Single Sign On (SSO) Configuration

Enabling Single Sign On (SSO) allows admin accounts with external identity providers to manage access to ScoutDNS through their chosen ID platform. Currently ScoutDNS SSO supports Entra ID (formerly Azure Identity), but we plan to add more ID platforms in the near future.

SSO will disable all existing ScoutDNS platform Admin and Viewer accounts. These roles will only be allowed to log in via Entra ID. Super Admin and Organization Operator roles are unaffected.

Configuring SSO for Entra ID requires setting up an Enterprise Application through App Registration. This allows the Microsoft Entra ID APIs to communicate with ScoutDNS and manage authenticated users. You will be able to assign Entra ID users and groups to ScoutDNS and map your Entra ID roles to ScoutDNS application roles.

Register Application 

To get started, go to your Entra ID Admin Center:
Select App Registrations under the Applications tab on the left side menu and select New Registration. Enter ScoutDNS as the application name and choose "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)" for account types. Under Redirect URI, select Single Page Application and input https://app.scoutdns.com/login/sso/ in the field. When complete, press the Register button at the bottom.



Set Token Type

Next, you will need to set the token type. This setting is found under the Authentication subtab, under Platform Configurations, for the app you just registered.



Configure API Permissions

Now you must configure the OpenID API permissions so that ScoutDNS can check Entra ID user access settings. Navigate to API Permissions on the App Registration subtab. You will need to set the following permissions:

'User.Read' - to sign in and read basic user info (this is set by default).
'openid' - to sign in.
'profile' - to read the user's profile.
'email' - to read the user's email address; it is used to identify the user in our system.

The first one is set for you. To add the other three, select Add a Permission. Choose Microsoft Graph and select the three additional options shown under OpenId Permissions. Then press the Add Permissions button at the bottom of the page.





Create and Assign Application Roles

The next step involves creating the application roles that will be mapped on the ScoutDNS side. You need at least one role. Navigate to the App Roles subtab and choose Create App Role at the top center. We recommend naming the roles as follows, setting the Display name and Value to the same string. You can enter a description for clarification. Enable the app role via the checkbox.
ScoutDNS_Admin
ScoutDNS_Viewer



You can now assign specific users and/or groups to your application. Exit App Registration and navigate to Enterprise Applications. Then select ScoutDNS, add users or groups as desired, and assign the role as needed.




Setup ScoutDNS portal for SSO

Now we need to configure the ScoutDNS side for SSO. Under Access Management choose the SSO sub-tab at the top left. Ensure enable connection is on.



Input Client and Tenant ID


You will need to input the Client ID and Tenant ID from the Entra ID App Registration page of the ScoutDNS app you registered.
From Entra ID, copy the Application (client) ID and paste it into the Client ID field on the ScoutDNS portal. Next, copy the Directory (tenant) ID entry and paste it into the Tenant ID field on the ScoutDNS portal.






Map Entra ID Roles to ScoutDNS


At this point, enter the role values exactly as they were entered into Entra ID so they can be matched on the ScoutDNS side. Enter the role for both Admin and Viewer as shown above. Now save this.


You can now copy the unique login URL that Entra ID will use to access ScoutDNS. Copy your unique URL from the ScoutDNS portal. Finally, return to the App Registration section and, under the ScoutDNS registration you created, navigate to Branding and Properties. Paste your unique ScoutDNS Login URL into the Entra ID Home Page URL field and save.








That's it. From this point you simply need to assign the application and make it visible to users as desired in Entra ID.
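As an added illustration (not ScoutDNS's own code), the Python below shows the claim checks a relying party applies to the ID token Entra ID issues under the registration above: audience pinned to the Client ID, tenant pinned to the Tenant ID, the email claim used as the identity key, and the roles claim mapped through the same ScoutDNS_Admin/ScoutDNS_Viewer mapping entered on the SSO tab. The Client/Tenant IDs are placeholders and the token payloads are constructed for the example.

```python
# Added illustration, not ScoutDNS code. `claims` is the decoded payload of an
# ID token whose signature has ALREADY been verified against the tenant's
# published signing keys; none of the checks below mean anything on an
# unverified token.

CLIENT_ID = "<application-client-id>"   # Application (client) ID, placeholder
TENANT_ID = "<directory-tenant-id>"     # Directory (tenant) ID, placeholder

# Entra ID app role value -> ScoutDNS platform role, as mapped on the SSO tab.
ROLE_MAP = {"ScoutDNS_Admin": "Admin", "ScoutDNS_Viewer": "Viewer"}
ROLE_RANK = {"Admin": 2, "Viewer": 1}


def resolve_sso_user(claims, client_id=CLIENT_ID, tenant_id=TENANT_ID):
    """Return (email, scoutdns_role) for an accepted token, else raise PermissionError."""
    # The registration is multitenant, so Entra ID will happily mint tokens for
    # users of other tenants; pinning aud, tid and iss is what keeps them out.
    if claims.get("aud") != client_id:
        raise PermissionError("audience mismatch: token not issued for this app")
    if claims.get("tid") != tenant_id:
        raise PermissionError("tenant mismatch: token issued by another tenant")
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        raise PermissionError("unexpected issuer")
    # The 'email' permission above exists so this claim is present; it is the key
    # by which the ScoutDNS side identifies the user.
    email = claims.get("email")
    if not email:
        raise PermissionError("email claim missing")
    # 'roles' lists the app role values assigned under Enterprise Applications.
    # No assignment, or only roles that are not mapped, means no access at all.
    mapped = [ROLE_MAP[r] for r in claims.get("roles", []) if r in ROLE_MAP]
    if not mapped:
        raise PermissionError("no ScoutDNS role assigned")
    # A user holding both roles (e.g. via group membership) gets the higher one.
    return email.lower(), max(mapped, key=ROLE_RANK.__getitem__)


def sample_claims(roles, aud=CLIENT_ID, tid=TENANT_ID):
    """Constructed token payload for the example; not a real Entra ID token."""
    return {"aud": aud, "tid": tid,
            "iss": f"https://login.microsoftonline.com/{tid}/v2.0",
            "email": "Alice@example.com", "roles": roles}


if __name__ == "__main__":
    print(resolve_sso_user(sample_claims(["ScoutDNS_Viewer"])))
```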

A few things to remember:

SSO will disable all ScoutDNS platform Admin and Viewer accounts. These user types will now only be allowed to log in via Entra ID SSO. Super Admin and Organization Operator accounts are exempt from SSO. The Super Admin account can now act as a backup in case something were to happen to the Entra ID connection, so be sure to enable 2FA on it. Organization Operators are exempt because this account type is meant to work with external organization, partner, or end customer accounts. Keep in mind that Organization Operators have limited permissions for both Manager and Viewer.


