Configuring single sign-on for Bitdefender services using a 3rd party identity provider
GravityZone supports single sign-on (SSO) for Bitdefender services outside GravityZone Control Center, such as MDR portal, through the GravityZone IdP Proxy. The IdP Proxy uses SAML 2.0 as authentication standard and acts as a centralized authentication gateway between your external identity provider and Bitdefender services.
The authentication flow works as follows:
The user navigates to a Bitdefender service (e.g., MDR portal).
The service redirects the user to the GravityZone IdP Proxy for authentication.
The IdP Proxy identifies the user's corporate identity provider and redirects them there.
The user signs in through their familiar corporate login page (with their organization's MFA, conditional access policies, etc.).
The corporate IdP confirms the user's identity back to the IdP Proxy.
The IdP Proxy translates the identity confirmation and forwards it to the Bitdefender service.
The user is granted access — no Bitdefender-specific password needed.
This entire flow happens transparently within the browser in a matter of seconds.
Important
This configuration is separate from GravityZone Control Center SSO. You must configure GravityZone Control Center SSO first, as users must already be using a 3rd party identity provider to log into GravityZone before they can use the IdP Proxy for other Bitdefender services.
The GravityZone IdP Proxy only supports service provider initiated login. IdP-initiated login is not supported.
Email addresses are case sensitive with GravityZone SSO. Therefore, username[at]company.domain is different from UserName[at]company.domain and USERNAME[at]company.domain. If the email address from GravityZone does not match the email address from the identity provider, the user will receive a login error when trying to access Bitdefender services.
Supported Bitdefender services
The following Bitdefender services support SSO through the GravityZone IdP Proxy:
MDR portal
Tested identity providers
The following identity providers have been tested with the GravityZone IdP Proxy:
AD FS (2016 or later)
Okta
Microsoft Entra ID (formerly Azure AD)
If you decide to configure other identity providers that use SAML 2.0, it can work, but the functionality is not guaranteed.
Prerequisites
A GravityZone Cloud company account with administrative privileges.
An account with a supported identity provider.
GravityZone Control Center SSO already configured with the same identity provider. Refer to Configuring GravityZone Control Center single sign-on using a 3rd party identity provider.
Users configured with the Login using your Identity Provider authentication method in GravityZone account settings.
Note
This option is available after GravityZone Control Center SSO with an external identity provider has been configured at the company level.
Users must have matching email addresses in both GravityZone and the external identity provider.
Configure the identity provider
To enable SSO for Bitdefender services through the IdP Proxy, you need to create a separate SAML application in your identity provider specifically for the IdP Proxy. This is in addition to the existing application used for GravityZone Control Center SSO.
Obtain the GravityZone IdP Proxy SAML metadata
Log in to Bitdefender GravityZone as an administrator.
Click your user name in the upper-right side of the screen and select My Company.
Go to the Authentication tab.
Under the GravityZone IdP Proxy single sign-on section, copy the GravityZone IdP Proxy SAML metadata URL (read-only field).
Use this metadata URL to import the service provider configuration into a new SAML application in your identity provider.
The Name ID attribute in the SAML application must contain the user's email address and must use the `emailAddress` Name ID format.
For step-by-step instructions specific to your identity provider, refer to:
Enable SSO for your company
In the upper-right corner of Control Center, click the user icon and then select My Company.
In the Authentication tab, under GravityZone IdP Proxy single sign-on, enter the identity provider metadata URL in the Identity provider metadata URL (IdP Proxy) field.
The other field, reserved for the GravityZone IdP Proxy SAML metadata URL, is non-editable.
Click Save.
Enable SSO for managed companies
Log in to GravityZone Control Center.
Go to the Companies page from the left side menu.
In the table, click the company's name.
Under GravityZone IdP Proxy single sign-on, enter the identity provider metadata URL in the Identity provider metadata URL (IdP Proxy) field.
The other field, reserved for the GravityZone IdP Proxy SAML metadata URL, is non-editable.
Click Save.
Verify the authentication method for users
Users must have their authentication method set to Login using your Identity Provider in GravityZone account settings. If GravityZone Control Center SSO is already configured and users are already logging in with your Identity Provider, no additional changes are needed.
If any users still use GravityZone credentials:
Log in to GravityZone Control Center.
Go to the Accounts page from the left side menu.
In the table, click the user's name.
Under Login Security, go to Authentication method and select Login using your Identity Provider.
Click Save.
Test Bitdefender services SSO
After configuring both the identity provider and GravityZone, you can test single sign-on as follows:
Open a supported Bitdefender service (for example, MDR portal) in a browser where you are not currently authenticated.
You should be redirected to the IdP Proxy, which will redirect you to your corporate identity provider's login page.
After successful authentication, you are redirected back to the Bitdefender service and granted access.
If the authentication fails, verify:
The IdP Proxy SAML application is correctly configured in your identity provider.
The metadata URL entered in the Identity provider metadata URL (IdP Proxy) field is correct and accessible.
The user's authentication method is set to Login using your Identity Provider in GravityZone account settings.
The user's email address in GravityZone matches the email in the identity provider (including case).
The Name ID format is set to `emailAddress` in the IdP application.
Disable Bitdefender services SSO
To disable single sign-on for Bitdefender services:
Delete the Identity Provider metadata URL from the Identity provider metadata URL (IdP Proxy) field in the configuration page of the company.
Click Save and confirm the action.
This does not affect GravityZone Control Center SSO, which remains configured separately.
To re-enable SSO for Bitdefender services, enter again the identity provider metadata URL in the Identity provider metadata URL (IdP Proxy) field and click Save.