Skip to main content

Configuring Bitdefender services single sign-on with Okta

GravityZone supports single sign-on (SSO) for Bitdefender services outside GravityZone Control Center, such as MDR Portal, through the GravityZone IdP Proxy. The IdP Proxy uses SAML 2.0 as authentication standard.

This topic describes how to configure single sign-on for Bitdefender services with Okta. For generic information on configuring other Identity Providers, refer to Configuring Bitdefender services single sign-on with Okta.

Prerequisites and requirements

  • You have an Okta account with administrator privileges to create, activate and assign applications to users.

  • You have a GravityZone Cloud administrator account to manage users, your company and other companies.

  • GravityZone users have Okta accounts with the same email addresses.

  • GravityZone Control Center SSO with Okta is already configured and working. Refer to Configure GravityZone Control Center single sign-on with Okta.

  • Users are configured with the Login using your Identity Provider authentication method in GravityZone account settings.

    Note

    This option is only available after GravityZone Control Center SSO has been configured at the company level.

Important

  • Email addresses are case sensitive with GravityZone SSO. Therefore, username[at]company.domain is different from UserName[at]company.domain and USERNAME[at]company.domain. If the email address from GravityZone does not match the email address from the Identity Provider, the user will receive a login error when trying to access Bitdefender services.

  • GravityZone IdP Proxy only supports service provider initiated login. IdP-initiated login is not supported.

Configure Okta

Single sign-on for Bitdefender services requires a separate Okta application specifically for the GravityZone IdP Proxy. This is in addition to the existing application used for GravityZone Control Center SSO.

This is how you configure an Okta application for the IdP Proxy:

Extract the GravityZone IdP Proxy SAML metadata

  1. Sign in to Bitdefender GravityZone as an administrator.

  2. Click your user name in the upper-right side of the screen and select My Company.

  3. Go to the Authentication tab.

  4. Under the GravityZone IdP Proxy single sign-on section, click the button next to the GravityZone IdP Proxy SAML metadata URL* field to copy the metadata URL.

  5. Open the metadata URL in a separate tab of your browser and save the page as a `metadata.xml` file.

  6. Open the `metadata.xml` file you saved in the previous step.

  7. Copy the `<ds:X509Certificate>...</ds:X509Certificate>` value and paste it into a text editor.

  8. Add the following lines at the beginning and end of the file:

    -----BEGIN CERTIFICATE----- 
    ...
    -----END CERTIFICATE-----
  9. Save the file you created as `certificate.cer`.

Create the SAML application

  1. Log in to the Okta Admin Console.

  2. In the left-side navigation, go to Applications.

  3. Click Create App Integration.

  4. In the Create a new app integration window, select SAML 2.0 as sign-in method, and click Next.

  5. On the Create SAML Integration page, apply the following configuration:

    1. Under the General Settings tab:

      1. Enter an app name (for example, `Bitdefender IdP Proxy`).

      2. (Optional) Upload a logo image and set your app's visibility.

      3. Click Next.

    2. Under Configure SAML, follow the steps below:

      1. Under Single sign-on URL, enter the Assertion Consumer Service URL from the IdP Proxy metadata XML and select the check box for Use this for Recipient URL and Destination URL.

      2. Under Audience URI (SP Entity ID), enter the Entity ID from the IdP Proxy metadata XML.

      3. For Name ID format, select EmailAddress.

      4. For Application username, select Email.

      5. Click the Show Advanced Settings link.

      6. Apply the following configuration:

        1. For Response, select Signed.

        2. For Assertion Signature, select Signed.

        3. For Signature Algorithm, select RSA-SHA256.

        4. For Digest Algorithm, select SHA256.

        5. For Assertion Encryption, select Unencrypted.

        6. Under Signature Certificate, upload the IdP Proxy certificate (`certificate.cer`) obtained in the metadata extraction step.

        7. For Authentication context class, select PasswordProtectedTransport.

        8. For Honor Force Authentication, select Yes.

        9. For SAML Issuer ID, leave the default value: `http://www.okta.com/${org.externalKey}`.

        Leave the rest of the fields blank, including Attribute Statements (optional) and Group Attribute Statements (optional).

    3. Click Next.

  6. Under Feedback, select I'm an Okta customer adding an internal app and click Finish.

After finishing the configuration, Okta will redirect you to a page containing details about the application you have created.

Assign users to the application

  1. In the Okta Admin Console, go to the application you just created.

  2. Go to the Assignments tab.

  3. Click Assign and select Assign to People or Assign to Groups.

  4. Select the relevant users or groups and click Assign for each, then click Done.

Get the Okta metadata URL

  1. In the Okta Admin Console, go to the application you created.

  2. Go to the Sign On tab.

  3. Under the SAML Signing Certificates section, find the active certificate and click Actions > View IdP metadata.

  4. Copy the URL from the browser address bar — this is the Identity Provider metadata URL you will need for GravityZone.

    Note

    You can also right-click the View IdP metadata link and select Copy link address to get the URL directly.

  5. Go to the Applications page in Okta to verify the status of your application. The application must be Active.

Enable SSO for Bitdefender services in GravityZone

After configuring single sign-on in Okta, go to GravityZone Control Center to enable SSO for Bitdefender services.

Enable SSO for your company

This is how you enable SSO for Bitdefender services for your company:

  1. In the upper-right corner of Control Center, click the user icon and then select My Company.

  2. In the Authentication tab, under GravityZone IdP Proxy single sign-on, enter the identity provider metadata URL in the Identity provider metadata URL (IdP Proxy) field. The other field, reserved for the GravityZone IdP Proxy SAML metadata URL, is non-editable.

  3. Click Save.

Enable SSO for managed companies

This is how you enable single sign-on for Bitdefender services for a company under your management:

  1. Log in to GravityZone Control Center.

  2. Go to the Companies page from the left side menu.

  3. In the table, click the company's name.

  4. Under GravityZone IdP Proxy single sign-on, enter the identity provider metadata URL in the Identity provider metadata URL (IdP Proxy) field. The other field, reserved for the GravityZone IdP Proxy SAML metadata URL, is non-editable.

  5. Click Save.

Verify the authentication method for users

Users must have their authentication method set to Login using your Identity Provider in GravityZone account settings. If GravityZone Control Center SSO is already configured and users are already logging in with your Identity Provider, no additional changes are needed.

If any users still use GravityZone credentials:

  1. Log in to GravityZone Control Center.

  2. Go to the Accounts page from the left side menu.

  3. In the table, click the user's name.

  4. Under Login Security, go to Authentication method and select Login using your Identity Provider.

  5. Click Save.

Test Bitdefender services SSO

After configuring both the identity provider and GravityZone, you can test single sign-on as follows:

  1. Log out from any Bitdefender services.

  2. Log out from Okta.

  3. Open MDR portal in a browser.

  4. You should be redirected to the IdP Proxy, which will redirect you to Okta's authentication page.

  5. Authenticate with your identity provider.

    You will be redirected back to MDR portal and granted access.

Note

The IdP Proxy does not support IdP-initiated login, but only service provider initiated login. Therefore, you can test the single sign-on by going directly to the Bitdefender service (for example, MDR Portal), not by clicking the application's logo in Okta.

Disable Bitdefender services SSO

To disable single sign-on for Bitdefender services for your company or for a company under your management:

  1. Delete the Identity Provider metadata URL from the Identity provider metadata URL (IdP Proxy) field in the configuration page of that company.

  2. Click Save and confirm the action.

This does not affect GravityZone Control Center SSO, which remains configured separately.

To re-enable SSO for Bitdefender services, enter again the identity provider metadata URL in the Identity provider metadata URL (IdP Proxy) field and click Save.