Configure GravityZone Cloud single sign-on with Azure AD

GravityZone Cloud supports single sign-on (SSO) with various identity providers that use SAML 2.0 as the authentication standard.

This article describes how to configure GravityZone Cloud single sign-on with Azure Active Directory (Azure AD). For other identity providers, refer to this article.

Prerequisites and requirements

  • You have a Microsoft Azure account with an Azure AD Premium license activated and with the Global Administrator or Co-admin role.
  • You have a GravityZone Cloud administrator account to manage users, your company and other companies.
  • GravityZone users have Azure AD accounts with the same email addresses.
Important:
  • As GravityZone administrator, you can configure single sign-on for users from your company and from companies under your management. You cannot enable SSO for your own GravityZone account, for security reasons.
  • Users must be under companies that have SSO enabled. While SSO is active, users cannot log in with GravityZone credentials.
  • Email addresses are case sensitive with GravityZone SSO. Therefore, username@company.domain is different from UserName@company.domain and USERNAME@company.domain. If the email address from GravityZone does not match the email address from the identity provider, the user will receive a login error message when trying to connect to Control Center.
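
A pre-rollout check for the case-sensitivity rule above, as an added example (not Bitdefender or Microsoft code). It assumes you have exported the GravityZone account emails and the Azure AD user.mail values into two lists; the function names and the sample addresses are constructed for illustration.

```python
from collections import defaultdict

def sso_email_preflight(gz_emails, idp_emails):
    """Classify each GravityZone account email against the IdP's user.mail values.

    Returns {gz_email: (status, idp_spellings)} where status is one of:
      ok              exact, case-sensitive match exists in the IdP
      case_mismatch   only letter case differs from the IdP spelling
      whitespace      differs only by surrounding whitespace (export artifact)
      missing_in_idp  no corresponding IdP address at all
    """
    exact = set(idp_emails)
    by_folded = defaultdict(list)
    for addr in idp_emails:
        by_folded[addr.strip().casefold()].append(addr)

    report = {}
    for addr in gz_emails:
        candidates = by_folded.get(addr.strip().casefold(), [])
        if addr in exact:
            report[addr] = ("ok", [addr])
        elif any(c.strip() == addr.strip() for c in candidates):
            report[addr] = ("whitespace", candidates)
        elif candidates:
            report[addr] = ("case_mismatch", candidates)
        else:
            report[addr] = ("missing_in_idp", [])
    return report

def blocked_accounts(report):
    """Accounts to leave on GravityZone credentials until the addresses agree."""
    return sorted(a for a, (status, _) in report.items() if status != "ok")

# Constructed sample data (not real accounts).
GZ_ACCOUNTS = ["username@company.domain", "Alice@company.domain",
               "bob@company.domain", "carol@company.domain "]
IDP_MAIL = ["UserName@company.domain", "Alice@company.domain",
            "carol@company.domain"]

if __name__ == "__main__":
    for email, (status, detail) in sso_email_preflight(GZ_ACCOUNTS, IDP_MAIL).items():
        print(f"{email!r:32} {status:15} {detail}")
```

Because users cannot log in with GravityZone credentials while SSO is active, resolving every account that blocked_accounts returns before changing its authentication method avoids locking that user out.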

Configuring Azure AD

To enable single sign-on with Azure Active Directory, you need to configure a non-gallery application. For generic information about configuring SAML-based single sign-on to non-gallery applications in Azure, you can also refer to this Microsoft KB article.

This is how you create and configure a non-gallery Azure application:

  1. Log in to the Azure portal: https://portal.azure.com.
  2. In the left-side menu, go to Azure Active Directory.
  3. In the new left-side menu, click Enterprise Applications.
  4. At the top of the page, click +New application.
  5. In the Add an application section, click Non-gallery application.
  6. In the Add your own application section, enter a relevant name (for example, GravityZone SSO) and click Add.
  7. In the Users and groups menu, click +Add user to assign users or user groups to this application.

  8. Next, in the left-side menu, click Single sign-on and SAML.
  9. In the Set up Single Sign-On with SAML page, complete the following sections:

    Basic SAML Configuration

    1. Click the pencil icon to edit.
    2. Configure the following fields:
      • Identifier (Entity ID). Enter https://gravityzone.bitdefender.com/sp
      • Reply URL (Assertion Consumer Service URL). Enter https://gravityzone.bitdefender.com/sp/login
      • Sign on URL. Enter https://gravityzone.bitdefender.com/sp/login
      • Relay State. Skip. This parameter specifies where the application redirects the user after authentication is completed.
      • Logout URL. Enter https://gravityzone.bitdefender.com/sp/logout
    3. Click Save.

    Return to the setup page.

    User Attributes & Claims

    1. Click the pencil icon to edit.
    2. Configure the following fields:
      • Name. Enter a username.
      • Source. Select Attribute.
      • Source attribute. From the drop-down menu, select user.mail.
    3. Click Save.

    Return to the setup page.

    SAML Signing Certificate

    1. Click the pencil icon to edit.
    2. In the configuration page, enter an email address for certificate expiry reminders.
    3. Click Save.

    Return to the setup page.

    The SAML Signing Certificate section also displays the App Federation Metadata URL. This is the identity provider metadata URL, which you need in GravityZone Control Center when configuring single sign-on for your company or a company under your management. Click the Copy to clipboard button and paste the URL somewhere at hand, or keep this window open in your browser.

    Set up [your application]

    Click the View step-by-step instructions link to view the documentation related to your application.
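
A way to cross-check the settings above against a SAMLResponse captured from your own test login, as an added example (not Bitdefender or Microsoft code). It assumes the claim was named username, uses a constructed response with placeholder issuer and user, and does not verify the XML signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "https://gravityzone.bitdefender.com/sp"      # Identifier (Entity ID)
ACS_URL = "https://gravityzone.bitdefender.com/sp/login"  # Reply URL
CLAIM = "username"  # assumption: claim name entered in User Attributes & Claims

def check_saml_response(b64_response, gz_email):
    """List mismatches between a captured SAMLResponse and the settings above.
    Troubleshooting aid only: no signature check, never use it to accept a login."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not the Reply URL")
    if ENTITY_ID not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        problems.append("Audience is not the Identifier (Entity ID)")
    recipients = [d.get("Recipient")
                  for d in root.findall(".//saml:SubjectConfirmationData", NS)]
    if ACS_URL not in recipients:
        problems.append("Recipient is not the Reply URL")
    values = [(v.text or "") for v in root.findall(
        f".//saml:Attribute[@Name='{CLAIM}']/saml:AttributeValue", NS)]
    if not values:
        problems.append(f"claim '{CLAIM}' is missing")
    elif gz_email not in values:
        same = gz_email.casefold() in (v.casefold() for v in values)
        problems.append("claim differs only in letter case" if same
                        else "claim does not match the GravityZone email")
    return problems

# Constructed response for illustration; issuer, IDs and user are placeholders.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed" Version="2.0" Destination="{ACS_URL}">
  <saml:Issuer>https://idp.example/placeholder-tenant/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="{CLAIM}">
      <saml:AttributeValue>UserName@company.domain</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
```

An empty list means the Identifier, Reply URL and claim in the response agree with what was entered in Azure and with the GravityZone account email.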

Enabling SSO in GravityZone

After configuring your application in Azure, go to GravityZone Control Center to enable SSO for companies and users. You cannot enable single sign-on for users under companies that do not have SSO enabled.

  1. Enabling SSO for companies
  2. Changing the authentication method for users

1. Enabling SSO for companies

This is how you enable SSO for your company:

  1. Go to Configuration > Authentication Settings page.
  2. Under Configure Single Sign-on using SAML, enter the identity provider metadata URL in the corresponding field.

    The identity provider metadata URL is the App Federation Metadata URL from Azure.

    If you have saved the URL already, copy it here. If not, go to Azure Portal > Azure Active Directory > Enterprise application > [your application] > Set up single sign on. The App Federation Metadata URL is available in the SAML Signing Certificate section. Click the Copy to clipboard button to copy the URL and paste it in GravityZone.

  3. Click Save.

This is how you enable SSO for a company under your management:

  1. Go to the Companies page.
  2. In the table, click the company’s name.
  3. Under Configure Single Sign-on using SAML, enter the identity provider metadata URL in the corresponding field.

    The identity provider metadata URL is the App Federation Metadata URL from Azure.

    If you have saved the URL already, copy it here. If not, go to Azure Portal > Azure Active Directory > Enterprise application > [your application] > Set up single sign on. The App Federation Metadata URL is available in the SAML Signing Certificate section. Click the Copy to clipboard button to copy the URL and paste it in GravityZone.

  4. Click Save.

2. Changing the authentication method for users

After enabling SSO for a company, GravityZone user accounts under that company become available for changing their authentication method.

Change the authentication method for users one by one, as follows:

You must enable single sign-on for one GravityZone user at a time. The user must be under a company that uses SSO.

  1. Go to the Accounts page.
  2. In the table, click the user’s name.
  3. Under Settings and Privileges, go to Authentication method and select Login using your Identity Provider.
  4. Click Save.
Note:
To test single sign-on with Azure AD, go to https://gravityzone.bitdefender.com/, enter a valid email address (other than the one of your GravityZone administrator account) and click Next. If you are already authenticated with Azure, you will be logged in to Control Center automatically.