NS1 status

Articles in this section

NS1 + Azure SSO Implementation Guide

  • Updated
Follow

The NS1 portal supports SAML 2.0 single sign-on (SSO) for those using Microsoft Azure Active Directory as their Identity Provider (IdP). The integration allows account administrators to includes the NS1 application in an organization's SSO configuration for added network security and to simplify user management across platforms. For example, if an account user is no longer associated with your organization, an admin can revoke their access to the NS1 platform via Azure SSO. (Note that, in this case, we still recommend deleting the inactive NS1 account for general maintenance purposes.)

NS1 supports logins initiated by both the identity provider (IdP) or the service provider (SP)

  • IdP-initiated login refers to a user logging in to the Azure SSO platform, and then selecting the NS1 application to be redirected and logged in to the NS1 portal.

  • SP-initiated login refers to the option on the NS1 portal login page to log in using SSO.

Note

There is no single sign-off. If a user logs out of Azure Active Directory while their is an active NS1 portal session, the user will still be able to log into the NS1 portal until the session expires.

This guides provides account administrators with instructions to configure SSO for all users associated with your NS1 account. Once Azure SAML SSO is enabled for your organization, all users associated with your NS1 account can access the NS1 portal via Azure or by selecting the SSO option on the portal login page.

Instructions

Warning

Check your Azure SSO account settings to ensure you have the relevant permissions to complete the steps below.

Step 1: Contact NS1 to request your SSO ID.

An SSO ID is a unique identifier for an NS1 organization. It is required to configure the NS1 application in Azure. Contact NS1 customer support to request an SSO ID.

Step 2: Add the NS1 application to your Enterprise Applications

  1. Log into the Azure portal, and navigate to Enterprise Applications.

  2. Click New Application.

  3. In the Enter a Name field, search for "NS1."

    screen_-_azure_-_add_an_application.png

  4. Click NS1 SSO For Azure from the search results.

    screen_-_azure_-_add_ns1_application.png

  5. Optionally, you can rename the application. Review the information, and click Add. This adds NS1 to your list of Azure SSO enterprise applications.

Step 3: Add your SSO ID to the NS1 application in Azure.

  1. In the Azure portal, navigate to the NS1 SSO for Azure | Overview page. From the sidebar menu, click Properties.

    screen_-_azure_-_ns1_app_overview.png

  2. Under Getting Started, click Set up single sign on.

    screen_-_azure_-_select_method.png

  3. Under Select a single sign-on method, select SAML.

    screen_-_azure_-_initial_setup.png

  4. Under Set up Single Sign-on with SAML, click the edit icon (pencil) next to option 1, Basic SAML Configuration.

    screen_-_azure_-_basic_SAML_configuration.png

  5. Under Identifier (Entity ID), enter the following:

    https://api.nsone.net/saml/metadata

  6. Enter the Reply URL using the following format:

    https://api.nsone.net/saml/sso/<sso_id>

    where <sso_id> is the alphanumeric string provided to you by NS1.

    Note: Do not enter a Sign on URL. Leave this field blank.

  7. Review the information, or click Save.

    Keep the browser window open as you will return to it in the next step.

Step 4: Configure user mappings.

An account administrator must configure user mapping based on usernames or email addresses. First, you will need to identify the format of usernames in your account — either a basic text string (e.g., jdoe33) or an email address (jdoe33@example.com). This is indicated by the leftmost column in the list of NS1 account users.

  1. In the NS1 portal, navigate to Account Settings >Users & Teams.

  2. Click the Users tab to see a list of all users associated with your account.

  3. Refer to the leftmost column (“User” column) to verify the username format.

    For example, the screenshot below demonstrates a basic username format:

    users_and_teams_-_basic_username_type.png

    Alternatively, the screenshot below demonstrates an email username format:

    users_and_teams_-_email_username_type.png

  4. Return to the Azure portal. Continuing from Set up Single sign-on with SAML, click the edit icon next to option 2, User Attributes & Claims.

    screen_-_azure_-_user_attributes_and_claims.png

  5. Under Required claim > Claim name, click Unique User Identifier (Name ID).

    screen_-_azure_-_unique_user_identifier.png

  6. If mapping users based on the email, select Email address as the name identifier, set the Source to Attribute, and select user.mail as the Source attribute. Click Save to confirm configuration changes.

    screen_-_azure_-_email_username_config.png

    If mapping users based on a basic username, set the Source to Transformation. A new Manage Transformation pane appears on the right. Enter the following information:

    Transformation: ExtractMailPrefix()

    Parameter 1: user.userprincipalname

    Azure SSO - Basic username configuration

    Ensure the information is accurate, and click Add. Click Save to confirm configuration changes.

Step 5: Send the metadata URL to NS1.

To enable SSO for all NS1 users within your organization, you must provide the metadata URL to NS1.

  • Continuing from the Set up Single Sign-on with SAML page, navigate to option 3: SAML signing Certificate. Copy the App Federation Metadata Url, and provide it to NS1. You can do this by submitting a support ticket or emailing support@ns1.com.

    screen_-_azure_-_saml_signing_certificate.png

Step six: Adding users to the NS1 application.

  1. Under Manage, click Users and Groups from the sidebar menu.

    screen_-_azure_-_users_and_groups.png

  2. Click Add user.

    screen_-_azure_-_add_user.png

  3. Back in the Add Assignment screen, you can see the number of users you’ve selected.

    screen_-_azure_-_add_assignment.png

    Click Assign.

    The selected users can now log into the NS1 portal via Azure SSO. The instructions below explain the process for logging into the NS1 portal via SSO for the first time. Users can log in using SSO from the NS1 portal login page (https://my.nsone.net) or from within the Azure portal. See below for details.

Logging into via the NS1 portal (SP-initiated):

  1. Navigate to the NS1 portal login page (https://my.nsone.net/#/login).

    Screen_Shot_2020-04-24_at_3.57.08_PM.png

  2. Click Log in with SSO.

    screen_-_log_in_via_sso.png

  3. After being redirected, enter your Azure username.

    screen_-_azure_sso_login_username.png

    Click Next.

  4. Enter your Azure password.

    screen_-_azure_sso_login_password.png

    Click Sign in. You are redirected and logged into the NS1 portal.

Logging into the NS1 platform via the Azure portal (IdP-initiated):

  1. Log into the Azure AD portal (https://account.activedirectory.windowsazure.com/r#/applications).

    screen_-_azure_-_homepage.png

  2. Click NS1 SSO for Azure from the list. You are redirected and logged into the NS1 portal.

Related articles