
Configuring GravityZone Cloud single sign-on with AD FS

GravityZone Cloud supports single sign-on (SSO) with various Identity Providers (IdP) that use SAML 2.0 as authentication standard.

This topic describes how to configure GravityZone Cloud single sign-on with AD FS. For generic information on configuring other Identity Providers, refer to Configuring single sign-on using a 3rd party Identity Provider.

Prerequisites and requirements

  • You have a GravityZone Cloud administrator account to manage users, your company and other companies.

  • An Active Directory instance has been configured, where users have accounts with the same email addresses as in GravityZone.

  • AD FS service has been fully installed and configured.

  • You have a valid SSL certificate for AD FS and the fingerprint for that certificate.

Important

  • As GravityZone administrator, you can configure single sign-on for users from your company and from companies under your management. For security reasons you cannot enable SSO for your own GravityZone account; this also means you always keep an account that can log in with GravityZone credentials if the Identity Provider becomes unavailable or misconfigured.

  • Users must belong to companies that have SSO enabled. While SSO is active for a user, that user cannot log in with GravityZone credentials.

  • Email addresses are case sensitive in GravityZone SSO. Therefore, username[at]company.domain, UserName[at]company.domain and USERNAME[at]company.domain are three different addresses. If the email address in GravityZone does not match the email address sent by the Identity Provider exactly, the user receives a login error when trying to connect to Control Center.
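Because the address AD FS sends (the Active Directory mail attribute, see the claim rules further down) must match the GravityZone address exactly, it is worth checking the two lists against each other before switching anyone to the Identity Provider. The following script is an added example, not Bitdefender's own tooling: it reports every GravityZone address that has no Active Directory mail attribute or that differs from it only in letter case. The GravityZone address list is assumed to be exported by hand; the three addresses in it are constructed sample data.

```powershell
# Added example, not Bitdefender's own script. Run where the ActiveDirectory
# module is installed and the account can read user objects.
Import-Module ActiveDirectory

# Constructed sample of the addresses registered in GravityZone Control Center.
$gravityZoneEmails = @(
    'jane.doe@company.example',
    'John.Smith@company.example',
    'ops-admin@company.example'
)

function Compare-SsoEmail {
    param(
        [string[]]$GravityZoneEmails,
        [object[]]$AdUsers          # objects carrying SamAccountName and mail
    )
    foreach ($gz in $GravityZoneEmails) {
        # -eq is case-insensitive in PowerShell, so this finds the account whatever its case
        $match = $AdUsers | Where-Object { $_.mail -eq $gz } | Select-Object -First 1
        if (-not $match)              { $status = 'NO AD MAIL ATTRIBUTE' }
        elseif ($match.mail -ceq $gz) { $status = 'OK' }             # -ceq: case-sensitive, as GravityZone compares
        else                          { $status = 'CASE MISMATCH' }
        [pscustomobject]@{
            GravityZone     = $gz
            ActiveDirectory = $match.mail
            SamAccountName  = $match.SamAccountName
            Status          = $status
        }
    }
}

# Every AD user that has a mail attribute at all.
$adUsers = Get-ADUser -Filter 'mail -like "*"' -Properties mail |
    Select-Object SamAccountName, mail

Compare-SsoEmail -GravityZoneEmails $gravityZoneEmails -AdUsers $adUsers |
    Format-Table -AutoSize
```

Any row reporting CASE MISMATCH or NO AD MAIL ATTRIBUTE has to be fixed on one side (the address on the GravityZone account or the mail attribute in Active Directory) before that user's authentication method is changed; otherwise the user gets the login error described above.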

Configuring GravityZone Cloud single sign-on

To configure AD FS for single sign-on, you need to do the following:

Add a relying party trust

The connection between GravityZone and AD FS is defined using a relying party trust.

  1. Log in to the server where AD FS is installed.

  2. Launch the AD FS Management application.

  3. Select Trust Relationships > Relying Party Trusts. On AD FS for Windows Server 2016 and later there is no Trust Relationships folder; Relying Party Trusts sits directly under the AD FS node.

  4. Right-click and select Add Relying Party Trust….

  5. In the Add Relying Party Trust Wizard window, follow these steps:

    1. On the Welcome page, click Start.

    2. On the Select Data Source page:

      1. Select the option Import data about the relying party published online or on a local network.

      2. In the Federation metadata address (host name or URL) box, enter the address of the service provider: https://gravityzone.bitdefender.com/sp/metadata.xml

      3. Click Next.

    3. On the Specify Display Name page, enter the name of the service provider (gravityzone.bitdefender.com) and click Next.

    4. On the Configure Multi-factor Authentication Now? page, select the option I do not want to configure multi-factor authentication settings for this relying party trust at this time and click Next.

    5. On the Choose Issuance Authorization Rules page, select the option Permit all users to access this relying party and click Next. On AD FS for Windows Server 2016 and later, the multi-factor authentication page and this page are replaced by a single Choose Access Control Policy page; select Permit everyone there.

      Note

      You do not need to configure access for individual users at this time, because you will manage who uses single sign-on from GravityZone Control Center.

    6. On the Ready to Add Trust page:

      1. Go to the Endpoints tab and verify the following addresses have been added:

        • For SAML Assertion Consumer Endpoints: https://gravityzone.bitdefender.com/sp/login, with binding POST.

        • For SAML Logout Endpoints: https://gravityzone.bitdefender.com/sp/logout, with binding Redirect.

      2. Click Next.

    7. On the Finish page, select the option Open the Edit Claim Rules dialog for this relying party trust when the wizard closes.

  6. Click Close.

Create claim rules

After adding a relying party trust, you need to create claim rules. The Edit Claim Rules window opens automatically when the wizard closes if you selected that option on the Finish page; otherwise, right-click the trust and select Edit Claim Rules….

  1. Click Add Rule to create a new rule.

  2. In Add Transform Claim Rule Wizard, follow these steps:

    1. On the Choose Rule Type page, select the template Send LDAP Attributes as Claims and click Next.

    2. On the Configure Claim Rule page, make the following configuration:

      1. In the Claim rule name box, enter a relevant name (for example, Email).

      2. For Attribute store, select Active Directory.

      3. In the table below, under LDAP Attribute (Select or type to add more), select E-Mail-Addresses (the Active Directory mail attribute).

      4. Under Outgoing Claim Type (Select or type to add more), select E-mail Address.

      5. Click Finish.

  3. Back in the Edit Claim Rules window, click Add Rule to create a new rule.

  4. In Add Transform Claim Rule Wizard, follow these steps:

    1. On the Choose Rule Type page, select the template Transform an Incoming Claim and click Next.

    2. On the Configure Claim Rule page, make the following configuration:

      1. In the Claim rule name box, enter a relevant name (for example, Transform).

      2. For Incoming claim type, select E-Mail Address.

      3. For Outgoing claim type, select Name ID.

      4. For Outgoing name ID format, select Email.

      5. Select Pass through all claim values.

      6. Click Finish.

  5. Click Apply and OK.

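The same relying party trust and the same two claim rules can be created with the AD FS PowerShell module instead of the wizard, which is easier to review and to repeat on a second federation server. The script below is an added example, not Bitdefender's own: the display name, metadata URL and rule names are the ones used in the steps above, and the claim rule text is what the Send LDAP Attributes as Claims and Transform an Incoming Claim templates generate. It assumes an elevated PowerShell session on the AD FS server.

```powershell
# Added example, not Bitdefender's own script. Run elevated on the AD FS server.
Import-Module ADFS

$spName     = 'gravityzone.bitdefender.com'
$spMetadata = 'https://gravityzone.bitdefender.com/sp/metadata.xml'

# Rule "Email": Send LDAP Attributes as Claims - AD "mail" (E-Mail-Addresses) -> E-mail Address claim.
# Rule "Transform": Transform an Incoming Claim - E-mail Address -> Name ID, format Email,
# passing the value through unchanged (so letter case is exactly what AD holds).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# "Permit all users to access this relying party" (issuance authorization rule,
# AD FS 2012 R2 and earlier; see the note on access control policies below).
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (-not (Get-AdfsRelyingPartyTrust -Name $spName)) {
    # Import data about the relying party published online: endpoints, identifier
    # and certificates come from the GravityZone metadata, and monitoring/auto-update
    # keeps them current (the same check boxes as on the Monitoring tab).
    Add-AdfsRelyingPartyTrust -Name $spName `
        -MetadataUrl $spMetadata `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRules `
        -MonitoringEnabled $true `
        -AutoUpdateEnabled $true
}

# On AD FS for Windows Server 2016 and later, authorization is an access control
# policy rather than issuance authorization rules:
# Set-AdfsRelyingPartyTrust -TargetName $spName -AccessControlPolicyName 'Permit everyone'

# Verify what the metadata import produced: the same check as the Endpoints tab
# (expect /sp/login with POST binding and /sp/logout with Redirect binding).
$rp = Get-AdfsRelyingPartyTrust -Name $spName
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location | Format-Table -AutoSize
$rp.IssuanceTransformRules
```

Keep the transform rule as a pass-through: the claim rule language has no case-folding function, so if an address differs in case between Active Directory and GravityZone it must be corrected on one of the two sides, not in the rule.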

Update the certificate

Both sides of the trust depend on certificates that expire. By default, AD FS uses self-signed token-signing and token-decrypting certificates that are valid for one year (365 days), and the GravityZone service provider publishes its own signature and encryption certificates in its metadata. When the GravityZone certificates change, the relying party trust in AD FS must be refreshed from the GravityZone metadata URL, either automatically or manually.

Automatic certificate update

The relying party certificates are refreshed automatically when monitoring and automatic update are enabled on the relying party trust. AD FS then periodically re-reads the GravityZone metadata URL and applies any change it finds there, including new certificates. This is separate from the AD FS Auto Certificate Rollover feature, which renews the AD FS server's own token-signing and token-decrypting certificates; after such a rollover, verify that SSO login still works, because GravityZone validates assertions with the certificate it obtained from the Identity Provider metadata URL.

To enable monitoring on the AD FS server:

  1. Open Administrative Tools and then the AD FS Management application (or run mmc.exe).

  2. In the left-side menu, go to Trust Relationships > Relying Party Trusts (on AD FS for Windows Server 2016 and later, Relying Party Trusts directly under the AD FS node).

  3. In the central panel, right-click on the entry corresponding to GravityZone (gravityzone.bitdefender.com) and select Properties.

    In the Monitoring tab, make sure the GravityZone SAML metadata URL (https://gravityzone.bitdefender.com/sp/metadata.xml) is displayed.

  4. Select the Monitor relying party and Automatically update relying party check boxes.

  5. Click Apply, then OK.

    AD FS starts monitoring the relying party trust for changes every 24 hours.

Manual certificate update

To manually update the certificate on the AD FS server using the GravityZone SAML metadata URL:

  1. Open Administrative Tools and then the AD FS Management application (or run mmc.exe).

  2. In the left-side menu, go to Trust Relationships > Relying Party Trusts (on AD FS for Windows Server 2016 and later, Relying Party Trusts directly under the AD FS node).

  3. In the central panel, right-click on the entry corresponding to GravityZone (gravityzone.bitdefender.com) and select Properties.

  4. In the Monitoring tab, make sure the GravityZone SAML metadata URL (https://gravityzone.bitdefender.com/sp/metadata.xml) is displayed. If not displayed, enter the metadata URL and click Test URL. Wait for validation.

  5. Click OK.

  6. Close the Properties window.

  7. While still in Trust Relationships, right-click on the entry corresponding to GravityZone (gravityzone.bitdefender.com) and select Update from Federation Metadata.

  8. In the Identifiers tab, click Update.

  9. Go to the Encryption and Signature tabs and check the Effective and Expiration dates.

After updating the certificate, verify that login through SSO works properly with a test user.
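Instead of opening the Encryption and Signature tabs by hand, the state of the trust can be checked from PowerShell. The script below is an added example, not Bitdefender's own: it compares the certificates AD FS currently holds for the GravityZone trust with the ones published at the GravityZone metadata URL, warns about certificates close to expiry, and refreshes the trust from the metadata (the equivalent of Update from Federation Metadata) when they differ. It assumes an elevated session on the AD FS server; the 30-day warning threshold is an assumption.

```powershell
# Added example, not Bitdefender's own script. Run elevated on the AD FS server.
Import-Module ADFS

$spName     = 'gravityzone.bitdefender.com'
$spMetadata = 'https://gravityzone.bitdefender.com/sp/metadata.xml'
$warnDays   = 30   # assumption: warn this many days before a certificate expires

$rp = Get-AdfsRelyingPartyTrust -Name $spName
if (-not $rp) { throw "Relying party trust '$spName' not found" }

"Monitoring enabled : $($rp.MonitoringEnabled)"
"Auto update enabled: $($rp.AutoUpdateEnabled)"
"Last monitored     : $($rp.LastMonitoredTime)"
"Last updated       : $($rp.LastUpdateTime)"

# Certificates AD FS currently holds for the trust (Signature and Encryption tabs).
$held = @($rp.RequestSigningCertificate) + @($rp.EncryptionCertificate) |
    Where-Object { $_ -ne $null }
$held | Select-Object Subject, Thumbprint, NotBefore, NotAfter | Format-Table -AutoSize
$heldThumbprints = $held | ForEach-Object { $_.Thumbprint }

# Certificates GravityZone publishes right now. In SAML 2.0 metadata each one sits
# at KeyDescriptor/KeyInfo/X509Data/X509Certificate; the "use" attribute of
# KeyDescriptor is "signing", "encryption", or absent (valid for both).
[xml]$md = (Invoke-WebRequest -Uri $spMetadata -UseBasicParsing).Content
$ns = @{ md = 'urn:oasis:names:tc:SAML:2.0:metadata'; ds = 'http://www.w3.org/2000/09/xmldsig#' }
$published = Select-Xml -Xml $md -Namespace $ns -XPath '//md:KeyDescriptor//ds:X509Certificate' |
    ForEach-Object {
        $bytes = [Convert]::FromBase64String(($_.Node.InnerText -replace '\s', ''))
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        $use   = $_.Node.ParentNode.ParentNode.ParentNode.GetAttribute('use')   # KeyDescriptor element
        [pscustomobject]@{
            Use        = if ($use) { $use } else { 'signing+encryption' }
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }
$published | Format-Table -AutoSize

$expiring = $published | Where-Object { $_.NotAfter -lt (Get-Date).AddDays($warnDays) }
$missing  = $published | Where-Object { $heldThumbprints -notcontains $_.Thumbprint }

foreach ($c in $expiring) {
    Write-Warning "Published $($c.Use) certificate $($c.Thumbprint) expires $($c.NotAfter)"
}

if ($missing) {
    Write-Warning "Trust holds stale certificates; refreshing from $spMetadata"
    # Same effect as "Update from Federation Metadata" in AD FS Management.
    Update-AdfsRelyingPartyTrust -TargetName $spName
    (Get-AdfsRelyingPartyTrust -Name $spName).EncryptionCertificate |
        Select-Object Thumbprint, NotAfter
} else {
    "Trust certificates match the published metadata."
}

# The AD FS token-signing certificate is the other side of the trust: when it is
# rolled over, GravityZone must learn the new one through the Identity Provider
# metadata URL registered in Control Center, so check when that is due.
"Auto certificate rollover: $((Get-AdfsProperties).AutoCertificateRollover)"
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
```

The script reads the metadata over HTTPS, so the certificate chain of gravityzone.bitdefender.com is validated by Invoke-WebRequest; if that fails, the AD FS monitoring job is failing for the same reason and the Last monitored time will stop advancing.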

Enable SSO in GravityZone

After configuring the Identity Provider, go to GravityZone Control Center to enable SSO for companies and to change the authentication method for users. Only users under a company with SSO enabled have the option to log in with an Identity Provider.

Enable SSO for your company

This is how you enable SSO for your company:

  1. In the upper-right corner of Control Center, go to Welcome, [your username] > My Company.

  2. In the Authentication tab, under Single Sign on using SAML, enter the Identity Provider metadata URL in the corresponding field. The other field, reserved for the GravityZone metadata URL, is non-editable.

    For AD FS, the Identity Provider metadata URL has the format https://[:adfs_host]/FederationMetadata/2007-06/FederationMetadata.xml, where [:adfs_host] is the federation service FQDN. GravityZone Cloud fetches this URL itself, so it must be reachable from the Internet over HTTPS (for example, through the Web Application Proxy) with a certificate that is publicly trusted.

  3. Click Save.


Enable SSO for managed companies

This is how you enable single sign-on for a company under your management:

  1. Log in to GravityZone Control Center.

  2. Go to the Companies page from the left side menu.

  3. In the table, click the company’s name.

  4. Under Configure Single Sign-on using SAML, enter the Identity Provider metadata URL in the corresponding field. The other field, reserved for the GravityZone metadata URL, is non-editable.

    For AD FS, the Identity Provider metadata URL has the format https://[:adfs_host]/FederationMetadata/2007-06/FederationMetadata.xml, where [:adfs_host] is the federation service FQDN.

  5. Click Save.


Change the authentication method for users

After enabling SSO for a company, GravityZone user accounts under that company become available for changing their authentication method.

You can change the authentication method for users one by one, as follows:

  1. Log in to GravityZone Control Center.

  2. Go to the Accounts page from the left side menu.

  3. In the table, click the user’s name.

  4. Under Login Security, go to Authentication method and select Login using your Identity Provider.

  5. Click Save.


    You can enable SSO for as many GravityZone users as you want, but not for your own administrator account.

    Note

    If the configuration page of a GravityZone user account does not display the Settings and Privileges section, the company probably does not have SSO enabled.

Test GravityZone SSO

After configuring both the identity provider and GravityZone, you can test single sign-on as follows:

  1. Log out from GravityZone.

  2. Log out from AD FS.

  3. Go to https://gravityzone.bitdefender.com/.

  4. Enter a valid email address created for testing (other than the one of your GravityZone administrator account).

  5. Click Next.

    You should be redirected to the Identity Provider's authentication page.

  6. Authenticate with your identity provider.

    You will be redirected back to GravityZone and, in a few moments, you should automatically log in to Control Center.

Disable GravityZone SSO

To disable single sign-on for your company or for a company under your management:

  1. Delete the Identity Provider metadata URL from the configuration page of that company.

  2. Click Save and confirm the action.

Once SSO is disabled, users under that company log in with GravityZone credentials again. Users who do not know their GravityZone password can obtain a new one by clicking the Reset my password option on the Control Center login page and following the instructions.

To re-enable GravityZone SSO for a company, enter the Identity Provider metadata URL again in the configuration page of that company and click Save.

After re-enabling SSO, users under that company continue to log in to Control Center with GravityZone credentials. You have to configure each account again, one by one, to log in with the Identity Provider.