
Configuring Datto RMM single sign-on (SSO) with an identity provider

The Datto RMM integration, through the Datto RMM App, supports single sign-on (SSO) with third-party identity providers such as AD FS, Okta and Microsoft Entra ID.

How single sign-on works

With single sign-on, you log in to Datto RMM App by authenticating with your identity provider.

This is how SSO works with Datto RMM App:

  1. You go to the Datto RMM App login page and enter the SSO alias configured for your Datto tenant.

  2. Datto RMM App creates a SAML authentication request and redirects you, together with the request, to the identity provider configured for your tenant.

  3. On the identity provider's page, you authenticate.

  4. After you authenticate successfully, the identity provider sends you back to Datto RMM App with a SAML response.

  5. Datto RMM App retrieves the response and validates its signature against the identity provider's signing certificate, identified by the certificate fingerprint.

    If the response is valid, Datto RMM App logs you in with no further interaction.

With SSO enabled, if you already have an active session with the identity provider, entering your alias on the login page takes you straight to the Companies page in Datto RMM App.

Requirements

To enable SSO in Datto RMM App, you need the following:

  • You have an active Datto RMM App integration available.

  • You have an active user account in Okta, Microsoft Entra ID or AD FS with administrative rights that allow you to configure SSO.

Creating the signature certificate

First, create the signature certificate file. This is the public certificate of the Datto RMM App authorization service (the service provider); you upload it to the identity provider later so that the identity provider can verify signatures made by the service provider.

To create the certificate, follow these steps:

  1. Open a new file in a text editor.

  2. Paste the following string in the text file:

    -----BEGIN CERTIFICATE-----
    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
    -----END CERTIFICATE-----

    Warning

    Due to an incompatibility issue, remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines from the file if you use AD FS as the identity provider.

    Other identity providers, such as Okta and Entra ID, accept or even require these tags.

  3. Save the file as bitdefender_authservice.cer.

The certificate has a limited validity period. Note its expiry (notAfter) date and return to this article on that date to recreate the file from the certificate published here, then upload the new file to the identity provider.
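The following Python script is an added example; it is not part of the Bitdefender article and is not Bitdefender or Datto code. It reads bitdefender_authservice.cer as created above, accepts the file with or without the BEGIN/END lines, writes the header-less variant that AD FS needs, prints the SHA-256 and SHA-1 fingerprints you can compare with what the identity provider shows after upload (the same kind of fingerprint the login flow above uses to identify a certificate), and parses the validity period so you know when to return for a new certificate. It uses only the standard library; because the real certificate body is not reproduced here, the script builds a synthetic, unsigned certificate-shaped DER blob for its offline run. The output file name bitdefender_authservice_adfs.cer is an assumption.

```python
"""Check the signature certificate file before uploading it to an identity provider.

Added example using only the Python standard library. build_sample_cert() returns a
constructed, unsigned certificate-shaped DER blob so the script runs offline.
"""
import base64
import hashlib
import sys
from datetime import datetime, timezone

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem: str) -> bytes:
    """Accept the certificate with or without the BEGIN/END lines and return the DER bytes."""
    body = "".join(ln.strip() for ln in pem.splitlines()
                   if ln.strip() and not ln.strip().startswith("-----"))
    return base64.b64decode(body, validate=True)


def der_to_pem(der: bytes, with_armor: bool = True) -> str:
    """Base64 in 64-character lines; with_armor=False is the header-less form AD FS needs."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    if with_armor:
        lines = [PEM_HEADER, *lines, PEM_FOOTER]
    return "\n".join(lines) + "\n"


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated hex digest of the DER bytes, the form identity provider consoles show."""
    hexd = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def validity(der: bytes):
    """Walk Certificate -> tbsCertificate -> Validity; return (notBefore, notAfter) in UTC."""
    _, p, _ = _tlv(der, 0)                 # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                 # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)             # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, end = _tlv(der, end)         # serialNumber
    _, _, end = _tlv(der, end)             # signature AlgorithmIdentifier
    _, _, end = _tlv(der, end)             # issuer Name
    _, p, _ = _tlv(der, end)               # validity SEQUENCE; p is the start of notBefore
    stamps = []
    for _ in range(2):
        tag, s, e = _tlv(der, p)
        text = der[s:e].decode("ascii")
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
        stamps.append(datetime.strptime(text, fmt).replace(tzinfo=timezone.utc))
        p = e
    return stamps[0], stamps[1]


def days_left(der: bytes, now=None) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (validity(der)[1] - now).days


# Constructed test input: certificate-shaped DER with an empty signature, NOT a real certificate.
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_cert() -> bytes:
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))  # sha256WithRSAEncryption
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                                            # version v3
               + _der(0x02, b"\x01")                                                      # serialNumber
               + alg                                                                      # signature algorithm
               + _der(0x30, b"")                                                          # issuer (empty Name)
               + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"260101000000Z"))  # validity
               + _der(0x30, b"")                                                          # subject
               + _der(0x30, alg + _der(0x03, b"\x00")))                                   # placeholder SPKI
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))                                    # empty signature BIT STRING


if __name__ == "__main__":
    der = pem_to_der(open(sys.argv[1]).read()) if len(sys.argv) > 1 else build_sample_cert()
    nb, na = validity(der)
    print("SHA-256:", fingerprint(der))
    print("SHA-1:  ", fingerprint(der, "sha1"))
    print(f"valid from {nb:%Y-%m-%d} to {na:%Y-%m-%d} ({days_left(der)} days left)")
    # Header-less copy for the AD FS relying party trust (assumed file name).
    with open("bitdefender_authservice_adfs.cer", "w") as out:
        out.write(der_to_pem(der, with_armor=False))
```

Run it as `python check_cert.py bitdefender_authservice.cer`; without an argument it runs against the constructed sample. The DER walk reads only the fields before Validity, so it works on any well-formed X.509 certificate without a third-party ASN.1 library.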

Configuring the identity provider

The exact steps vary from one identity provider to another, but all of them need the same few service-provider values to integrate with Datto RMM App:

  • Single Sign-on URL - the location to which the identity provider sends the SAML assertion in an HTTP POST. Also known as the Assertion Consumer Service (ACS) URL.

    Required value: https://authorization-service.rmm.bitdefender.com/api/saml/assertionconsumerservice

  • Service Provider Entity ID - The application unique identifier that is the intended audience of the SAML assertion. Also known as Audience URL.

    Required value: https://authorization-service.rmm.bitdefender.com

  • Name ID format - the format of the name identifier the identity provider sends to identify the user to the service provider.

    Preferably use the user's email address (for example, EmailAddress in Okta or the user.mail attribute in Entra ID).

  • Service Provider Issuer - usually identical to the Service Provider Entity ID; the service provider uses it for verification.

    Required value: https://authorization-service.rmm.bitdefender.com

Note

Datto RMM App does not support single logout.
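As an added example (not code from the article, Bitdefender or Datto), the following Python script checks a SAML response the way a service provider does in step 5 of the login flow, against the values listed above: it decodes the SAMLResponse form field that your browser posts to the ACS URL (copy it from the browser's developer tools when a login fails) and reports whether Destination and Recipient equal the ACS URL, whether Audience equals the Service Provider Entity ID, whether the Name ID is in email format, and whether the response and assertion are signed and the assertion unencrypted. It does not verify the XML signature itself, which requires the identity provider's certificate and an XML-DSig library. The sample response is constructed for this example; the issuer value and the user are placeholders, not values from a real tenant.

```python
"""Check a SAML response posted to the Datto RMM App ACS URL against the required values.

Added example. It does not verify the XML signature (that needs the IdP certificate and
an XML-DSig library); it reports which required fields match and which do not.
"""
import base64
import sys
import xml.etree.ElementTree as ET

ACS_URL = "https://authorization-service.rmm.bitdefender.com/api/saml/assertionconsumerservice"
SP_ENTITY_ID = "https://authorization-service.rmm.bitdefender.com"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def decode_posted_response(saml_response_field: str) -> str:
    """With the HTTP-POST binding the SAMLResponse form field is plain base64 (not deflated)."""
    return base64.b64decode(saml_response_field).decode("utf-8")


def encode_for_post(xml_text: str) -> str:
    """Inverse of decode_posted_response, used to simulate the browser POST offline."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def inspect_response(xml_text: str) -> dict:
    """Extract the fields a service provider checks in step 5 of the login flow."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    info = {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "status": status.get("Value") if status is not None else None,
        "destination": root.get("Destination"),
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "assertion_signed": False, "recipient": None, "audience": None,
        "name_id": None, "name_id_format": None,
    }
    if assertion is not None:
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                      default="", namespaces=NS)
        name_text = (name_id.text or "").strip() if name_id is not None else ""
        info.update({
            "assertion_signed": assertion.find("ds:Signature", NS) is not None,
            "recipient": scd.get("Recipient") if scd is not None else None,
            "audience": audience.strip() or None,
            "name_id": name_text or None,
            "name_id_format": name_id.get("Format") if name_id is not None else None,
        })
    return info


def check_response(xml_text: str):
    """Return (fields, problems); an empty problems list means the response matches the article."""
    info = inspect_response(xml_text)
    problems = []
    if info["status"] != SUCCESS:
        problems.append(f"status is {info['status']!r}, not Success")
    if info["destination"] != ACS_URL:
        problems.append(f"Destination {info['destination']!r} is not the ACS URL")
    if info["assertion_encrypted"]:
        problems.append("assertion is encrypted; the article requires Unencrypted")
    if info["recipient"] != ACS_URL:
        problems.append(f"Recipient {info['recipient']!r} is not the ACS URL")
    if info["audience"] != SP_ENTITY_ID:
        problems.append(f"Audience {info['audience']!r} is not the SP entity ID")
    if info["name_id_format"] != EMAIL_FORMAT:
        problems.append(f"Name ID format {info['name_id_format']!r} is not emailAddress")
    if not (info["response_signed"] or info["assertion_signed"]):
        problems.append("neither the Response nor the Assertion carries a signature")
    return info, problems


# Constructed sample: signature elements are placeholders, issuer and user are not from a real tenant.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>http://www.okta.com/exkPLACEHOLDER</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>http://www.okta.com/exkPLACEHOLDER</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">jane.doe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-05-01T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Same response with a trailing slash typed into the Audience URL, a common misconfiguration.
SAMPLE_WRONG_AUDIENCE = SAMPLE_RESPONSE.replace(
    f"<saml:Audience>{SP_ENTITY_ID}<", "<saml:Audience>https://authorization-service.rmm.bitdefender.com/<")


if __name__ == "__main__":
    xml_text = decode_posted_response(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    fields, problems = check_response(xml_text)
    for key, value in fields.items():
        print(f"{key}: {value}")
    print("OK" if not problems else "\n".join(problems))
```

Pass the base64 SAMLResponse value as the first argument; with no argument the script checks the constructed sample. A non-empty problems list points at the identity provider field that does not match the values listed above.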

Configuring AD FS

To configure AD FS as identity provider for single sign-on, follow these steps:

  1. Add a relying party trust

  2. Create claim rules

  3. Upload the signature certificate

Adding a relying party trust

The connection between Datto RMM App and AD FS is defined using a relying party trust. To add it, follow these steps:

  1. Log in to the server where AD FS is installed.

  2. Launch the AD FS Management application.

  3. In the application, select Relying Party Trusts > Add Relying Party Trust...

  4. In the Add Relying Party Trust Wizard window, on the Welcome page, select Claims aware and click Start.

  5. On the Select Data Source page, select Enter data about the relying party manually.

  6. Click Next.

  7. On the Specify Display Name page, enter the name of the service provider. For example, BitdefenderAuthorizationService.

  8. Click Next.

  9. On the Configure Certificate page, click Next.

  10. On the Configure URL page, follow these steps:

    1. Select Enable support for the SAML 2.0 WebSSO protocol.

    2. Under Relying party SAML 2.0 SSO service URL, enter the following URL: https://authorization-service.rmm.bitdefender.com/api/saml/assertionconsumerservice

    3. Click Next.

  11. On the Configure Identifiers page, enter the following URL for relying party trust identifier: https://authorization-service.rmm.bitdefender.com

  12. Click Add, then Next.

  13. On the Choose Access Control Policy page, select Permit everyone.

    This policy issues an assertion to every user who can authenticate to AD FS. If only some users should be able to log in to Datto RMM App, choose a policy that permits a specific group instead.
  14. On the Ready to Add Trust page, go to the Endpoints tab and verify the following URL has been added under SAML Assertion Consumer Endpoints:

    https://authorization-service.rmm.bitdefender.com/api/saml/assertionconsumerservice with binding POST

  15. On the Finish page, select Configure claims issuance policy for this application.

  16. Click Close.

Creating claim rules

After adding a relying party trust, you need to create claim rules:

  1. In the AD FS Management application, click Edit Claim Issuance Policy...

  2. Click Add Rule to create a new rule.

  3. In Add Transform Claim Rule Wizard, on the Choose Rule Type page, select Send LDAP Attributes as Claims as claim rule template.

  4. Click Next.

  5. On the Configure Claim Rule page, follow these steps:

    1. In the Claim rule name box, enter a relevant name. For example, LdapNameID.

    2. For Attribute store, select Active Directory.

    3. In the table below, under LDAP Attribute (Select or type to add more), select User-Principal-Name.

    4. Under Outgoing Claim Type (Select or type to add more), select Name ID.

      The value of this attribute becomes the Name ID that identifies the user to Datto RMM App, so it should match the user's email address.

  6. Click OK, then Apply.

Uploading the signature certificate

The integration of Datto RMM App with AD FS requires a signature certificate. To create the certificate, refer to Creating the signature certificate.

Note

For the certificate to be valid with AD FS, make sure you removed the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines from it.

To upload the signature certificate, follow these steps:

  1. In the left-side menu of AD FS Management application, go to Relying Party Trusts.

  2. In the central panel, select the relying party trust you created and open its Properties.

  3. In the Properties window, go to the Signature tab.

  4. Click Add.

  5. In the file dialog, select All Files (*.*) in the file type drop-down menu and open bitdefender_authservice.cer.

  6. Back in the Properties window, click Apply, then OK.

Configuring Okta

You must configure an Okta application that connects Okta to Datto RMM App.

To configure an application, follow these steps:

  1. Log in to Okta Admin Console.

  2. If not already selected, click Admin next to your username to access the settings that allow you to configure applications.

  3. In the left-side menu, go to the Applications section and click Create App Integration.

  4. In the Create a new app integration window, select SAML 2.0 as sign-in method and click Next.

  5. On the Create SAML Integration page, under the General Settings tab, follow these steps:

    1. Enter an app name (for example, Datto App).

    2. Optionally, upload a logo image and set your app’s visibility.

    3. Click Next.

  6. On the Configure SAML page, follow these steps:

    1. Under Single sign on URL, enter https://authorization-service.rmm.bitdefender.com/api/saml/assertionconsumerservice

      Also select the check box for Use this for Recipient URL and Destination URL.

    2. Under Audience URL (SP Entity ID), enter https://authorization-service.rmm.bitdefender.com

    3. For Name ID format, select EmailAddress.

    4. Click the Show Advanced Settings link to add more configuration details.

    5. For Response, select Signed.

    6. For Assertion Signature, select Signed.

    7. For Signature Algorithm, select RSA-SHA256.

    8. For Digest Algorithm, select SHA256.

    9. For Assertion Encryption, select Unencrypted.

    10. For Signature Certificate, click Browse files... to upload the signature certificate that you have previously created in Creating the signature certificate.

    11. After you upload the certificate, the options for Enable Single Logout and Signed Requests become active. Leave both Allow application to initiate Single Logout and Validate SAML requests with signature certificates cleared.

    12. Under SP Issuer, enter https://authorization-service.rmm.bitdefender.com

    13. For Authentication context class, select PasswordProtectedTransport.

    14. For Honor Force Authentication, select Yes.

    15. For SAML Issuer ID, leave the default value: http://www.okta.com/${org.externalKey}

      Leave the rest of the fields blank, including Attribute Statements (optional) and Group Attribute Statements (optional).

    16. Click Next.

  7. On the Feedback page, select I'm an Okta customer adding an internal app.

  8. Click Finish.


After finishing the configuration, Okta will redirect you to a page containing details about the application you have created. Follow these additional steps:

  1. In the Sign On tab, click the Copy button under the Metadata details section.

    This will copy a URL of the XML file which contains the metadata details that you have to paste in Datto RMM App to enable SSO. Keep it at hand for future use.

  2. Go to the Applications page in Okta to view the status of your application. The application must be active.

  3. Use the application's configuration button to assign the application to users or user groups, or to deactivate it. Assign it only to the users who should be able to log in to Datto RMM App.

Configuring Microsoft Entra ID

You must configure a non-gallery application that connects Entra ID to Datto RMM App. To configure a non-gallery application, follow these steps:

  1. Log in to Azure portal.

  2. On the welcome page, go to Microsoft Entra ID.

  3. In the left-side menu, go to Enterprise applications.

  4. At the upper-side of the page, click + New application.

  5. In the Browse Microsoft Entra Gallery section, click + Create your own application.

  6. In the Create your own application section, follow these steps:

    1. Enter a relevant name (for example, Datto RMM App).

    2. Select Integrate any other application you don't find in the gallery (Non-gallery).

    3. Click Create.

  7. On the Overview page of your application, go to Users and groups.

  8. Click + Add user/group to assign users or user groups to your application.
  9. On the Add Assignment page, go to Users and groups and click None Selected.

  10. In the right-side panel, select users to assign to the application and click Select.

  11. Back in the Add Assignment page, click Assign to confirm the users attached to your application.

  12. Go to the Single sign-on section and click SAML.

  13. On the Set up Single Sign-On with SAML page, complete the following sections:

    • Basic SAML Configuration

    • User Attributes & Claims

    • SAML Certificates

    The options for these sections are detailed below.

Basic SAML Configuration

In the Basic SAML Configuration section, follow these steps:

  1. Click the pencil icon to edit.

  2. Configure the following fields:

    • Identifier (Entity ID). Enter https://authorization-service.rmm.bitdefender.com

    • Reply URL (Assertion Consumer Service URL). Enter https://authorization-service.rmm.bitdefender.com/api/saml/assertionconsumerservice

  3. Click Save.

Return to the setup page.

User Attributes & Claims

In the Attributes & Claims section, follow these steps:

  1. Click the pencil icon to edit.

  2. On the new page, click the + Add new claim option.

  3. Configure the following fields:

    • Name. Enter a name for this claim.

    • Source. Select Attribute.

    • Source attribute. From the drop-down menu, select user.mail.

  4. Click Save.

Return to the setup page.

SAML Certificates

In the SAML Certificates section, follow these steps:

  1. For Token signing certificate, click the pencil icon to edit.

  2. In the configuration page, enter an email address for certificate expiry reminders.

  3. Click Save.

  4. Back in the setup page, go to Verification certificates (optional) and click the pencil icon to edit.

  5. In the configuration page, select Require verification certificates and upload the file you created in Creating the signature certificate.
  6. Click Save.

Return to the setup page.

The SAML Certificates section also displays the App Federation Metadata URL.

This is the metadata URL that you need to enter in Datto RMM App when configuring single sign-on.

Click the Copy to clipboard button and paste the URL somewhere at hand, or keep this window open in your browser until you have entered the URL in Datto RMM App.

Configuring Datto RMM App

After you have configured the identity provider, you must enable single sign-on in Datto RMM App. Follow these steps:

  1. In Datto RMM App, go to System > Authentication.

  2. Under Manage Single Sign-On, enter the following details:

    • For alias, enter a name.

      The name must be unique (not used by another Datto tenant) and at least five characters long; it may contain only letters, digits and the hyphen (-).

    • For metadata URL, enter the link you have previously saved when finished configuring the corresponding application in the identity provider.

  3. To enable single sign-on, click Save Changes.

From now on, you log in to Datto RMM App by entering just your alias.
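Datto RMM App takes the identity provider's signing certificate from the metadata document at the URL you enter here, so it will trust whichever identity provider that URL describes. The following Python script is an added example (not code from the article, Bitdefender or Datto) for checking the URL before you save it: it fetches the document over HTTPS only, confirms that it describes an identity provider with an entityID, an HTTPS single sign-on endpoint and at least one signing certificate, and prints the SHA-256 fingerprint of each signing certificate so you can compare it with the certificate shown in the Okta, Entra ID or AD FS console. The sample metadata is constructed; its entityID and endpoints are placeholders and its certificate value is a stand-in string, not a real certificate.

```python
"""Sanity-check identity provider SAML metadata before pasting its URL into Datto RMM App.

Added example using only the standard library. SAMPLE_METADATA is constructed: the
X509Certificate value is a stand-in string, not a certificate.
"""
import base64
import hashlib
import sys
import urllib.request
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}


def fetch_metadata(url: str, timeout: float = 10) -> str:
    """Only https:// is accepted: metadata fetched over plain HTTP could be swapped in transit."""
    if not url.lower().startswith("https://"):
        raise ValueError("metadata URL must use https")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form identity provider consoles display."""
    hexd = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def summarize_idp_metadata(xml_text: str) -> dict:
    """Return entityID, SSO endpoints by binding, Name ID formats and signing cert fingerprints."""
    root = ET.fromstring(xml_text)
    entity = root if root.tag == f"{{{NS['md']}}}EntityDescriptor" else root.find("md:EntityDescriptor", NS)
    idp = entity.find("md:IDPSSODescriptor", NS) if entity is not None else None
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    sso = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")                 # no 'use' attribute means the key serves signing too
        if use not in (None, "signing"):
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(cert_fingerprint(base64.b64decode("".join(c.text.split()))))
    return {
        "entity_id": entity.get("entityID"),
        "sso_endpoints": sso,
        "name_id_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text],
        "signing_cert_sha256": certs,
    }


def check_idp_metadata(xml_text: str):
    """Return (summary, problems); an empty problems list means the document is usable."""
    summary = summarize_idp_metadata(xml_text)
    problems = []
    if not summary["entity_id"]:
        problems.append("entityID missing")
    if not (summary["sso_endpoints"].get("HTTP-POST") or summary["sso_endpoints"].get("HTTP-Redirect")):
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    for binding, location in summary["sso_endpoints"].items():
        if not location.lower().startswith("https://"):
            problems.append(f"{binding} endpoint {location} is not https")
    if not summary["signing_cert_sha256"]:
        problems.append("no signing certificate: responses could not be validated")
    return summary, problems


# Constructed sample; entityID and endpoints are placeholders, the certificate is a stand-in string.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>bm90LWEtcmVhbC1jZXJ0aWZpY2F0ZQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    text = fetch_metadata(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_METADATA
    summary, problems = check_idp_metadata(text)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("OK" if not problems else "\n".join(problems))
```

Run it with the metadata URL copied from Okta or Entra ID as the first argument; without an argument it checks the constructed sample. If the reported entityID or certificate fingerprint is not the one your identity provider console shows, do not save that URL.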

Disabling single sign-on

To disable single sign-on with Datto RMM App, follow these steps:

  1. In Datto RMM App, go to System > Authentication.

  2. Delete the alias and metadata URL.

  3. Click Save Changes.

  4. Click Disable in the confirmation window.