Single sign-on (SSO) for DNSFilter

Single sign-on (SSO) is an identification system that authenticates and enables users to securely access many different applications and services using just one set of credentials.

The SSO feature is available to all plans at no charge. Only owners can configure SSO on their DNSFilter accounts.

SSO can be configured with any Identity Provider (IdP) that supports the Generic OpenID Connect (OIDC) authentication process. Examples are provided below on how to configure SSO using two common IdPs: Azure Active Directory and Okta.

Azure Active Directory (AD) Configuration Process

The Generic Open ID Connect (OIDC) authentication process is as follows:

Prior to configuring SSO within the DNSFilter Dashboard, your IT Admin will need to create an App Registration with Azure AD.  

1. Navigate to Manage > App registrations
   
   
2. Click (+) New registration
   
3. Configure the app as follows
   
   Name:  Enter an identifying application name (this name is only used within Azure AD)

   

   Supported account types:  Leave the default selected 

   Accounts in this organizational directory only (rnvm only - Single tenant)
   

   Redirect URI (optional): 
   Select a platform dropdown:  Web 

   URL:  https://auth.dnsfilter.com/login/callback 
   Please Note: This is a static authentication callback URL provided to configure OIDC SSO authentication with the DNSFilter Dashboard
   

   
4. Click Register
5. On the newly created app registration page within Azure AD navigate to Client Credentials > Add a certificate or secret
   
6. Click (+) New client secret
   
7. Enter a name and select a secret expiration time
   

   💡  PRO Tip: To avoid being locked out of the DNSFilter dashboard, keep track of when this secret expires. A new secret will need to be created within Azure AD & updated within the DNSFilter SSO configuration prior to expiration.

8. Click Add
9. Copy the client secret value to clipboard
   

   💡  PRO Tip: This is the only time the Value for the client secret will be visible & available to copy. Store your app registration secret value in a secure location / secret vault.
   

10. After copying the value for the client secret > close the Certificates & Secrets panel
    
11. The following values will be needed to configure the DNSFilter SSO connection
    - Application (client) ID
    
    - Client Secret Value [Step 9] 
    
    - OpenID Connect metadata document [found under Endpoints] 
    

Okta Configuration Process

1. Open Okta and navigate to Applications > Create App Integration and select OIDC - OpenID Connect for the Sign-in method 
   
2. The Application Type will need to be set to Web Application and then choose Next 
   
3. Enter in an Application name and paste in the Callback URL below into the Sign-in redirect URIs 
   Callback URL: https://auth.dnsfilter.com/login/callback
   
4. You can leave the Sign-out redirect URIs blank if preferred. If not, you can use your DNSFilter login URL and paste it into that field (e.g. https://app.dnsfilter.com/)
5. Navigating back to Okta, under Assignments, you can choose to Allow everyone to have access, Limit access to selected groups, or Skip the group assignment for now.
   
6. Once making your selection, click Save 
7. Next, you'll need to locate the Discovery URL in Okta by navigating to General Settings and copy the URL from here
8. Once you've done that, you will then need to use Okta's OpenID URL format and update it so that it looks something like this https://${yourOktaOrg}/.well-known/openid-configuration
9. Now you can paste this into the Discovery URL in your DNSFilter dashboard

Jumpcloud Configuration

1. Log into the jumpcloud admin console and navigate to User Authentication > SSO in the left side menu.
2. Click + Add New Application

3. Click Custom OIDC App

4. Add a Display Label & optionally upload a logo.

Note:  DNSFilter does not require a specific naming convention for the OIDC application within jumpcloud

5. Click SSO
6. Add https://auth.dnsfilter.com/login/callback to the Redirect URIs
7. Select Client Secret Post 
8. Add Login URL which will be found in DNSFilter after configuring the SSO connection.

Ex:  https://app.dnsfilter.com/login/<SSO GUID> OR https://app.dnsfilter.com/login/<VanityURL>

9. Add the Attribute Mapping as outlined below. 

Note:  The Service Provider Attribute Name IS case sensitive.

Service Provider Attribute Name:  email

JumpCloud Attribute Name:  email

Service Provider Attribute Name:  name

JumpCloud Attribute Name:  fullname

Service Provider Attribute Name:  first_name

JumpCloud Attribute Name:  firstname

Service Provider Attribute Name:  last_name

JumpCloud Attribute Name:  lastname

10. DNSFilter does not require anything under Identity Management
11. User Groups – Make sure to assign the app to the appropriate user groups, or the end user will not be granted access to DNSFilter.

12. Click active 
13. Be sure to copy the Client ID & Client Secret.  

Note:  This is the only time this secret will be available.

DNSF OIDC Config:

Client ID from above screenshot

Client Secret from above screenshot

Discovery URL:  https://oauth.id.jumpcloud.com/.well-known/openid-configuration

DNSFilter Dashboard SSO Configuration

1. In your DNSFilter Dashboard, navigate to Organization > Settings > Single Sign-On > Configure Single Sign-On
   
2. A prompt will appear informing you that configuring Single Sign-On will impact existing dashboard users. Select Continue to proceed.
   
3. Under the first step, click on OpenID to reveal the remaining steps to complete the configuration.
4. From Azure AD or Okta, you can now paste in your Client ID, Client Secret, and Discovery ID
5. Scroll down to the fourth step in your dashboard and select your desired default role for the authenticated users
6. In the last step, you have the option to customize the Sign-On text button. Once you've done that, click Save.
   
7. The view will refresh and display your SSO configuration details. The URL listed as the 'Vanity URL' is what you must use for your organization for single sign-on.

With the Azure AD configuration, the first person that attempts to login to DNSFilter using SSO may see the following prompt below. This is expected behaviour and after clicking on the checkbox to provide consent, and select Accept, the prompt will not appear again.


Please Note: Owners are the ONLY role that will always be able to login through both SSO and their username and password

• • This allows owners to always have access to the DNSFilter dashboard, specifically in the event of an issue with their IdP.

Configured SSO Users

When a SSO connection is configured, all non-owner users in the organization will be deactivated and removed from the Users view. This is a permanent change: these email/password user accounts will no longer be associated with the organization and cannot be used to sign in, even if the SSO connection is deleted in the future. In order for these users to be able to log in and display in the Users view, they will need to log in with the newly created SSO connection.

• If a SSO connection is deleted at any point, non-owner users that used to log in with email/password will still not be able to log in. If the Owner decides they’d like to have email/password users in their organization after the SSO connection is deleted, those users will have to be manually re-added by the Owner.
• If a SSO connection is deleted, users that signed in with SSO will no longer be able to sign in. They will see an error message, then will be redirected to our normal email/password login screen. They will not have a password to log in with, and cannot request a password reset; they’ll be directed to contact support if they try to request a password reset.
• When an SSO connection is established, new users cannot be manually added to the DNSF dashboard any longer. New users can only be added by signing into the SSO connection for the organization.