The NS1 portal supports SAML 2.0 single sign-on (SSO) for those using Microsoft Azure Active Directory as their Identity Provider (IdP). The integration allows account administrators to include the NS1 application in an organization's SSO configuration for added network security and to simplify user management across platforms. For example, if an account user is no longer associated with your organization, an admin can revoke their access to the NS1 platform via Azure SSO. (Note that, in this case, we still recommend deleting the inactive NS1 account for general maintenance purposes.)
NS1 supports logins initiated by both the identity provider (IdP) and the service provider (SP):
- IdP-initiated login refers to a user logging in to the Azure SSO platform, and then selecting the NS1 application to be redirected and logged in to the NS1 portal.
- SP-initiated login refers to the option on the NS1 portal login page to log in using SSO.
Note
There is no single sign-off. If a user logs out of Azure Active Directory while there is an active NS1 portal session, the user will still be able to log into the NS1 portal until the session expires.
This guide provides account administrators with instructions to configure SSO for all users associated with your NS1 account. Once Azure SAML SSO is enabled for your organization, all users associated with your NS1 account can access the NS1 portal via Azure or by selecting the SSO option on the portal login page.
Warning
Check your Azure SSO account settings to ensure you have the relevant permissions to complete the steps below.
An SSO ID is a unique identifier for an NS1 organization. It is required to configure the NS1 application in Azure. Contact NS1 customer support to request an SSO ID.
- Log into the Azure portal, and navigate to Enterprise Applications.
- Click New Application.
- In the Enter a Name field, search for "NS1."
- Click NS1 SSO For Azure from the search results.
- Optionally, you can rename the application. Review the information, and click Add. This adds NS1 to your list of Azure SSO enterprise applications.
- In the Azure portal, navigate to the NS1 SSO for Azure | Overview page. From the sidebar menu, click Properties.
- Under Getting Started, click Set up single sign on.
- Under Select a single sign-on method, select SAML.
- Under Set up Single Sign-on with SAML, click the edit icon (pencil) next to option 1, Basic SAML Configuration.
- Under Identifier (Entity ID), enter the following:
  https://api.nsone.net/saml/metadata
- Enter the Reply URL using the following format:
  https://api.nsone.net/saml/sso/<sso_id>
  where <sso_id> is the alphanumeric string provided to you by NS1.
  Note: Do not enter a Sign on URL. Leave this field blank.
- Review the information, and click Save.
  Keep the browser window open as you will return to it in the next step.
An account administrator must configure user mapping based on usernames or email addresses. First, you will need to identify the format of usernames in your account — either a basic text string (e.g., jdoe33) or an email address (jdoe33@example.com). This is indicated by the leftmost column in the list of NS1 account users.
- In the NS1 portal, navigate to Account Settings > Users & Teams.
- Click the Users tab to see a list of all users associated with your account.
- Refer to the leftmost column (“User” column) to verify the username format.
  For example, the screenshot below demonstrates a basic username format:
  Alternatively, the screenshot below demonstrates an email username format:
- Return to the Azure portal. Continuing from Set up Single sign-on with SAML, click the edit icon next to option 2, User Attributes & Claims.
- Under Required claim > Claim name, click Unique User Identifier (Name ID).
- If mapping users based on the email, select Email address as the name identifier, set the Source to Attribute, and select user.mail as the Source attribute. Click Save to confirm configuration changes.
  If mapping users based on a basic username, set the Source to Transformation. A new Manage Transformation pane appears on the right. Enter the following information:
  Transformation: ExtractMailPrefix()
  Parameter 1: user.userprincipalname
  Ensure the information is accurate, and click Add. Click Save to confirm configuration changes.
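One way to check the chosen mapping before assigning users, as an added example that is not NS1 or Microsoft code: it computes the Name ID each Azure user would send under either option and flags users with no matching NS1 username, users with no mail attribute, and users who share a Name ID because the prefix transformation drops the domain. The user records, the NS1 username sets, and the `extract_mail_prefix` approximation of ExtractMailPrefix() are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real accounts): an export of Azure users
# and the "User" column from the NS1 portal in each username format.
AZURE_USERS = [
    {"userPrincipalName": "jdoe33@example.com", "mail": "jdoe33@example.com"},
    {"userPrincipalName": "jdoe33@corp.example.org", "mail": "jdoe33@corp.example.org"},
    {"userPrincipalName": "asmith@example.com", "mail": None},
]
NS1_BASIC = {"jdoe33", "bwong"}
NS1_EMAIL = {"jdoe33@example.com"}

def extract_mail_prefix(value):
    # Assumed approximation of ExtractMailPrefix(): the text before the '@'.
    return value.partition("@")[0]

def name_id(user, mode):
    """Name ID the user would send under the selected mapping."""
    if mode == "email":
        return user.get("mail")  # Source attribute user.mail
    if mode == "username":
        return extract_mail_prefix(user["userPrincipalName"])
    raise ValueError("mode must be 'email' or 'username'")

def preflight(azure_users, ns1_usernames, mode):
    """Report mapping problems before users are assigned to the application."""
    by_id = defaultdict(list)
    missing, unmatched = [], []
    for user in azure_users:
        upn = user["userPrincipalName"]
        nid = name_id(user, mode)
        if not nid:
            missing.append(upn)  # no value to send as Name ID
            continue
        by_id[nid].append(upn)
        if nid not in ns1_usernames:  # exact comparison (assumption)
            unmatched.append(upn)
    # Two directory users producing one Name ID would map to one NS1 user.
    collisions = {n: u for n, u in by_id.items() if len(u) > 1}
    return {"missing": missing, "unmatched": unmatched, "collisions": collisions}

if __name__ == "__main__":
    print(preflight(AZURE_USERS, NS1_BASIC, "username"))
    print(preflight(AZURE_USERS, NS1_EMAIL, "email"))
```

With the basic-username mapping, the two `jdoe33` principals from different domains resolve to the same Name ID, so assign only the intended one to the application.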
To enable SSO for all NS1 users within your organization, you must provide the metadata URL to NS1.
- Continuing from the Set up Single Sign-on with SAML page, navigate to option 3: SAML signing Certificate. Copy the App Federation Metadata Url, and provide it to NS1. You can do this by submitting a support ticket or emailing support@ns1.com.
- Under Manage, click Users and Groups from the sidebar menu.
- Click Add user.
- Back in the Add Assignment screen, you can see the number of users you’ve selected.
  Click Assign.
The selected users can now log into the NS1 portal via Azure SSO. The instructions below explain the process for logging into the NS1 portal via SSO for the first time. Users can log in using SSO from the NS1 portal login page (https://my.nsone.net) or from within the Azure portal. See below for details.
- Navigate to the NS1 portal login page (https://my.nsone.net/#/login).
- Click Log in with SSO.
- After being redirected, enter your Azure username.
  Click Next.
- Enter your Azure password.
  Click Sign in. You are redirected and logged into the NS1 portal.