This article describes how to deploy the Dashlane SSO Connector using a pre-configured AWS template.
The Dashlane SSO Connector can also be deployed with an Azure template.
Before getting started, please review the SSO Overview page.
Set up the SSL certificate using AWS Certificate Manager
All traffic to and from the SSO Connector needs to be encrypted using SSL. Therefore, you first need to obtain an SSL Certificate for the SSO Connector.
1. Sign in to AWS and ensure the AWS region is Ireland (eu-west-1). Navigate to AWS Certificate Manager.
2. If this is your first time using the AWS Certificate Manager, then click on Get started under Provision certificates. Otherwise, click on Request a certificate.
3. Make sure Request a public certificate is selected and then click on Request a certificate.
4. For the Domain name, add the domain where you would like your SSO Connector to run (e.g. dashlanesso.mycompany.com).
5. Complete the remaining steps to validate that you own the domain and request a certificate.
6. Once the certificate is issued (or while you wait for it to validate), open the details of the certificate and copy and save the certificate's ARN.
Use AWS CloudFormation to deploy the SSO Connector
1. Navigate to AWS CloudFormation to create a new stack. Note: the AWS region must be Ireland (eu-west-1).
2. Make sure that Template is ready is selected.
3. For the Template source, select Amazon S3 URL. For the Amazon S3 URL, enter the following:
Copy the values from the Config file into the AWS Secrets Manager
When you instantiate the SSO Connector service, you need to configure it for your company's requirements. The config file downloaded from Dashlane's Admin Console is used to configure the SSO Connector. Before the config file can be generated and downloaded, the following information must be entered into the Admin Console:
- The SAML metadata of the identity provider.
- The SSO Connector endpoint, which is the endpoint from which the SSO Connector can be accessed. This must match the site name from the section above, so in our example the SSO Connector endpoint is https://dashlanesso.mycompany.com.
- The SSO Connector key generated from the Dashlane Admin Console, which is the unique key that allows Dashlane to keep a zero-knowledge architecture. Note that if this key is lost, all user data will be lost. Make sure that the key is stored in a safe and memorable location.
Once you have generated the config file, open it in Notepad or another text editor. You will need to copy its contents and save them as a secret in AWS Secrets Manager. To configure the secret:
1. Open AWS Secrets Manager. You should already have a secret, because the CloudFormation stack generates one for you. Open the secret named Dashlane-SSO-Connector-secret.
2. Scroll down, and click on Retrieve secret value.
3. Click on Edit, and then under Plaintext, paste the config file that you downloaded from the Dashlane Admin Console. For example:
4. Click on Save. The deployment is now complete and the SSO Connector should be successfully running.
5. You can verify that the SSO Connector deployed correctly by navigating to https://{SSO Connector endpoint}/saml. For example, if your endpoint is dashlanesso.mycompany.com, your SAML metadata is located at https://dashlanesso.mycompany.com/saml.
Downloading the SAML metadata of the SSO Connector
Once the SSO Connector is successfully running, you will be able to download the SSO Connector's SAML metadata. To download your SAML metadata, go to the following site in any web browser:
https://{SSO Connector endpoint}/saml/
where {SSO Connector endpoint} is the SSO Connector domain name you configured above.
In our example above, you will be able to download the SSO Connector SAML metadata by navigating to https://dashlanesso.mycompany.com/saml/.
The SAML metadata will automatically download.
You can now upload the SAML metadata to your identity provider.
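As an added check before uploading (example code, not Dashlane's), parse the metadata downloaded from https://{SSO Connector endpoint}/saml/ and confirm that its entityID and AssertionConsumerService locations are HTTPS URLs on the endpoint host you configured. The metadata document below is constructed for the example; the SPSSODescriptor/AssertionConsumerService shape is an assumption about what the connector serves.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample of SP metadata; the exact shape the connector serves is assumed.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://dashlanesso.mycompany.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dashlanesso.mycompany.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_connector_metadata(xml_text: str, endpoint: str) -> list:
    """Return a list of problems; an empty list means the metadata is consistent
    with the configured endpoint: well-formed SAML metadata, and every URL
    (entityID and each AssertionConsumerService Location) is https on that host."""
    problems = []
    # Accept "host" or "https://host" as the configured endpoint.
    endpoint_url = endpoint if "://" in endpoint else "https://" + endpoint
    host = (urlparse(endpoint_url).hostname or "").lower()
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    urls = {"entityID": root.get("entityID", "")}
    for i, acs in enumerate(root.iter(f"{{{MD_NS}}}AssertionConsumerService")):
        urls[f"AssertionConsumerService[{i}]"] = acs.get("Location", "")
    if len(urls) == 1:
        problems.append("no AssertionConsumerService found in metadata")
    for name, url in urls.items():
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{name} is not https: {url!r}")
        if (parsed.hostname or "").lower() != host:
            problems.append(f"{name} host {parsed.hostname!r} != endpoint {host!r}")
    return problems


if __name__ == "__main__":
    print(check_connector_metadata(SAMPLE_METADATA, "https://dashlanesso.mycompany.com"))
```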
Return to the remaining portion of the setup guide for your identity provider.
Azure AD | G Suite | ADFS | Okta
Maintaining and upgrading the SSO Connector
We recommend that you periodically update the CloudFormation stack to ensure that the SSO Connector is up to date. To do this:
1. Navigate to AWS CloudFormation and select the stack that you had created.
2. Click on Update.
3. Select Replace current template and then enter the following for the Amazon S3 URL:
4. You should not need to make any further changes in the stack. Navigate to the last step by clicking on Next, and then acknowledge the capabilities and transforms. Then click on Update stack.
5. Once the stack is updated, you should see UPDATE_COMPLETE. Your SSO Connector is now up to date.
Advanced option: Running multiple instances for high availability
AWS Lambda is inherently elastic and will scale with demand. However, if you do choose to run multiple instances of the SSO Connector, you simply need to ensure that the SSO Connector Key within the config file is the same across all instances.
The SSO Connector key should have been securely saved when it was first generated, at the time of deploying the first instance of the SSO Connector. If the key was not saved, you may be able to find it in the config file downloaded during the setup of the first instance. If the initial config file is also not available, it will not be possible to create more instances of the SSO Connector.