NS1 + Okta SSO Implementation Guide

NS1 supports SAML 2.0 Single Sign On (SSO) for the NS1 Managed DNS portal (https://my.nsone.net) management portal for organizations using Okta as their Identity Provider (IdP). This guide includes instructions for implementing a custom enterprise application with SAML SSO enabled for your organization.

About the NS1 + Okta SSO Integration

An administrative user creates account users and teams in the NS1 portal, and then authentication occurs via the Okta platform. The integration allows you to add the NS1 application to your organization’s existing SSO solution for added network security and simplified user management.

NS1 supports logins initiated by both the Identity Provider (IdP) or the Service Provider (SP).

• IdP-initiated login allows users to login to Okta, and then select the NS1 application to log into the NS1 portal.
• SP-initiated login allows users to select an SSO option on the login page for the NS1 portal (my.nsone.net).

Once Okta SSO is enabled for your organization, all NS1 portal users associated with your account will be able to access the NS1 portal via Okta or by selecting the SSO option on the NS1 portal login page.

Instructions

Step 1: Contact NS1 to request your SSO ID

An SSO ID is a unique identifier for an NS1 organization. It is required to configure the NS1 application in Okta. Contact NS1 customer support by submitting a ticket or emailing support@ns1.com to request an SSO ID.

Step 2: Save the Encryption Certificate

The encryption certificate is used to encrypt the SAML information that is sent to NS1. The certificate is available in Step 1 of Okta's How to Configure SAML 2.0 For NS1 guide.

Step 3: Add the NS1 application to your Enterprise Applications

1. Log into the Okta portal, and then select the Classic UI view from the drop-down list.
   
   

2. Click Applications in the sub-navigation.
   
   

3. Click Add Application.

4. Type “NS1” in the search bar, and click the NS1 application from the list.
   
   

5. Click Add.
   
   

6. Under General Settings, enter the SSO ID provided to you by NS1.
   
   

7. Click Done.

Step 4: Send your identity provider metadata link to NS1

1. In the Okta portal, navigate to the NS1 application settings, and select Sign On settings from the sub-navigation.
   
   

2. Copy the link to Identity Provider metadata.

3. Send the link to the identity provider metadata to NS1 via a support ticket or emailing support@ns1.com.

   NOTE
   When submitting the support ticket, please include the projected date by which you want to activate Okta SSO on your account. Full NS1 + Okta SSO activation should happen only after you’ve completed the steps in this guide—including initial user mappings. See Step 6 for details.

Step 5: Upload the encryption certificate

1. Confirm that the following Audience URI is displayed under General Audience URI (SP Entity ID): https://api.nsone.net/saml/metadata 

2. In the Okta portal, navigate to the NS1 application settings and select Sign On from the sub-navigation.

3. Next to Encryption Certificate, click Browse and select the certificate file provided to you by NS1.
   
   

4. Click Upload.

Step 6: Configure user mappings

An account administrator must configure user mapping based on usernames or email addresses. First, you will need to identify the format of usernames in your account—either a basic text string (ex. jdoe33) or an email address (jdoe33@example.com). This is indicated by the left-most column in the list of NS1 account users.

1. In the NS1 portal, navigate to Account Settings > Users & Teams.

2. Click the Users tab to see a list of all users associated with your account.

3. Refer to the left-most column (“User” column) to verify the username format.
   
   Example A: List of users with basic username type
   
   
   
   Example B: List of users with email username type
   
   

4. In the Okta portal, navigate to the NS1 application details page, and click Assignments tab.

5. Click Assign to add people or groups from your organization to the NS1 application.
   
   

6. Next to User Name, enter a username exactly as it appears in the NS1 portal.
   
   

   If your NS1 organization uses email format usernames, you must enter the user’s entire email address in the Edit User Assignment screen.

   

Step 7: Contact NS1 to enable SSO

Once you’ve completed the steps in this guide, please contact NS1 to let us know when you’re ready to activate the NS1 + Okta SSO. Until then, you may continue logging into the NS1 portal via login page until we complete this step. Once we’ve enabled SSO, users will only be able to login via the NS1 App in Okta. When reaching out, please let us know the date and time at which you would like to fully activate SSO.

Testing the SSO Connection

Once setup is complete, NS1 recommends that you test the SSO configuration to ensure you and your users can log into the NS1 portal via SSO.

Logging into via the NS1 portal (SP-initiated):

1. Navigate to the NS1 portal login page (https://my.nsone.net/#/login).
   
   
2. Click Log in with SSO.
3. Enter your NS1 account username, and click Log in with SSO.
   
   
   
4. After being redirected, enter your Okta login credentials, and click Sign In.
   
   
   
   You are now logged into the NS1 portal.

Logging into the NS1 platform via the Okta portal (IdP-initiated):

1. Log into the Okta portal (https://<company_url>.okta.com/app/UserHome), and click the NS1 application from the list.
   
   
   
   You are now logged in and redirect to the NS1 portal (http://my.nsone.net).

Troubleshooting notes

• If an individual users experiences issues logging in, verify that you have accurately mapped the Okta username to the NS1 username (refer to Step 5). 
• Contact NS1 support by submitting a ticket or emailing support@ns1.com for help with the implementation process.