NS1 supports SAML 2.0 Single Sign On (SSO) for the NS1 Managed DNS management portal (https://my.nsone.net) for organizations using Okta as their Identity Provider (IdP). This guide includes instructions for implementing a custom enterprise application with SAML SSO enabled for your organization.
About the NS1 + Okta SSO Integration
An administrative user creates account users and teams in the NS1 portal, and then authentication occurs via the Okta platform. The integration allows you to add the NS1 application to your organization’s existing SSO solution for added network security and simplified user management.
NS1 supports logins initiated by either the Identity Provider (IdP) or the Service Provider (SP).
- IdP-initiated login allows users to log in to Okta, and then select the NS1 application to log into the NS1 portal.
- SP-initiated login allows users to select an SSO option on the login page for the NS1 portal (my.nsone.net).
Once Okta SSO is enabled for your organization, all NS1 portal users associated with your account will be able to access the NS1 portal via Okta or by selecting the SSO option on the NS1 portal login page.
Step 1: Contact NS1 to request your SSO ID
An SSO ID is a unique identifier for an NS1 organization. It is required to configure the NS1 application in Okta. Contact NS1 customer support by submitting a ticket or emailing firstname.lastname@example.org to request an SSO ID.
Step 2: Save the Encryption Certificate
The encryption certificate is used to encrypt the SAML information that is sent to NS1. The certificate is available in Step 1 of Okta's How to Configure SAML 2.0 For NS1 guide.
Step 3: Add the NS1 application to your Enterprise Applications
Log into the Okta portal, and then select the Classic UI view from the drop-down list.
Click Applications in the sub-navigation.
Click Add Application.
Type “NS1” in the search bar, and click the NS1 application from the list.
Under General Settings, enter the SSO ID provided to you by NS1.
Step 4: Send your identity provider metadata link to NS1
In the Okta portal, navigate to the NS1 application settings, and select Sign On settings from the sub-navigation.
- Copy the link to Identity Provider metadata.
Send the link to the identity provider metadata to NS1 via a support ticket or by emailing email@example.com.
NOTE: When submitting the support ticket, please include the projected date by which you want to activate Okta SSO on your account. Full NS1 + Okta SSO activation should happen only after you’ve completed the steps in this guide, including initial user mappings. See Step 6 for details.
Step 5: Upload the encryption certificate
Confirm that the following Audience URI is displayed under General Audience URI (SP Entity ID): https://api.nsone.net/saml/metadata
In the Okta portal, navigate to the NS1 application settings and select Sign On from the sub-navigation.
- Next to Encryption Certificate, click Browse and select the certificate file you saved in Step 2.
Step 6: Configure user mappings
An account administrator must configure user mapping based on usernames or email addresses. First, you will need to identify the format of usernames in your account: either a basic text string (e.g., jdoe33) or an email address (firstname.lastname@example.org). This is indicated by the left-most column in the list of NS1 account users.
In the NS1 portal, navigate to Account Settings > Users & Teams.
Click the Users tab to see a list of all users associated with your account.
Refer to the left-most column (“User” column) to verify the username format.
Example A: List of users with basic username type
Example B: List of users with email username type
In the Okta portal, navigate to the NS1 application details page, and click the Assignments tab.
Click Assign to add people or groups from your organization to the NS1 application.
- Next to User Name, enter a username exactly as it appears in the NS1 portal.
If your NS1 organization uses email format usernames, you must enter the user’s entire email address in the Edit User Assignment screen.
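Because Step 6 requires each Okta User Name to match the NS1 username exactly, and users can only log in through Okta once SSO is enabled, it is worth auditing the mappings before requesting activation. The following is an added example, not NS1 or Okta code: the function names are hypothetical, and both input lists are constructed sample data standing in for values copied by hand from the NS1 Users tab and the Okta Assignments tab.

```python
# Added example: pre-activation audit of Okta -> NS1 username mappings.
# All usernames below are constructed sample data, not real accounts.

def classify(assigned, ns1_users):
    """Explain how one Okta 'User Name' value relates to the NS1 user list."""
    if assigned in ns1_users:
        return "ok"
    folded = {u.strip().casefold() for u in ns1_users}
    if assigned.strip().casefold() in folded:
        return "case_or_whitespace"      # not "exactly as it appears" in NS1
    local_parts = {u.split("@", 1)[0] for u in ns1_users if "@" in u}
    if assigned in local_parts:
        return "email_truncated"         # NS1 uses email format, local part entered
    return "unknown_user"                # no NS1 user resembles this value


def audit(ns1_users, okta_assignments):
    """Group Okta logins by mapping status and list NS1 users left unmapped.

    ns1_users: usernames from the "User" column in the NS1 portal.
    okta_assignments: Okta login -> User Name typed in Edit User Assignment.
    """
    ns1 = set(ns1_users)
    report = {"ok": [], "case_or_whitespace": [],
              "email_truncated": [], "unknown_user": []}
    for okta_login, assigned in sorted(okta_assignments.items()):
        report[classify(assigned, ns1)].append(okta_login)
    exact = {a for a in okta_assignments.values() if a in ns1}
    # These users have no working mapping and would lose portal access
    # once SSO becomes the only login path.
    report["ns1_without_exact_mapping"] = sorted(ns1 - exact)
    return report


NS1_USERS = ["jdoe33@corp.example", "asmith@corp.example",
             "ckim@corp.example", "mgarcia@corp.example"]
OKTA_ASSIGNMENTS = {
    "jane.doe@corp.example": "jdoe33@corp.example",   # exact match
    "a.smith@corp.example": "ASmith@corp.example",    # case differs
    "c.kim@corp.example": "ckim",                     # local part only
    "b.lee@corp.example": "blee@corp.example",        # not an NS1 user
}

if __name__ == "__main__":
    for status, names in audit(NS1_USERS, OKTA_ASSIGNMENTS).items():
        print(f"{status}: {names}")
```

Any entry outside the "ok" group, and any name under "ns1_without_exact_mapping", should be corrected in the Edit User Assignment screen before SSO is activated.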
Step 7: Contact NS1 to enable SSO
Once you’ve completed the steps in this guide, please contact NS1 to let us know when you’re ready to activate the NS1 + Okta SSO. Until we complete this step, you may continue logging into the NS1 portal via the login page. Once we’ve enabled SSO, users will only be able to log in via the NS1 App in Okta. When reaching out, please let us know the date and time at which you would like to fully activate SSO.
Testing the SSO Connection
Once setup is complete, NS1 recommends that you test the SSO configuration to ensure you and your users can log into the NS1 portal via SSO.
Logging in via the NS1 portal (SP-initiated):
- Navigate to the NS1 portal login page (https://my.nsone.net/#/login).
- Click Log in with SSO.
- Enter your NS1 account username, and click Log in with SSO.
- After being redirected, enter your Okta login credentials, and click Sign In.
You are now logged into the NS1 portal.
Logging into the NS1 platform via the Okta portal (IdP-initiated):
- Log into the Okta portal (https://<company_url>.okta.com/app/UserHome), and click the NS1 application from the list.
You are now logged in and redirected to the NS1 portal (http://my.nsone.net).
- If an individual user experiences issues logging in, verify that you have accurately mapped the Okta username to the NS1 username (refer to Step 5).
- Contact NS1 support by submitting a ticket or emailing email@example.com for help with the implementation process.