Configure GravityZone Cloud single sign-on with Okta

GravityZone Cloud supports single sign-on (SSO) with various identity providers that use SAML 2.0 as the authentication standard.

This article describes how to configure GravityZone Cloud single sign-on with Okta. For other identity providers, refer to this article.

Prerequisites and requirements

  • You have an Okta account to create, activate and assign applications to users.
  • You have a GravityZone Cloud administrator account to manage users, your company and other companies.
  • GravityZone users have Okta accounts with the same email addresses.
Important:
  • As GravityZone administrator, you can configure single sign-on for users from your company and from companies under your management. You cannot enable SSO for your own GravityZone account, for security reasons.
  • Users must be under companies that have SSO enabled. While SSO is active, users cannot log in with GravityZone credentials.
  • Email addresses are case sensitive with GravityZone SSO. Therefore, username@company.domain is different from UserName@company.domain and USERNAME@company.domain. If the email address from GravityZone does not match the email address from the identity provider, the user will receive a login error message when trying to connect to Control Center.
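
Because the comparison is case sensitive and GravityZone credentials stop working once SSO is active, it helps to compare both account lists before switching users over. The following is an added example, not part of the original article or of any Bitdefender or Okta tooling; the function names and the sample addresses are constructed for illustration.

```python
def classify_accounts(gravityzone_emails, okta_emails):
    """Map each GravityZone address to (status, Okta spelling or None).

    status is "ok" for an exact match, "case_mismatch" when the addresses
    are equal only if letter case is ignored, and "missing" when Okta has
    no account with that address at all.
    """
    exact = set(okta_emails)
    folded = {}
    for addr in okta_emails:
        # Keep the first Okta spelling seen for each case-folded address.
        folded.setdefault(addr.casefold(), addr)
    report = {}
    for addr in gravityzone_emails:
        if addr in exact:
            report[addr] = ("ok", addr)
        elif addr.casefold() in folded:
            report[addr] = ("case_mismatch", folded[addr.casefold()])
        else:
            report[addr] = ("missing", None)
    return report


def blocked_users(report):
    """GravityZone accounts that would get a login error if switched to SSO as-is."""
    return sorted(a for a, (status, _) in report.items() if status != "ok")


# Constructed sample data, not real accounts.
GZ = ["username@company.domain", "Alice@company.domain", "bob@company.domain"]
OKTA = ["UserName@company.domain", "Alice@company.domain"]

if __name__ == "__main__":
    result = classify_accounts(GZ, OKTA)
    for email in blocked_users(result):
        status, okta_spelling = result[email]
        print(f"{email}: {status} (Okta has: {okta_spelling})")
```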

Configuring Okta

GravityZone single sign-on requires an Okta application that will connect the two platforms.

This is how you configure an Okta application:

  1. Log in to Okta.
  2. Go to the Applications section and click Add Application.
  3. Click Create New App.
  4. In the Create a New Application Integration window, select Web as platform and SAML 2.0 as sign on method, and click Create.
  5. On the Create SAML Integration page, make the following configuration:
    1. Under General Settings, enter a name for your application (for example, GravityZone SSO) and click Next.

      Additionally, you can upload a logo image and set your app’s visibility, but these options do not affect integration with GravityZone.

    2. Under SAML Settings, fill in the following fields:
      1. Single sign on URL. Enter https://gravityzone.bitdefender.com/sp/login and select the check box for Use this for Recipient URL and Destination URL.
      2. Audience URL (SP Entity ID). Enter https://gravityzone.bitdefender.com/sp
      3. Name ID format. Select Email Address.

        Click the Show Advanced Settings link for more options.

      4. Response. Select Signed.
      5. Assertion Signature. Select Signed.
      6. Signature Algorithm. Select RSA-SHA256.
      7. Digest Algorithm. Select SHA256.
      8. Assertion Encryption. Select Unencrypted.
      9. Enable Single Logout. Select the check box for Allow application to initiate Single Logout to display new options.
      10. Single Logout URL. Enter https://gravityzone.bitdefender.com/sp/logout
      11. SP Issuer. Enter https://gravityzone.bitdefender.com/sp
      12. Signature Certificate. Here you need to upload the GravityZone public certificate. For details on how to obtain this certificate, refer to this section of the article.
      13. Assertion Inline Hook. Select None (disabled).
      14. Authentication context class. Select PasswordProtectedTransport.
      15. Honor Force Authentication. Select Yes.
      16. SAML Issuer ID. Leave the default value: http://www.okta.com/${org.externalKey}

      Leave the rest of the fields blank, including Attribute Statements (optional) and Group Attribute Statements (optional).

    3. Click Next.
      Note:

      Make sure you have entered all the above data and uploaded the GravityZone certificate before proceeding further.

    4. On the next page, select I'm an Okta customer adding an internal app and click Finish.
  6. After finishing the configuration, Okta will redirect you to a page containing details about the application you have created.

    In the Sign On tab, click the Identity Provider metadata link to view the XML file of the application.

    The URL of the page that displays the XML file is the one that you have to paste in GravityZone Control Center to enable SSO. Copy the URL and keep it at hand for future use.

  7. Go to the Applications page in Okta to view the status of your application. The application must be active. Click the configuration button for assigning users, user groups, and for deactivating the application.
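
To confirm that the SAML settings from step 5 took effect, you can inspect a SAML response captured during a test login. The following is an added example, not part of the original article or of Okta or Bitdefender tooling: it assumes the response has already been base64-decoded to XML, it checks only the declared settings and does not verify the signatures cryptographically, and the sample response is constructed and structurally reduced.

```python
import xml.etree.ElementTree as ET
# Expected values, taken from the SAML Settings steps above.
ACS = "https://gravityzone.bitdefender.com/sp/login"
AUDIENCE = "https://gravityzone.bitdefender.com/sp"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def sig_problems(elem, label):
    """Inspect the ds:Signature directly under elem (declared algorithms only)."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return [f"{label} is not signed"]
    out = []
    sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    dm = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    if sm is None or sm.get("Algorithm") != RSA_SHA256:
        out.append(f"{label} signature algorithm is not RSA-SHA256")
    if dm is None or dm.get("Algorithm") != SHA256:
        out.append(f"{label} digest algorithm is not SHA256")
    return out

def audit_response(xml_text):
    """Return the deviations from the documented settings (empty list if none)."""
    root = ET.fromstring(xml_text)
    problems = sig_problems(root, "Response")
    if root.get("Destination") != ACS:
        problems.append("Destination differs from the single sign on URL")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:  # missing, or sent as EncryptedAssertion
        return problems + ["no plain Assertion (the article sets Unencrypted)"]
    problems += sig_problems(assertion, "Assertion")
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID format is not Email Address")
    if AUDIENCE not in [a.text for a in assertion.iterfind(".//a:Audience", NS)]:
        problems.append("Audience differs from the SP Entity ID")
    return problems
# Constructed sample response; signature and digest values are omitted.
SIG = (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
       f'<ds:SignatureMethod Algorithm="{RSA_SHA256}"/><ds:Reference>'
       f'<ds:DigestMethod Algorithm="{SHA256}"/></ds:Reference></ds:SignedInfo></ds:Signature>')
SAMPLE = (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" Destination="{ACS}">{SIG}'
          f'<a:Assertion>{SIG}<a:Subject><a:NameID Format="{EMAIL_FMT}">user@example.com'
          f'</a:NameID></a:Subject><a:Conditions><a:AudienceRestriction><a:Audience>{AUDIENCE}'
          f'</a:Audience></a:AudienceRestriction></a:Conditions></a:Assertion></p:Response>')
```

Calling `audit_response(SAMPLE)` returns an empty list; any returned string names the setting in Okta that should be rechecked.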

Obtaining the GravityZone public certificate

This section describes how to obtain the GravityZone public certificate by using the Mozilla Firefox browser.

  1. Open the Firefox browser.
  2. Go to https://gravityzone.bitdefender.com/.
  3. Right-click anywhere on the page and, from the contextual menu, select View Page Info.
  4. In the Page Info window, go to the Security tab and click the View Certificate button.
  5. On the certificate page, click PEM (cert) to download the certificate on your computer.

Go back to the SAML configuration page in Okta, upload the certificate and continue configuring the identity provider.

Enabling SSO in GravityZone

After configuring single sign-on in Okta, go to GravityZone Control Center to enable SSO for companies and users. Only users under a company with SSO enabled have the option to log in with an identity provider.

  • Enabling SSO for companies
  • Changing the authentication method for users

    1. Enabling SSO for companies

    This is how you enable SSO for your company:

    1. Go to Configuration > Authentication Settings page.
    2. Under Configure Single Sign-on using SAML, enter the identity provider metadata URL from Okta in the corresponding field.
    3. Click Save.

    This is how you enable SSO for a company under your management:

    1. Go to the Companies page.
    2. In the table, click the company’s name.
    3. Under Configure Single Sign-on using SAML, enter the identity provider metadata URL from Okta in the corresponding field.
    4. Click Save.

    2. Changing the authentication method for users

    After enabling SSO for a company, GravityZone user accounts under that company become available for changing their authentication method.

    Change the authentication method for users one by one, as follows:

    1. Go to the Accounts page.
    2. In the table, click the user’s name.
    3. Under Settings and Privileges, go to Authentication method and select Login using your Identity Provider.
    4. Click Save.

    You can enable SSO for as many users as you want, but not for your own administrator account.

    Note:
    • Users can log in to GravityZone via SSO by going to https://gravityzone.bitdefender.com/, not by clicking the application’s logo in Okta.
    • If the configuration page of a GravityZone user account does not display the Settings and Privileges section, then the company probably does not have SSO enabled.