
Authentication

Fill in the information in these fields:

Note

Fields marked with * are mandatory.

Login security

  • Enforce two-factor authentication.

    Two-factor authentication (2FA) adds an extra layer of security to GravityZone accounts by requiring an authentication code in addition to the Control Center credentials.

    This feature requires downloading and installing Google Authenticator, Microsoft Authenticator, or any TOTP (Time-Based One-Time Password) authenticator app compatible with the RFC 6238 standard on the user's mobile device, then linking the app to the GravityZone account and using it at each Control Center login. The authenticator app generates a new six-digit code every 30 seconds. To complete the Control Center login, after entering the password, the user must also provide the current six-digit authentication code.

    Two-factor authentication is enabled by default when a company is created. After that, at login, a configuration window prompts users to enable this feature. Users can skip enabling 2FA only three times. At the fourth login attempt, skipping the 2FA configuration is no longer possible and the user is not allowed to log in until it is set up.

    If you want to deactivate the 2FA enforcement for all GravityZone accounts in your company, just uncheck the option. You will be prompted with a confirmation message before the changes come into effect. From this point on, users will still have 2FA activated, but they will be able to deactivate it from their account settings.

    Note

    • You can view the 2FA status for a user account in the Accounts page.

    • If a user with 2FA enabled cannot log in to GravityZone (for example, because of a new device or a lost secret key), you can reset their two-factor authentication activation from the user account page, under the Two-factor authentication section. For more details, refer to User Accounts.

  • Set maximum password age to 90 days.

    This option enables the password expiration policy. Users need to change their passwords sooner than the specified age. Otherwise, they will not be able to log in to GravityZone anymore.

  • Lock out accounts after 5 login attempts with invalid passwords.

    This option limits the number of consecutive invalid passwords to prevent attacks. When the counter reaches the threshold, the account is locked out and the user needs to reset their password.

    The policy applies to the accounts created in GravityZone.

    A notification is sent to all of the company's users when the account lockout option is enabled for that company.

Configure single sign-on using SAML

GravityZone supports service provider (SP) initiated single sign-on (SSO) as a simple and secure alternative to the classic login with username and password.

This method requires integration with third-party identity providers (IdP) using SAML 2.0, such as AD FS, Okta, and Azure AD, which authenticate GravityZone users and grant them access to Control Center.

This is how GravityZone SSO works:

  1. Users enter their email addresses in the GravityZone login page.

  2. GravityZone creates a SAML request and forwards it, along with the user, to the identity provider.

  3. Users are required to authenticate with the identity provider.

  4. After authentication, the identity provider sends a response to GravityZone in the form of an XML document signed with an X.509 certificate. Also, the identity provider redirects users to GravityZone.

  5. GravityZone retrieves the response, validates it with the certificate fingerprint, and allows users to log in to Control Center with no other interaction from them.

Users continue to automatically log in to Control Center as long as they have an active session with the identity provider.

To enable SSO for a company, you need to do the following:

  1. Configure the identity provider to use GravityZone as service provider. For supported identity providers and configuration details, refer to this article.

  2. In the company details page, under Configure single sign-on using SAML, enter the identity provider metadata URL in the corresponding box.

  3. Configure users under the company to authenticate with their identity provider. For details, refer to Managing User Authentication Methods.

To disable single sign-on for a company you manage, delete the identity provider metadata URL.

After disabling single sign-on for a company, users will automatically switch to log in with GravityZone credentials. Users can obtain new passwords by clicking the Forgot password? link on the Control Center login page and following the instructions.

After re-enabling SSO for a company, users continue to log in to Control Center with GravityZone credentials. You need to manually configure each account to use SSO again.

Note

Click the Next button in the lower right side of the screen to proceed to the next screen.