Dashlane's single sign-on (SSO) feature allows your users to sign in to Dashlane using their SSO credentials instead of a Master Password. This article shows you how to set up SSO with an on-premise (or cloud-hosted) ADFS infrastructure.
Before you get started, make sure you have done the following:
- You have reviewed the SSO overview page.
- You have signed up for a Dashlane Business Plan. Dashlane Team does not allow enabling SSO. If you would like to upgrade, contact Dashlane Support.
- You have access to the SSO Identity Providers metadata and console (if applicable).
Overview of single sign-on (SSO)
Today, Dashlane uses the Master Password as one of the keys to encrypt/decrypt user data. Now, with SSO, your users can sign in to their Dashlane vault using their SSO credentials instead of a Master Password. Together with Dashlane's SSO Connector, users can sign in with their SSO credentials while Dashlane retains its zero-knowledge security architecture.
When a user attempts to sign in using SSO, they are redirected to the SSO Connector, which federates to the identity provider.
After the user successfully signs in, the SSO Connector sends a unique key to the client, which then decrypts the user's data.
The SSO Connector manages all user keys. To maintain our patented zero-knowledge security architecture, the SSO Connector must be hosted in an environment controlled by your organization. The SSO Connector runs on Docker and can be hosted in any environment where Docker is present.
Dashlane-specific requirements
- Dashlane Business (Dashlane Team does not support SSO)
- Minimum version of the Dashlane app:
  - Web: v6.2030.3
  - iOS: v6.2029.0
  - Android: v6.2030.1
- Desktop apps are not supported
Step 1: Verify your domain
You will need to verify the domain that your organization owns. Once you enable SSO, all users that are using your organization's domain will be required to use SSO to sign in.
- Log in to the Dashlane Admin Console, navigate to the Settings tab, and click Single sign-on.
- In the Verify your company email domain field, enter your company's domain name and click Add.
- If you have multiple e-mail domains configured for your SSO provider, add and verify all additional domains.
- Copy the Hostname and TXT values and add them to a new DNS TXT record for your domain. Once added, click Verify domain. Please note that it can take up to 24 hours to verify the domain.
- Verify all the email domains that your users will use to sign in using SSO. If you have more than 5 domains, please contact Dashlane Support.
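The domain verification in Step 1 depends on the TXT record being visible in public DNS, and the console only reports pass or fail. The following PowerShell script is an added example, not part of the Dashlane article: it queries public resolvers for the record before you click Verify domain, so a typo in the record or slow propagation is caught on your side first. The hostname, expected value and resolver list are placeholders; copy the real Hostname and TXT values from the Admin Console.

```powershell
# Added example (not from the Dashlane article): confirm the TXT record from Step 1
# is visible in public DNS before clicking "Verify domain".
# RecordHost and ExpectedValue are placeholders; use the Hostname and TXT values
# shown in the Admin Console.
param(
    [string]$RecordHost = "_verification.example.com",           # placeholder: Hostname from the console
    [string]$ExpectedValue = "dashlane-verification=PLACEHOLDER",  # placeholder: TXT value from the console
    [string[]]$Resolvers = @("8.8.8.8", "1.1.1.1")                 # public resolvers, not your internal DNS,
                                                                   # so you see what an external verifier sees
)

$allGood = $true
foreach ($resolver in $Resolvers) {
    # Resolve-DnsName also returns CNAME/SOA rows on failure; keep only TXT answers.
    $txt = Resolve-DnsName -Name $RecordHost -Type TXT -Server $resolver -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq "TXT" }

    # A TXT record may be split into several strings; join them the way a verifier reads them.
    $values = @($txt | ForEach-Object { ($_.Strings -join "") })

    if ($values -contains $ExpectedValue) {
        Write-Host "[$resolver] OK: $RecordHost carries the expected value (TTL $($txt[0].TTL)s)"
    } else {
        $allGood = $false
        $seen = if ($values.Count -gt 0) { $values -join "; " } else { "<no TXT record>" }
        Write-Host "[$resolver] MISSING: expected '$ExpectedValue', saw: $seen"
    }
}

if (-not $allGood) {
    Write-Host "Record not visible on every resolver yet; re-run after propagation (the article allows up to 24 hours)."
}

# Non-zero exit code when any resolver is missing the record, so the script can gate a change ticket.
exit ([int](-not $allGood))
```

Run it once per domain you add in the console; if one resolver reports OK and another reports MISSING, the record is still propagating and the console check may fail until every resolver agrees.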
Step 2: Configure the SSO Connector
- Navigate back to the SAML SSO section of the Settings tab in the Admin Console.
- Copy the SAML metadata from ADFS and paste it into the Enter the identity provider metadata here field. If you need help finding the metadata, go to your ADFS federation metadata URL, where ADFSName.Domain.com is the hostname of your ADFS server or farm.
You can also use Microsoft's tool to download your Federation Metadata Document.
- Choose an SSO URL endpoint for your SSO connector. There are three ways to deploy the SSO encryption connector, and how you choose to deploy will change your ACS and Entity ID URLs.
| SSO encryption service host | SSO Connector endpoint |
| --- | --- |
| Azure (recommended) | https://mycompanysso.azurewebsites.net |
| AWS | https://mycompanysso.mycompany.com |
| Linux VM (advanced) | https://mycompanysso.mycompany.com |
- Enter the SSO connector endpoint in the Dashlane admin portal.
- Click Generate SSO Connector key. This generates the key that will be used to encrypt all your company's data. Copy the generated key and save it somewhere secure (such as a secure note in Dashlane). We also recommend sharing it with your other admins. You will not be able to see this key again.
- Click Download Config file.
Complete the SSO Connector setup
The SSO Connector encryption service must be fully set up before moving forward. Learn more about the SSO encryption service and then visit the following article for your preferred platform.
Step 3: Configure ADFS
- To configure ADFS, you will need the SAML metadata from the SSO Connector service. To do so, navigate to https://<SSO Connector Endpoint>/saml/ from the ADFS server or a device that can reach the SSO Connector. This will download a local copy of the SAML metadata.
- Transfer the SAML metadata file to the ADFS server.
- Open the ADFS Management console and click Add Relying Party Trust.
- In the menu, select Claims aware and then click Start.
- Select Import data about the relying party from a file and click Browse to select your SSO Connector's metadata XML file that you saved from Step 2. Once selected, click Next.
- Type "Dashlane SSO Connector" as the display name and then click Next.
- Select your access control policy and click Next. This will vary based on your company's security policies. For this example, we're going to permit everyone.
- Review the relying party trust that was configured, click Next, and then click Close. The new trust will be created.
- Allow the Dashlane SSO Connector to retrieve the user's email address from ADFS. Select the newly created Relying Party Trust (if you don't see it, click Relying Party Trusts in the left sidebar). Then click Edit Claim Issuance Policy.
- Click Add Rule in the bottom-left of the window.
- In the Claim rule template dropdown, select Transform an incoming claim and click Next.
- Set the Claim rule name field to "Send Email as Name ID".
- Set Incoming claim type to "UPN".
- Set Outgoing claim type to "Name ID".
- Set Outgoing name ID format to "Email".
- Click Finish.
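Step 3 is a sequence of console clicks, which is hard to repeat consistently across an ADFS farm or to review afterwards. The PowerShell script below is an added example, not part of the Dashlane article or the SSO Connector project: it performs the same steps with the ADFS module, and before creating the trust it checks that the entityID and AssertionConsumerService location in the downloaded metadata actually belong to the connector endpoint you entered in the Admin Console, since ADFS would otherwise be configured to post assertions to whatever host the file names. The connector endpoint and file path are placeholders; the claim rule is the standard MapClaims rule that the Transform an incoming claim template produces for UPN to Name ID with the Email format, and the access control policy name matches the "permit everyone" choice used in the article.

```powershell
# Added example (not from the Dashlane article): script the "Add Relying Party Trust"
# and "Edit Claim Issuance Policy" steps of Step 3 with the ADFS PowerShell module.
# Run in an elevated session on the ADFS server. $ConnectorEndpoint is a placeholder.
param(
    [string]$ConnectorEndpoint = "https://mycompanysso.mycompany.com",  # placeholder, from the Step 2 table
    [string]$MetadataPath = "$env:TEMP\dashlane-sso-connector-metadata.xml",
    [string]$DisplayName = "Dashlane SSO Connector",
    [string]$AccessControlPolicy = "Permit everyone"                     # the built-in policy used in the article
)

Import-Module ADFS

# Download the SP metadata the SSO Connector publishes at /saml/ (first bullet of Step 3).
$metadataUri = "$ConnectorEndpoint/saml/"
Invoke-WebRequest -Uri $metadataUri -OutFile $MetadataPath -UseBasicParsing

# Check the metadata before trusting it: entityID and the ACS location must sit on the
# connector endpoint configured in the Admin Console.
[xml]$metadata = Get-Content -Path $MetadataPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")

$entityNode = $metadata.SelectSingleNode("/md:EntityDescriptor", $ns)
$acsNode    = $metadata.SelectSingleNode("//md:SPSSODescriptor/md:AssertionConsumerService", $ns)
if (-not $entityNode -or -not $acsNode) {
    throw "File at $MetadataPath is not SAML 2.0 SP metadata with an AssertionConsumerService."
}
$entityId = $entityNode.GetAttribute("entityID")
$acsUrl   = $acsNode.GetAttribute("Location")
foreach ($url in @($entityId, $acsUrl)) {
    if (-not $url.StartsWith($ConnectorEndpoint, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Metadata value '$url' is not under $ConnectorEndpoint; refusing to create the trust."
    }
}
Write-Host "Metadata OK: entityID=$entityId ACS=$acsUrl"

# "Send Email as Name ID": UPN in, Name ID out, Email format (Step 3 claim rule), written in
# ADFS claim rule language exactly as the Transform an incoming claim template emits it.
$sendEmailAsNameId = @'
@RuleTemplate = "MapClaims"
@RuleName = "Send Email as Name ID"
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Create the claims-aware relying party trust from the metadata file, with the access
# control policy and the issuance transform rule attached in one step.
Add-AdfsRelyingPartyTrust -Name $DisplayName `
    -MetadataFile $MetadataPath `
    -IssuanceTransformRules $sendEmailAsNameId `
    -AccessControlPolicyName $AccessControlPolicy

# Print what was created so it can be compared with the ADFS Management console view.
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Select-Object Name, Identifier, Enabled, AccessControlPolicyName, IssuanceTransformRules
```

The script stops at the metadata check if the file points anywhere other than your own connector, which is the case a defender cares about: a trust created from a swapped metadata file would silently send signed assertions for your users to a third party. After it runs, continue with Step 4 and the Test SSO Connection button exactly as for the console-created trust.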
Step 4: Test and enable SSO
You can do a quick test to ensure that SSO Connector and ADFS are configured correctly.
- Navigate to the Dashlane Admin Console and click Test SSO Connection.
- Sign in using any user account registered in ADFS to test the account. Once you successfully sign in, you should see a Success message. If you don't see the message, please contact Dashlane Support.
- Click Enable SSO.
You have enabled SSO for all your users! Remember, admins within Dashlane will not be impacted, and will continue to sign in using their Master Password. All other users will be forced to use SSO.