SSO and SCIM are only available to organizations on a Dashlane Business or Business Plus plan.
Upgrade your plan
Important: With the Dashlane Safari Extension, self-hosted SSO and SCIM aren't available at this time due to Apple limitations, but you can use them through the macOS app.
If a member’s email changes in the IdP, this won’t automatically update in Dashlane.
Admins of Dashlane Business or Business Plus plans can integrate Dashlane with their Identity Provider using the self-hosted SSO and SCIM configuration.
More about integrating Dashlane with your IdP
Dashlane will guide you through setting up self-hosted SSO and SCIM in the Admin Console. This article explains the steps in more detail.
Tip: Consider setting up Dashlane Confidential SSO and SCIM Provisioning instead of self-hosted SSO and SCIM. The process is simpler. However, after you set up Confidential, you can’t switch to self-hosted SSO or SCIM.
More about the difference between self-hosted and Confidential
Before you start, open and log in to these accounts:
- Dashlane admin account
- IdP admin account
Note: For Google Workspace, you need to have a super administrator role
- Public DNS editor for domain verification
- Azure or AWS admin account, depending on where you want to host your encryption service
Step 1: Set up your encryption service
To implement Dashlane SSO and SCIM, you need to set up an encryption service. The setup process takes about 10 minutes. You'll need a Dashlane admin account and an admin account for your encryption service to complete the process. You can choose either Azure or AWS as your encryption service.
What's an encryption service?
Why use an encryption service?
Subscribe to Azure to set up the encryption service
If you want to use Azure to host your encryption service, you need to subscribe to Azure if you haven't already. We recommend subscribing to "Azure App Service Basic Plan - Linux - B1" to set up the encryption service. This plan costs $.018 per hour. Depending on your organization's usage, you can expect this to cost $8 to $14 per month.
Note: E3 and E5 licenses from Microsoft Office 365 aren't Azure services licenses.
- In Azure, type Subscriptions in the search bar and select Subscriptions.
- Select + Add.
- Select the Add a different type of subscription link.
Note: If you don't see this option, continue to the next step.
- Select Select offer for Pay-As-You-Go.
Note: If you want to pay annually or through a vendor, you can change your plan at any time.
- For the Subscription name, enter "Azure Subscription 1" and select Next.
Note: Enter your contact details instead, if prompted.
- Select Next, and then select Next again.
- Select Create. You'll see Successfully created the subscription in your Azure Notifications.
Example of an invoice for Azure App Service Basic Plan - Linux - B1 for an organization of 10 employees with a monthly cost of $8.63:
Set up the encryption service in Azure
- Select the Dashlane D icon in your browser’s toolbar and enter your admin Master Password if prompted. In the extension pop-up, select More and then Open the Admin Console.
- In the Integrations section of the side menu, select Single sign-on.
- Select Set up self-hosted SSO.
- For Encryption service settings, select Set up.
- In the Where will you deploy the Encryption Service? menu, select Microsoft Azure. Your encryption service endpoint is generated automatically with your organization details.
- Select Generate and save to create your encryption service configuration.
- Once generated, select Copy to copy the configuration, and then select Go to service host to open the Azure template. If Go to service host doesn't take you to the Azure template, you can use this link instead:
Azure template
- In the Azure template, select Edit parameters.
- Select and delete all the current parameters.
- Paste the encryption service configuration you copied from the Dashlane Admin Console and select Save.
- Select a Subscription, select or create a new Resource group, and then select Next: Review + create.
Important: If the Subscription menu is blank or you don't subscribe to Azure, you need to subscribe to complete the encryption service setup. We recommend subscribing to "Azure App Service Basic Plan - Linux - B1". This plan costs $.018 per hour. Depending on your organization's usage, you can expect this to cost $8 to $14 per month. This subscription is different from a Microsoft Entra ID subscription.
- After you see a Validation Passed message, select Create.
After a few minutes, the deployment completes successfully.
Set up the encryption service in AWS
- Select the Dashlane D icon in your browser’s toolbar and enter your admin Master Password if prompted. In the extension pop-up, select More and then Open the Admin Console.
- In the Integrations section of the side menu, select Single sign-on.
- Select Set up self-hosted SSO.
- For Encryption service settings, select Set up.
- In the Where will you deploy the Encryption Service? menu, select AWS. Your encryption service endpoint is generated automatically with your organization details.
- Select Generate and save to create your encryption service configuration.
- Once generated, select Copy to copy the configuration and then Go to service host.
- Log in to the AWS portal and make sure the AWS region is "Virginia (US-East-1)" or "Ireland (EU-West-1)."
- Search AWS for "certificate manager" and select Certificate Manager from the search results.
- In the New ACM managed certificate section, select Request a certificate.
- Select Request a public certificate and then Next.
- In the Domain names section, paste your encryption service endpoint web address from the Dashlane Admin Console.
- In the Select validation method section, select DNS validation and then Request.
- Select the Certificate ID link.
- Select the icon to Copy the CNAME name and CNAME value.
- Log into your public DNS provider and create a new CNAME record under your domain name. The exact steps vary depending on your provider.
- For Type, select CNAME. For Host, paste the CNAME name you copied from the Certificate Manager. For Points to, paste the CNAME value you copied from the Certificate Manager.
- Select Save.
- Return to the AWS Certificate Manager and select the icon to Copy the ARN string. Paste it into an app like TextEdit for Mac or Notepad for Windows to save it for later.
Note: You must validate your certificate before you can move to the next steps and create a stack.
- Search AWS for "aws cloud formation" and select CloudFormation from the search results.
- In the Create stack menu, select With new resources (standard).
- Select Template is ready, enter the following Amazon S3 URL, and select Next:
https://s3.eu-west-1.amazonaws.com/public-cloudformation.dashlane.com/encryption-service/sam-app/template-latest.yaml
- Complete the following fields:
- For Stack name, name your stack with this format:
[YourCompanyName]-SSO-Connector
- For Certificate, paste the ARN string you saved from the Certificate Manager.
- For DomainName, paste the encryption service endpoint URL generated by the Dashlane Admin Console.
- Select Next.
- On the Configure stack options page, leave all settings as they are and select Next.
- Scroll to the Transforms might require access capabilities section, select all the checkboxes, and then select Create stack.
- This process may take several minutes. A CREATE_COMPLETE message appears when the stack has been created.
- After the stack has been created, select the Outputs tab and copy the CNAME Value.
- Log in to your public DNS provider and create a new CNAME record under your domain name.
- For the Type, select CNAME. For Host, paste the encryption service endpoint URL generated by the Dashlane Admin Console.
Example: For dashlanesso.dashlaneshop.com, paste the text dashlanesso.
- For Points to, paste the CNAME Value copied from the Outputs tab.
- Search in AWS for "secrets manager" and select Secrets Manager from the search results.
- Select your SSO connector Secret name.
- In the Secret value section, select Retrieve secret value.
- Select Edit.
- Return to the Single sign-on section of the Dashlane Admin Console, select Edit for Encryption Service settings, and Copy the encryption service configuration file.
- Return to AWS, select the Plaintext tab, paste the encryption service configuration file, and select Save.
After completing these steps, your encryption service is running. You can configure SAML-based SSO or SCIM provisioning with your Identity Provider.
Step 2: Set up self-hosted SSO and SCIM
After you've set up your encryption service, you're ready to integrate your Identity Provider with Dashlane.
Set up your integration in Azure
Dashlane offers deep integration with Microsoft Entra ID, with the ability to integrate SSO with SAML, plan member sync, and group sync using SCIM. It is possible to do only SSO or only SCIM provisioning, but we recommend doing both for the best experience. The setup process takes about 10 minutes.
More about SSO and SCIM
More about SAML-based SSO on the Microsoft support website
Step 1: Set up SSO in Azure
- Copy the URL from the encryption service setup, open a new tab in your browser, and paste the URL into the address bar. A Dashlane page appears to confirm that the encryption service is set up.
Note: If this confirmation doesn't appear, make sure you completed the encryption service setup.
- Go to the setup page in the Admin Console for self-hosted SSO by selecting Single sign-on and then Set up self-hosted SSO, or Continue setup if you already started. If you’re still in the Encryption service settings, select Back or Close to return to the self-hosted SSO setup page.
- For SSO settings, select Set up. If you previously started the setup, you’ll select Edit instead.
- Enter your company e-mail domain and select Verify domain.
- Note the hostname and TXT value you need to copy into your public DNS provider. Use the Copy buttons to copy the hostname and TXT Value.
- In a new browser tab, navigate to your Public DNS provider and Add a TXT Record.
- Paste the "Host Name" and TXT Value from the Dashlane Admin Console into the new TXT record, and click Save.
- Once you've entered the record, wait a few minutes and in the Dashlane Admin Console, select Verify domain. Public DNS changes can take up to 24 hours, but most new records take 5 minutes or less. If it doesn't work the first time, wait a few minutes and select Verify domain again.
- After the domain is verified, you’ll see a green checkmark. Repeat the steps for any additional domains you want to enable for SSO that are part of your same SSO tenant. We currently don't support linking multiple SSO providers to a single Dashlane plan.
- If you want, you can turn on Just In Time Provisioning to automatically add any employee with your verified domains at their first login attempt.
Before you turn on Just in Time Provisioning, make sure your plan members have already been added to the Dashlane SAML application in your IdP. After you turn it on, they can install the Dashlane browser extension and create their account. If your plan is out of seats, the member won’t be able to log in until you buy more seats.
Buy more seats for your plan
- You will now build an Enterprise Application in Azure for your members to connect to.
In a new browser tab, navigate to the Azure Portal and search for or select Enterprise Applications.
- Select New application.
- Click Create your own application.
- Name the Application Dashlane > select Integrate any other application you don't find in the gallery > Select Create.
- Select Set up single sign-on.
- Select the SAML tile.
- Under Basic SAML Configuration, select Edit.
- In your Dashlane Admin Console, use the copy button to copy the values from the Entity ID and the Assertion Consumer Service (ACS) URL from Dashlane to the Azure Enterprise application.
- Paste the Entity ID from the Dashlane admin console to the Entity ID in the Azure Enterprise application.
- Paste the Assertion Consumer URL from the Dashlane Admin Console to the corresponding field in Azure.
- For the Sign on URL, enter "https://app.dashlane.com".
- Delete the default URL.
- Ensure the Entity ID URL ends in "/saml/" and the ACS URL ends in "callback", as shown in the image.
- Select Save.
- On the Azure Enterprise app under the SAML signing Certificate, click to Download Federation Metadata XML.
- Open "Federation Metadata XML" in Notepad or plain text editor > select all, copy the contents.
- Do not open the XML using Safari, as it may break the XML formatting when copying.
- Paste the Federation Metadata XML in console.dashlane.com > click Save changes.
- Go to Enterprise Application in Azure > Users and Groups > Add the users or groups you want to have access to Dashlane SSO.
- After you’ve assigned users, you can test the connection by selecting the Test Connection button. If you're logged in as the admin of your IdP account, you might not be able to use the Test Connection button. Instead, you can open a different browser profile, copy the test URL into the new browser, and test SSO using a member's account that you've assigned to the Dashlane SAML application.
- If you've set up SSO as expected, you see the Success Message.
- If you see an error message, you can open a ticket through our support chatbot. Open the chatbot by selecting the Chat with bot icon, shown as a speech bubble, at the bottom of any Help Center page. In the chatbot, follow the prompts and briefly describe your issue.
- You can now Enable SSO by selecting the selector next to Enable SSO.
Once enabled, any non-admin Master Password member will be converted to an SSO member at their next login. At that login, they will enter their Dashlane Password for the last time, and afterward they will only be able to log in with SSO.
Any new members invited to your Dashlane plan will never have a separate password. They will use only their SSO login.
Step 2: Set up SCIM provisioning in Azure
- Log in to the Dashlane Admin Console and select Integrations, Provisioning, and Set up for Self-hosted Provisioning. If this option is grayed out and not available, you either need to set up self-hosted SSO first or you already set up Confidential SSO, SCIM, or Active Directory.
- Select Generate Token.
- Enable the switch for Allow the Encryption Service to sync directory.
- In Azure, navigate back to your Dashlane Enterprise Application (or create a new one by following the steps of the SSO section.)
- Select Provisioning > Get Started.
- Copy the tenant URL and the secret token from the Dashlane Admin Console and paste them into the corresponding fields in Azure.
- Acknowledge the message to restart the encryption service one last time. We will do this next.
- In the Azure Portal, navigate to your resource group to find your SSO/SCIM connector encryption service web app service.
- Select Restart.
- You can check that your SCIM service has been enabled by opening the Log Stream of your Dashlane encryption service.
- In Azure, go back to Enterprise Apps > select Dashlane App > select Properties in the Navigation Pane > ensure Assignment is turned on.
- Go to Enterprise Application in Azure > Users and Groups > Add the users or groups you would like to sync with SCIM (if not already done in the SSO section).
- Provisioning > Start Provisioning > Edit Provisioning.
- Set Provisioning Status to On and select Save.
Any members you add to the groups you selected will be added automatically to your Dashlane plan.
Video guide to setting up SSO and SCIM in Azure
Set up your integration in Okta
As an admin, you can set up Okta single sign-on (SSO) for your plan members with SAML. You can further control your SSO integration by syncing it with your Identity Provider’s directory of plan members and groups with SCIM. We recommend setting up both SSO and SCIM at the same time to get the full benefits of both. The setup process takes about 15 minutes.
More about SSO and SCIM
More about adding a SAML application on Okta's support website
Step 1: Set up SSO in Okta
- Copy the URL from the encryption service setup, open a new tab in your browser, and paste the URL into the address bar. A Dashlane page appears to confirm that the encryption service is set up.
Note: If this confirmation doesn't appear, make sure you completed the encryption service setup.
- Go to the setup page in the Admin Console for self-hosted SSO by selecting Single sign-on and then Set up self-hosted SSO, or Continue setup if you already started. If you’re still in the Encryption service settings, select Back or Close to return to the self-hosted SSO setup page.
- For SSO settings, select Set up. If you previously started the setup, you’ll select Edit instead.
- Enter your company e-mail domain and select Verify domain. Notice the copy buttons you will use to copy the hostname and TXT values to your public DNS provider.
- Go to your Public DNS provider account and create a new TXT record. The exact steps vary depending on your provider.
- Return to the Dashlane Admin Console, copy the HOSTNAME and TXT VALUE, and paste this information into the new TXT record you created in your Public DNS provider.
- Wait a few minutes for the DNS record to be replicated throughout the internet and select Verify domain. A green checkmark appears to verify your company email domain. Public DNS changes can take up to 24 hours, but most new records take 5 minutes or less.
- Repeat the same steps to add more company email domains.
Note: You can’t link multiple SSO providers to a single Dashlane plan.
- If you want, you can turn on Just In Time Provisioning to automatically add any employee with your verified domains at their first login attempt.
Before you turn on Just in Time Provisioning, make sure your plan members have already been added to the Dashlane SAML application in your IdP. After you turn it on, they can install the Dashlane browser extension and create their account. If your plan is out of seats, the member won’t be able to log in until you buy more seats.
Buy more seats for your plan
- Navigate to your Okta Admin Console and select Applications, select Applications again and then Create App Integration.
- On the Create a new app integration page, select SAML 2.0 and then Next.
- Download a Dashlane logo for the application display if you'd like.
- On the Create SAML Integration screen, enter "Dashlane" for the app name, upload a logo, and select Next.
- From the Dashlane Admin Console, copy the text to the corresponding entries in the Okta app. Copy the Assertion Consumer Service URL to Single sign on URL in Okta. Copy Entity ID to Audience URI (SP Entity ID) in Okta.
- In Okta, verify that the Single sign-on URL ends in "/callback" and the Audience URI ends in "/saml/". All other fields can be left alone unless you have a custom configuration that you know to be different.
- Scroll to the bottom of the page and select Next.
- In the Help Okta Support page, select I'm an Okta customer adding an internal app and then Finish.
- In Okta, on the Dashlane SAML app that was just created, select Sign On, and then in Settings, select Edit.
- To access your XML metadata, select View Setup Instructions in the SAML 2.0 section.
- In the Optional section, select and copy all of your IDP metadata.
- In the Dashlane Admin Console, paste the XML data and select Save changes.
- Go to https://portal.azure.com and select Restart to restart your Azure encryption service.
- Go to the Dashlane app in the Okta Admin Console and select Assignments and then Assign.
- Select Assign to People or Assign to Groups and assign to test.
- In the Test the SSO connection section in Dashlane, select Test connection for any of the groups or people you assigned. Select Copy test URL to test the SSO connection from different locations, devices, and members.
A success message will tell you if SSO was set up as expected.
If you see an error message, you can open a ticket through our support chatbot. Open the chatbot by selecting the Chat with bot icon, shown as a speech bubble, at the bottom of any Help Center page. In the chatbot, follow the prompts and briefly describe your issue.
- Turn on the Enable SSO setting.
Once enabled, all non-admin plan members are converted to SSO members the next time they log in. They'll enter their Master Password for the last time and use SSO going forward.
Any new members invited to your Dashlane plan will never have a Master Password and will only use their SSO to log in.
All members who use SSO will be automatically redirected to the SSO login flow.
Step 2: Set up directory sync using SCIM
- Go to the SSO setup section and set up a new Dashlane Application in Okta.
- In your Dashlane application in Okta, select Edit, select the check box to Enable SCIM provisioning and select Save.
- Log in to the Dashlane Admin Console and select Integrations, Provisioning, and Set up for Self-hosted Provisioning. If this option is greyed out and not available, you either need to set up self-hosted SSO first or you already set up Confidential SSO, SCIM, or Active Directory.
- Select Generate Token.
- Turn on Allow the Encryption Service to sync directory and Save changes.
- Restart your Dashlane encryption service in Azure to enable the changes for SCIM enablement.
- In the Okta Dashlane app, select the Provisioning tab, select Edit, and copy the SCIM values from the Dashlane Admin Console to the Okta text fields.
- For SCIM connector base URL, copy and paste the URL from Dashlane.
- In the Unique identifier field for users field, enter "email".
- Enable all the Supported provisioning methods.
- For Authentication Mode, select HTTP Header.
- For Authorization, copy the SCIM token from Dashlane and paste it into the Bearer field.
- Select Test Connector Configuration. You should receive a successful test.
- Save the configuration.
- In the Provisioning tab, select Settings, To App, and Edit.
- Enable Create Users, Update User Attributes, Deactivate Users, and select Save.
After you complete the SSO setup, all non-admin plan members will use SSO the next time they log in. This includes any new people added to your plan and anyone already using SSO.
If you have questions or need help, you can open a ticket through our support chatbot. Open the chatbot by selecting the Chat with bot icon, shown as a speech bubble, at the bottom of any Help Center page. In the chatbot, follow the prompts and briefly describe your issue.
Video guide to setting up SSO and SCIM in Okta
Set up your integration in JumpCloud
As an admin, you can set up JumpCloud single sign-on (SSO) for your plan members with SAML. You can further control your SSO integration by syncing it with your Identity Provider’s directory of plan members and groups with SCIM. We recommend setting up SSO and SCIM at the same time to get the full benefits of both. The setup process takes about 15 minutes.
More about SSO and SCIM
More about SSO using Custom SAML Application Connectors on the JumpCloud support website
Step 1: Set up SSO in JumpCloud
- Copy the URL from the encryption service setup, open a new tab in your browser, and paste the URL into the address bar. A Dashlane page appears to confirm that the encryption service is set up.
Note: If this confirmation doesn't appear, make sure you completed the encryption service setup.
- Log in to the JumpCloud Admin Console, select the USER AUTHENTICATION drop-down list, and select SSO.
- Select + to create a new application.
- Select Custom SAML App.
- In the General Info tab, enter "Dashlane" for the Display Label, and select activate.
- Go to the setup page in the Admin Console for self-hosted SSO by selecting Single sign-on and then Set up self-hosted SSO, or Continue setup if you already started. If you’re still in the Encryption service settings, select Back or Close to return to the self-hosted SSO setup page.
- For SSO settings, select Set up. If you previously started the setup, you’ll select Edit instead.
- In the Verify your company email domain section, enter your company email domain and then select Add domain to see the new HOSTNAME and TXT VALUE.
- Go to your Public DNS provider account and create a new TXT record. The exact steps vary depending on your provider.
- Return to the Dashlane Admin Console, Copy the HOSTNAME and TXT VALUE, and paste this information into the new TXT record you created in your Public DNS provider. Save your changes.
- Return to the Dashlane Admin Console, and in the Verify your company email domain section, select Verify next to your company's domain name.
- Wait a few minutes for the DNS record to be replicated throughout the internet. A green checkmark appears to verify your company email domain. In rare cases, it could take up to 24 hours. Continue to select Verify until the green checkmark appears.
- Repeat the steps to add more company email domains.
Note: You can’t link multiple SSO providers to a single Dashlane plan.
- If you want, you can turn on Just In Time Provisioning to automatically add any employee with your verified domains at their first login attempt.
Before you turn on Just in Time Provisioning, make sure your plan members have already been added to the Dashlane SAML application in your IdP. After you turn it on, they can install the Dashlane browser extension and create their account. If your plan is out of seats, the member won’t be able to log in until you buy more seats.
Buy more seats for your plan
- Select the Copy icon to copy the ENTITY ID, return to the JumpCloud Admin Console, select the SSO tab, and paste that information into IdP Entity ID and SP Entity ID. Then, copy the Assertion Consumer Service URL from Dashlane and paste it into ACS URL in JumpCloud.
- Select email in the SAMLSubject NameID drop-down list.
- For Login URL, enter "https://app.dashlane.com".
- Select the User Groups tab, add All Users or search and add specific groups and members, and select activate.
- Select continue to Please confirm your new SSO connector instance.
- Select Dashlane, which appears in the Name column.
- Select the SSO tab and select Export Metadata to download a copy of the metadata.
- Open the XML metadata file that was downloaded to your computer in an application like TextEdit for Mac or Notepad for Windows.
- Select all and copy the contents of the XML file.
- Return to the Dashlane Admin Console, paste the contents of the XML file into the Add identity provider metadata section, and select Save changes.
- Return to the JumpCloud Admin Console, select the USER MANAGEMENT drop-down list, User Groups, and All Users or search and add specific groups and members.
- Select the Applications tab, Dashlane checkbox, and save.
- Select the Users tab, the checkboxes for the Name of each person you want to add, and save.
- In the Test the SSO connection section in Dashlane, select Test connection for any of the groups or people you assigned. A SUCCESS message appears if SSO was set up as expected. To test with an individual member, select Copy test URL and send it to that member to open. That member enters their SSO Email and Password. If MFA is enabled, the member also logs into that.
Note: As an admin, you can't test the SSO connection yourself because you will continue to use your Master Password and not SSO.
- When you're ready to enable, return to the Dashlane Admin Console and select Enable SSO.
Once enabled, all non-admin plan members are converted to SSO members the next time they log in. Members enter their Master Password for the last time and use SSO going forward.
Any new members invited to your Dashlane plan won't have a Master Password and will only use their SSO to log in.
All members who use SSO are automatically redirected to the SSO login flow.
Step 2: Set up SCIM in JumpCloud
After you complete the SCIM setup, anyone you add to a group in your Identity Provider is automatically invited to your Dashlane plan.
- Open the Dashlane Admin Console, select Integrations, Provisioning, and Set up for Self-hosted Provisioning. If this option is greyed out and not available, you either need to set up self-hosted SSO first or you already set up Confidential SSO, SCIM, or Active Directory.
- Select Generate token, turn on Allow the Encryption Service to sync directory, and select Save changes.
- Select the Copy icon to copy the SCIM API token and the SCIM endpoint.
- Open the JumpCloud Admin Console, select the USER AUTHENTICATION drop-down list, and select SSO.
- Select Dashlane, the Identity Management tab, and select SCIM 2.0 if it isn't selected already.
- For Base URL, paste the SCIM endpoint from Dashlane. For Token Key, paste the SCIM API token from Dashlane and save.
Set up your integration in AD FS
With Dashlane's single sign-on (SSO) feature, members can sign in to Dashlane with their SSO login instead of a Master Password. This article shows you how to set up SSO with an on-premises or cloud-hosted AD FS infrastructure. The setup process takes about 15 minutes.
We don’t support syncing AD FS provisioning with SCIM. Instead, we recommend turning on Just in Time Provisioning. How to turn it on is covered in the setup process.
More about SSO
More about configuring SAML on the Microsoft support website
Step 1: Test your encryption service
Copy the URL from the encryption service setup, open a new tab in your browser, and paste the URL into the address bar. A Dashlane page appears to confirm that the encryption service is set up.
Note: If this confirmation doesn't appear, make sure you completed the encryption service setup.
Step 2: Verify your company domain with your DNS Provider
- Go to the setup page in the Admin Console for self-hosted SSO by selecting Single sign-on and then Set up self-hosted SSO, or Continue setup if you already started. If you’re still in the Encryption service settings, select Back or Close to return to the self-hosted SSO setup page.
- For SSO settings, select Set up. If you previously started the setup, you’ll select Edit instead.
- In the Verify your company email domain section, enter your company email domain and select Verify to see the new HOSTNAME and TXT VALUE.
- Navigate to your Public DNS provider's console and account and create a new TXT record.
- Return to the Dashlane Admin Console and copy the HOSTNAME and TXT VALUE and paste this information into the new TXT record you created in your Public DNS provider. Select the Copy icon to copy the information.
- Paste the information into a new TXT record in your public DNS provider. You may need to consult your DNS provider's documentation for specific steps.
- Wait a few minutes for the DNS record to be replicated throughout the internet, and then select Verify domain.
- Confirm that you now have a green check next to your domain, which indicates it has been verified.
- Repeat the steps to add more company email domains.
Note: You can link multiple domains, but they all need to be on the same SSO provider tenant.
- If you want, you can turn on Just In Time Provisioning to automatically add any employee with your verified domains at their first login attempt.
Before you turn on Just in Time Provisioning, make sure your plan members have already been added to the Dashlane SAML application in your IdP. After you turn it on, they can install the Dashlane browser extension and create their account. If your plan is out of seats, the member won’t be able to log in until you buy more seats.
Buy more seats for your plan
Step 3: Set up AD FS to connect to SSO
- Navigate to the Single sign-on section of the Integrations tab in the Dashlane Admin Console.
- Copy and paste the SAML metadata of AD FS into the Enter the identity provider metadata here field. If you need help finding the metadata, go to your AD FS metadata URL where "ADFSName.Domain.com" is the URL of your AD FS server or farm.
https://ADFSName.Domain.com/FederationMetadata/2007-06/FederationMetadata.xml
You can also use Microsoft's tool to download your Federation Metadata Document.
- Paste the AD FS metadata into the Dashlane Admin Console.
Step 4: Configure AD FS
- To configure AD FS, you need the SAML metadata from the encryption service. To find your SAML URL, go to the Dashlane Admin Console, select Single Sign-on in the menu and then select Edit Self-Hosted SSO. Then in the SSO settings, select Edit and find your Entity ID.
- Enter the Entity ID URL in your browser to download a local copy of the SAML metadata.
- Open the AD FS Management Console and select Add Relying Party Trust.
- In the drop-down menu, select Claims aware and then select Start.
- Select Import data about the relying party from a file and select Browse to select your SSO Connector's metadata XML file. Then, select Next.
- Type "Dashlane Encryption Service" as the display name and select Next.
- Select your access control policy and select Next. This will vary based on your company's security policies. In this example, access is granted to everyone.
- Review the relying party trust, select Next, and then select Close. The new trust is created.
- Allow the Dashlane SSO Connector to retrieve the member's email address from AD FS. Select the newly created Relying Party Trust. If you don't see it, select Relying Party Trusts in the left sidebar. Then, select Edit Claim Issuance Policy.
- Select Add Rule.
- In the Claim rule template drop-down menu, select Transform an incoming claim and select Next.
- Set the Claim rule name field to "Send Email as Name ID."
- Set Incoming claim type to "UPN."
- Set Outgoing claim type to "Name ID."
- Set Outgoing name ID format to "Email."
- Select Finish.
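The claim rule configured above should produce an assertion whose NameID carries the Email format and an address in one of your verified domains. The following added example (not Dashlane or Microsoft code) checks that on a SAMLResponse captured during Test connection; the function names, the example.com domain, and the sample response are assumptions constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def build_sample_response(name_id, name_id_format):
    """Constructed, unsigned SAMLResponse, base64-encoded as in the HTTP-POST form field."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
           f'<saml:Assertion><saml:Subject>'
           f'<saml:NameID Format="{name_id_format}">{name_id}</saml:NameID>'
           f'</saml:Subject></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def check_name_id(saml_response_b64, verified_domains):
    """Return problems with the assertion's NameID; an empty list means it looks right.

    Diagnostic only: the signature is not verified, so never use this to gate a login.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        # Also reached when the assertion is encrypted and cannot be read here.
        return ["no readable NameID: the claim rule may not have fired for this user"]
    problems = []
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID Format is {name_id.get('Format')!r}, expected Email")
    value = name_id.text.strip()
    local, _, domain = value.rpartition("@")
    allowed = {d.lower() for d in verified_domains}
    if not local or domain.lower() not in allowed:
        problems.append(f"NameID {value!r} is not an address in a verified domain")
    return problems


if __name__ == "__main__":
    sample = build_sample_response("alice@corp.local", EMAIL_FORMAT)
    print(check_name_id(sample, ["example.com"]))
```

A UPN in a domain that was never verified in Step 2 shows up here as a domain problem, which is worth ruling out before opening a support ticket.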
Step 5: Test and enable SSO
- After members are assigned, you can test with an assigned member from the Dashlane Admin Console. Select Test connection. Use the Copy test URL to test the SSO connection from different locations, devices, and members.
If SSO is set up as expected, the success message appears.
If you see an error message, you can open a ticket through our support chatbot. Open the chatbot by selecting the Chat with bot icon, shown as a speech bubble, at the bottom of any Help Center page. In the chatbot, follow the prompts and briefly describe your issue.
- When you're ready to enable, return to the Dashlane Admin Console and select Enable SSO.
Once enabled, all non-admin plan members are converted to SSO members the next time they log in. Members enter their Master Password for the last time and use SSO going forward.
Any new members invited to your Dashlane plan won't have a Master Password and will only use their SSO to log in.
All members who use SSO are automatically redirected to the SSO login flow.
You can continue with your AD integration by configuring Active Directory sync for automated onboarding and offboarding of members based on their AD account status.
Set up your integration in Google Workspace
As an admin, you can set up Google Workspace single sign-on (SSO) for your plan members with SAML. The setup process takes about 15 minutes.
We don’t support syncing Google Workspace provisioning with SCIM. Instead, we recommend turning on Just in Time Provisioning. How to turn it on is covered in the setup process.
More about SSO
How to Configure SAML 2.0 for Google Workspace
Set up SSO in Google Workspace
- Copy the URL from the encryption service setup, open a new tab in your browser, and paste the URL into the address bar. A Dashlane page appears to confirm that the encryption service is set up.
Note: If this confirmation doesn't appear, make sure you completed the encryption service setup.
- Go to the setup page in the Admin Console for self-hosted SSO by selecting Single sign-on and then Set up self-hosted SSO, or Continue setup if you already started. If you’re still in the Encryption service settings, select Back or Close to return to the self-hosted SSO setup page.
- For SSO settings, select Set up. If you previously started the setup, you’ll select Edit instead.
- In the Verify your company email domain section, enter your company email domain and then select Add domain to see the new HOSTNAME and TXT VALUE.
- Go to your Public DNS provider account and create a new TXT record. The exact steps vary depending on your provider.
- Return to the Dashlane Admin Console, copy the HOSTNAME and TXT VALUE, and paste this information into the new TXT record you created in your Public DNS provider. Save your changes.
- In the Verify your company email domain section, select Verify next to your company's domain name.
- Wait a few minutes for the DNS record to be replicated throughout the internet. A green checkmark appears to verify your company email domain. In rare cases, it could take up to 24 hours. Continue to select Verify until the green checkmark appears.
- Repeat the steps to add more company email domains.
Note: You can’t link multiple SSO providers to a single Dashlane plan.
- If you want, you can turn on Just In Time Provisioning to automatically add any employee with your verified domains at their first login attempt.
Before you turn on Just in Time Provisioning, make sure your plan members have already been added to the Dashlane SAML application in your IdP. After you turn it on, they can install the Dashlane browser extension and create their account. If your plan is out of seats, the member won’t be able to log in until you buy more seats.
Buy more seats for your plan
- Open the Google Workspace Admin Console, select the Apps drop-down list and then Web and mobile apps.
- Select the Add app drop-down list and then Add custom SAML app.
- In the App details page, enter "Dashlane" for App name, "Dashlane SSO" for Description, and upload the Dashlane logo for the App icon.
- Select CONTINUE.
- Select CONTINUE again to confirm the Google Identity Provider details page.
- Select the Copy icon to copy the Entity ID, return to the Google Workspace Admin Console and paste it into the Entity ID section. Then, copy the Assertion Consumer Service URL from Dashlane and paste it into the ACS URL section in the Google Workspace Admin Console.
- Select CONTINUE.
- Select FINISH.
- In the Dashlane app you just created in Google Workspace, select OFF for everyone in the User access section.
- In the Service status section, select ON for everyone and then SAVE.
- Select DOWNLOAD METADATA.
- Select DOWNLOAD METADATA again.
- Open the XML metadata file that was downloaded to your computer in an application like TextEdit for Mac or Notepad for Windows.
- Select all and copy the contents of the XML file.
- Return to the Dashlane Admin Console, paste the contents of the XML file into the Add identity provider metadata section and select Save changes.
- In the Test the SSO connection section in Dashlane, select Test connection for any of the groups or people you assigned, including yourself. A SUCCESS message appears if SSO was set up as expected. To test with an individual member, select Copy test URL and send it to that member to open. That member enters their SSO Email and Password. If MFA is enabled, the member also completes MFA.
- When you're ready to enable SSO, return to the Dashlane Admin Console and select Enable SSO.
Once enabled, all non-admin plan members are converted to SSO members the next time they log in. Members enter their Master Password for the last time and use SSO going forward.
Any new members invited to your Dashlane plan won't have a Master Password and will only use their SSO to log in.
All members who use SSO are automatically redirected to the SSO login flow.
Set up your integration in Duo
As an admin, you can set up Duo single sign-on (SSO) for your plan members with SAML. Duo doesn’t support SCIM with Dashlane. The setup process takes about 15 minutes.
More about SSO
Important: If you don’t see the Single Sign-On tab in the Duo Admin Panel, you need to connect Duo to your Identity Provider (IdP) to enable it to set up SSO.
Enable Duo single sign-on
- Copy the URL from the encryption service setup, open a new tab in your browser, and paste the URL into the address bar. A Dashlane page appears to confirm that the encryption service is set up.
Note: If this confirmation doesn't appear, make sure you completed the encryption service setup.
- Go to the setup page in the Admin Console for self-hosted SSO by selecting Single sign-on and then Set up self-hosted SSO, or Continue setup if you already started. If you’re still in the Encryption service settings, select Back or Close to return to the self-hosted SSO setup page.
- For SSO settings, select Set up. If you previously started the setup, you’ll select Edit instead.
- Enter your company e-mail domain and select Verify domain.
- Note the Hostname and TXT Value you need to copy into your public DNS provider. Use the Copy buttons to copy the Hostname and TXT Value.
- In a new browser tab, navigate to your Public DNS provider and Add a TXT Record.
- Paste the Hostname and TXT Value from the Dashlane Admin Console into the new TXT record, and Save.
- After you enter the record, wait a few minutes and in the Dashlane Admin Console, select Verify domain. Public DNS changes can take up to 24 hours, but most new records take 5 minutes or less. If it doesn't work the first time, wait a few minutes and select Verify domain again.
- After the domain is verified, you’ll see a green checkmark. Repeat the steps for any additional domains you want to enable for SSO that are part of your same SSO tenant. We currently don't support linking multiple SSO providers to a single Dashlane plan.
- If you want, you can turn on Just In Time Provisioning to automatically add any employee with your verified domains at their first login attempt.
Before you turn on Just in Time Provisioning, make sure your plan members have already been added to the Dashlane SAML application in your IdP. After you turn it on, they can install the Dashlane browser extension and create their account. If your plan is out of seats, the member won’t be able to log in until you buy more seats.
Buy more seats for your plan
- Sign in to the Duo Admin Panel and select Application and then Protect an Application. Search for and select Generic SAML Service Provider and then select Protect.
- In the Dashlane Admin Console, select Single sign-on and then copy the Entity ID. In the Duo Admin Panel, paste this for Entity ID in the Service Provider section.
- In the Dashlane Admin Console, copy the Assertion Consumer Service URL. In the Duo Admin Panel, paste this for Assertion Consumer Service (ACS) URL, also in the Service Provider section.
- In the Policy section, for Group policies, select Apply a policy to a group of users.
- From the Select a policy dropdown, choose the policy and groups you want to apply to the Dashlane application.
- Select Save to confirm your generic SAML service provider settings.
- On the same page, in the Downloads section, select Download XML for SAML Metadata.
- Open the XML file that you just downloaded in any plain text editor on your computer, highlight and copy all of the text. In the Dashlane Admin Console, paste the text you copied for Add identity provider metadata and then select Save changes.
- Once you've assigned members, you can test with any assigned member from the Dashlane Admin Console by selecting Test connection. Use the Copy test URL to test the SSO connection from different locations, devices, and members.
If you set up SSO as expected, you see a success message. If you see an error message, you can open a ticket through our support chatbot. Open the chatbot by selecting the Chat with bot icon, shown as a speech bubble, at the bottom of any Help Center page. In the chatbot, follow the prompts and briefly describe your issue.
Learn how to use our support chatbot
Once enabled, any non-admin Master Password member will be converted to an SSO member. During their next login, they'll enter their Master Password for the last time and only be able to log in with SSO after that point.
Any new members invited to your Dashlane plan will never have a Master Password. They will only use SSO to log in.
Note: After you set up SCIM, we recommend that you continue to use it to create and manage groups in Dashlane. There is a way to create and manage groups in the Dashlane Admin Console, but this won’t sync with IdP or SCIM.
FAQ about self-hosted SSO
What does self-hosted mean?
You have two configuration options when you integrate Dashlane with your Identity Provider: Dashlane Confidential SSO and self-hosted SSO. Your choice depends on how you want to set up your encryption service, which is an added layer of security that we require for SSO.
With the self-hosted option, admins set up and manage their own encryption service.
More about the difference between self-hosted and Confidential SSO
Can I switch to Dashlane Confidential SSO after I set up self-hosted?
You can’t switch to Confidential SSO after you set up self-hosted. Before setting up Confidential SSO, make sure it meets your organization’s needs.
More about the difference between self-hosted and Confidential SSO
How do I restart the encryption service?
Azure
- Go to the Azure portal, select Resource groups, Overview, and then your new Dashlane app service.
- Select Restart to restart the App Service.
AWS
- Go to the AWS Secrets Manager.
- Select Encryption Service, Retrieve Secrets Value, and then Edit.
- In the Edit secret value pop-up, select the Plaintext tab.
- In the Plaintext tab, add a space to the end of the value and then delete that space to trigger the option to save the secret again.
- Select Save.
Troubleshooting for self-hosted SSO
I got an “Application with identifier was not found in the directory” error
Microsoft will stop supporting the Azure feature Automation Run As Accounts in September 2023. If you created your Dashlane encryption service with Azure before September 14, 2022, you'll need to edit the configuration to keep the service working properly.
Edit your configuration for Microsoft's update to Azure automation accounts
More about the Microsoft update
You need to take two steps to update the encryption service with Azure. First, update the Health Check path for the app service. Then delete the respective automation account and runbooks.
Note: Depending on the original settings of the encryption service, you might not have an automation account and runbooks linked to the Dashlane resource group. If that’s the case, you'll only need to update the Health Check path for the app service.
Step 1: Update the Health Check path
- Go to the Azure console and select Resource Groups.
- Select the Dashlane resource group.
- Select the app service.
- In the Monitoring section, select Health Check.
- Update the Path to "/azureHealthCheck".
- Select Save.
Step 2: Delete the Azure automation account and runbooks
- Go to the Azure console and select Resource Groups.
- Select the Dashlane resource group.
- Select the Automation Account.
- Select Delete.
- Return to the Dashlane resource group and select the Runbook.
- Select Delete.