Dome9 delivers full visibility, control and faster time to protection as organizations scale in AWS, Azure, and Google Cloud environments.

With Privileged Access Service, you can choose single-sign-on (SSO) access to the Dome9 web application with IdP-initiated SAML SSO (for SSO access through the Admin Portal) or SP-initiated SAML SSO (for SSO access directly through the Dome9 web application) or both. Providing both methods gives you and your users maximum flexibility.

Note:   SP-initiated SSO for Dome9 is automatically enabled when the SAML feature is activated.

If Dome9 is the first application you are configuring for SSO through Privileged Access Service, read these topics before you get started:

Dome9 requirements

Before you configure the Dome9 web application for SSO, you need the following:

  • An active Dome9 account in the Super User role.

  • An additional user enabled for SSO and in the Super User role.

    This is necessary because making the account owner an SSO user creates the risk of account lockout if there is an SSO failure. Specifying a different user as the SSO user ensures that you can always log in as the account owner, as long as you have the password.

  • A signed certificate.

    You can either download one from Admin Portal or use your organization’s trusted certificate.

Configuring Dome9 for single sign-on

The following steps are specific to this application and are required in order to enable SSO. For information on optional configuration settings available in the Centrify Admin Portal, see Optional configuration settings.

  1. In the Identity Provider Configuration area of the Trust page, expand the certificate area and select the certificate that you want to use for the application, then click Download.

  2. Open a new tab in your web browser.

    Note:   It is helpful to open the Dome9 web application and the CentrifyAdmin Portal simultaneously to copy and paste settings between the two browser windows.

  3. Go to the following URL and sign in as a super user:
  4. In the Dome9 admin portal, go to Administration > Account Settings, then click SSO.

  5. Click Enable.

    The SSO Configuration screen appears.

  6. Open the certificate that you downloaded earlier in a text editor, then copy the contents and paste them into the web application's certificate field.

  7. Enter a value in the Account ID field.

    You can use any string as long as it does not include a period or @ symbol. You will use the Account ID later to form the ACS URL.

  8. In the Identity Provider Configuration area of the Trust page, expand Issuer and then click Copy to copy the Issuer value, then paste it in the Issuer field in the Dome9 SSO Configuration.

  9. In the Identity Provider Configuration > Manual Configuration area of the Trust page, copy the Idp endpoint url value and then paste it in the Idp endpoint url field in the Dome9 SSO Configuration.

  10. In the Service Provider Configuration > Manual Configuration area of the Trust page, replace the DOME9-ACCOUNT-ID portion of the ACS URL with the Account ID value you entered in the Dome9 SSO Configuration screen.

  11. Click Save in both the Admin Portal and Dome9's SSO Configuration screen.

Dome9 specifications

Each SAML application is different. The following table lists features and functionality specific to Dome9.



Support details

Web browser client



Mobile client


Although Dome9 offers a mobile application, SSO is not supported.

SAML 2.0



SP-initiated SSO



IdP-initiated SSO



Force user login via SSO only



Separate administrator login
after SSO is enabled



User or Administrator lockout risk


SSO users do not get a password; SSO failure would lockout SSO users.

Just-In-Time provisioning



Multiple User Types


You might need to add users with SSO enabled.

Self-service password