This article explains the user experience for migrating your organization from using Master Passwords to your Identity Provider's SSO. If you want to learn how to configure SSO to migrate your users, start with SSO overview and deployment.
Once you enable single sign-on for your organization, the members of your team will be able to use your organization's identity provider to sign in to Dashlane instead of their master password. However, because each user's data is encrypted using their master password, a one-time migration will be required for all members of your organization. This migration will decrypt the data using their master password and re-encrypt it using their SSO credentials. After the migration, the master password will no longer be used and your users will no longer need to remember their old master password.
This article outlines the important considerations before enabling SSO for your organization and how it will impact your organization.
Desktop apps are not supported for Mac and Windows with SSO users
Once a user migrates from using their master password to using SSO, that user will no longer be able to sign in to the native Windows and Mac desktop applications (all extensions will continue to work). They will instead see the following error when attempting to log in to one of the native desktop applications:
Your company has enabled single sign-on (SSO). Use the Dashlane web app (app.dashlane.com) instead of your desktop app going forward. [-1211]
Users will be blocked from signing into the desktop app only after they have migrated to using single sign-on. Learn more about the migration steps. If your organization has enabled SSO but the user has not migrated, that user will continue to be able to sign in to the desktop app.
We are quickly adding core features from the desktop app to the web app (https://app.dashlane.com). To see which features have already been implemented and which are still being built, take a look at our feature comparison chart.
Re-registering all devices
As part of the migration, all user devices will be deregistered. If the user uses multiple devices, the user will be signed out of all devices. Once the user signs in again, the user will receive an email notification that a new device was added even if the user has signed in to Dashlane on that device before. Because the identity provider handles two-factor authentication (2FA), the user will not be prompted for a 2FA code when registering the new device. A 2FA challenge from the SSO identity provider may still occur if you have configured 2FA as part of SSO.
No access to any data after being revoked from the team
If you revoke a user that is using SSO to sign in, that user will no longer be able to access Dashlane, including the data stored in their personal space. However, if you need to give that user access again, you can add them back into your business plan within 30 days of revoking them. No user data is deleted within 30 days, including the data in the business space.
Previously revoked users not impacted
If you have users that you revoked before enabling SSO for your organization, these users will not be disrupted and will continue to be able to sign in to Dashlane using their email and master password. They will not be forced to migrate to SSO either.
User migration from master password to single sign-on
Once you activate SSO for your organization, all members (not admins) in your organization will be forced to re-encrypt their data so they can sign in to Dashlane using SSO instead of their master password at their next login. Admins in your organization will not be impacted and will continue to use their master password to sign in.
Once you activate SSO, your members will go through the following migration:
- The next time the user successfully signs into their browser extension using their master password, they will see the following image. (If they attempt to sign into the web application in the browser, they will be directly taken to the next step).
- Once the user clicks on Log in with SSO, the user will see the following screen:
- Once the user clicks Log in with SSO, the user will be redirected to their identity provider to sign in.
- Upon a successful sign-in, the user will be redirected to Dashlane and automatically have their data re-encrypted. Once the re-encryption is complete, the user will be redirected to the Dashlane web application. Note: If the user doesn't have the extension installed, they will have to type in the master password once more before the re-encryption happens.
The migration is complete - the user will no longer need their master password! Future logins will look like the following:
Note: The same experience is available on the iOS and Android applications. The migration will be done only once per user and will happen on the device that the user signs into first after SSO has been activated for the organization.