PRTG Manual: Single Sign-On

On the Single Sign-On tab, you can select a single sign-on (SSO) provider and configure the related settings.

i_round_blueThis documentation refers to an administrator that accesses the PRTG web interface on a master node. Other user accounts, interfaces, or failover nodes might not offer all of the options described here. In a cluster, note that failover nodes are read-only by default.

i_podIf 15 minutes (900 seconds) have passed since your last credential-based login and you open a setup page from a different setup page, PRTG asks you to enter your credentials again for security reasons. A dialog box appears. Enter your Login Name and Password and click OK to continue.

i_round_redYou must first configure Azure Active Directory (Azure AD) or Okta accordingly before you can integrate it into PRTG for SSO. For example, you must register PRTG as an application.

i_round_blueIf you want to further improve the security for sign-in events, we recommend that you enable multi-factor authentication for Azure AD or Okta.

Single Sign-On Settings

Setting

Description

SSO Login

Define if you want to enable login via SSO:

  • Disable (default)
  • Enable

Provider

This setting is only visible if you select Enable above. Select an SSO provider from the dropdown list:

  • Azure Active Directory: Use Azure Active Directory as the SSO provider.
  • Okta: Use Okta as the SSO provider.

Configuration Endpoint

This setting is only visible if you select Enable above. Enter the configuration endpoint URL.

i_round_blueClick Load Configuration to automatically fill in the values for Authorization Endpoint, Token Endpoint, JSON Web Key Set (JWKS) URI, and Issuer. If this does not work, then manually enter the values.

Azure AD URL format example:

https://login.microsoftonline.com/<tenant-ID>/v2.0/.well-known/openid-configuration

i_round_blueMake sure to replace <tenant-ID> with the directory (tenant) ID from Azure AD.

Okta URL format example:

https://<your-Okta-domain>/oauth2/<authorization-server-ID>/.well-known/oauth-authorization-server

i_round_blueYou can find the URL in the field Metadata URI under Security | API in the Okta administrator console.
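The following Python script is an added example and is not part of the PRTG manual or of Paessler's own code. It reproduces offline what Load Configuration does: it takes the discovery document behind the Configuration Endpoint and pulls out the four values this page asks for (Issuer, Authorization Endpoint, Token Endpoint, JWKS URI), and it adds the checks you would want before pasting the result into PRTG: the issuer in the document must match the issuer implied by the configuration URL, and every endpoint must be HTTPS on the issuer's own host, so that a mistyped or substituted document cannot point PRTG at a foreign token or key server. The tenant ID, Okta domain and the sample documents are constructed placeholders; the same-host rule is this example's policy, chosen because Azure AD and Okta keep all endpoints under the issuer host.

```python
import json
import urllib.request
from urllib.parse import urlparse

# The four values that "Load Configuration" copies out of the discovery document.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def expected_issuer_from_config_url(config_url: str) -> str:
    """Derive the issuer from the Configuration Endpoint URL.

    Both URL formats on this page put the issuer in front of '/.well-known/...':
    Azure AD: .../<tenant-ID>/v2.0/.well-known/openid-configuration -> .../<tenant-ID>/v2.0
    Okta:     .../oauth2/<server-ID>/.well-known/oauth-authorization-server -> .../oauth2/<server-ID>
    """
    head, sep, _ = config_url.partition("/.well-known/")
    if not sep:
        raise ValueError("not a discovery URL: missing '/.well-known/'")
    return head.rstrip("/")


def fetch_discovery(config_url: str, timeout: float = 10.0) -> dict:
    """Download the discovery document over HTTPS (needs network; the checks below run offline)."""
    if urlparse(config_url).scheme != "https":
        raise ValueError("the configuration endpoint must use https")
    with urllib.request.urlopen(config_url, timeout=timeout) as resp:
        return json.load(resp)


def extract_sso_settings(doc: dict, config_url: str) -> dict:
    """Return the four PRTG settings from a discovery document, refusing anything inconsistent."""
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {', '.join(missing)}")

    expected = expected_issuer_from_config_url(config_url)
    issuer = doc["issuer"].rstrip("/")
    if issuer != expected:
        raise ValueError(f"issuer mismatch: document says {issuer!r}, URL implies {expected!r}")

    issuer_host = urlparse(issuer).hostname
    settings = {}
    for key in REQUIRED_KEYS:
        url = doc[key]
        parts = urlparse(url)
        if parts.scheme != "https":
            raise ValueError(f"{key} is not https: {url}")
        # Policy assumption of this example: Azure AD and Okta serve every endpoint from the
        # issuer host, so a key set or token endpoint elsewhere is a misconfiguration or worse.
        if parts.hostname != issuer_host:
            raise ValueError(f"{key} is on {parts.hostname}, not the issuer host {issuer_host}")
        settings[key] = url
    return settings


def discovery_is_consistent(doc: dict, config_url: str) -> bool:
    """True if extract_sso_settings accepts the document, False otherwise."""
    try:
        extract_sso_settings(doc, config_url)
        return True
    except ValueError:
        return False


# Constructed sample documents: the tenant ID and the Okta domain are placeholders, not real tenants.
TENANT = "11111111-2222-3333-4444-555555555555"
AZURE_CONFIG_URL = f"https://login.microsoftonline.com/{TENANT}/v2.0/.well-known/openid-configuration"
AZURE_DOC = {
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
}
OKTA_DOMAIN = "dev-000000.okta.com"
OKTA_CONFIG_URL = f"https://{OKTA_DOMAIN}/oauth2/default/.well-known/oauth-authorization-server"
OKTA_DOC = {
    "issuer": f"https://{OKTA_DOMAIN}/oauth2/default",
    "authorization_endpoint": f"https://{OKTA_DOMAIN}/oauth2/default/v1/authorize",
    "token_endpoint": f"https://{OKTA_DOMAIN}/oauth2/default/v1/token",
    "jwks_uri": f"https://{OKTA_DOMAIN}/oauth2/default/v1/keys",
}
# Same as OKTA_DOC, but the key set is on another host: token signatures would then be
# checked against someone else's keys, so this document must be rejected.
TAMPERED_DOC = dict(OKTA_DOC, jwks_uri="https://keys.example.net/v1/keys")

if __name__ == "__main__":
    for name, doc, url in (("Azure AD", AZURE_DOC, AZURE_CONFIG_URL), ("Okta", OKTA_DOC, OKTA_CONFIG_URL)):
        print(name)
        for key, value in extract_sso_settings(doc, url).items():
            print(f"  {key:23} {value}")
    print("tampered document accepted:", discovery_is_consistent(TAMPERED_DOC, OKTA_CONFIG_URL))
```

Run it as-is to see the values you would enter for the two providers; to check a real tenant, pass `fetch_discovery(<your Configuration Endpoint>)` and the same URL to `extract_sso_settings` and compare the output with what Load Configuration filled in.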

Authorization Endpoint

This setting is only visible if you select Enable above. Enter the full authorization endpoint URL, not only the server part.

Azure AD example:

https://login.microsoftonline.com/<tenant-ID>/oauth2/v2.0/authorize

i_round_blueMake sure to replace <tenant-ID> with the directory (tenant) ID from Azure AD.

Okta example:

https://<your-Okta-domain>/oauth2/default/v1/authorize

i_round_blueMake sure to replace <your-Okta-domain> with the Okta domain of your application from the Okta administrator console.

Token Endpoint

This setting is only visible if you select Enable above. Enter the entire token endpoint URL, not only the server part.

Azure AD example:

https://login.microsoftonline.com/<tenant-ID>/oauth2/v2.0/token

i_round_blueMake sure to replace <tenant-ID> with the directory (tenant) ID from Azure AD.

Okta example:

https://<your-Okta-domain>/oauth2/default/v1/token

i_round_blueMake sure to replace <your-Okta-domain> with the Okta domain of your application from the Okta administrator console.

JSON Web Key Set (JWKS) URI

This setting is only visible if you select Enable above. Enter the URI of the JWKS, not only the server part.

Azure AD example:

https://login.microsoftonline.com/<tenant-ID>/discovery/v2.0/keys

i_round_blueMake sure to replace <tenant-ID> with the directory (tenant) ID from Azure AD.

Okta example:

https://<your-Okta-domain>/oauth2/default/v1/keys

i_round_blueMake sure to replace <your-Okta-domain> with the Okta domain of your application from the Okta administrator console.

Issuer

This setting is only visible if you select Enable above. Enter the SSO issuer. This value must match the issuer that your provider puts into the tokens it issues (the iss claim); tokens from any other issuer are not accepted.

Azure AD example:

https://login.microsoftonline.com/<tenant-ID>/v2.0

i_round_blueMake sure to replace <tenant-ID> with the directory (tenant) ID from Azure AD.

Okta example:

https://<your-Okta-domain>/oauth2/default

i_round_blueMake sure to replace <your-Okta-domain> with the Okta domain of your application from the Okta administrator console.

Scope

This setting is only visible if you select Enable above. Enter the scopes that PRTG requests at login, separated by spaces.

Azure AD example:

openid profile offline_access email api://<client-ID>/<scope-name>

i_round_blueMake sure to replace <client-ID> with the application (client) ID from Azure Active Directory and the <scope-name> with a scope name.

Okta example:

openid offline_access email profile

Application (Client) ID

This setting is only visible if you select Enable above. Enter the application (client) ID from Azure AD or the Client ID of your application from the Okta administrator console.

Client Secret

This setting is only visible if you select Enable above. Enter the client secret of the application that you registered with your SSO provider. PRTG presents it to the token endpoint to prove that it is the registered application when it exchanges the authorization code for tokens; treat it like a password and rotate it if it is exposed.

Group Claim Retrieval

This setting is only visible if you select Azure Active Directory above. Select if you want to use an access token or GraphQL to retrieve the group claims from Microsoft Graph.

  • Access token (default)
  • GraphQL

i_round_blueIf you select GraphQL to retrieve the group claims, PRTG automatically adds user.read to the scope.

i_round_blueIf you select GraphQL and log in for the first time, a window opens and asks for the needed permissions. Click Accept to grant the permissions.

Endpoint Handling

This setting is only visible if you select Enable above. Define whether to select the callback from a list of callbacks or to manually enter a callback:

  • Select from a list of endpoints (default): Select an endpoint from a list of available endpoints.
  • Manually enter a URL: Manually enter an endpoint URL below.
    i_round_redYou need to enter a manual callback if you access PRTG via a different DNS name. For example, if you access PRTG via myPRTG.example.com but the actual DNS name of the PRTG core server is myPRTG.internal.example.com, you need to enter a manual callback.

Available Callback URLs

This setting is only visible if you select Enable and select Select from a list of endpoints (default) above. This list shows the available callbacks of this PRTG instance. Select the callbacks that your users use to connect to PRTG.

i_round_redIf you define an HTTPS endpoint in this field, you need to configure the HTTPS endpoint as a valid redirection URI in your SSO provider's settings.

External Callback URL

This setting is only visible if you select Enable and select Manually enter a URL above. If you access PRTG via a different DNS name, define the HTTPS endpoint.

This is necessary if the DNS name that you configured under Setup | System Administration | User Interface does not appear in the Available Callback URLs list. For example, if you access PRTG via myPRTG.example.com but the actual DNS name of the PRTG core server is myPRTG.internal.example.com, then enter myPRTG.example.com. Also make sure to add the port used by PRTG for HTTPS and the endpoint in the URL, for example: myPRTG.example.com:PORT/cb.

i_round_redIf you define an HTTPS endpoint in this field, you need to configure the HTTPS endpoint as a valid redirection URI in your SSO provider's settings.

Available Callback URLs (for reference)

This setting is only visible if you select Enable and select Manually enter a URL above. This list shows the available callback URLs of this PRTG instance for reference purposes.

Test Single Sign-On Authorization Endpoint

Click Test Single Sign-On Authorization Endpoint to call the authorization endpoint to check if starting the single sign-on process will succeed.

i_round_blueIn case of errors, check the answer from the endpoint.
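The following Python script is an added example; it is not part of the PRTG manual and does not show PRTG's internal implementation. It illustrates the two things that go wrong most often with the callback settings above and with the Test Single Sign-On Authorization Endpoint button: it builds the HTTPS callback URL for every DNS name and port that users reach PRTG with (path /cb as in the manual's example), compares them verbatim against the redirect URIs registered at the provider, and then assembles a standard OpenID Connect authorization code request and checks the redirect back to /cb for a matching state value. The host names are the ones from the manual's example; the client ID, the authorization endpoint, the registered redirect URI list and the simulated callback are constructed.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse


def prtg_callback_urls(access_names: list) -> list:
    """Build the HTTPS callback URL for every (DNS name, port) that users connect with.

    The path /cb follows the manual's example 'myPRTG.example.com:PORT/cb'.
    """
    return [f"https://{host}:{port}/cb" for host, port in access_names]


def _canonical(uri: str) -> str:
    # Providers compare redirect URIs as strings: scheme and host are case-insensitive,
    # the path is not, and a trailing slash, query or fragment makes it a different URI.
    parts = urlparse(uri)
    return urlunparse((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", parts.query, ""))


def missing_redirect_uris(callbacks: list, registered: list) -> list:
    """Callbacks that are not registered verbatim as redirect URIs at the SSO provider."""
    known = {_canonical(r) for r in registered}
    return [c for c in callbacks if _canonical(c) not in known]


def build_authorization_request(authorization_endpoint: str, client_id: str,
                                redirect_uri: str, scope: str):
    """Return (url, state, nonce) for an authorization code request.

    state ties the callback to the browser session that started the login (CSRF protection);
    nonce is echoed in the ID token and ties that token to this request.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    return f"{authorization_endpoint}?{urlencode(params)}", state, nonce


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to /cb, or raise.

    A provider that does not recognise the redirect_uri never redirects here at all; it shows
    an error page instead, which is the answer to inspect when the test button fails.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"provider error: {query['error'][0]} {query.get('error_description', [''])[0]}")
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state does not match the request we sent: possible CSRF or stale session")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


# Constructed sample: PRTG is reached under an external and an internal name (the names from the
# manual's example), but only the internal one was registered at the provider.
ACCESS_NAMES = [("myPRTG.example.com", 443), ("myPRTG.internal.example.com", 443)]
REGISTERED_AT_PROVIDER = ["https://myprtg.internal.example.com:443/cb"]

if __name__ == "__main__":
    callbacks = prtg_callback_urls(ACCESS_NAMES)
    for uri in missing_redirect_uris(callbacks, REGISTERED_AT_PROVIDER):
        print("register this redirect URI at the provider:", uri)
    url, state, nonce = build_authorization_request(
        "https://login.microsoftonline.com/<tenant-ID>/oauth2/v2.0/authorize",  # placeholder endpoint
        "<client-ID>", callbacks[0], "openid profile offline_access email")
    print("authorization request:", url)
    # Simulated redirect from the provider back to /cb (constructed, not a real code).
    print("code:", parse_callback(f"{callbacks[0]}?code=constructed-code&state={state}", state))
```

The exact-match comparison is the point: `https://myprtg.example.com:443/cb/` with a trailing slash, or the same name without the port, counts as a different redirect URI at the provider, which is why the External Callback URL must include the port and endpoint exactly as PRTG sends them.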

i_round_redSave your settings. If you change tabs or use the main menu without saving, all changes to the settings are lost.

Notes and Restrictions

  • SSO is not available for PRTG Hosted Monitor.
  • SSO is not available for the Freeware Edition.
  • SSO users do not have access to the PRTG API.
  • When an SSO user logs in to the PRTG web interface, PRTG automatically creates a corresponding local account on the PRTG core server.
  • Changing the Login Name in PRTG for SSO users is not supported.
  • By default, no access rights for monitoring objects, libraries, maps, or reports are set for the new user group in PRTG. This is why, initially, users in this user group do not see monitoring objects, libraries, maps, or reports. This does not apply if the new user group has administrative rights. Edit the monitoring object's settings and the settings of libraries, maps, and reports, and set access rights for the newly created user group in the respective Access Rights section.
    i_round_blueWe recommend that you set these access rights in the root group settings and use the inheritance of settings.
  • A local user account for an SSO user is only created if this SSO user has successfully logged in to PRTG. If you want to send email notifications to an SSO group in PRTG, using the option Send to User Group in the notification settings, a member of this SSO group has to log in to PRTG at least once to receive email notifications. To avoid this, enter the email address of the SSO group in the Send to Email Address field in the notification settings and select None for the Send to User Group option.
  • If you want to delete an SSO group from PRTG, you must delete all users that are in this user group first. This is because SSO users always have this user group set as their primary group, and user accounts cannot be without a primary group.
  • If a license is not valid, is temporarily unavailable, or is being updated, SSO does not work during this time.
  • SSO users cannot log on to a failover node in a cluster.

More

i_square_blueKNOWLEDGE BASE

How to integrate Azure Active Directory into PRTG?

How to integrate Okta SSO into PRTG?

How can I enable Azure AD multi-factor authentication?

Others

There are some settings that you must make in the PRTG Administration Tool. For more details, see the sections: