User Attributes, Deactivate Users, and select Save.
After you complete the SSO setup, all non-admin plan members will use SSO the next time they log in. This includes any new people added to your plan and anyone already using SSO.
If you have questions or need help, contact us.
JumpCloud
As an admin, you can set up JumpCloud single sign-on (SSO) for your plan members with SAML. You can further control your SSO integration by syncing it with your Identity Provider’s directory of plan members and groups with SCIM.
We recommend setting up both SSO and SCIM at the same time to get the full benefits of both.
Before you start
Open and log in to these platforms with your admin accounts:
- The Dashlane Admin Console
- The JumpCloud Admin Console
- Your Public DNS provider account
- Your encryption service account—Azure or AWS
Time to complete SSO and SCIM setup: 15 minutes
Set up SSO
- Copy the URL from the encryption service setup, open a new tab in your browser, and paste the URL into the address bar. A Dashlane page appears to confirm that the encryption service is set up.
Note: If this confirmation doesn't appear, make sure you completed the encryption service setup.
- Log in to the JumpCloud Admin Console, select the USER AUTHENTICATION drop-down list, and select SSO.
- Select + to create a new application.
- Select Custom SAML App.
- In the General Info tab, enter "Dashlane" for the Display Label, and select activate.
- Open the Dashlane Admin Console, select Settings, Single sign-on, Set up self-hosted SSO, and select Edit or Set up.
- In the Verify your company email domain section, enter your company email domain and then select Add domain to see the new HOSTNAME and TXT VALUE.
- Go to your Public DNS provider account and create a new TXT record. The exact steps vary depending on your provider.
- Return to the Dashlane Admin Console, Copy the HOSTNAME and TXT VALUE, and paste this information into the new TXT record you created in your Public DNS provider. Save your changes.
- Return to the Dashlane Admin Console, and in the Verify your company email domain section, select Verify next to your company's domain name.
- Wait a few minutes for the DNS record to be replicated throughout the internet. A green checkmark appears to verify your company email domain. In rare cases, it could take up to 24 hours. Continue to select Verify until the green checkmark appears.
- Repeat the steps to add more company email domains.
Note: You can’t link multiple SSO providers to a single Dashlane plan.
- Select the Copy icon to copy the ENTITY ID, return to the JumpCloud Admin Console, select the SSO tab, and paste that information into IdP Entity ID and SP Entity ID. Then, copy the Assertion Consumer Service URL from Dashlane and paste it into ACS URL in JumpCloud.
- Select email in the SAMLSubject NameID drop-down list.
- For Login URL, enter "https://app.dashlane.com".
- Select the User Groups tab, add All Users or search and add specific groups and members, and select activate.
- Select continue to Please confirm your new SSO connector instance.
- Select Dashlane, which appears in the Name column.
- Select the SSO tab and select Export Metadata to download a copy of the metadata.
- Open the XML metadata file that was downloaded to your computer in an application like TextEdit for Mac or Notepad for Windows.
- Select all and copy the contents of the XML file.
- Return to the Dashlane Admin Console, paste the contents of the XML file into the Add identity provider metadata section, and select Save changes.
- Return to the JumpCloud Admin Console, select the USER MANAGEMENT drop-down list, User Groups, and All Users or search and add specific groups and members.
- Select the Applications tab, Dashlane checkbox, and save.
- Select the Users tab, the checkboxes for the Name of each person you want to add, and save.
- In the Test the SSO connection section in Dashlane, select Test connection for any of the groups or people you assigned. A SUCCESS message appears if SSO was set up as expected. To test with an individual member, select Copy test URL and send it to that member to open. That member enters their SSO Email and Password. If MFA is enabled, the member also logs into that.
Note: As an admin, you can't test the SSO connection yourself because you will continue to use your Master Password and not SSO.
- When you're ready to enable, return to the Dashlane Admin Console and select Enable SSO.
Once enabled, all non-admin plan members are converted to SSO members the next time they log in. Members enter their Master Password for the last time and use SSO going forward.
Any new members invited to your Dashlane plan won't have a Master Password and will only use their SSO to log in.
All members who use SSO are automatically redirected to the SSO login flow.
Set up SCIM
After you complete the SCIM setup, anyone you add to a group in your Identity Provider is automatically invited to your Dashlane plan.
- Open the Dashlane Admin Console, select Settings, Directory Sync, and in the SCIM provisioning settings section, select Set up.
- Select Generate token, turn on Allow the Encryption Service to sync directory, and select Save changes.
- Select the Copy icon to copy the SCIM API token and the SCIM endpoint.
- Open the JumpCloud Admin Console, select the USER AUTHENTICATION drop-down list, and select SSO.
- Select Dashlane, the Identity Management tab, and select SCIM 2.0 if it isn't selected already.
- For Base URL, paste the SCIM endpoint from Dashlane. For Token Key, paste the SCIM API token from Dashlane and save.
ADFS
With Dashlane's single sign-on (SSO) feature, members can sign in to Dashlane with their SSO login instead of a Master Password. This article shows you how to set up SSO with an on-premise—or cloud-hosted—ADFS infrastructure.
Before you start
Open and log in to these platforms with your admin accounts:
- The Dashlane Admin Console
- The ADFS administrator console
- Your Public DNS provider account
- Your encryption service account—Azure or AWS
Time to complete SSO setup: 15 minutes
Set up SSO
To set up SSO, complete these steps:
Step 1: Test your encryption service
- Copy the URL from the encryption service setup, open a new tab in your browser, and paste the URL into the address bar. A Dashlane page appears to confirm that the encryption service is set up.
Note: If this confirmation doesn't appear, make sure you completed the encryption service setup.
Step 2: Verify your company domain with your DNS Provider
- Select the Dashlane D icon in your browser’s toolbar and enter your admin Master Password if prompted. In the extension pop-up, select More and then Open the Admin Console.
- In the Dashlane Admin Console, select Settings, Single sign-on, Set up self-hosted SSO, and then Edit or Set up, depending on what you see for Encryption service settings.
- In the Verify your company email domain section, enter your company email domain and select Verify to see the new HOSTNAME and TXT VALUE.
- Navigate to your Public DNS provider's console and account and create a new TXT record.
- Return to the Dashlane Admin Console and copy the HOSTNAME and TXT VALUE and paste this information into the new TXT record you created in your Public DNS provider. Select the Copy icon to copy the information.
- Paste the information into a new TXT record in your public DNS provider. You may need to consult your DNS provider's documentation for specific steps.
- Wait a few minutes for the DNS record to be replicated throughout the internet, and then select Verify domain. A green checkmark appears to verify your company email domain.
- Confirm that you now have a green check next to your domain, which indicates it has been verified.
- Repeat the steps to add more company email domains.
Note: You can link multiple domains, but they all need to be on the same SSO provider tenant.
Step 3: Set up ADFS to connect to SSO
- Navigate to the SAML SSO section of the Settings tab in the Dashlane Admin Console.
- Copy and paste the SAML metadata of ADFS into the Enter the identity provider metadata here field. If you need help finding the metadata, go to your ADFS metadata URL where "ADFSName.Domain.com" is the URL of your ADFS server or farm.
https://ADFSName.Domain.com/FederationMetadata/2007-06/FederationMetadata.xml
You can also use Microsoft's tool to download your Federation Metadata Document.
- Paste the ADFS metadata into the Dashlane Admin Console.
Step 4: Configure ADFS
- To configure ADFS, you need the SAML metadata from the encryption service. To find your SAML URL, go to the Dashlane Admin Console, select Single Sign-on in the menu. In the Settings section, go to the Entity ID.
- Enter the Entity ID URL in your browser to download a local copy of the SAML metadata.
- Open the ADFS Management Console and select Add Relying Party Trust.
- In the drop-down menu, select Claims aware and then select Start.
- Select Import data about the relying party from a file and select Browse to select your SSO Connector's metadata XML file. Then, select Next.
- Type "Dashlane Encryption Service" as the display name and select Next.
- Select your access control policy and select Next. This will vary based on your company's security policies. In this example, access is granted to everyone.
- Review the relying party trust, select Next, and then select Close. The new trust is created.
- Allow the Dashlane SSO Connector to retrieve the member's email address from ADFS. Select the newly created Relying Party Trust. If you don't see it, select Relying Party Trusts in the left sidebar. Then, select Edit Claim Issuance Policy.
- Select Add Rule.
- In the Claim rule template drop-down menu, select Transform an incoming claim and select Next.
- Set the Claim rule name field to "Send Email as Name ID."
- Set Incoming claim type to "UPN."
- Set Outgoing claim type to "Name ID."
- Set Outgoing name ID format to "Email."
- Select Finish.
Step 5: Test and enable SSO
- After members are assigned, you can test with an assigned member from the Dashlane Admin Console. Select Test connection. Use the Copy test URL to test the SSO connection from different locations, devices, and members.
If SSO is set up as expected, the success message appears.
If you see an error message, contact Customer Support for assistance.
Contact us
- When you're ready to enable, return to the Dashlane Admin Console and select Enable SSO.
Once enabled, all non-admin plan members are converted to SSO members the next time they log in. Members enter their Master Password for the last time and use SSO going forward.
Any new members invited to your Dashlane plan won't have a Master Password and will only use their SSO to log in.
All members who use SSO are automatically redirected to the SSO login flow.
You can continue with your AD integration by configuring Active Directory sync for automated onboarding and offboarding of members based on their AD account status.
Google Workspace
As an admin, you can set up Google Workspace single sign-on (SSO) for your plan members with SAML.
Before you start
Open and log in to these platforms with your admin accounts:
- The Dashlane Admin Console
- The Google Workspace Admin Console
- Your Public DNS provider account
- Your Encryption Service account—Azure or AWS
Time to complete SSO setup: 15 minutes
Set up SSO
- Copy the URL from the encryption service setup, open a new tab in your browser, and paste the URL into the address bar. A Dashlane page appears to confirm that the encryption service is set up.
Note: If this confirmation doesn't appear, make sure you completed the encryption service setup.
- Open the Dashlane Admin Console, select Settings, Single sign-on, Set up self-hosted SSO and Edit or Set up.
- In the Verify your company email domain section, enter your company email domain and then select Add domain to see the new HOSTNAME and TXT VALUE.
- Go to your Public DNS provider account and create a new TXT record. The exact steps vary depending on your provider.
- Return to the Dashlane Admin Console, copy the HOSTNAME and TXT VALUE, and paste this information into the new TXT record you created in your Public DNS provider. Save your changes.
- In the Verify your company email domain section, select Verify next to your company's domain name.
- Wait a few minutes for the DNS record to be replicated throughout the internet. A green checkmark appears to verify your company email domain. In rare cases, it could take up to 24 hours. Continue to select Verify until the green checkmark appears.
- Repeat the steps to add more company email domains.
Note: You can’t link multiple SSO providers to a single Dashlane plan.
- Open the Google Workspace Admin Console, select the Apps drop-down list and then Web and mobile apps.
- Select the Add app drop-down list and then Add custom SAML app.
- In the App details page, enter "Dashlane" for App name, "Dashlane SSO" for Description, and upload the Dashlane logo for the App icon.
- Select CONTINUE.
- Select CONTINUE again to confirm the Google Identity Provider details page.
- Select the Copy icon to copy the Entity ID, return to the Google Workspace Admin Console and paste it into the Entity ID section. Then, copy the Assertion Consumer Service URL from Dashlane and paste it into the ACS URL section in the Google Workspace Admin Console.
- Select CONTINUE.
- Select FINISH.
- In the Dashlane app you just created in Google Workspace, select OFF for everyone in the User access section.
- In the Service status section, select ON for everyone and then SAVE.
- Select DOWNLOAD METADATA.
- Select DOWNLOAD METADATA again.
- Open the XML metadata file that was downloaded to your computer in an application like TextEdit for Mac or Notepad for Windows.
- Select all and copy the contents of the XML file.
- Return to the Dashlane Admin Console, paste the contents of the XML file into the Add identity provider metadata section and select Save changes.
- In the Test the SSO connection section in Dashlane, select Test connection for any of the groups or people you assigned, including yourself. A SUCCESS message appears if SSO was set up as expected. To test with an individual member, select Copy test URL and send it to that member to open. That member enters their SSO Email and Password. If MFA is enabled, the member also completes the MFA step.
- When you're ready to enable SSO, return to the Dashlane Admin Console and select Enable SSO.
Once enabled, all non-admin plan members are converted to SSO members the next time they log in. Members enter their Master Password for the last time and use SSO going forward.
Any new members invited to your Dashlane plan won't have a Master Password and will only use their SSO to log in.
All members who use SSO are automatically redirected to the SSO login flow.
Note: After you set up SCIM, we recommend that you continue to use it to create and manage groups in Dashlane. There is a way to create and manage groups in the Dashlane Admin Console, but this won’t sync with IdP or SCIM.
FAQ about self-hosted SSO
What does self-hosted mean?
You have two configuration options when you integrate Dashlane with your Identity Provider: Dashlane Confidential SSO and self-hosted SSO. Your choice depends on how you want to set up your encryption service, which is an added layer of security that we require for SSO.
With the self-hosted option, admins set up and manage their own encryption service.
More about the difference between self-hosted and Confidential SSO
Can I switch to Dashlane Confidential SSO after I set up self-hosted?
You can’t switch to Confidential SSO after you set up self-hosted. Before setting up Confidential SSO, make sure it meets your organization’s needs.
More about the difference between self-hosted and Confidential SSO
Troubleshooting for self-hosted SSO
I got an “Application with identified was not found in the directory” error
Microsoft will stop supporting the Azure feature Automation Run As Accounts in September 2023. If you created your Dashlane encryption service with Azure before September 14, 2022, you'll need to edit the configuration to keep the service working properly.
Edit your configuration for Microsoft's update to Azure automation accounts
More about the Microsoft update
You need to take two steps to update the encryption service with Azure. First, update the Health Check path for the app service. Then delete the respective automation account and runbooks.
Note: Depending on the original settings of the encryption service, you might not have an automation account and runbooks linked to the Dashlane resource group. If that’s the case, you'll only need to update the Health Check path for the app service.
Step 1: Update the Health Check path
- Go to the Azure console and select Resource Groups.
- Select the Dashlane resource group.
- Select the app service.
- In the Monitoring section, select Health Check.
- Update the Path to "/azureHealthCheck".
- Select Save.
Step 2: Delete the Azure automation account and runbooks
- Go to the Azure console and select Resource Groups.
- Select the Dashlane resource group.
- Select the Automation Account.
- Select Delete.
- Return to the Dashlane resource group and select the Runbook.
- Select Delete.