Skip to main content

Configuring Bitdefender services single sign-on with Microsoft Entra ID

GravityZone supports single sign-on (SSO) for Bitdefender services outside GravityZone Control Center, such as MDR portal, through the GravityZone IdP Proxy. The IdP Proxy uses SAML 2.0 as authentication standard.

This topic describes how to configure single sign-on for Bitdefender services with Microsoft Entra ID (formerly Azure Active Directory). For generic information on configuring other identity providers, refer to Configuring single sign-on for Bitdefender services using a 3rd party identity provider.

Configuring SSO with Microsoft Entra ID involves many small steps, mostly in the Microsoft Entra admin center, so follow the procedure described below carefully.

Note

Microsoft Entra ID was formerly known as Azure Active Directory (Azure AD). The functionality is the same; only the product name and admin portal have changed.

Prerequisites and requirements

  • You have a Microsoft Entra ID account with at least the Cloud Application Administrator or Application Administrator role assigned.

  • You have a GravityZone Cloud administrator account to manage users, your company and other companies.

  • GravityZone users have Microsoft Entra ID accounts with the same email addresses.

  • GravityZone Control Center SSO with Microsoft Entra ID is already configured and working. Refer to Configuring GravityZone Control Center single sign-on with Entra ID.

  • Users are configured with the Login using your Identity Provider authentication method in GravityZone account settings.

    Note

    This option is only available after GravityZone Control Center SSO has been configured at the company level.

Important

  • Email addresses are case sensitive with GravityZone SSO. Therefore, username[at]company.domain is different from UserName[at]company.domain and USERNAME[at]company.domain. If the email address from GravityZone does not match the email address from the identity provider, the user will receive a login error when trying to access Bitdefender services.

  • GravityZone IdP Proxy only supports service provider initiated login. IdP-initiated login is not supported.

Configure Microsoft Entra ID

To enable single sign-on for Bitdefender services with Microsoft Entra ID, you need to configure a **separate** enterprise application for the GravityZone IdP Proxy. This is in addition to the existing application used for GravityZone Control Center SSO.

This is how you create and configure the application:

Extract the GravityZone IdP Proxy SAML metadata

  1. Log in to GravityZone Control Center as an administrator.

  2. Click your user name in the upper-right side of the screen and select My Company.

  3. Go to the Authentication tab.

  4. Under the GravityZone IdP Proxy single sign-on section, click the button next to the GravityZone IdP Proxy SAML metadata URL field to copy the metadata URL.

  5. Open the metadata URL in a separate tab of your browser.

    Keep it open for reference during the Microsoft Entra configuration. You will need the Entity ID and Assertion Consumer Service URL values from the metadata.

Set up your application

  1. Log in to the Microsoft Entra admin center: https://entra.microsoft.com.

  2. In the left-side navigation, go to Identity > Applications > Enterprise applications.

  3. At the top of the page, click + New application.

  4. Click Create your own application.

  5. In the Create your own application panel, enter a relevant name (for example, Bitdefender IdP Proxy), select Integrate any other application you don't find in the gallery (Non-gallery), and click Create.

Assign users and groups

  1. In the application overview page, go to Users and groups in the left-side navigation.

  2. Click + Add user/group.

  3. In the Add Assignment page, click None Selected under Users and groups.

  4. In the right-side panel, select the users or groups that should have access to Bitdefender services through the IdP Proxy and click Select.

  5. Back in the Add Assignment page, click Assign to confirm.

Configure SAML single sign-on

  1. In the application's left-side navigation, go to Single sign-on.

  2. Select SAML as the single sign-on method.

  3. In the Set up Single Sign-On with SAML page, complete the following sections:

Basic SAML Configuration

  1. Click the pencil icon to edit.

  2. Configure the following fields using values from the IdP Proxy metadata:

    1. Identifier (Entity ID). Enter the Entity ID from the IdP Proxy metadata XML.

    2. Reply URL (Assertion Consumer Service URL). Enter the Assertion Consumer Service URL from the IdP Proxy metadata XML.

    3. Sign on URL. Enter the same Assertion Consumer Service URL.

    4. Relay State. Leave blank.

    5. Logout URL. Leave blank.

  3. Click Save.

Return to the setup page.

Attributes & Claims

  1. Click the pencil icon to edit.

  2. Verify the Unique User Identifier (Name ID) claim:

    • Source attribute should be set to user.mail.

    • Name identifier format should be set to Email address.

    If the default configuration uses user.userprincipalname, this is also acceptable as long as the UPN matches the email address configured in GravityZone.

  3. Click Save if you made changes.

Return to the setup page.

SAML Certificates

  1. In the SAML Certificates section, verify that a signing certificate is active.

  2. Copy the App Federation Metadata Url. This is the identity provider metadata URL you will need for GravityZone. Click the copy icon next to the URL.

    Note

    Keep this URL at hand. You will paste it in GravityZone Control Center in the next step.

Enable SSO for Bitdefender services in GravityZone

After configuring your application in Microsoft Entra ID, go to GravityZone Control Center to enable SSO for Bitdefender services.

Enable SSO for your company

This is how you enable SSO for Bitdefender services for your company:

  1. In the upper-right corner of Control Center, click the user icon and then select My Company.

  2. In the Authentication tab, under GravityZone IdP Proxy single sign-on, enter the identity provider metadata URL in the Identity provider metadata URL (IdP Proxy) field. The other field, reserved for the GravityZone IdP Proxy SAML metadata URL, is non-editable.

    Paste the App Federation Metadata Url you copied from the Microsoft Entra admin center.

    If you did not save it, go to Microsoft Entra admin center > Identity > Applications > Enterprise applications > [your application] > Single sign-on. The App Federation Metadata Url is available in the SAML Certificates section.

  3. Click Save.

Enable SSO for managed companies

This is how you enable single sign-on for Bitdefender services for a company under your management:

  1. Log in to GravityZone Control Center.

  2. Go to the Companies page from the left side menu.

  3. In the table, click the company's name.

  4. Under GravityZone IdP Proxy single sign-on, enter the identity provider metadata URL in the Identity provider metadata URL (IdP Proxy) field. The other field, reserved for the GravityZone IdP Proxy SAML metadata URL, is non-editable.

    Paste the App Federation Metadata Url you copied from the Microsoft Entra admin center.

  5. Click Save.

Verify the authentication method for users

Users must have their authentication method set to **Login using your Identity Provider** in GravityZone account settings. If GravityZone Control Center SSO is already configured and users are already logging in with your Identity Provider, no additional changes are needed.

If any users still use GravityZone credentials:

  1. Log in to GravityZone Control Center.

  2. Go to the Accounts page from the left side menu.

  3. In the table, click the user's name.

  4. Under Login Security, go to Authentication method and select Login using your Identity Provider.

  5. Click Save.

Test Bitdefender services SSO

After configuring both the identity provider and GravityZone, you can test single sign-on as follows:

  1. Log out from any Bitdefender services.

  2. Log out from Microsoft Entra ID / Microsoft 365.

  3. Open MDR portal in a browser.

  4. You should be redirected to the IdP Proxy, which will redirect you to the Microsoft login page.

  5. Authenticate with your identity provider.

    You will be redirected back to MDR portal and granted access.

Note

GravityZone IdP Proxy does not support IdP-initiated login, but only service provider initiated login. Therefore, you can test the single sign-on by going directly to the Bitdefender service (for example, MDR portal), not by clicking the application in Microsoft Entra ID.