Single sign-on (SSO) for DNSFilter

Article author: Brian Reynolds

Single sign-on (SSO) is an authentication system that lets users sign in once with their identity provider and then securely access many different applications and services using that one set of credentials.

The SSO feature is available to all plans at no charge. Only owners can configure SSO on their DNSFilter accounts.

SSO can be configured with any Identity Provider (IdP) that supports the Generic OpenID Connect (OIDC) authentication process. Examples are provided below on how to configure SSO using two common IdPs: Azure Active Directory and Okta.

Azure Active Directory (AD) Configuration Process

DNSFilter uses the Generic OpenID Connect (OIDC) authentication process. Prior to configuring SSO within the DNSFilter Dashboard, your IT admin will need to create an App Registration in Azure AD:

  1. Navigate to Manage > App registrations
  2. Click (+) New registration
  3. Configure the app as follows:

    Name: Enter an identifying application name (this name is only used within Azure AD)

    Supported account types: Leave the default selected, "Accounts in this organizational directory only (<your directory> only - Single tenant)"

    Redirect URI (optional):
    Select a platform dropdown: Web
    URL: https://auth.dnsfilter.com/login/callback
    Please Note: This is the static authentication callback URL used to configure OIDC SSO authentication with the DNSFilter Dashboard. Enter it exactly as shown: the IdP rejects the sign-in if the redirect URI sent by DNSFilter does not match the registered value character for character.

  4. Click Register
  5. On the newly created app registration's Overview page in Azure AD, under Client credentials, click Add a certificate or secret
  6. Click (+) New client secret
  7. Enter a description and select a secret expiration time

    💡 PRO Tip: To avoid being locked out of the DNSFilter dashboard, keep track of when this secret expires. A new secret will need to be created in Azure AD and updated in the DNSFilter SSO configuration before the old one expires.

  8. Click Add
  9. Copy the client secret Value to the clipboard

    💡 PRO Tip: This is the only time the Value of the client secret will be visible and available to copy. The Secret ID shown next to it is only an identifier, not the secret, and is not used in the DNSFilter configuration. Store your app registration secret value in a secure location / secret vault.

  10. After copying the value for the client secret, close the Certificates & secrets panel
  11. The following values will be needed to configure the DNSFilter SSO connection:
    - Application (client) ID [Overview page]
    - Client Secret Value [Step 9]
    - OpenID Connect metadata document URL [Overview > Endpoints]
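To act on the PRO Tip in step 7 before the secret lapses, the following Python is an added example, not DNSFilter's or Microsoft's code. It reads the JSON printed by `az ad app credential list --id <Application (client) ID>` and lists secrets that are already expired or expire within a warning window. It assumes each entry carries displayName, keyId and endDateTime, which is the shape the Azure CLI prints from Microsoft Graph; the sample below is constructed with arbitrary dates and key IDs, and the reference date is fixed so the output is reproducible.

```python
"""Flag Azure AD app-registration client secrets that are expired or close to expiring.

Added example, not DNSFilter's or Microsoft's code. Input is assumed to be the JSON
printed by `az ad app credential list --id <app-id>` (entries with displayName,
keyId, startDateTime and endDateTime).
"""
import json
from datetime import datetime, timezone


def parse_utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp from the Azure CLI into an aware UTC datetime."""
    if ts.endswith("Z"):              # older fromisoformat() rejects a trailing Z
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:             # be defensive: treat naive values as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def expiring_secrets(credentials, now, warn_days=30):
    """Return (displayName, keyId, days_left) for every secret that is expired
    (negative days_left) or expires within warn_days, soonest first."""
    flagged = []
    for cred in credentials:
        days_left = (parse_utc(cred["endDateTime"]) - now).days
        if days_left <= warn_days:
            flagged.append((cred.get("displayName") or "<unnamed>", cred["keyId"], days_left))
    return sorted(flagged, key=lambda item: item[2])


# Constructed sample in the shape of `az ad app credential list --id <app-id>` output.
SAMPLE_CLI_OUTPUT = """[
  {"displayName": "dnsfilter-sso", "keyId": "00000000-0000-0000-0000-000000000001",
   "startDateTime": "2023-07-01T00:00:00+00:00", "endDateTime": "2024-07-01T00:00:00+00:00"},
  {"displayName": "old-secret", "keyId": "00000000-0000-0000-0000-000000000002",
   "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2024-01-01T00:00:00Z"},
  {"displayName": "dnsfilter-sso-2026", "keyId": "00000000-0000-0000-0000-000000000003",
   "startDateTime": "2024-06-01T12:00:00.000000+00:00", "endDateTime": "2026-06-01T12:00:00.000000+00:00"}
]"""

# Fixed reference date so the example is reproducible; use datetime.now(timezone.utc) in practice.
REFERENCE_NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)


def report(cli_json: str, now=REFERENCE_NOW, warn_days=30) -> list:
    """Parse CLI JSON, print a human summary, and return the flagged secrets."""
    flagged = expiring_secrets(json.loads(cli_json), now, warn_days)
    for name, key_id, days_left in flagged:
        state = f"EXPIRED {-days_left} days ago" if days_left < 0 else f"expires in {days_left} days"
        print(f"{name} ({key_id}): {state}; rotate in Azure AD and update the DNSFilter SSO config")
    return flagged


if __name__ == "__main__":
    # Real use: az ad app credential list --id <app-id> > creds.json, then
    # report(open("creds.json").read(), now=datetime.now(timezone.utc))
    report(SAMPLE_CLI_OUTPUT)
```

Run it from a scheduled job with a warning window longer than your change lead time, so a replacement secret can be created in Azure AD and pasted into the DNSFilter SSO configuration while the old one still works.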

 

Okta Configuration Process

  1. Open Okta and navigate to Applications > Create App Integration, then select OIDC - OpenID Connect as the Sign-in method
  2. Set the Application Type to Web Application and choose Next
  3. Enter an Application name and paste the Callback URL below into Sign-in redirect URIs
    Callback URL: https://auth.dnsfilter.com/login/callback
  4. You can leave Sign-out redirect URIs blank if preferred. If not, paste your DNSFilter login URL into that field (e.g. https://app.dnsfilter.com/)
  5. Under Assignments, choose Allow everyone to have access, Limit access to selected groups, or Skip the group assignment for now. Limiting access to a group is the safer default: anyone who can sign in to this app becomes a dashboard user with the default role chosen in the DNSFilter SSO configuration.
  6. Once you have made your selection, click Save
  7. Next, you need the Client ID, the Client secret and the Discovery URL for your Okta org. The app's General tab shows the Client ID, the Client secret and your Okta domain; copy all three
  8. Build the Discovery URL from the Okta domain using Okta's OpenID metadata URL format, so that it looks like https://${yourOktaOrg}/.well-known/openid-configuration
  9. Now you can paste this into the Discovery URL field in your DNSFilter dashboard
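The Okta Discovery URL above and the Azure AD OpenID Connect metadata document are the same kind of object: an OIDC discovery document. The following Python is an added example, not DNSFilter's, Okta's or Microsoft's code. It builds the discovery URL from an issuer base and checks a fetched document for what a generic OIDC relying party using the authorization-code flow with a client secret needs; DNSFilter's exact requirements are not stated on this page, so these checks are an assumption based on the OIDC Discovery and Core specifications. The org name example.okta.com and the document contents are constructed. For Azure AD the issuer base is https://login.microsoftonline.com/<tenant-id>/v2.0, with the tenant ID in GUID form as shown under Endpoints; the issuer check below would flag a URL built with a domain name or "common" instead. fetch_metadata needs network access and is not exercised by the offline demo.

```python
"""Sanity-check an OIDC discovery document before pasting its URL into an SSO configuration.

Added example, not DNSFilter's code. Assumes the relying party uses the
authorization-code flow with a client secret and RS256-signed ID tokens.
"""
import json
import urllib.request
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer_base: str) -> str:
    """Build the discovery URL from an issuer base (an Okta org, or an Azure tenant's v2.0 base)."""
    return issuer_base.rstrip("/") + WELL_KNOWN


def fetch_metadata(url: str, timeout: float = 10.0) -> dict:
    """Fetch and parse a live discovery document (network; not used by the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def validate_discovery(url: str, meta: dict) -> list:
    """Return a list of problems; an empty list means the document looks usable."""
    problems = []
    if not url.endswith(WELL_KNOWN):
        problems.append(f"discovery URL should end with {WELL_KNOWN}")
    # OIDC Discovery 4.3: the issuer MUST equal the URL the document came from, minus the suffix.
    # A mismatch means the wrong tenant/org, or a document served by someone else.
    expected_issuer = url[: -len(WELL_KNOWN)] if url.endswith(WELL_KNOWN) else url
    issuer = meta.get("issuer", "")
    if issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: document says {issuer!r}, URL implies {expected_issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        value = meta.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlparse(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")
    if "code" not in meta.get("response_types_supported", []):
        problems.append("authorization-code flow (response_type=code) not advertised")
    grants = meta.get("grant_types_supported")          # spec default includes authorization_code
    if grants is not None and "authorization_code" not in grants:
        problems.append("authorization_code grant not advertised")
    if "RS256" not in meta.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID-token signing not advertised")
    auth_methods = meta.get("token_endpoint_auth_methods_supported")  # spec default: client_secret_basic
    if auth_methods is not None and not ({"client_secret_basic", "client_secret_post"} & set(auth_methods)):
        problems.append("token endpoint does not accept a client secret")
    return problems


# Constructed sample in the shape of an Okta org authorization server's discovery document.
SAMPLE_URL = "https://example.okta.com/.well-known/openid-configuration"
SAMPLE_META = {
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "none"],
}


if __name__ == "__main__":
    # Real use: url = discovery_url("https://<yourOktaOrg>"); meta = fetch_metadata(url)
    issues = validate_discovery(SAMPLE_URL, SAMPLE_META)
    print("OK" if not issues else "\n".join(issues))
```

The issuer check is the one worth keeping even if you trim the rest: the ID tokens the IdP issues carry that issuer value, and a relying party that accepted a document whose issuer differs from where it was fetched could be pointed at a tenant or org you do not control.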

DNSFilter Dashboard SSO Configuration

  1. In your DNSFilter Dashboard, navigate to Organization > Settings > Single Sign-On > Configure Single Sign-On
  2. A prompt will appear informing you that configuring Single Sign-On will impact existing dashboard users (see Configured SSO Users below). Select Continue to proceed.
  3. Under the first step, click on OpenID to reveal the remaining steps to complete the configuration.
  4. Paste in the Client ID, Client Secret, and Discovery URL you collected from Azure AD or Okta
  5. Scroll down to the fourth step in your dashboard and select the default role that authenticated users will receive
  6. In the last step, you have the option to customize the Sign-On button text. Once you have done that, click Save.
  7. The view will refresh and display your SSO configuration details. The URL listed as the 'Vanity URL' is the sign-in URL your organization's users must use for single sign-on.

With the Azure AD configuration, the first person who logs in to DNSFilter using SSO may see an Azure AD consent prompt. This is expected behaviour: after ticking the consent checkbox and selecting Accept, the prompt will not appear again.

Please Note: Owners are the ONLY role that can always log in through both SSO and their username and password.

    • This allows owners to always have access to the DNSFilter dashboard, specifically in the event of an issue with their IdP. Because owner accounts bypass the IdP, treat their passwords as break-glass credentials: make them strong and unique, and keep them in a password manager or vault rather than sharing them.

Default Roles for Dashboard Users

Authenticated users are assigned the default role selected when SSO is configured. If you later change the SSO configuration, for example the default role, you must re-enter the Client Secret (the secret Value copied from the IdP, not Azure's Secret ID) and then save; otherwise the changes will fail to save. Editing the default role in the SSO connection does not change the roles of users who already exist in the organization.

Configured SSO Users

When an SSO connection is configured, all non-owner users in the organization are deactivated and removed from the Users view. This is a permanent change: these email/password user accounts are no longer associated with the organization and cannot be used to sign in, even if the SSO connection is deleted in the future. For these users to log in again and appear in the Users view, they must sign in with the newly created SSO connection.

  • If an SSO connection is deleted at any point, non-owner users who used to log in with email/password will still not be able to log in. If the Owner wants email/password users in the organization after the SSO connection is deleted, those users must be manually re-added by the Owner.
  • If an SSO connection is deleted, users who signed in with SSO will no longer be able to sign in. They will see an error message and then be redirected to the normal email/password login screen. They will not have a password to log in with and cannot request a password reset; if they try, they are directed to contact support.
  • Once an SSO connection is established, new users can no longer be added manually in the DNSFilter dashboard. New users are created only by signing in through the organization's SSO connection, so dashboard access is governed by who your IdP allows to sign in to the DNSFilter app (for example, the group assignment in Okta).
