This article is for organizations on a Dashlane Business plan.
The encryption service is a required component of Dashlane SCIM and SSO implementation. This article explains why Dashlane uses the encryption service and how you can set it up.
Overview
The encryption service can benefit your organization more than competitor solutions. End-to-end encryption and encrypted sharing keys require a layer of security that SAML and SCIM don't provide out of the box. You can use the encryption service to integrate Dashlane with these protocols while keeping the encryption keys secure and the experience intuitive for plan members and admins.
Architecture
You can set up SCIM and SSO independently from one another, but we recommend configuring both for the best experience. The encryption service provides a user encryption key during login and a group encryption key during SCIM directory sync. We're currently in the process of updating all customers to the encryption service. To get enabled for the latest version, contact the Customer Support team.
Set up the encryption service in Azure
Estimated time to complete: 10 minutes
Access required:
- Dashlane admin account
- Azure admin account
To set up the service:
- Select the Dashlane D icon in your browser's toolbar and enter your admin Master Password if prompted. In the extension pop-up, select More and then Open the Admin Console. If you don't have the Dashlane extension installed yet, you can download it.
Download the Dashlane extension
- In the Dashlane Admin Console, in the Encryption Service settings section, select Settings, Single sign-on, and then Edit.
- In the Where will you deploy the Encryption Service? menu, select Microsoft Azure. Your encryption service endpoint is generated automatically with your organization details.
- Select Generate and save to create your encryption service configuration.
- Once generated, select Copy to copy the configuration, and then select Go to service host to open the Azure template.
- In the Azure template, select Edit parameters.
- Select and delete all the current parameters.
- Paste the encryption service configuration you copied from the Dashlane Admin Console and select Save.
- Select a Subscription, select or create a new Resource group, and then select Next: Review + create.
Important! If the Subscription menu is blank or you don't subscribe to Azure, you need to subscribe to complete the encryption service setup. We recommend subscribing to "Azure App Service Basic Plan - Linux - B1". This plan costs $.018 per hour. Depending on your organization's usage, you can expect this to cost $8 to $14 per month. This subscription is different from an Azure Active Directory subscription.
- After you see a Validation Passed message, select Create.
After a few minutes, the deployment completes successfully.
Restart the Azure encryption service
If you're prompted to restart the Azure encryption service, follow these steps. If not prompted, you can skip these steps.
- Return to the Azure portal, select Resource groups, Overview, and then your new Dashlane app service.
- Select Restart to restart the App Service.
Your encryption service is running. You can now configure SAML-based SSO or SCIM provisioning with your Identity Provider.
Set up SSO and SCIM With Azure AD
Set up SSO with Google Workspace
Set up SSO and SCIM with JumpCloud
Set up the encryption service in AWS
Estimated time to complete: 10 minutes
Access required:
- Dashlane admin account
- AWS admin account
To set up the service:
- Select the Dashlane D icon in your browser's toolbar and enter your admin Master Password if prompted. In the extension pop-up, select More and then Open the Admin Console.
- In the Dashlane Admin Console, in the Encryption Service settings section, select Settings, Single sign-on, and then Edit.
- In the Where will you deploy the Encryption Service? menu, select AWS. Your encryption service endpoint is generated automatically with your organization details.
- Select Generate and save to create your encryption service configuration.
- Once generated, select Copy to copy the configuration and then Go to service host.
- Log in to the AWS portal and make sure the AWS region is "Virginia (US-East-1)" or "Ireland (EU-West-1)."
- Search AWS for "certificate manager" and select Certificate Manager from the search results.
- In the New ACM managed certificate section, select Request a certificate.
- Select Request a public certificate and then Next.
- In the Domain names section, paste your encryption service endpoint web address from the Dashlane Admin Console.
- In the Select validation method section, select DNS validation and then Request.
- Select the Certificate ID link.
- Select the icon to Copy the CNAME name and CNAME value.
- Log in to your public DNS provider and create a new CNAME record under your domain name. The exact steps vary depending on your provider.
- For Type, select CNAME. For Host, paste the CNAME name you copied from the Certificate Manager. For Points to, paste the CNAME value you copied from the Certificate Manager.
- Select Save.
- Return to the AWS Certificate Manager and select the icon to Copy the ARN string. Paste it into an app like TextEdit for Mac or Notepad for Windows to save it for later.
Note: You must validate your certificate before you can move to the next steps and create a stack.
- Search AWS for "aws cloud formation" and select CloudFormation from the search results.
- In the Create stack menu, select With new resources (standard).
- Select Template is ready, enter the following Amazon S3 URL, and select Next:
https://s3-eu-west-1.amazonaws.com/public-cloudformation.dashlane.com/sso-connector/sam-app/template-latest.yaml
- Complete the following fields:
  - For Stack name, name your stack with this format: [YourCompanyName]-SSO-Connector
  - For Certificate, paste the ARN string you saved from the Certificate Manager.
  - For DomainName, paste the encryption service endpoint URL generated by the Dashlane Admin Console.
- Select Next.
- On the Configure stack options page, leave all settings as they are and select Next.
- Scroll to the Transforms might require access capabilities section, select all the checkboxes, and then select Create stack.
- This process may take several minutes. A CREATE_COMPLETE message appears when the stack has been created.
- After the stack has been created, select the Outputs tab and copy the CNAME Value.
- Log in to your public DNS provider and create a new CNAME record under your domain name.
- For the Type, select CNAME. For Host, paste the encryption service endpoint URL generated by the Dashlane Admin Console.
Example: For dashlanesso.dashlaneshop.com, paste the text dashlanesso.
- For Points to, paste the CNAME Value copied from the Outputs tab.
- Search in AWS for "secrets manager" and select Secrets Manager from the search results.
- Select your SSO connector Secret name.
- In the Secret value section, select Retrieve secret value.
- Select Edit.
- Return to the Single sign-on section of the Dashlane Admin Console, select Edit for Encryption Service settings, and Copy the encryption service configuration file.
- Return to AWS, select the Plaintext tab, paste the encryption service configuration file, and select Save.
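A pre-flight check for the values pasted during the AWS steps above, added here as an example (it is not Dashlane's code). The function names are hypothetical, and the check assumes the certificate and the stack are created in the same region; it validates the Stack name, Certificate and DomainName fields and derives the Host label for the CNAME record.

```python
import re
from urllib.parse import urlparse

SUPPORTED_REGIONS = {"us-east-1", "eu-west-1"}  # Virginia, Ireland (from the procedure)
# ACM certificate ARN: arn:aws:acm:<region>:<12-digit account>:certificate/<UUID>
ACM_ARN = re.compile(r"^arn:aws:acm:([a-z0-9-]+):\d{12}:certificate/[0-9a-f-]{36}$")
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
STACK_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,127}$")  # CloudFormation naming rule


def normalize_endpoint(value):
    """Reduce a pasted endpoint (URL or hostname) to a bare lowercase hostname."""
    value = value.strip()
    parsed = urlparse(value if "://" in value else "//" + value)
    host = (parsed.hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid hostname: {value!r}")
    return host


def host_label(endpoint, zone):
    """Return the Host field for the CNAME record, relative to the DNS zone."""
    zone = zone.strip().lower().rstrip(".")
    if not endpoint.endswith("." + zone):
        raise ValueError(f"{endpoint} is not under zone {zone}")
    return endpoint[: -len(zone) - 1]


def preflight(company, cert_arn, endpoint, zone, region):
    """Check the stack parameters before pasting them; return them normalized."""
    if region not in SUPPORTED_REGIONS:
        raise ValueError(f"{region} is not one of {sorted(SUPPORTED_REGIONS)}")
    match = ACM_ARN.match(cert_arn.strip())
    if not match:
        raise ValueError("Certificate must be an ACM certificate ARN")
    if match.group(1) != region:  # assumption: certificate and stack share a region
        raise ValueError(f"certificate is in {match.group(1)}, console is in {region}")
    stack = re.sub(r"[^A-Za-z0-9-]", "", company) + "-SSO-Connector"
    if not STACK_NAME.match(stack):
        raise ValueError(f"invalid stack name: {stack!r}")
    host = normalize_endpoint(endpoint)
    return {"StackName": stack, "Certificate": match.group(0), "DomainName": host,
            "CnameHost": host_label(host, zone)}


if __name__ == "__main__":
    # Constructed sample values; the hostname is the article's own example.
    arn = "arn:aws:acm:eu-west-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
    print(preflight("Dashlane Shop", arn, "https://dashlanesso.dashlaneshop.com/",
                    "dashlaneshop.com", "eu-west-1"))
```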
Restart the AWS encryption service
If you're prompted to restart the AWS encryption service, follow these steps. If not, you can skip them.
- Return to the AWS Secrets Manager.
- Select Encryption Service, Retrieve secret value, and then Edit.
- In the Edit secret value pop-up, select the Plaintext tab.
- In the Plaintext tab, add a space to the end of the value and then delete that space to trigger the option to save the secret again.
- Select Save.
Your encryption service is running. You can now configure SAML-based SSO or SCIM provisioning with your Identity Provider.
Set up SSO and SCIM With Azure AD