Configure GravityZone Cloud single sign-on using a 3rd party identity provider

GravityZone Cloud supports single sign-on (SSO) with 3rd party identity providers that use SAML 2.0, such as AD FS, Okta and Azure AD. This article describes how to configure GravityZone Cloud single sign-on using a 3rd party identity provider.

Important:

GravityZone SSO has been officially tested with AD FS, Okta and Azure AD, but it may also work with other identity providers that use SAML 2.0. This article includes links to dedicated procedures for configuring AD FS, Okta and Azure AD, as well as general information about configuring other identity providers.

If GravityZone SSO fails with an identity provider other than those officially supported, the cause may lie with that specific identity provider. Contact the Bitdefender Technical Support Team for possible recommendations, but support is not guaranteed for all identity providers.

Overview

GravityZone single sign-on allows users to log in to Control Center by authenticating with an identity provider. This is a simpler and more secure method than GravityZone credentials, because users do not need to remember or renew their passwords.

GravityZone supports service provider (SP) initiated single sign-on, which implies the following user authentication flow:

  1. Users go to https://gravityzone.bitdefender.com/, enter their emails, and click Next.
  2. GravityZone creates a SAML request and forwards the request, together with the users, to the identity provider, asking for authentication.
  3. Users authenticate with the identity provider.
  4. After authentication, the identity provider sends an authentication response to GravityZone in the form of an XML document signed with an X.509 certificate, and redirects users back to GravityZone.
  5. GravityZone retrieves the response and validates it with the certificate fingerprint, allowing the users to log in to Control Center with no other interaction from them.

As long as the users have an active session with the identity provider, they continue to automatically log in to GravityZone Control Center.

Prerequisites and requirements

To enable GravityZone SSO, the following conditions are required:

  • You have a GravityZone Cloud administrator account to manage users, your company and other companies.
  • You have an account with an identity provider (AD FS, Okta, Azure AD, etc.) to configure single sign-on.
  • GravityZone users have accounts with their identity providers with the same email addresses.
Important:
  • As GravityZone administrator, you can configure single sign-on for users from your company and from companies under your management. For security reasons, you cannot enable SSO for your own GravityZone account.
  • Users must belong to companies that have SSO enabled. While SSO is active, users cannot log in with GravityZone credentials.
  • Email addresses are case-sensitive in GravityZone SSO. Therefore, [email protected] is different from [email protected] and [email protected]. If the email address in GravityZone does not match the email address from the identity provider, the user receives a login error message when trying to connect to Control Center.

Configuring GravityZone SSO

To enable GravityZone single sign-on, you must do the following:

  1. Configure the identity provider to use GravityZone as service provider.
  2. Enable SSO in GravityZone. This step involves two stages:
    1. Enable SSO for your company or for companies under your management.
    2. Change the authentication method for GravityZone users, one by one.
      Note:
      You must enable SSO for a company before changing the authentication method for the users under that company. Remember that you cannot enable SSO for your own GravityZone account.

1. Configuring the identity provider

Configuring single sign-on may vary from one identity provider to another. However, identity providers require almost the same elements to integrate with GravityZone:

  • Single Sign-on URL – the location where the SAML assertion is sent with an HTTP POST. Also known as Assertion Consumer Service (ACS) URL. For GravityZone, the single sign-on URL is https://gravityzone.bitdefender.com/sp/login.
  • Service Provider Entity ID – the application's unique identifier, which is the intended audience of the SAML assertion. Also known as Audience URL. The Entity ID for GravityZone is https://gravityzone.bitdefender.com/sp.
  • Name ID format – the format supported by the identity provider. Service and identity providers communicate with each other using a name identifier related to a user. For GravityZone, the name ID format is emailAddress.
  • Single Logout URL – the location where the logout response is sent. For GravityZone, the single logout URL is https://gravityzone.bitdefender.com/sp/logout.
  • Service Provider Issuer – this is usually the Entity ID, and the service provider uses this information for verification. For GravityZone, the single sign-on URL is https://gravityzone.bitdefender.com/sp/login.

You may find these elements in the GravityZone metadata URL document: https://gravityzone.bitdefender.com/sp/metadata.xml.
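The following script is an added example, not part of this article or of GravityZone: it pulls the elements listed above out of an SP metadata document and checks a user's identity-provider NameID against the GravityZone account email with the case-sensitive comparison described under Prerequisites. The metadata is constructed inline to mirror the values the article states; the real metadata.xml at the URL above may differ.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata mirroring the values the article states (assumption:
# the real https://gravityzone.bitdefender.com/sp/metadata.xml may differ).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}"
    entityID="https://gravityzone.bitdefender.com/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://gravityzone.bitdefender.com/sp/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{POST_BINDING}"
        Location="https://gravityzone.bitdefender.com/sp/login" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_settings(metadata_xml: str) -> dict:
    """Extract the values an identity provider needs from SP metadata."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    # Only the HTTP-POST ACS endpoint is the "Single Sign-on URL" the IdP posts to.
    acs = [e.get("Location") for e in sp.findall(f"{{{MD}}}AssertionConsumerService")
           if e.get("Binding") == POST_BINDING]
    slo = sp.find(f"{{{MD}}}SingleLogoutService")
    fmt = sp.findtext(f"{{{MD}}}NameIDFormat", default="")
    return {
        "entity_id": root.get("entityID"),          # also used as Issuer / Audience
        "acs_url": acs[0] if acs else None,
        "slo_url": slo.get("Location") if slo is not None else None,
        "name_id_format": fmt.rsplit(":", 1)[-1],   # e.g. "emailAddress"
    }


def check_name_id(gz_email: str, idp_name_id: str) -> str:
    """GravityZone matches the asserted NameID to the account email
    case-sensitively; explain why a login would be rejected."""
    if gz_email == idp_name_id:
        return "match"
    if gz_email.lower() == idp_name_id.lower():
        return "case mismatch: NameID and GravityZone email differ only in letter case"
    return "mismatch: NameID is not the GravityZone account email"
```

Running `sp_settings` against the metadata URL the article gives, instead of the constructed string, is a quick way to confirm the IdP-side values before saving the configuration.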

For your company, the GravityZone metadata URL is displayed in the Configuration > Authentication Settings page from GravityZone Control Center.

For a company under your management, the GravityZone metadata URL is displayed in the company details from the Companies page.

For details on how to configure certain identity providers, refer to these articles:

2. Enabling SSO in GravityZone

After configuring the identity provider, go to GravityZone Control Center to enable SSO for companies and users. Only users under a company with SSO enabled have the option to log in with an identity provider.

  1. Enabling SSO for companies
  2. Changing the authentication method for GravityZone users

1. Enabling SSO for companies

This is how you enable SSO for your company:

  1. Go to Configuration > Authentication Settings page.
  2. Under Configure Single Sign-on using SAML, enter the identity provider metadata URL in the corresponding field. The other field, reserved for the GravityZone metadata URL, is non-editable.
  3. Click Save.

This is how you enable SSO for a company under your management:

  1. Go to the Companies page.
  2. In the table, click the company’s name.
  3. Under Configure Single Sign-on using SAML, enter the identity provider metadata URL in the corresponding field. The other field, reserved for the GravityZone metadata URL, is non-editable.
  4. Click Save.


2. Changing the authentication method for users

After enabling SSO for a company, GravityZone user accounts under that company become available for changing their authentication method.

You can change the authentication method for users one by one, as follows:

  1. Go to the Accounts page.
  2. In the table, click the user’s name.
  3. Under Settings and Privileges, go to Authentication method and select Login using your Identity Provider.
  4. Click Save.

You can enable SSO for as many users as you want, but not for your own administrator account.

Note:
If the configuration page of a GravityZone user account does not display the Settings and Privileges section, the company probably does not have SSO enabled.

Testing GravityZone SSO

After configuring both the identity provider and GravityZone, you can test single sign-on as follows:

  1. Log out from GravityZone.
  2. Log out from your identity provider (AD FS, Azure AD, Okta, etc.).
  3. Go to https://gravityzone.bitdefender.com/.
  4. Enter a valid email address created for testing (other than the one of your GravityZone administrator account).
  5. Click Next.

    You should be redirected to the identity provider's authentication page.

  6. Authenticate with your identity provider.

    You should be redirected back to GravityZone and, in a few moments, you should automatically log in to Control Center.

Disabling GravityZone SSO

To disable single sign-on for your company or for a company under your management:

  1. Delete the identity provider metadata URL from the configuration page of that company.
  2. Click Save and confirm the action.

After disabling single sign-on for a company, users automatically switch to logging in with GravityZone credentials.

Users can obtain new passwords by clicking the Forgot password? link on the Control Center login page and following the instructions.

To re-enable GravityZone SSO for a company, enter the identity provider metadata URL again in the configuration page and click Save.

After re-enabling SSO, users under that company will continue to log in to Control Center with GravityZone credentials. You have to manually configure each account, one by one, to log in with the identity provider again.
