NS1 supports SAML 2.0 Single Sign-On (SSO) for the NS1 Managed DNS portal (https://my.nsone.net) for customers using Duo as their Identity Provider (IdP). This guide covers creating a custom enterprise application in Duo with SAML SSO enabled for your organization, and setting up users with role-based access to the NS1 portal.
About Duo SAML SSO for NS1
The administrator user associated with the organization’s account creates users and teams—configuring settings and role-based permissions—in the NS1 portal, and then authentication occurs via the Duo platform. The integration allows you to include the NS1 application in your organization’s existing SSO solution for added network security and simplified user management.
Note: In the event that an account user is no longer associated with your organization, your account administrator must delete the user from the NS1 account, as well as from the Duo platform.
NS1 supports logins initiated by either the Identity Provider (IdP) or the Service Provider (SP).
- IdP-initiated login allows users to log in to the Duo Access Gateway or Duo SSO, and then select the NS1 application to log in to the NS1 portal.
- SP-initiated login allows users to select an SSO option on the login page for the NS1 portal (my.nsone.net).
Once Duo SAML SSO is enabled for your organization, all NS1 portal users associated with your account can access the NS1 portal via Duo or by selecting the SSO option on the NS1 portal login page. Duo uses either the Duo Access Gateway (DAG)—an on-premises server connected to an Active Directory server for user authentication—or Duo Cloud SSO.
Note: Before you begin, ensure you have the necessary permissions enabled on your Duo account.
Step 1: Contact NS1 to request your SSO ID.
An SSO ID is a unique identifier for an NS1 organization. It is required to configure the NS1 application in Duo. Contact NS1 customer support by submitting a ticket or emailing firstname.lastname@example.org to request an SSO ID.
Step 2: Create an application in Duo.
- Log into the Duo portal.
- Click Applications in the left-hand sidebar.
- Click Protect an Application.
- Using the search bar, search for “Generic Service Provider.”
- If multiple applications called “Generic Service Provider” appear, note the differences in the Protection Type column. If configuring the Duo Access Gateway (most common), click Protect next to 2FA with SSO self-hosted (Duo Access Gateway). You are redirected to the Application Configuration page.
Note: If using the new Duo SSO Beta product, refer to the Duo product documentation.
Step 3: Configure the application.
- Scroll to the Service Provider section and enter the following information:
- Service Provider Name: NS1
- Entity ID: https://api.nsone.net/saml/metadata
This is the globally unique identifier that NS1 uses for SSO.
- Assertion Consumer Service: https://api.nsone.net/saml/sso/<sso_id> where the sso_id is the unique SSO ID provided to you by NS1.
- Service Provider Login URL: https://my.nsone.net/#/login
This is the URL from which SP-initiated requests are sent.
Step 4: Configure user mappings.
An account administrator must configure user mapping based on usernames or email addresses. First, identify the format of the usernames in your account: either a basic text string (e.g. jdoe33) or an email address (e.g. email@example.com). The format is shown in the left-most column of the list of NS1 account users.
- In the NS1 portal, navigate to Account Settings > Users & Teams.
- Click the Users tab to see a list of all users associated with your account.
- Refer to the left-most column (“User” column) to verify the username format.
For example, the screenshot below demonstrates a basic username format:
Alternatively, the screenshot below demonstrates an email-based format:
- Return to the Duo portal. Back on the Application Configuration screen (from Step 3), scroll down to the SAML Response section.
Option A - If mapping users based on a basic username format:
- Next to NameID format, select
- Next to NameID attribute, type
Option B - If mapping users based on an email username format:
- Next to NameID format, select
- Next to NameID attribute, type
- Scroll down to the Create attributes section.
- Under Name, type userid.
- Under Value, enter your organization's unique NS1 customer ID. (Located in the NS1 portal under Account Settings > Users & Teams > Admin Account. Refer to this article for more information.)
Step 5: Configure encryption and assertions.
- Navigate to the SAML Response section.
- In the text box to the right of Signature Algorithm, type in
- Next to Sign Response, select (check) the box next to “Cryptographically sign response for verification by your service provider.”
- Next to Sign Assertion, select (check) the box next to “Cryptographically sign assertion for verification by your service provider.”
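Before contacting NS1 to activate SSO, it is worth capturing one SAML Response in the browser (for example with a SAML tracer extension) during a test login and confirming that what Duo sends matches the settings from Steps 3 to 5. The script below is an added example in Python; it is not code from NS1 or Duo. It checks that the Destination is the NS1 Assertion Consumer Service URL carrying your SSO ID, that the Audience is the NS1 Entity ID, that the NameID matches the username format of your NS1 account and names an existing user, that the userid attribute equals your NS1 customer ID, and that both the Response and the Assertion carry a signature element (the signature algorithm is reported, and SHA-1 based methods are flagged as weak). The sample response, the SSO ID EXAMPLE-SSO-ID, the customer ID EXAMPLE-CUSTOMER-ID, the dag.example.com issuer and the user list are all constructed placeholders. The checks are structural only: they confirm signatures are present, they do not verify them cryptographically, which NS1 does on its side.

```python
"""Pre-flight checks on a SAML Response captured during an NS1 / Duo SSO test.

Added example: structural checks only, no cryptographic signature verification.
All sample values are constructed placeholders, not real identifiers.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Service Provider values from Step 3 of the guide.
NS1_ENTITY_ID = "https://api.nsone.net/saml/metadata"
NS1_ACS_TEMPLATE = "https://api.nsone.net/saml/sso/{sso_id}"
# SHA-1 based XMLDSig methods, flagged if the IdP still emits them.
WEAK_SIGNATURE_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def username_format(ns1_users):
    """Classify the NS1 account's usernames as 'email' or 'basic' (Step 4).
    One Duo NameID mapping cannot serve both formats, so a mixed account is an error."""
    kinds = {"email" if EMAIL_RE.match(u) else "basic" for u in ns1_users}
    if len(kinds) != 1:
        raise ValueError(f"mixed username formats in NS1 account: {sorted(kinds)}")
    return kinds.pop()


def _signature_method(element):
    """Algorithm URI of a ds:Signature that is a direct child of element, else None."""
    method = element.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return method.get("Algorithm") if method is not None else None


def check_saml_response(xml_text, sso_id, customer_id, ns1_users):
    """Return findings; every key starting with 'ok_' is True when that check passes."""
    root = ET.fromstring(xml_text.strip())
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no unencrypted Assertion")

    destination = root.get("Destination")              # must be the ACS URL with your SSO ID
    audience = assertion.findtext(                       # must be the NS1 Entity ID
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    name_id_el = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else None
    actual_format = "email" if name_id and EMAIL_RE.match(name_id) else "basic"
    userid = None                                        # Step 4: userid attribute = customer ID
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "userid":
            userid = (attr.findtext("saml:AttributeValue", namespaces=NS) or "").strip()
    methods = {_signature_method(root), _signature_method(assertion)}  # Step 5: both signed

    return {
        "destination": destination,
        "ok_destination": destination == NS1_ACS_TEMPLATE.format(sso_id=sso_id),
        "ok_audience": audience == NS1_ENTITY_ID,
        "name_id": name_id,
        "name_id_format": name_id_el.get("Format") if name_id_el is not None else None,
        "ok_name_id_format": actual_format == username_format(ns1_users),
        "ok_name_id_known_user": name_id in set(ns1_users),
        "ok_userid": userid == customer_id,
        "signature_methods": sorted(m for m in methods if m),
        "ok_signed": None not in methods,
        "ok_strong_signature": None not in methods and not (methods & WEAK_SIGNATURE_METHODS),
    }


# Constructed sample shaped like a Duo SAML Response; signature values are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="https://api.nsone.net/saml/sso/EXAMPLE-SSO-ID">
 <saml:Issuer>https://dag.example.com/dag/saml2/idp/metadata.php</saml:Issuer>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo><ds:SignatureValue>UExBQ0VIT0xERVI=</ds:SignatureValue></ds:Signature>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://dag.example.com/dag/saml2/idp/metadata.php</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo><ds:SignatureValue>UExBQ0VIT0xERVI=</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://api.nsone.net/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="userid"><saml:AttributeValue>EXAMPLE-CUSTOMER-ID</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_NS1_USERS = ["jdoe@example.com", "asmith@example.com"]  # constructed NS1 user list

if __name__ == "__main__":
    for key, value in check_saml_response(
            SAMPLE_RESPONSE, "EXAMPLE-SSO-ID", "EXAMPLE-CUSTOMER-ID", SAMPLE_NS1_USERS).items():
        print(f"{key}: {value}")
```

Replace SAMPLE_RESPONSE with the Response you captured (base64-decoded), and pass your real SSO ID, customer ID and the user list from Account Settings > Users & Teams. A failing ok_name_id_format usually means the NameID attribute chosen in Step 4 does not match the username format of your NS1 account; a failing ok_signed means one of the two Sign boxes from Step 5 is unchecked.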
Step 6: Configure the Duo Access Gateway (DAG).
Duo uses either the Duo Access Gateway (DAG), an on-premises server that connects to your Active Directory server to authenticate users, or Duo Cloud SSO. The steps are the same for both. When users initiate SSO requests, they are redirected to the DAG server.
Refer to the Duo documentation for instructions on setting up the DAG server: https://duo.com/docs/dag-linux
- From the Duo portal, navigate to the NS1 application that you configured in Step 3.
- Click Download your configuration file. This is the configuration file you will upload to the DAG server.
- Add the configuration file to the Duo Access Gateway by navigating to your Duo Access Gateway or Duo Cloud SSO. Click the Applications tab in the sidebar, and then click Upload.
- Select the configuration file downloaded above.
Step 7: Contact NS1 to activate SSO.
- Back on the Duo Access Gateway server, navigate to the Applications tab.
- Scroll to the bottom of the page, and click Download XML metadata.
- To enable SSO globally for your organization, contact an NS1 support representative by submitting a ticket or emailing firstname.lastname@example.org. Note: You must provide NS1 with the metadata file.
Logging in via the NS1 portal (SP-initiated):
- Navigate to the NS1 portal login page (https://my.nsone.net/#/login), and click Log in with SSO. You are redirected to the Duo Access Gateway (DAG).
- Enter valid credentials for the authentication source backing your DAG server. For example, if your DAG server is configured to authenticate against Active Directory, enter your Active Directory username and password.
- Click Log in.
- Under Choose an authentication method, select one of the following options:
  - Send me a push
  - Call me
  - Enter a passcode
- After completing one of the security options above, you are automatically logged in and redirected to the NS1 portal.