Single sign-on (SSO) for DNSFilter

Article author: Minetta Gould

Single sign-on (SSO) is an identification system that authenticates and enables users to securely access many different applications and services using just one set of credentials.

The SSO feature is available to all plans at no extra charge. Only owners can configure SSO on their DNSFilter accounts.

SSO can be configured with any Identity Provider (IdP) that supports the Generic OpenID Connect (OIDC) authentication process. Examples are provided below on how to configure SSO using two common IdPs: Azure Active Directory and Okta.

Azure Active Directory (AD) Configuration Process

The Azure AD side of the Generic OpenID Connect (OIDC) setup is as follows. Prior to configuring SSO within the DNSFilter Dashboard, your IT Admin will need to create an App Registration with Azure AD.

  1. Navigate to Manage > App registrations
  2. Click (+) New registration
  3. Configure the app as follows:

    Name: Enter an identifying application name (this name is only used within Azure AD)

    Supported account types: Leave the default selected, Accounts in this organizational directory only (rnvm only - Single tenant)

    Redirect URI (optional):
    Select a platform dropdown: Web
    URL: https://auth.dnsfilter.com/login/callback
    Please Note: This is a static authentication callback URL provided to configure OIDC SSO authentication with the DNSFilter Dashboard.

  4. Click Register
  5. On the newly created app registration page within Azure AD, navigate to Client Credentials > Add a certificate or secret
  6. Click (+) New client secret
  7. Enter a name and select a secret expiration time

    💡 PRO Tip: To avoid being locked out of the DNSFilter dashboard, keep track of when this secret expires. A new secret will need to be created within Azure AD and updated within the DNSFilter SSO configuration prior to expiration.

  8. Click Add
  9. Copy the client secret's value to the clipboard

    💡 PRO Tip: This is the only time the Value for the client secret will be visible and available to copy. Store your app registration secret value in a secure location / secret vault.

  10. After copying the value for the client secret, close the Certificates & Secrets panel
  11. The following values will be needed to configure the DNSFilter SSO connection:
    - Application (client) ID
    - Client Secret Value [Step 9]
    - OpenID Connect metadata document [found under Endpoints]


Okta Configuration Process

  1. Open Okta and navigate to Applications > Create App Integration and select OIDC - OpenID Connect for the Sign-in method.
  2. Set the Application Type to Web Application, then choose Next.
  3. Enter an Application name and paste the Callback URL below into the Sign-in redirect URIs.
    Callback URL: https://auth.dnsfilter.com/login/callback
  4. You can leave the Sign-out redirect URIs blank if preferred. If not, you can use your DNSFilter login URL and paste it into that field (e.g., https://app.dnsfilter.com/).
  5. Back in Okta, under Assignments, choose Allow everyone to have access, Limit access to selected groups, or Skip the group assignment for now.
  6. Once you have made your selection, click Save.
  7. Next, locate the Discovery URL in Okta by navigating to General Settings and copying the URL from there.
  8. Rewrite that URL into Okta's OpenID discovery format so that it looks something like this: https://{domain}.okta.com/.well-known/openid-configuration
  9. Paste this into the Discovery URL field in your DNSFilter dashboard.

JumpCloud Configuration

  1. Log into the JumpCloud admin console and navigate to User Authentication > SSO in the left side menu.
  2. Click + Add New Application
  3. Click Custom OIDC App
  4. Add a Display Label and optionally upload a logo.

    Note: DNSFilter does not require a specific naming convention for the OIDC application within JumpCloud.

  5. Click SSO
  6. Add https://auth.dnsfilter.com/login/callback to the Redirect URIs
  7. Select Client Secret Post
  8. Add the Login URL, which will be found in DNSFilter after configuring the SSO connection.

    Ex: https://app.dnsfilter.com/login/<SSO GUID> OR https://app.dnsfilter.com/login/<VanityURL>

  9. Add the Attribute Mapping as outlined below.

    Note: The Service Provider Attribute Name IS case sensitive.

    Service Provider Attribute Name    JumpCloud Attribute Name
    email                              email
    name                               fullname
    first_name                         firstname
    last_name                          lastname

  10. DNSFilter does not require anything under Identity Management
  11. User Groups: Make sure to assign the app to the appropriate user groups, or the end user will not be granted access to DNSFilter.
  12. Click active
  13. Be sure to copy the Client ID and Client Secret.

    Note: This is the only time this secret will be available.

DNSFilter OIDC Config:

    Client ID: copied from the JumpCloud application in step 13
    Client Secret: copied from the JumpCloud application in step 13
    Discovery URL: https://oauth.id.jumpcloud.com/.well-known/openid-configuration

Google Workspace Configuration

  1. Inside of your Google Workspace account, navigate to the dashboard and open a previously created project, or create a brand new project
  2. Give the project a name and assign it to an Organization (if you have an organization created)
  3. Next, select APIs & Services > OAuth consent screen. You may need to click the Menu icon first
  4. For User Type, choose either Internal (for your organization) or External if you don't have an organization created
  5. Click Create
  6. In the App Name field, give the name of your application and enter a User support email
  7. Scroll down to the bottom and enter an email address of your choosing in the Developer contact information field so that Google can contact you about changes to your project
  8. Choose Save and Continue and then Back to Dashboard
  9. In the pane on the left, select APIs & Services > Credentials > Create Credentials > OAuth Client ID
  10. Select Web Application as the Application Type
  11. Give the OAuth web client a name
  12. For the Authorized JavaScript origins, click Add URI and enter https://auth.dnsfilter.com
  13. Under Authorized redirect URIs, click Add URI and enter https://auth.dnsfilter.com/login/callback
  14. Click Create
  15. A prompt will appear showing your Client ID and Client secret
  16. Make a note of these and/or click 'Download JSON' so that you can refer back to them
  17. In the DNSFilter dashboard, you can now navigate to Organizations > Settings > SSO and click on Google Workspace
  18. Paste in your Client ID and Client secret
  19. The Discovery URL would look something like this: https://accounts.google.com/.well-known/openid-configuration
  20. You can then assign the desired user role under 'Advanced Settings' and save your changes
  21. To log in using your new SSO connection, use the Vanity URL that now appears under Sign-On Details

For more details on Google's OAuth setup, please refer to their documentation here. 

DNSFilter Dashboard SSO Configuration

  1. In your DNSFilter Dashboard, navigate to Organization > Settings > Single Sign-On > Configure Single Sign-On
  2. A prompt will appear informing you that configuring Single Sign-On will impact existing dashboard users. Select Continue to proceed.
  3. Under the first step, click on OpenID to reveal the remaining steps to complete the configuration.
  4. From Azure AD, Okta, or JumpCloud, you can now paste in your Client ID, Client Secret, and Discovery URL
  5. Scroll down to the fourth step in your dashboard and select your desired default role for the authenticated users
  6. In the last step, you have the option to customize the Sign-On button text. Once you've done that, click Save.
  7. The view will refresh and display your SSO configuration details. The URL listed as the 'Vanity URL' is what your organization must use for single sign-on.

With the Azure AD configuration, the first person that attempts to log in to DNSFilter using SSO may see a consent prompt from Azure AD. This is expected behavior: after clicking the checkbox to provide consent and selecting Accept, the prompt will not appear again.

Please Note: Owners are the ONLY role that will always be able to log in through both SSO and their username and password

    • This allows owners to always have access to the DNSFilter dashboard, specifically in the event of an issue with their IdP.
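A pre-flight check for the values the IdP sections above tell you to collect (the static callback URL, the Discovery URL, and the client secret's expiry from the Azure PRO tip), written in Python as an added example; it is not part of this article or of DNSFilter's own tooling. The Okta URL builder follows the format from Okta step 8, and the discovery document it checks is a constructed sample, not one fetched from a real tenant.

```python
from datetime import date
from urllib.parse import urlparse

# Static callback URL the article gives as the redirect URI for every IdP.
DNSFILTER_CALLBACK = "https://auth.dnsfilter.com/login/callback"
# Fields every OpenID Connect discovery document must carry (OIDC Discovery 1.0).
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def okta_discovery_url(domain):
    """Build the Okta Discovery URL in the format shown in Okta step 8."""
    return f"https://{domain}.okta.com/.well-known/openid-configuration"

def check_discovery_document(discovery_url, doc):
    """Return problems found in a discovery document; [] means it looks usable."""
    problems = [f"missing {k}" for k in REQUIRED_KEYS if k not in doc]
    issuer = urlparse(doc.get("issuer", ""))
    if issuer.scheme != "https":
        problems.append("issuer is not https")
    elif issuer.netloc != urlparse(discovery_url).netloc:
        # A different host usually means another tenant's metadata URL was copied.
        problems.append("issuer host differs from Discovery URL host")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported")
    return problems

def callback_registered(redirect_uris):
    """True only if the exact callback is listed: IdPs compare redirect URIs
    byte for byte, so http:// or a trailing slash breaks the login."""
    return DNSFILTER_CALLBACK in redirect_uris

def secret_needs_rotation(expires_on, today, warn_days=30):
    """Azure PRO tip: flag a client secret that expires within warn_days (or
    already has) so a new one is created before the dashboard locks you out."""
    remaining = date.fromisoformat(expires_on) - date.fromisoformat(today)
    return remaining.days <= warn_days

# Constructed sample: a minimal Okta-style discovery document, not real tenant data.
SAMPLE_URL = okta_discovery_url("example")
SAMPLE_DOC = {
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token"],
}

if __name__ == "__main__":
    print(check_discovery_document(SAMPLE_URL, SAMPLE_DOC))  # []
    print(callback_registered([DNSFILTER_CALLBACK + "/"]))   # False
    print(secret_needs_rotation("2024-06-01", "2024-05-15"))  # True
```

Run it against the JSON you get from your own Discovery URL before pasting the values into the DNSFilter SSO form; a non-empty problem list is the cue to recheck the IdP app registration rather than the dashboard.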


Configured SSO Users

When an SSO connection is configured, all non-owner users in the organization will be deactivated and removed from the Users view. This is a permanent change: these email/password user accounts will no longer be associated with the organization and cannot be used to sign in, even if the SSO connection is deleted in the future. In order for these users to be able to log in and appear in the Users view, they will need to log in with the newly created SSO connection.

  • If an SSO connection is deleted at any point, non-owner users that used to log in with email/password will still not be able to log in. If the Owner decides they’d like to have email/password users in their organization after the SSO connection is deleted, those users will have to be manually re-added by the Owner.
  • If an SSO connection is deleted, users that signed in with SSO will no longer be able to sign in. They will see an error message, then will be redirected to our normal email/password login screen. They will not have a password to log in with and cannot request a password reset; they’ll be directed to contact support if they try to request a password reset.
  • When an SSO connection is established, new users can no longer be manually added to the DNSFilter dashboard. New users can only be added by signing in through the SSO connection for the organization.
