Dashlane's single sign-on (SSO) feature allows your users to sign in to Dashlane using their SSO credentials instead of a Master Password. This article shows you how to set up single sign-on (SSO) with Okta.
Before you get started, make sure you have done the following:
- You have reviewed the SSO overview page.
- You have signed up for a Dashlane Business Plan. Dashlane Team does not allow enabling SSO. If you would like to upgrade, contact Dashlane Support.
- You have access to the SSO identity provider's metadata and console (if applicable).
Overview of single sign-on (SSO)
Today, Dashlane uses the Master Password as one of the keys to encrypt/decrypt user data. Now, with SSO, your users can sign in to their Dashlane vault using their SSO credentials instead of a Master Password. Together with Dashlane's SSO Connector, users can sign in with their SSO credentials while Dashlane retains its zero-knowledge security architecture.
When users attempt to sign in using SSO, Dashlane redirects them to the SSO Connector, which federates to the identity provider.
After the user successfully signs in, the SSO Connector sends a unique key to the client, which then decrypts the user's data.
The SSO Connector manages all user keys. To maintain our patented zero-knowledge security architecture, you must host the SSO Connector in an environment controlled by your organization. The SSO Connector runs on Docker. You can host the SSO Connector in any environment where Docker is present.
Dashlane specific requirements
- Dashlane Business (Dashlane Team does not support SSO)
- Minimum version of the Dashlane app:
  - Web: v6.2030.3
  - iOS: v6.2029.0
  - Desktop apps are not supported
Step 1: Verify your domain
You will need to verify the domain that your organization owns. Once you enable SSO, all users using your organization's domain will be required to use SSO to sign in.
- Log in to the Dashlane Admin Console, navigate to the Settings tab, and click Single sign-on.
- In the Verify your company email domain field, enter your company's domain name and click Add.
- If you have multiple e-mail domains configured for your SSO provider, add and verify all additional domains.
- Copy the Hostname and TXT values and add them to a new DNS TXT record for your domain. Once added, click Verify domain. Please note that it can take up to 24 hours to verify the domain.
- Verify all the email domains your users will use to sign in using SSO. If you have more than 5, please contact Dashlane Support.
You must verify your domain before you can configure the SSO Connector.
Step 2: Create an application in Okta
DO NOT search for Dashlane in the Okta marketplace. It will not work for SSO.
- Navigate to the Admin center in Okta and go to Applications.
- Click Add Application.
- At the top right of the page, click Create New App.
- Select Web as the Platform and SAML 2.0 as the Sign on method.
- Click Create.
- Set a name for the app, such as Dashlane SSO, and click Next.
You can use this image file for the app logo.
- You have three options to deploy the SSO encryption connector, and how you choose to deploy it will change your ACS & Entity ID URLs. Your URL should look like the examples in the following table, where you replace 'mycompany' with your company's name. If your company name is acmeco, then your SSO connector on Azure would be https://acmecosso.azurewebsites.net.
| SSO encryption service host | SSO Connector endpoint |
| --- | --- |
| Azure (recommended) | https://mycompanysso.azurewebsites.net |
| AWS | https://mycompanysso.mycompany.com |
| Linux VM (advanced) | https://mycompanysso.mycompany.com |
Enter the SSO connector endpoint in the Dashlane admin portal.
- Set the Single sign on URL to https://<SSO Connector Endpoint>/saml/callback, where <SSO Connector Endpoint> is the publicly reachable URL where the SSO Connector is hosted. Make sure to include /saml/callback at the end of the path.
- Set the Audience URI (SP Entity ID) to https://<SSO Connector Endpoint>/saml/, where <SSO Connector Endpoint> is the publicly reachable URL where the SSO Connector is hosted. Make sure to include /saml/ at the end of the path.
- Click Next.
- Select I'm an Okta customer adding an internal app and This is an internal app that we have created.
- Click Finish. You're taken to the Sign On section.
- Click View Setup Instructions.
- Scroll to the bottom of the screen to the Optional section and copy the SAML metadata from the field titled Provide the following IDP metadata to your SP provider.
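A pre-flight check for the values entered in Step 2, as an added example that is not Dashlane's or Okta's code: `sp_urls` builds the Single sign on URL and Audience URI from the bare SSO Connector endpoint, and `check_idp_metadata` sanity-checks the IdP metadata copied from Okta before it is pasted into the Admin Console. The function names and the sample metadata are assumptions made for the example.

```python
# Added example: helper names are illustrative, not Dashlane or Okta code.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

def sp_urls(endpoint):
    """Derive the two Okta SAML fields from the bare SSO Connector endpoint."""
    u = urlsplit(endpoint.strip())
    if u.scheme != "https" or not u.hostname:
        raise ValueError("SSO Connector endpoint must be an https:// URL")
    if u.path.strip("/") or u.query or u.fragment:
        raise ValueError("pass the bare endpoint, without path or query")
    base = "https://" + u.netloc
    return {"single_sign_on_url": base + "/saml/callback",
            "audience_uri": base + "/saml/"}

def check_idp_metadata(xml_text):
    """Return (summary, problems) for the IdP metadata copied from Okta."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % MD or idp is None:
        raise ValueError("not SAML 2.0 identity provider metadata")
    sso = {s.get("Binding", "").rsplit(":", 1)[-1]: s.get("Location", "")
           for s in idp.findall("md:SingleSignOnService", NS)}
    # A KeyDescriptor without a "use" attribute serves signing as well.
    certs = [k for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"
             and k.findtext(".//ds:X509Certificate", "", NS).strip()]
    problems = [msg for bad, msg in [
        (not root.get("entityID"), "missing entityID"),
        (not sso, "no SingleSignOnService endpoint"),
        (not certs, "no signing certificate")] if bad]
    problems += [b + " endpoint is not https"
                 for b, loc in sso.items() if not loc.startswith("https://")]
    return {"entity_id": root.get("entityID"), "sso": sso,
            "signing_certs": len(certs)}, problems

# Constructed sample; the certificate body is a placeholder, not a real key.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exkEXAMPLE">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://example.okta.com/app/exkEXAMPLE/sso/saml"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Call `sp_urls()` with your own endpoint and `check_idp_metadata()` with the XML copied from Okta. An empty problems list means the metadata names an entity ID, an https sign-on endpoint, and a signing certificate.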
Step 3: Configure the SSO Connector
- Navigate back to the SAML SSO section of the Settings tab in the Admin Console.
- Copy and paste the SAML metadata from Okta that was copied from the Provide the following IDP metadata to your SP provider field in the previous section.
- Enter the URL where your SSO Connector instance will exist. This is the URL that the SSO Connector service can be reached through (for example, https://ssoconnector.company.com).
Note: /saml/login may be automatically appended to the end of your path.
- Click Generate SSO Connector key. This generates a key that will be used to encrypt your company's data. Make sure to copy the generated key and save it somewhere secure (such as a secure note in Dashlane). We also recommend sharing it with any other admins. You will not be able to see this key again.
- Click Download Config file.
Complete the SSO Connector setup
You must complete the setup of the SSO Connector encryption service before moving forward. Learn more about the SSO encryption service, and then visit the following article for your preferred platform.
Step 4: Test and enable SSO
You can do a quick test to ensure that the SSO Connector and Okta are configured correctly.
- Navigate to the Dashlane Admin Console and click Test SSO Connection.
- Sign in using any user account assigned to the application in Okta to test the account. Once you successfully sign in, you should see a Success message. If you don't, please contact Dashlane Support.
- Click Enable SSO.
You have enabled SSO for all your users! Remember, admins within Dashlane will not be impacted and will continue to sign in using their Master Password. All other users will be forced to use SSO.