Set up Confidential SSO and Provisioning with PingID

Step 1: Register a new application in PingID

1. Log in to your Ping Identity Admin Console.
2. Navigate to Applications. Select + Add Application.

   

Step 2: Configure PingID for SAML SSO

1. Choose SAML as the application type and set up the application name as Arrow SSO.

2. Select Configure.

   

3. For SAML configuration, select Manually enter.
   • For ACS URL enter https://sso.nitro.dashlane.com/saml/callback
   • For Entity ID, enter dashlane-nitro-sso
   • Save the changes

     

4. Under Attribute Mappings select Email Address for the PingOne Mappings and Save.

   

   

Step 3: Download PingID Metadata

1. In the Overview tab, select Download Metadata.
2. Enable the toggle on the top right corner to activate the application.

   

3. Open the XML metadata file downloaded to your computer using Notepad on Windows or TextEdit on Mac, for example.

   

4. Select all and copy the contents of the XML file.

   

Step 4: Configure Arrow with PingID Metadata

1. Log in to the Arrow Admin Console
2. In the Integrations section of the left menu, select Single sign-on. If you've already started the setup, select Edit. Otherwise, select Set up Confidential SSO.

   

3. Go to Step 2: Save your IdP metadata and paste the XML metadata copied earlier.
4. Select Save.

   

Step 5: Verify your domain in DNS Provider

1. In Step 3: Verify your domain(s) in the Admin Console, enter your company email domain, and select Verify domain. Note the copy buttons you'll use to copy the hostname and TXT values to your public DNS provider.

   

2. In a new browser tab, navigate to your Public DNS provider and Add a TXT Record. The exact steps vary depending on your provider.

   

3. Paste the Host Name and TXT Value from the Arrow Admin Console into the new TXT record, and select Save.

   

4. After you've entered the record, wait a few minutes, and in the Arrow Admin Console, select Verify domain.
   

   Public DNS changes can take up to 24 hours, but most new records take 5 minutes or less. If it doesn't work the first time, wait a few minutes and select Verify domain again.

   

(Optional) Just in Time Provisioning

You can turn on Just in Time Provisioning to automatically add any employee with your verified domains at their first login attempt.

Before you turn on Just in Time Provisioning:

• Ensure your plan members have already been added to the Arrow SAML application in your IdP.
• After you turn it on, they can install the Arrow Smart Extension and create their account.
• If your plan is out of seats, members won't be able to log in until you buy more seats.
• If you’re using Just in Time Provisioning along with another automatic provisioning method like SCIM or AD sync, make sure to add all of your plan members to your synced groups. Otherwise, plan members who aren’t added to synced groups will be removed the next time the directory syncs.

  

More about Just in Time Provisioning

Step 6: Assign Users in PingID

1. In Ping Identity, open the Arrow application and select the edit icon under Access.
2. Select the Group of Users you want to have access to Arrow and Save the changes.

   

Step 7: Test your SSO configuration

1. Return to the Arrow Admin Console and perform a Test connection.
2. A success message appears if SSO was set up as expected.

   

Step 8: Enable SSO for all users

1. After testing is successful, activate SSO in Arrow Step 4: Activate SSO for verified domains.
2. Notify members about the new SSO login method. Members with an account created with a Master Password must do a final login with the Master Password before activating SSO.
3. Ensure that members can log in with their PingID credentials.

To see how the process works for plan members, refer to this article: Migrate your existing plan members to SSO

Step 1: Generate SCIM API Token in Arrow

1. Log in to the Arrow Admin Console
2. In the Integrations section, select Provisioning and then Confidential Provisioning.
3. Select Set up or Edit if you've already started the setup.

   

   If this option is grayed out and unavailable, you either need to set up Confidential SSO first, or you've already set up Self-hosted SSO, SCIM, or Active Directory.

4. In Step 1: Generate SCIM API token, select Generate Token.
5. Copy the SCIM API token in Step 2: Copy token.
6. Turn on the toggle for Step 3: Activate automatic user provisioning.

   

Step 2: Generate SCIM API Token in PingID

1. Open the PingIdentity Admin Console and open the Provisioning tab under Integrations

   

2. Select the plus icon next to Provisioning and select New Connection. Select Identity Store.

   

3. Select SCIM Outbound and Next.
4. Add a name to the connection — suggestion: Arrow User SCIM — and select Next.

   

5. Copy the SCIM Endpoint URL from the Arrow Admin Console and enter the value under the SCIM Base URL.
6. Select OAuth 2 Bearer Token as the Authentication Method.
7. For OAuth Acess Token, enter the SCIM API token copied from the Arrow Admin Console.
8. Select Test Connection

   

   Note: The connection test will fail if you haven't first completed Step 1: Generate SCIM API Token in Arrow in full.

Step 1: Set up Group Provisioning with SAML in PingID

1. Select Identity Provider, then SP Connections, then Arrow, and then Identity Mapping. Then select Next.
• For Extend the Contract, enter dashlaneSharingGroups.
• For Attribute Name Format enter basic.
2. Select Next.

   

3. Select Adapter Instance Name, then Description, then LDAP, and dashlaneSharingGroups:
   • For Source, select Expression from the drop-down list.

   • For Value, enter this code:

     #groupName = new java.util.ArrayList(), #groups = #this.get("ds.memberOf")!=null ? #this.get("ds.memberOf").getValues() : {}, #i= 0, #groups.{ #group = new javax.naming.ldap.LdapName(#groups[#i]), #cn = #group.getRdn(#group.size() - 1).getValue().toString(), #group.toString().matches(".*INSERT-MATCHING.*") ? (#groupName.add("INSERT-GROUP-NAMES-YOU-WANT-TO-SYNC-HERE")): null, #i = #i + 1 }, new org.sourceid.saml20.adapter.attribute.AttributeValue(#groupName)
4. Select Update the expression and then select Next.

   

   Note: If you get an error message during this step, go back to Data Store. Select Next. Then select Show All Attributes and MemberOf from the drop-down lists. Then select Add Attribute, then Next three times, and then Save.

   

   

5. Select Cluster Management. Then select Replicated Configuration and Done.

   

Step 2: Set up Group Provisioning with SAML in Arrow

1. Log in to the Arrow Admin Console
2. Go to Integration, select Provisioning, and select Confidential Provisioning.
3. Select Set up or Edit if you've already started the setup.

   

4. Scroll down to the Group Provisioning section.
5. Turn on Group Provisioning in Step 2: Activate group syncing.

   

(SSO) Error message: We couldn't verify your SSO connection

Error when testing the connection with Arrow in the Admin Console. You might also see this error when trying to save the metadata.

How to fix

• Confirm you're opening and logging in to the Admin Console from the Arrow Smart Extension.

  Install the Arrow Smart Extension

• If your IdP's admin portal is open, log out of your admin account on PingID and close the browser tab before testing the connection with Arrow again.
• If the error persists, contact our Support team.

  Contact an agent through the Admin Console