NS1 supports SAML 2.0 Single Sign On (SSO) for the NS1 Managed DNS portal (via https://my.nsone.net) for customers using Microsoft Azure Active Directory as their Identity Provider (IdP). This guide includes instructions on how to enable SAML SSO for your organization with the NS1 Azure application.
About Azure for NS1
The administrator user associated with the organization’s account creates users and teams (configuring settings and role-based permissions) in the NS1 portal, and then authentication occurs via the Azure platform. The integration allows you to include the NS1 application in your organization’s existing SSO solution for added network security and simplified user management. For example, if an account user is no longer associated with your organization, your account administrator need only revoke their access via Azure. However, we recommend manually deleting old users in NS1’s portal for general maintenance purposes.
Note: There is no single sign-off. For example, if a user logs out of Azure Active Directory while there is an active NS1 portal session, the user is able to remain logged into the NS1 portal until the session is no longer valid.
NS1 supports logins initiated by either the identity provider (IdP) or the service provider (SP).
- IdP-initiated login allows users to login to Azure, and then select the NS1 application to log into the NS1 portal.
- SP-initiated login allows users to select an SSO option on the login page for the NS1 portal (my.nsone.net).
Once Azure SAML SSO is enabled for your organization, all NS1 portal users associated with your account will be able to access the NS1 portal via Azure or by selecting the SSO option on the NS1 portal login page.
Instructions
Before you begin: Ensure you have the necessary permissions enabled on your Azure account.
Step 1: Contact NS1 to request your SSO ID.
An SSO ID is a unique identifier for an NS1 organization. It is required to configure the NS1 application in Azure. Contact NS1 customer support by submitting a ticket or emailing support@ns1.com to request an SSO ID.
Step 2: Add the NS1 application to your Enterprise Applications
- Log into the Azure portal, and navigate to Enterprise Applications.
- Click New Application.
- In the Enter a Name field, search for "NS1."
- Click NS1 SSO For Azure from the search results.
- Optionally, you can rename the application. Review the information, and click Add. This adds NS1 to your list of Azure SSO enterprise applications.
Step 3: Add your SSO ID to the NS1 application in Azure.
- In the Azure portal, navigate to the NS1 SSO for Azure | Overview page. From the sidebar menu, click Properties.
- Under Getting Started, click Set up single sign on.
- Under Select a single sign-on method, select SAML.
- Under Set up Single Sign-on with SAML, click the edit icon (pencil) next to option 1, Basic SAML Configuration.
- Under Identifier (Entity ID), enter the following:
https://api.nsone.net/saml/metadata
- Enter the Reply URL using the following format:
https://api.nsone.net/saml/sso/<sso_id>
where <sso_id> is the alphanumeric string provided to you by NS1.
Note: Do not enter a Sign on URL. Leave this field blank.
- Review the information, and click Save.
Keep the browser window open as you will return to it in the next step.
Step 4: Configure user mappings.
An account administrator must configure user mapping based on usernames or email addresses. First, you will need to identify the format of usernames in your account—either a basic text string (ex. jdoe33) or an email address (jdoe33@example.com). This is indicated by the left-most column in the list of NS1 account users.
- In the NS1 portal, navigate to Account Settings > Users & Teams.
- Click the Users tab to see a list of all users associated with your account.
- Refer to the left-most column (“User” column) to verify the username format.
[Screenshot: user list showing a basic username format]
[Screenshot: user list showing an email username format]
- Return to the Azure portal. Continuing from Set up Single Sign-on with SAML, click the edit icon next to option 2, User Attributes & Claims.
- Under Required claim > Claim name, click Unique User Identifier (Name ID).
- If mapping users based on the email, select Email address as the name identifier, set the Source to Attribute, and select user.mail as the Source attribute. Click Save to confirm configuration changes.
- If mapping users based on a basic username, set the Source to Transformation. A new Manage Transformation pane appears on the right. Enter the following information:
  Transformation: ExtractMailPrefix()
  Parameter 1: user.userprincipalname
  Ensure the information is accurate, and click Add. Click Save to confirm configuration changes.
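Before saving the claim, it helps to check which NameID each assigned Azure user would present and whether it lines up with exactly one NS1 username. The sketch below is an added example, not NS1 or Microsoft code: the user records and NS1 usernames are constructed, `extract_mail_prefix` is a local model of the ExtractMailPrefix() transformation, and exact string matching against the NS1 "User" column is an assumption.

```python
from collections import defaultdict

def extract_mail_prefix(value):
    """Local model of ExtractMailPrefix(): keep the text before the '@'."""
    return value.split("@", 1)[0]

def name_id(user, mode):
    """NameID for a user: 'email' -> user.mail, 'username' -> UPN prefix."""
    if mode == "email":
        return user.get("mail") or None   # mail can be empty in the directory
    return extract_mail_prefix(user["userprincipalname"])

def preflight(azure_users, ns1_usernames, mode):
    """Return (matched, unmatched, collisions) for the chosen mapping mode."""
    by_name_id = defaultdict(list)
    unmatched = []
    for user in azure_users:
        nid = name_id(user, mode)
        if nid is None or nid not in ns1_usernames:   # assumed exact match
            unmatched.append((user["userprincipalname"], nid))
        else:
            by_name_id[nid].append(user["userprincipalname"])
    # Two directory accounts resolving to one NS1 user share that user's access.
    collisions = {n: u for n, u in by_name_id.items() if len(u) > 1}
    matched = {n: u[0] for n, u in by_name_id.items() if len(u) == 1}
    return matched, unmatched, collisions

# Constructed sample directory export and NS1 user lists.
AZURE_USERS = [
    {"userprincipalname": "jdoe33@example.com", "mail": "jdoe33@example.com"},
    {"userprincipalname": "jdoe33@corp.example.net",
     "mail": "john.doe@corp.example.net"},
    {"userprincipalname": "asmith@example.com", "mail": None},
    {"userprincipalname": "pat_partner.example#EXT#@example.onmicrosoft.com",
     "mail": "pat@partner.example"},
]
NS1_BASIC = {"jdoe33", "asmith", "pat"}
NS1_EMAIL = {"jdoe33@example.com", "asmith@example.com"}

if __name__ == "__main__":
    for mode, names in (("username", NS1_BASIC), ("email", NS1_EMAIL)):
        matched, unmatched, collisions = preflight(AZURE_USERS, names, mode)
        print(mode, "matched:", matched)
        print(mode, "unmatched (cannot log in):", unmatched)
        print(mode, "collisions (shared NS1 user):", collisions)
```

With the username mapping, the two `jdoe33` accounts from different domains resolve to the same NS1 user, and the guest account's prefix matches no NS1 user; with the email mapping, the account with no mail value has no NameID to send.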
Step 5: Send the metadata URL to NS1.
In order to enable SSO for all NS1 users within your organization, you must provide the metadata URL to NS1.
- Continuing from the Set up Single Sign-on with SAML page, navigate to option 3: SAML signing Certificate. Copy the App Federation Metadata Url, and provide it to NS1. You can do this by submitting a support ticket or emailing support@ns1.com.
Step 6: Adding users to the NS1 application.
- Under Manage, click Users and Groups from the sidebar menu.
- Click Add user.
- Back in the Add Assignment screen, you can see the number of users you’ve selected. Click Assign.
The selected users are now able to log into the NS1 portal via Azure SSO. The instructions below explain the process for logging into the NS1 portal via SSO for the first time. Users can log in using SSO from the NS1 portal login page (https://my.nsone.net) or from within the Azure portal. See below for details.
Logging in via the NS1 portal (SP-initiated):
- Navigate to the NS1 portal login page (https://my.nsone.net/#/login).
- Click Log in with SSO.
- After being redirected, enter your Azure username. Click Next.
- Enter your Azure password. Click Sign in. You are redirected and logged into the NS1 portal.
Logging into the NS1 platform via the Azure portal (IdP-initiated):
- Log into the Azure AD portal (https://account.activedirectory.windowsazure.com/r#/applications).
- Click NS1 SSO for Azure from the list. You are redirected and logged into the NS1 portal.