Skip to main content

Configuring GravityZone Control Center single sign-on with Entra ID

GravityZone Cloud supports single sign-on (SSO) with various Identity Providers (IdP) that use SAML 2.0 as authentication standard.

This topic describes how to configure GravityZone Cloud single sign-on with Entra ID (previously Azure Active Directory) from Microsoft. For generic information on configuring other identity providers, refer to Configuring single sign-on using a 3rd party identity provider.

Configuring SSO with Entra ID involves many small steps, mostly in the Entra ID portal, so follow the procedure described below carefully.

Note

Microsoft Entra ID was formerly known as Azure Active Directory (Azure AD). The functionality is the same; only the product name and admin portal have changed.

Prerequisites and requirements

  • You have a Microsoft Entra ID account with at least the Cloud Application Administrator or Application Administrator role assigned.

  • You have a GravityZone Cloud administrator account to manage users and your company.

  • GravityZone users have Entra ID accounts with the same email addresses.

Important

  • As GravityZone administrator, you can configure single sign-on for users from your company and from companies under your management. You cannot enable SSO for your own GravityZone account due to security reasons.

  • SSO and two-factor authentication (2FA) cannot be used simultaneously. When you enable SSO for a user, 2FA is disabled for that user.

  • Email addresses are case sensitive with GravityZone SSO. Therefore, username[at]company.domain is different from UserName[at]company.domain and USERNAME[at]company.domain. If the email address from GravityZone does not match the email address from the Identity Provider, the user will receive a login error message when trying to connect to Control Center.

  • GravityZone only supports service provider initiated login. IdP-initiated login is not supported.

Configure MicrosoftEntra ID

To enable single sign-on with Entra ID, you need to configure a non-gallery application. For generic information about configuring enterprise applications, you can also refer to this Microsoft KB article.

This is how you create and configure an enterprise application for GravityZone Control Center SSO:

Set up your application

  1. Log in to the Microsoft Entra admin center: https://entra.microsoft.com.

  2. In the left-side navigation, go to Identity > Applications > Enterprise applications.

  3. At the top of the page, click + New application.

  4. Click Create your own application.

  5. In the Create your own application panel, enter a relevant name (for example, Bitdefender GravityZone), select Integrate any other application you don't find in the gallery (Non-gallery), and click Create.

Assign users and groups

  1. In the application overview page, go to Users and groups in the left-side navigation.

  2. Click + Add user/group.

  3. In the Add Assignment page, click None Selected under Users and groups.

  4. In the right-side panel, select the users or groups that should have access to GravityZone through SSO and click Select.

  5. Back in the Add Assignment page, click Assign to confirm.

Configure SAML single sign-on

  1. In the application's left-side navigation, go to Single sign-on.

  2. Select SAML as the single sign-on method.

  3. In the Set up Single Sign-On with SAML page, complete the following sections:

Basic SAML Configuration

  1. Click the pencil icon to edit.

  2. Configure the following fields:

    • Identifier (Entity ID). Enter https://gravityzone.bitdefender.com/sp

    • Reply URL (Assertion Consumer Service URL). Enter https://gravityzone.bitdefender.com/sp/login

    • Sign on URL. Enter https://gravityzone.bitdefender.com/sp/login

    • Relay State. Leave blank.

    • Logout URL. Enter https://gravityzone.bitdefender.com/sp/logout

  3. Click Save.

Return to the setup page.

User Attributes & Claims

  1. Click the pencil icon to edit.

  2. Verify the Unique User Identifier (Name ID) claim:

    • Source attribute should be set to user.mail.

    • Name identifier format should be set to Email address.

    If the default configuration uses user.userprincipalname, this is also acceptable as long as the UPN matches the email address configured in GravityZone.

  3. Click Save if you made changes.

Return to the setup page.

SAML Signing Certificate

  1. In the SAML Certificates section, verify that a signing certificate is active.

  2. Copy the App Federation Metadata Url. This is the Identity Provider metadata URL you will need for GravityZone. Click the copy icon next to the URL.

    Note

    Keep this URL at hand. You will paste it in GravityZone Control Center in the next step.

The SAML Signing Certificate section also displays the App Federation Metadata URL. This is the Identity Provider metadata URL, which you need to add in GravityZone Control Center when configuring single sign-on for your company or a company under your management. Click Copy to clipboard button to copy and paste the URL somewhere at hand or keep this window open in your browser.

Enable SSO in GravityZone Control Center

After configuring your application in Microsoft Entra ID, go to GravityZone Control Center to enable SSO.

Enable SSO for your company

This is how you enable SSO for GravityZone Control Center for your company:

  1. In the upper-right corner of Control Center, click the control_center_user_menu_icon.png user icon and then select My Company.

  2. In the Authentication tab, under GravityZone Control Center single sign-on, enter the identity provider metadata URL in the corresponding field. The other field, reserved for the GravityZone metadata URL, is non-editable.

    Paste the App Federation Metadata Url you copied from the Microsoft Entra admin center. If you did not save it, go to Microsoft Entra admin center > Identity > Applications > Enterprise applications > [your application] > Single sign-on. The App Federation Metadata Url is available in the SAML Certificates section.

  3. Click Save.

    gz_authentication_sso_console_cp_1573147_en.png

Change the authentication method for users

After enabling SSO for a company, GravityZone user accounts under that company become available for changing their authentication method.

You can change the authentication method for users one by one, as follows:

  1. Log in to GravityZone Control Center.

  2. Go to the Accounts page from the left side menu.

  3. In the table, click the user’s name.

  4. Under Login Security, go to Authentication method and select Login using your Identity Provider.

  5. Click Save.

    Note

    You cannot enable SSO for your own administrator account.

    When you switch a user to Login using your Identity Provider, their GravityZone password is invalidated. They will only be able to log in through the identity provider.

Tested identity providers

The following identity providers have been officially tested with GravityZone SSO:

  1. Log out from GravityZone.

  2. Log out from Azure.

  3. Go to https://gravityzone.bitdefender.com/.

  4. Enter a valid email address created for testing (other than the one of your GravityZone administrator account).

  5. Click Next.

    You should be redirected to the identity provider's authentication page.

  6. Authenticate with your identity provider.

    You will be redirected back to GravityZone and, in a few moments, you should automatically log in to Control Center.

Next steps

Choose the configuration guide that matches your needs:

  1. Delete the Identity Provider metadata URL from the configuration page of that company.

  2. Click Save and confirm the action.

Users can obtain new passwords by clicking the Reset my password option on the Control Center login page and following the instructions.

To re-enable GravityZone SSO for a company, enter again the identity provider in the configuration page and click Save.

After re-enabling SSO, users under that company will continue to log in to Control Center with GravityZone credentials. You have to manually configure each account, one by one, to log in with the identity provider again.