This article will guide you through setting up single sign-on (SSO) with Okta.
Before you get started, make sure you have done the following:
- You have reviewed the SSO overview page
- You have signed up for a Dashlane Business plan, and only admins are currently on the plan. Dashlane Team does not allow enabling SSO.
- You have access to the SSO identity provider's metadata and console (if applicable)
Overview of single sign-on (SSO)
Today, the Master Password is used as one of the keys to encrypt/decrypt user data. Now, with SSO, your users can sign in to their Dashlane vault using their SSO credentials instead of a Master Password. Together with Dashlane's SSO Connector, users can sign in with their SSO credentials, all while Dashlane retains its zero-knowledge security architecture.
When a user attempts to sign in using SSO, they are redirected to the SSO Connector, which federates to the identity provider.
After the user successfully signs in, the SSO Connector sends a unique key to the client, which then decrypts the user's data.
All user keys are managed by the SSO Connector. In order to maintain our patented zero-knowledge security architecture, the SSO Connector needs to be hosted in an environment controlled by your organization. The SSO Connector runs on Docker and can be hosted in any environment where Docker is present.
Dashlane specific requirements
- Dashlane Business (Dashlane Team does not support SSO)
- Minimum version of the Dashlane app:
  - Web: v6.2030.3
  - iOS: v6.2029.0
  - Android: v6.2030.1
  - Desktop apps are not supported
Verify your domain
You will need to verify the domain that your organization owns. Once you enable SSO, all users that are using your organization's domain will be required to use SSO to sign in.
1. Visit the Dashlane Admin Console and navigate to the Settings tab.
2. Click the SAML SSO tab. In the Verify your company email domain field, enter your company's domain name and click the Verify button.
- If you have multiple e-mail domains configured for your SSO provider, add and verify all additional domains.
3. Copy the Hostname and TXT values and add them to a new DNS TXT record for your domain. Once added, click on the Verify domain button. Please note that it can take up to 24 hours to verify the domain.
4. Verify all the email domains your users will use to sign in using SSO. If you have more than 5, contact support.
You must verify your domain before you can configure the SSO Connector.
SSO Connector configuration steps
Create an application in Okta
DO NOT search for Dashlane in the Okta marketplace. It will not work for SSO.
1. Navigate to the Admin center in Okta and go to Applications.
2. Click on Add Application.
3. At the top right of the page, click on Create New App.
4. Select Web as the Platform, and SAML 2.0 as the Sign on method.
5. Click on Create.
6. Set a name for the app, for example Dashlane SSO, and click on Next.
You can use this image file for the app logo.
7. Choose a single sign-on URL endpoint that you would like to use for your SSO Connector.
There are three ways to deploy the SSO encryption connector, and how you choose to deploy will change your ACS and Entity ID URLs.
| SSO encryption service host | SSO Connector endpoint |
|---|---|
| Linux VM (advanced) | https://mycompanysso.mycompany.com |
Enter the SSO connector endpoint in the Dashlane admin portal
8. Set the Single sign on URL to https://<SSO Connector Endpoint>/saml/callback, where SSO Connector Endpoint URL is where the SSO Connector is hosted and can be publicly reached. Make sure to include /saml/callback at the end of the path.
9. Set the Audience URI (SP Entity ID) to https://<SSO Connector Endpoint>/saml/, where SSO Connector Endpoint URL is where the SSO Connector is hosted and can be publicly reached. Make sure to include /saml/ at the end of the path.
10. Click on Next.
11. Select "I'm an Okta customer adding an internal app" and "This is an internal app that we have created". Then, click on Finish.
12. You will automatically be navigated to the Sign On section. Click on View Setup Instructions.
13. Scroll to the bottom of the screen to the Optional section and copy the SAML metadata from the field titled Provide the following IDP metadata to your SP provider.
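The values entered in steps 8 and 9 and the metadata copied in step 13 can be checked before they are pasted into the Admin Console. The Python below is an added example, not Dashlane or Okta code: the function names, the sample metadata and its placeholder certificate are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of IdP metadata (placeholder entity ID, host and certificate).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/EXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.okta.com/app/example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def connector_urls(endpoint):
    """Derive the step 8 and step 9 values from the SSO Connector endpoint."""
    u = urlsplit(endpoint.strip())
    if u.scheme != "https" or not u.hostname:
        raise ValueError("endpoint must be an https:// URL with a hostname")
    if u.path not in ("", "/") or u.query or u.fragment:
        raise ValueError("give the bare endpoint; /saml/... is appended here")
    base = f"https://{u.netloc}"
    return {"sso_url": base + "/saml/callback", "audience_uri": base + "/saml/"}

def check_idp_metadata(xml_text):
    """Return (summary, problems) for the IdP metadata copied in step 13."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations do not belong in SAML metadata")
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        problems.append("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {}, problems + ["no IDPSSODescriptor: this is not IdP metadata"]
    sso = [s.get("Location", "") for s in idp.findall("md:SingleSignOnService", NS)]
    certs = [c.text.strip() for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if c.text]
    if not sso or any(not loc.startswith("https://") for loc in sso):
        problems.append("SingleSignOnService Location missing or not https")
    if not certs:
        problems.append("no signing certificate in metadata")
    summary = {"entity_id": root.get("entityID"), "sso_locations": sso, "signing_certs": len(certs)}
    return summary, problems

if __name__ == "__main__":
    print(connector_urls("https://mycompanysso.mycompany.com"))
    print(check_idp_metadata(SAMPLE_METADATA))
```

An empty problems list means the metadata has the elements a SAML service provider needs; it does not validate the certificate itself.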
Configure the SSO Connector
1. Navigate back to the SAML SSO section of the Settings tab in the Admin Console.
2. Paste the SAML metadata from Okta that was copied from the Provide the following IDP metadata to your SP provider field in step 12 above.
3. Enter the URL where your SSO Connector instance will exist. This is the URL that the SSO Connector service can be reached through (for example: https://ssoconnector.company.com).
Note: /saml/login may be automatically appended to the end of your path.
4. Click on the Generate SSO Connector key button. This will generate a key that will be used to encrypt all of your company's data. Copy the generated key and save it somewhere secure (such as a secure note in Dashlane). We also recommend sharing it with any other admins. You will not be able to see this key again.
5. Click on the Download Config file button.
Set up the SSO Connector in your preferred environment
Testing and enabling SSO
1. You can do a quick test to ensure that SSO Connector and Okta are configured correctly. To do so, navigate back to the Dashlane admin console and click on Test Connection.
You can sign in using any user account assigned to the application in Okta to test the account. Once you successfully sign in, you should see a Success message. If you don't, contact Dashlane Support for help.
2. You can now enable SSO for all your users! Remember, admins within Dashlane will not be impacted and will continue to sign in using their Master Password. All other users will be forced to use SSO to access Dashlane.