Configuring GravityZone Control Center single sign-on with Entra ID
GravityZone Cloud supports single sign-on (SSO) with various Identity Providers (IdP) that use SAML 2.0 as authentication standard.
This topic describes how to configure GravityZone Cloud single sign-on with Entra ID (previously Azure Active Directory) from Microsoft. For generic information on configuring other identity providers, refer to Configuring single sign-on using a 3rd party identity provider.
Configuring SSO with Entra ID involves many small steps, mostly in the Entra ID portal, so follow the procedure described below carefully.
Note
Microsoft Entra ID was formerly known as Azure Active Directory (Azure AD). The functionality is the same; only the product name and admin portal have changed.
Prerequisites and requirements
You have a Microsoft Entra ID account with at least the Cloud Application Administrator or Application Administrator role assigned.
You have a GravityZone Cloud administrator account to manage users and your company.
GravityZone users have Entra ID accounts with the same email addresses.
Important
As GravityZone administrator, you can configure single sign-on for users from your company and from companies under your management. You cannot enable SSO for your own GravityZone account due to security reasons.
SSO and two-factor authentication (2FA) cannot be used simultaneously. When you enable SSO for a user, 2FA is disabled for that user.
Email addresses are case sensitive with GravityZone SSO. Therefore, username[at]company.domain is different from UserName[at]company.domain and USERNAME[at]company.domain. If the email address from GravityZone does not match the email address from the Identity Provider, the user will receive a login error message when trying to connect to Control Center.
GravityZone only supports service provider initiated login. IdP-initiated login is not supported.
Configure MicrosoftEntra ID
To enable single sign-on with Entra ID, you need to configure a non-gallery application. For generic information about configuring enterprise applications, you can also refer to this Microsoft KB article.
This is how you create and configure an enterprise application for GravityZone Control Center SSO:
Set up your application
Log in to the Microsoft Entra admin center: https://entra.microsoft.com.
In the left-side navigation, go to Identity > Applications > Enterprise applications.
At the top of the page, click + New application.
Click Create your own application.
In the Create your own application panel, enter a relevant name (for example,
Bitdefender GravityZone), select Integrate any other application you don't find in the gallery (Non-gallery), and click Create.
Assign users and groups
In the application overview page, go to Users and groups in the left-side navigation.
Click + Add user/group.
In the Add Assignment page, click None Selected under Users and groups.
In the right-side panel, select the users or groups that should have access to GravityZone through SSO and click Select.
Back in the Add Assignment page, click Assign to confirm.
Configure SAML single sign-on
In the application's left-side navigation, go to Single sign-on.
Select SAML as the single sign-on method.
In the Set up Single Sign-On with SAML page, complete the following sections:
Basic SAML Configuration
Click the pencil icon to edit.
Configure the following fields:
Identifier (Entity ID). Enter
https://gravityzone.bitdefender.com/spReply URL (Assertion Consumer Service URL). Enter
https://gravityzone.bitdefender.com/sp/loginSign on URL. Enter
https://gravityzone.bitdefender.com/sp/loginRelay State. Leave blank.
Logout URL. Enter
https://gravityzone.bitdefender.com/sp/logout
Click Save.
Return to the setup page.
User Attributes & Claims
Click the pencil icon to edit.
Verify the Unique User Identifier (Name ID) claim:
Source attribute should be set to
user.mail.Name identifier format should be set to Email address.
If the default configuration uses
user.userprincipalname, this is also acceptable as long as the UPN matches the email address configured in GravityZone.Click Save if you made changes.
Return to the setup page.
SAML Signing Certificate
In the SAML Certificates section, verify that a signing certificate is active.
Copy the App Federation Metadata Url. This is the Identity Provider metadata URL you will need for GravityZone. Click the copy icon next to the URL.
Note
Keep this URL at hand. You will paste it in GravityZone Control Center in the next step.
The SAML Signing Certificate section also displays the App Federation Metadata URL. This is the Identity Provider metadata URL, which you need to add in GravityZone Control Center when configuring single sign-on for your company or a company under your management. Click Copy to clipboard button to copy and paste the URL somewhere at hand or keep this window open in your browser.
Enable SSO in GravityZone Control Center
After configuring your application in Microsoft Entra ID, go to GravityZone Control Center to enable SSO.
Enable SSO for your company
This is how you enable SSO for GravityZone Control Center for your company:
In the upper-right corner of Control Center, click the
user icon and then select My Company.In the Authentication tab, under GravityZone Control Center single sign-on, enter the identity provider metadata URL in the corresponding field. The other field, reserved for the GravityZone metadata URL, is non-editable.
Paste the App Federation Metadata Url you copied from the Microsoft Entra admin center. If you did not save it, go to Microsoft Entra admin center > Identity > Applications > Enterprise applications > [your application] > Single sign-on. The App Federation Metadata Url is available in the SAML Certificates section.
Click Save.

Change the authentication method for users
After enabling SSO for a company, GravityZone user accounts under that company become available for changing their authentication method.
You can change the authentication method for users one by one, as follows:
Log in to GravityZone Control Center.
Go to the Accounts page from the left side menu.
In the table, click the user’s name.
Under Login Security, go to Authentication method and select Login using your Identity Provider.
Click Save.
Note
You cannot enable SSO for your own administrator account.
When you switch a user to Login using your Identity Provider, their GravityZone password is invalidated. They will only be able to log in through the identity provider.
Tested identity providers
The following identity providers have been officially tested with GravityZone SSO:
Log out from GravityZone.
Log out from Azure.
Enter a valid email address created for testing (other than the one of your GravityZone administrator account).
Click Next.
You should be redirected to the identity provider's authentication page.
Authenticate with your identity provider.
You will be redirected back to GravityZone and, in a few moments, you should automatically log in to Control Center.
Next steps
Choose the configuration guide that matches your needs:
Delete the Identity Provider metadata URL from the configuration page of that company.
Click Save and confirm the action.
Users can obtain new passwords by clicking the Reset my password option on the Control Center login page and following the instructions.
To re-enable GravityZone SSO for a company, enter again the identity provider in the configuration page and click Save.
After re-enabling SSO, users under that company will continue to log in to Control Center with GravityZone credentials. You have to manually configure each account, one by one, to log in with the identity provider again.