If you want to use Azure to host your encryption service, you need to subscribe to Azure if you haven't already. We recommend subscribing to "Azure App Service Basic Plan - Linux - B1" to set up the encryption service. This plan costs $.018 per hour. Depending on your organization's usage, you can expect this to cost $8 to $14 per month.

Note: E3 and E5 licenses from Microsoft Office 365 aren't Azure services licenses.

1. In Azure, type Subscriptions in the search bar and select Subscriptions.

   

2. Select + Add.

   

3. Select the Add a different type of subscription link.

   Note: If you don't see this option, continue to the next step.

   

4. Select Select offer for Pay-As-You-Go.
   

   Note: If you want to pay annually or through a vendor, you can change your plan at any time.

   

5. For the Subscription name, enter "Azure Subscription 1" and select Next.

   Note: Enter your contact details instead, if prompted.

   

6. Select Next, and then select Next again.
7. Select Create. You'll see Successfully created the subscription in your Azure Notifications.

   

Example of an invoice for Azure App Service Basic Plan - Linux - B1 for an organization of 10 employees with a monthly cost of $8.63:

1. Select the Dashlane D icon in your browser’s toolbar and enter your admin Master Password if prompted. In the extension pop-up, select More and then Open the Admin Console.
2. In the Integrations section of the side menu, select Single sign-on.
3. Select Set up self-hosted SSO.
4. For Encryption service settings, select Set up.
5. In the Where will you deploy the Encryption Service? menu, select Microsoft Azure. Your encryption service endpoint is generated automatically with your organization details.

   

6. Select Generate and save to create your encryption service configuration.

   

7. Once generated, select Copy to copy the configuration, and then select Go to service host to open the Azure template. If Go to service host doesn't take you to the Azure template, you can use this link instead:
   Azure template

   

8. In the Azure template, select Edit parameters.

   

9. Select and delete all the current parameters.

   

10. Paste the encryption service configuration you copied from the Dashlane Admin Console and select Save.

    

11. Select a Subscription, select or create a new Resource group, and then select Next: Review + create.

    

    Important: If the Subscription menu is blank or you don't subscribe to Azure, you need to subscribe to complete the encryption service setup. We recommend subscribing to "Azure App Service Basic Plan - Linux - B1". This plan costs $.018 per hour. Depending on your organization's usage, you can expect this to cost $8 to $14 per month. This subscription is different from a Microsoft Entra ID subscription.

    Subscribe to Azure to set up the encryption service

12. After you see a Validation Passed message, select Create.

    

After a few minutes, the deployment completes successfully.

1. Select the Dashlane D icon in your browser’s toolbar and enter your admin Master Password if prompted. In the extension pop-up, select More and then Open the Admin Console.
2. In the Integrations section of the side menu, select Single sign-on.
3. Select Set up self-hosted SSO.
4. For Encryption service settings, select Set up.
5. In the Where will you deploy the Encryption Service? menu, select AWS. Your encryption service endpoint is generated automatically with your organization details.
6. Select Generate and save to create your encryption service configuration.
7. Once generated, select Copy to copy the configuration and then Go to service host.

   

8. Log in to the AWS portal and make sure the AWS region is "Virginia (US-East-1)" or "Ireland (EU-West-1)."
9. Search AWS for "certificate manager" and select Certificate Manager from the search results.
10. In the New ACM managed certificate section, select Request a certificate.

    

11. Select Request a public certificate and then Next.

    

12. In the Domain names section, paste your encryption service endpoint web address from the Dashlane Admin Console.
13. In the Select validation method section, select DNS validation and then Request.

    

14. Select the Certificate ID link.

    

15. Select the icon to Copy the CNAME name and CNAME value.

    

16. Log into your public DNS provider and create a new CNAME record under your domain name. The exact steps vary depending on your provider.
17. For Type, select CNAME. For Host, paste the CNAME name you copied from the Certificate Manager. For Points to, paste the CNAME value you copied from the Certificate Manager.
18. Select Save.

    

19. Return to the AWS Certificate Manager and select the icon to Copy the ARN string. Paste it into an app like TextEdit for Mac or Notepad for Windows to save it for later.

    Note: You must validate your certificate before you can move to the next steps and create a stack.

    

20. Search AWS for "aws cloud formation" and select CloudFormation from the search results.

    

21. In the Create stack menu, select With new resources (standard).

    

22. Select Template is ready, enter the following Amazon S3 URL, and select Next:
    https://s3.eu-west-1.amazonaws.com/public-cloudformation.dashlane.com/encryption-service/sam-app/template-latest.yaml
    
23. Complete the following fields:
    • For Stack name, name your stack with this format: [YourCompanyName]-SSO-Connector
    • For Certificate, paste the ARN string you saved from the Certificate Manager.
    • For DomainName, paste the encryption service endpoint URL generated by the Dashlane Admin Console.
24. Select Next.
25. On the Configure stack options page, leave all settings as they are and select Next.

    

26. Scroll to the Transforms might require access capabilities section, select all the checkboxes, and then select Create stack.

    

27. This process may take several minutes. A CREATE_COMPLETE message appears when the stack has been created.

    

28. After the stack has been created, select the Outputs tab and copy the CNAME Value.

    

29. Log in to your public DNS provider and create a new CNAME record under your domain name.
30. For the Type, select CNAME. For Host, paste the encryption service endpoint URL generated by the Dashlane Admin Console.

    Example: For dashlanesso.dashlaneshop.com, paste the text dashlanesso.

31. For Points to, paste the CNAME Value copied from the Outputs tab.

    

32. Search in AWS for "secrets manager" and select Secrets Manager from the search results.

    

33. Select your SSO connector Secret name.

    

34. In the Secret value section, select Retrieve secret value.

    

35. Select Edit.

    

36. Return to the Single sign-on section of the Dashlane Admin Console, select Edit for Encryption Service settings, and Copy the encryption service configuration file.
37. Return to AWS, select the Plaintext tab, paste the encryption service configuration file, and select Save.

    

1. Copy the URL from the encryption service setup, open a new tab in your browser, and paste the URL into the address bar. A Dashlane page appears to confirm that the encryption service is set up.

   Note: If this confirmation doesn't appear, make sure you completed the encryption service setup.

   

   

2. Go to the setup page in the Admin Console for self-hosted SSO by selecting Single sign-on and then Set up self-hosted SSO, or Continue setup if you already started. If you’re still in the Encryption service settings, select Back or Close to return to the self-hosted SSO setup page.
3. For SSO settings, select Set up. If you previously started the setup, you’ll select Edit instead.
4. Enter your company e-mail domain and select Verify domain.
5. Note the hostname and TXT value you need to copy into your public DNS provider. Use the Copy buttons to copy the hostname and TXT Value.
6. In a new browser tab, navigate to your Public DNS provider and Add a TXT Record.

   

7. Paste the "Host Name" and TXT Value from the Dashlane Admin Console into the new TXT record, and click Save.

   

8. Once you've entered the record, wait a few minutes and in the Dashlane Admin Console, select Verify domain. Public DNS changes can take up to 24 hours, but most new records take 5 minutes or less. If it doesn't work the first time, wait a few minutes and select Verify domain again.

   

9. After the domain is verified, you’ll see a green checkmark. Repeat the steps for any additional domains you want to enable for SSO that are part of your same SSO tenant. We currently don't support linking multiple SSO providers to a single Dashlane plan.
10. If you want, you can turn on Just In Time Provisioning to automatically add any employee with your verified domains at their first login attempt.
    Before you turn on Just in Time Provisioning, make sure your plan members have already been added to the Dashlane SAML application in your IdP. After you turn it on, they can install the Dashlane browser extension and create their account. If your plan is out of seats, the member won’t be able to log in until you buy more seats.
    Buy more seats for your plan
11. You will now build an Enterprise Application in Azure for your members to connect to.

    In a new browser tab, navigate to the Azure Portal and search for or select Enterprise Applications.

    

12. Select New application.
13. Click Create your own application.

    

14. Name the Application Dashlane > select Integrate any other application you don't find in the gallery > Select Create.

    

15. Select Set up single sign-on.

    

16. Select the SAML tile.

    

17. Under Basic SAML Configuration, select Edit.

    

18. In your Dashlane Admin Console, use the copy button to copy the values from the Entity ID and the Assertion Consumer Service (ACS) URL from Dashlane to the Azure Enterprise application.

    

19. Paste the Entity ID from the Dashlane admin console to the Entity ID in the Azure Enterprise application.
20. Paste the Assertion Consumer URL from the Dashlane Admin Console to the corresponding field in Azure.
21. For the Sign on URL, enter "https://app.dashlane.com".
22. Delete the default URL.
23. Ensure the Entity ID URL ends in "/saml/" and the ACS URL ends in "callback", as shown in the image.
24. Select Save.

    

25. On the Azure Enterprise app under the SAML signing Certificate, click to Download Federation Metadata XML.

    

26. Open "Federation Metadata XML" in Notepad or plain text editor > select all, copy the contents.
27. *Do not open the XML using Safari as it may break the format for the XML when copying.

    

28. Paste the Federation Metadata XML in console.dashlane.com > click Save changes.

    

29. Go to Enterprise Application in Azure > Users and Groups > Add the users or groups you want to have access to Dashlane SSO.

    

30. After you’ve assigned users, you can test the connection by selecting the Test Connection button. If you're logged in as the admin of your IdP account, you might not be able to use the Test Connection button. Instead, you can open a different browser profile, copy the test URL into the new browser, and test SSO using a member's account that you've assigned to the Dashlane SAML application.
    

    

31. If you've set up SSO as expected, you see the Success Message. 

    

32. If you see an error message, you can open a ticket through our support chatbot. Open the chatbot by selecting the Chat with bot icon, shown as a speech bubble, at the bottom of any Help Center page. In the chatbot, follow the prompts and briefly describe your issue.

    Learn how to use our support chatbot

33. You can now Enable SSO by selecting the selector next to Enable SSO.

Once enabled, any non-admin Master Password member will be converted to an SSO member at the next login, at which time they will enter their Dashlane Password for the last time and only be able to login with SSO.

Any new members invited to your Dashlane plan will never have a separate password. They will use only their SSO login.

1. Log in to the Dashlane Admin Console and select Integrations, Provisioning, and Set up for Self-hosted Provisioning. If this option is grayed out and not available, you either need to set up self-hosted SSO first or you already set up Confidential SSO, SCIM, or Active Directory.

   

2. Select Generate Token.
3. Enable the switch for Allow the Encryption Service to sync directory.
4. In Azure, navigate back to your Dashlane Enterprise Application (or create a new one by following the steps of the SSO section.)

   

5. Select Provisioning > Get Started.

   

6. Copy the tenant URL and the secret token from the Dashlane Admin Console and paste them into the corresponding fields in Azure.

   

7. Acknowledge the message to restart the encryption service one last time. We will do this next.
8. In the Azure Portal, navigate to your resource group to find your SSO/SCIM connector encryption service web app service.

   

9. Select Restart.

   

10. You can check that your SCIM service has been enabled by opening the Log Stream of your Dashlane encryption service.

    

11. In Azure, go back to Enterprise Apps > select Dashlane App > select Properties in the Navigation Pane > ensure Assignment is turned on.

    

12. Go to Enterprise Application in Azure > Users and Groups > Add the users or groups you would like to sync with SCIM (if not already done in the SSO section).

    

13. Provisioning > Start Provisioning > Edit Provisioning.

    

14. Set Provisioning Status to On and select Save.

    

Any members you add to the groups you selected will be added automatically to your Dashlane plan.

1. Copy the URL from the encryption service setup, open a new tab in your browser, and paste the URL into the address bar. A Dashlane page appears to confirm that the encryption service is set up.

   Note: If this confirmation doesn't appear, make sure you completed the encryption service setup.

   

   

2. Go to the setup page in the Admin Console for self-hosted SSO by selecting Single sign-on and then Set up self-hosted SSO, or Continue setup if you already started. If you’re still in the Encryption service settings, select Back or Close to return to the self-hosted SSO setup page.
3. For SSO settings, select Set up. If you previously started the setup, you’ll select Edit instead.
4. Enter your company e-mail domain and select Verify domain. Notice the copy buttons you will use to copy the hostname and TXT values to your public DNS provider.
5. Go to your Public DNS provider account and create a new TXT record. The exact steps vary depending on your provider.

   

6. Return to the Dashlane Admin Console and copy the HOSTNAME TXT VALUE and paste this information into the new TXT record you created in your Public DNS provider.

   

7. Wait a few minutes for the DNS record to be replicated throughout the internet and select Verify domain. A green checkmark appears to verify your company email domain. Public DNS changes can take up to 24 hours, but most new records take 5 minutes or less.

   

8. Repeat the same steps to add more company email domains.

   Note: You can’t link multiple SSO providers to a single Dashlane plan.

9. If you want, you can turn on Just In Time Provisioning to automatically add any employee with your verified domains at their first login attempt.
   Before you turn on Just in Time Provisioning, make sure your plan members have already been added to the Dashlane SAML application in your IdP. After you turn it on, they can install the Dashlane browser extension and create their account. If your plan is out of seats, the member won’t be able to log in until you buy more seats.
   Buy more seats for your plan
10. Navigate to your Okta Admin Console and select Applications, select Applications again and then Create App Integration.

    

11. On the Create a new app integration page, select SAML 2.0 and then Next.

    

12. Download a Dashlane logo for the application display if you'd like.

    

    

13. On the Create SAML Integration screen, enter "Dashlane" for the app name, upload a logo, and select Next.

    

14. From the Dashlane Admin Console, copy the text to the corresponding entries in the Okta app. Copy the Assertion Consumer Service URL to Single sign on URL in Okta. Copy Entity ID to Audience URI (SP Entity ID) in Okta.

    

15. In Okta, verify that the Single sign-on URL ends in "/callback" and the Audience URI ends in "/saml/". All other fields can be left alone unless you have a custom configuration that you know to be different.

    

16. Scroll to the bottom of the page and select Next.
17. In the Help Okta Support page, select I'm an Okta customer adding an internal app and then Finish.

    

18. In Okta, on the Dashlane SAML app that was just created, select Sign On, and then in Settings, select Edit.

    

19. To access your XML metadata, select View Setup Instructions in the SAML 2.0 section.

    

20. In the Optional section, select and copy all of your IDP metadata.

    

21. In the Dashlane Admin Console, paste the XML data and select Save changes.

    

22. Go to https://portal.azure.com and select Restart to restart your Azure encryption service.

    

    

23. Go to the Dashlane app in the Okta Admin Console and select Assignments and then Assign.
24. Select Assign to People or Assign to Groups and assign to test.

    

25. In the Test the SSO connection section in Dashlane, select Test connection for any of the groups or people you assigned. Select Copy test URL to test the SSO connection from different locations, devices, and members.

    

    A success message will tell you if SSO was set up as expected.

    If you see an error message, you can open a ticket through our support chatbot. Open the chatbot by selecting the Chat with bot icon, shown as a speech bubble, at the bottom of any Help Center page. In the chatbot, follow the prompts and briefly describe your issue.

    Learn how to use our support chatbot

    

26. Turn on the Enable SSO setting.

    

Once enabled, all non-admin plan members are converted to SSO members the next time they log in. They'll enter their Master Password for the last time and use SSO going forward.

Any new members invited to your Dashlane plan will never have a Master Password and will only use their SSO to log in.

All members who use SSO will be automatically redirected to the SSO login flow.

1. Go to the SSO setup section and set up a new Dashlane Application in Okta.
2. In your Dashlane application in Okta, select Edit, select the check box to Enable SCIM provisioning and select Save.

   

3. Log in to the Dashlane Admin Console and select Integrations, Provisioning, and Set up for Self-hosted Provisioning. If this option is greyed out and not available, you either need to set up self-hosted SSO first or you already set up Confidential SSO, SCIM, or Active Directory.

   

4. Select Generate Token.
5. Turn on Allow the Encryption Service to sync directory and Save changes.
6. Restart your Dashlane encryption service in Azure to enable the changes for SCIM enablement.
7. In the Okta Dashlane app, select the Provisioning tab, select Edit, and copy the SCIM values from the Dashlane Admin Console to the Okta text fields.
   • For SCIM connector base URL, copy and paste the URL from Dashlane.
   • In the Unique identifier field for users field, enter "email."
   • Enable all the Supported provisioning methods.
   • For Authentication Mode, select HTTP Header.
   • For Authorization, copy and paste the SCIM token from Dashlane and the Bearer field.
8. Select Test Connector Configuration. You should receive a successful test.

   

9. Save the configuration.
10. In the Provisioning tab, select Settings, To App, and Edit.
11. Enable Create Users, Update User Attributes, Deactivate Users, and select Save.

    

After you complete the SSO setup, all non-admin plan members will use SSO the next time they log in. This includes any new people added to your plan and anyone already using SSO.

If you have questions or need help, you can open a ticket through our support chatbot. Open the chatbot by selecting the Chat with bot icon, shown as a speech bubble, at the bottom of any Help Center page. In the chatbot, follow the prompts and briefly describe your issue.

Learn how to use our support chatbot

1. Copy the URL from the encryption service setup, open a new tab in your browser, and paste the URL into the address bar. A Dashlane page appears to confirm that the encryption service is set up.

   Note: If this confirmation doesn't appear, make sure you completed the encryption service setup.

   

2. Log in to the JumpCloud Admin Console, select the USER AUTHENTICATION drop-down list, and select SSO.

   

3. Select + to create a new application.

   

4. Select Custom SAML App.

   

5. In the General Info tab, enter "Dashlane" for the Display Label, and select activate.

   

6. Go to the setup page in the Admin Console for self-hosted SSO by selecting Single sign-on and then Set up self-hosted SSO, or Continue setup if you already started. If you’re still in the Encryption service settings, select Back or Close to return to the self-hosted SSO setup page.
7. For SSO settings, select Set up. If you previously started the setup, you’ll select Edit instead.
8. In the Verify your company email domain section, enter your company email domain and then select Add domain to see the new HOSTNAME and TXT VALUE.
9. Go to your Public DNS provider account and create a new TXT record. The exact steps vary depending on your provider.
10. Return to the Dashlane Admin Console, Copy the HOSTNAME and TXT VALUE, and paste this information into the new TXT record you created in your Public DNS provider. Save your changes.

    

11. Return to the Dashlane Admin Console, and in the Verify your company email domain section, select Verify next to your company's domain name.

    

12. Wait a few minutes for the DNS record to be replicated throughout the internet. A green checkmark appears to verify your company email domain. In rare cases, it could take up to 24 hours. Continue to select Verify until the green checkmark appears.
13. Repeat the steps to add more company email domains.

    Note: You can’t link multiple SSO providers to a single Dashlane plan.

14. If you want, you can turn on Just In Time Provisioning to automatically add any employee with your verified domains at their first login attempt.
    Before you turn on Just in Time Provisioning, make sure your plan members have already been added to the Dashlane SAML application in your IdP. After you turn it on, they can install the Dashlane browser extension and create their account. If your plan is out of seats, the member won’t be able to log in until you buy more seats.
    Buy more seats for your plan
15. Select the Copy icon to copy the ENTITY ID, return to the JumpCloud Admin Console, select the SSO tab, and paste that information into IdP Entity ID and SP Entity ID. Then, copy the Assertion Consumer Service URL from Dashlane and paste it into ACS URL in JumpCloud.
16. Select email in the SAMLSubject NameID drop-down list.

    

    

17. For Login URL, enter "https://app.dashlane.com".

    

18. Select the User Groups tab, add All Users or search and add specific groups and members, and select activate.

    

19. Select continue to Please confirm your new SSO connector instance.

    

20. Select Dashlane, which appears in the Name column.

    

21. Select the SSO tab and select Export Metadata to download a copy of the metadata.

    

22. Open the XML metadata file that was downloaded to your computer in an application like TextEdit for Mac or Notepad for Windows.

    

23. Select all and copy the contents of the XML file.

    

24. Return to the Dashlane Admin Console, paste the contents of the XML file into the Add identity provider metadata section, and select Save changes.

    

25. Return to the JumpCloud Admin Console, select the USER MANAGEMENT drop-down list, User Groups, and All Users or search and add specific groups and members.

    

26. Select the Applications tab, Dashlane checkbox, and save.

    

27. Select the Users tab, the checkboxes for the Name of each person you want to add, and save.

    

28. In the Test the SSO connection section in Dashlane, select Test connection for any of the groups or people you assigned. A SUCCESS message appears if SSO was set up as expected. To test with an individual member, select Copy test URL and send it to that member to open. That member enters their SSO Email and Password. If MFA is enabled, the member also logs into that.

    Note: As an admin, you can't test the SSO connection yourself because you will continue to use your Master Password and not SSO.

29. When you're ready to enable, return to the Dashlane Admin Console and select Enable SSO.

    

Once enabled, all non-admin plan members are converted to SSO members the next time they log in. Members enter their Master Password for the last time and use SSO going forward.

Any new members invited to your Dashlane plan won't have a Master Password and will only use their SSO to log in.

All members who use SSO are automatically redirected to the SSO login flow.

After you complete the SCIM setup, anyone you add to a group in your Identity Provider is automatically invited to your Dashlane plan.

1. Open the Dashlane Admin Console, select Integrations, Provisioning, and Set up for Self-hosted Provisioning. If this option is greyed out and not available, you either need to set up self-hosted SSO first or you already set up Confidential SSO, SCIM, or Active Directory.
2. Select Generate token, turn on Allow the Encryption Service to sync directory, and select Save changes.
3. Select the Copy icon to copy the SCIM API token and the SCIM endpoint.
4. Open the JumpCloud Admin Console, select the USER AUTHENTICATION drop-down list, and select SSO.
5. Select Dashlane, the Identity Management tab, and select SCIM 2.0 if it isn't selected already.
6. For Base URL, paste the SCIM endpoint from Dashlane. For Token Key, paste the SCIM API token from Dashlane and save.

   

Copy the URL from the encryption service setup, open a new tab in your browser, and paste the URL into the address bar. A Dashlane page appears to confirm that the encryption service is set up.

Note: If this confirmation doesn't appear, make sure you completed the encryption service setup.

1. Go to the setup page in the Admin Console for self-hosted SSO by selecting Single sign-on and then Set up self-hosted SSO, or Continue setup if you already started. If you’re still in the Encryption service settings, select Back or Close to return to the self-hosted SSO setup page.
2. For SSO settings, select Set up. If you previously started the setup, you’ll select Edit instead.
3. In the Verify your company email domain section, enter your company email domain and select Verify to see the new HOSTNAME and TXT VALUE.

   

4. Navigate to your Public DNS provider's console and account and create a new TXT record.

   

5. Return to the Dashlane Admin Console and copy the HOSTNAME and TXT VALUE and paste this information into the new TXT record you created in your Public DNS provider. Select the Copy icon to copy the information.
6. Paste the information into a new TXT record in your public DNS provider. You may need to consult your DNS provider's documentation for specific steps.

   

   

7. Wait a few minutes for the DNS record to be replicated throughout the internet, and then select Verify domain.

   

8. Confirm that you now have a green check next to your domain, which indicates it has been verified.
9. Repeat the steps to add more company email domains.

   Note: You can link multiple domains, but they all need to be on the same SSO provider tenant.

10. If you want, you can turn on Just In Time Provisioning to automatically add any employee with your verified domains at their first login attempt.
    Before you turn on Just in Time Provisioning, make sure your plan members have already been added to the Dashlane SAML application in your IdP. After you turn it on, they can install the Dashlane browser extension and create their account. If your plan is out of seats, the member won’t be able to log in until you buy more seats.
    Buy more seats for your plan

1. Navigate to the Single sign-on section of the Integrations tab in the Dashlane Admin Console.
2. Copy and paste the SAML metadata of AD FS into the Enter the identity provider metadata here field. If you need help finding the metadata, go to your AD FS metadata URL where "ADFSName.Domain.com" is the URL of your AD FS server or farm.
   https://ADFSName.Domain.com/FederationMetadata/2007-06/FederationMetadata.xml

   You can also use Microsoft's tool to download your Federation Metadata Document.

3. Paste the AD FS metadata into the Dashlane Admin Console.

   

1. To configure AD FS, you need the SAML metadata from the encryption service. To find your SAML URL, go to the Dashlane Admin Console, select Single Sign-on in the menu and then select Edit Self-Hosted SSO. Then in the SSO settings, select Edit and find for your Entity ID.
   

   

2. Enter the Entity ID URL in your browser to download a local copy of the SAML metadata.
3. Open the AD FS Management Console and select Add Relying Party Trust.

   

4. In the drop-down menu, select Claims aware and then select Start.
5. Select Import data about the relying part from a file and select Browse to select your SSO Connector's metadata XML file. Then, select Next.

   

6. Type "Dashlane Encryption Service" as the display name and select Next.

   

7. Select your access control policy and select Next. This will vary based on your company's security policies. In this example, access is granted to everyone.

   

8. Review the relying party trust, select Next, and then select Close. The new trust is created.
9. Allow the Dashlane SSO Connector to retrieve the member's email address from AD FS. Select the newly created Relying Party Trust. If you don't see it, select Relying Party Trusts in the left sidebar. Then, select Edit Claim Issuance Policy.

   

10. Select Add Rule.

    

11. In the Claim rule template drop-down menu, select Transform an incoming claim and select Next.

    

12. Set the Claim rule name field to "Send Email as Name ID."
    • Set Incoming claim type to "UPN."
    • Set Outgoing claim type to "Name ID."
    • Set Outgoing name ID format to "Email."
    • Select Finish.

    

1. After members are assigned, you can test with an assigned member from the Dashlane Admin Console. Select Test connection. Use the Copy test URL to test the SSO connection from different locations, devices, and members.

   

   If SSO is set up as expected, the success message appears.

   If you see an error message, you can open a ticket through our support chatbot. Open the chatbot by selecting the Chat with bot icon, shown as a speech bubble, at the bottom of any Help Center page. In the chatbot, follow the prompts and briefly describe your issue.

   Learn how to use our support chatbot

   

2. When you're ready to enable, return to the Dashlane Admin Console and select Enable SSO.
   

   Once enabled, all non-admin plan members are converted to SSO members the next time they log in. Members enter their Master Password for the last time and use SSO going forward.

   Any new members invited to your Dashlane plan won't have a Master Password and will only use their SSO to log in.

   All members who use SSO are automatically redirected to the SSO login flow.

   

You can continue with your AD integration by configuring Active Directory sync for automated onboarding and offboarding of members based on their AD account status.

Configure Active Directory sync

1. Copy the URL from the encryption service setup, open a new tab in your browser, and paste the URL into the address bar. A Dashlane page appears to confirm that the encryption service is set up.

   Note: If this confirmation doesn't appear, make sure you completed the encryption service setup.

   

2. Go to the setup page in the Admin Console for self-hosted SSO by selecting Single sign-on and then Set up self-hosted SSO, or Continue setup if you already started. If you’re still in the Encryption service settings, select Back or Close to return to the self-hosted SSO setup page.
3. For SSO settings, select Set up. If you previously started the setup, you’ll select Edit instead.
4. In the Verify your company email domain section, enter your company email domain and then select Add domain to see the new HOSTNAME and TXT VALUE
5. Go to your Public DNS provider account and create a new TXT record. The exact steps vary depending on your provider.
6. Return to the Dashlane Admin Console, Copy the HOSTNAME and TXT VALUE, and paste this information into the new TXT record you created in your Public DNS provider. Save your changes.

   

7. In the Verify your company email domain section, select Verify next to your company's domain name.

   

8. Wait a few minutes for the DNS record to be replicated throughout the internet. A green checkmark appears to verify your company email domain. In rare cases, it could take up to 24 hours. Continue to select Verify until the green checkmark appears.
9. Repeat the steps to add more company email domains.

   Note: You can’t link multiple SSO providers to a single Dashlane plan.

10. If you want, you can turn on Just In Time Provisioning to automatically add any employee with your verified domains at their first login attempt.
    Before you turn on Just in Time Provisioning, make sure your plan members have already been added to the Dashlane SAML application in your IdP. After you turn it on, they can install the Dashlane browser extension and create their account. If your plan is out of seats, the member won’t be able to log in until you buy more seats.
    Buy more seats for your plan
11. Open the Google Workspace Admin Console, select the Apps drop-down list and then Web and mobile apps.

    

12. Select the Add app drop-down list and then Add custom SAML app.

    

13. In the App details page, enter "Dashlane" for App name, "Dashlane SSO" for Description, and upload the Dashlane logo for the App icon.
14. Select CONTINUE.

    

15. Select CONTINUE again to confirm the Google Identity Provider details page.

    

16. Select the Copy icon to copy the Entity ID, return to the Google Workspace Admin Console and paste it into the Entity ID section. Then, copy the Assertion Consumer Service URL from Dashlane and paste it into ACS URL section in the Google Workspace Admin Console.
17. Select CONTINUE.

    

    

18. Select FINISH.

    

19. In the Dashlane app you just created in Google Workspace, select OFF for everyone in the User access section.

    

20. In the Service status section, select ON for everyone and then SAVE.

    

21. Select DOWNLOAD METADATA.

    

22. Select DOWNLOAD METADATA again.

    

23. Open the XML metadata file that was downloaded to your computer in an application like TextEdit for Mac or Notepad for Windows.

    

24. Select all and copy the contents of the XML file.

    

25. Return to the Dashlane Admin Console, paste the contents of the XML file into the Add identity provider metadata section and select Save changes.

    

26. In the Test the SSO connection section in Dashlane, select Test connection for any of the groups or people you assigned including yourself. A SUCCESS message appears if SSO was set up as expected. To test with an individual member, select Copy test URL and send it to that member to open. That member enters their SSO Email and Password. If MFA is enabled, the member also logs into that.
27. When you're ready to enable SSO, return to the Dashlane Admin Console and select Enable SSO.

    

    Once enabled, all non-admin plan members are converted to SSO members the next time they log in. Members enter their Master Password for the last time and use SSO going forward.

    Any new members invited to your Dashlane plan won't have a Master Password and will only use their SSO to log in.

    All members who use SSO are automatically redirected to the SSO login flow.

As an admin, you can set up Duo single sign-on (SSO) for your plan members with SAML. Duo doesn’t support SCIM with Dashlane. The setup process takes about 15 minutes.
More about SSO

Important: If you don’t see the Single Sign-On tab in the Duo Admin Panel, you need to connect Duo to your Identity Provider (IdP) to enable it to set up SSO.
Enable Duo single sign-on

1. Copy the URL from the encryption service setup, open a new tab in your browser, and paste the URL into the address bar. A Dashlane page appears to confirm that the encryption service is set up.

   Note: If this confirmation doesn't appear, make sure you completed the encryption service setup.

2. Go to the setup page in the Admin Console for self-hosted SSO by selecting Single sign-on and then Set up self-hosted SSO, or Continue setup if you already started. If you’re still in the Encryption service settings, select Back or Close to return to the self-hosted SSO setup page.
3. For SSO settings, select Set up. If you previously started the setup, you’ll select Edit instead.
4. Enter your company e-mail domain and select Verify domain.
5. Note the Hostname and TXT Value you need to copy into your public DNS provider. Use the Copy buttons to copy the Hostname and TXT Value.
6. In a new browser tab, navigate to your Public DNS provider and Add a TXT Record.
7. Paste the Hostname and TXT Value from the Dashlane Admin Console into the new TXT record, and Save.
8. After you enter the record, wait a few minutes and in the Dashlane Admin Console, select Verify domain. Public DNS changes can take up to 24 hours, but most new records take 5 minutes or less. If it doesn't work the first time, wait a few minutes and select Verify domain again.
9. After the domain is verified, you’ll see a green checkmark. Repeat the steps for any additional domains you want to enable for SSO that are part of your same SSO tenant. We currently don't support linking multiple SSO providers to a single Dashlane plan.
10. If you want, you can turn on Just In Time Provisioning to automatically add any employee with your verified domains at their first login attempt.
    Before you turn on Just in Time Provisioning, make sure your plan members have already been added to the Dashlane SAML application in your IdP. After you turn it on, they can install the Dashlane browser extension and create their account. If your plan is out of seats, the member won’t be able to log in until you buy more seats.
    Buy more seats for your plan
11. Sign in to the Duo Admin Panel and select Application and then Protect an Application. Search for and select Generic SAML Service Provider and then select Protect.
12. In the Dashlane Admin Console, select Single sign-on and then copy the Entity ID. In the Duo Admin Panel, paste this for Entity ID in the Service Provider section.
13. In the Dashlane Admin Console, copy the Assertion Consumer Service URL. In the Duo Admin Panel, paste this for Assertion Consumer Service (ACS) URL, also in the Service Provider section.
14. In the Policy section, for Group policies, select Apply a policy to a group of users.
15. From the Select a policy dropdown, choose the policy and groups you want to apply to the Dashlane application.
16. Select Save to confirm your generic SAML service provider settings.
17. On the same page, in the Downloads section, select Download XML for SAML Metadata.
18. Open the XML file that you just downloaded in any plain text editor on your computer, highlight and copy all of the text. In the Dashlane Admin Console, paste the text you copied for Add identity provider metadata and then select Save changes.
19. Once you've assigned members, you can test with any assigned member from the Dashlane Admin Console by selecting Test connection. Use the Copy test URL to test the SSO connection from different locations, devices, and members.

If you set up SSO as expected, you see a success message. If you see an error message, you can open a ticket through our support chatbot. Open the chatbot by selecting the Chat with bot icon, shown as a speech bubble, at the bottom of any Help Center page. In the chatbot, follow the prompts and briefly describe your issue.

Learn how to use our support chatbot

Once enabled, any non-admin Master Password member will be converted to an SSO member. During their next login, they'll enter their Master Password for the last time and only be able to login with SSO after that point.

Any new members invited to your Dashlane plan will never have a Master Password. They will only use SSO to log in.