As of PRTG 21.2.68, you can use Azure Active Directory (Azure AD) as a single sign-on (SSO) provider in PRTG. For the integration to work seamlessly, follow the steps in this article.

Steps to take:

  • Step 1: Configure Azure AD
  • Step 2: Configure SSO in PRTG
  • Step 3: Add a user group in PRTG

1. Configure Azure AD

Follow these steps to configure Azure AD to work as an SSO provider in PRTG.

  • Step 1.1: Register your app
  • Step 1.2: Create a client secret
  • Step 1.3: Add a platform
  • Step 1.4: Add a groups claim
  • Step 1.5: Add a scope
  • Step 1.6: Edit accessTokenAcceptedVersion

1.1 Register your app

  • Log in to https://portal.azure.com.
  • Go to the App registrations tab.
  • Click the New registration button.
    • Enter a name, for example My_Registration.
    • Select Accounts in this organizational directory only.
    • Optional: Enter the redirect URI if you already know it. If you do not know it yet, you can enter it later.
    • Click the Register button to register the new app.
  • Select the newly registered app My_Registration.
  • Copy the Application (client) ID and Directory (tenant) ID.
    Note: You need these to configure PRTG later.

1.2 Create a client secret

  • Go to the Certificates & secrets tab.
  • Click the New client secret button.
    • Enter a Description, for example My_Client_Secret.
    • Enter the period after which the client secret expires.
    • Click the Add button to save the client secret.
      Important: Make sure to note the client secret now because it will not be visible again and because you need it when you configure PRTG.

1.3 Add a platform

  • Go to the Authentication tab.
  • Click the Add a platform button.
  • Select Web.
    • Enter the redirect URI under Redirect URIs. Use the format https://IP address or DNS name:port/cb. For example, https://192.0.2.0:443/cb.
      Note: Make sure to add redirect URIs for the ports that PRTG uses, namely port 443 (default), port 8443 (fallback). If both 443 and 8443 are not available, PRTG sends a ticket that shows you the currently used port number. Add a redirect URI for this port until PRTG can switch back to 443 as soon as it is available again.
    • Click the Continue button to continue.

1.4 Add a groups claim

  • Go to the Token Configuration tab.
  • Click the Add groups claim button.
    • Select Security groups and Directory roles.
    • Click the Add button to save the new groups claim.

1.5 Add a scope

  • Go to the Expose an API tab.
    • Click the Add a scope button.
    • Enter an Application ID URI.
    • Click the Save and continue button.
    • Enter a name for the scope. By default, Azure uses the format api://<client-ID>/<name given>. For our example, we will use api://<client-ID>/AnAPIName.

1.6 Edit accessTokenAcceptedVersion

  • Go to the Manifest tab.
    • Change accessTokenAcceptedVersion = 0 to accessTokenAcceptedVersion = 2

You have now successfully configured Azure AD.

2. Configure SSO in PRTG

Now that you have configured Azure AD, you need to configure the SSO settings in PRTG accordingly. To do so, follow these steps.


Important: Make sure that PRTG uses a connection that is encrypted via SSL. For more information, see PRTG Manual: PRTG Administration Tool on Core Server System.


  • Log in to the PRTG web interface.
  • Go to Setup | System Administration | Single Sign-On.
  • Under SSO Login, select Enable.
  • Under Provider, select Azure Active Directory from the dropdown list.
  • Under Configuration Endpoint, enter the configuration endpoint URL as follows: https://login.microsoftonline.com/<tenant-ID>/v2.0/.well-known/openid-configuration
    Note: Make sure to replace <tenant-ID> with your directory (tenant) ID from Step 1.1.
  • Click the Load Configuration button. This automatically fills in the values in the next four fields.
    Note: If this does not work, then you have to manually enter the values instead as follows. Also, make sure to replace <tenant-ID> with your directory (tenant) ID from Step 1.1.
  • Under Scope, enter offline_access email. This is from Step 1.5. The full scope entry should look like this: openid profile offline_access email api://<client-ID>/AnAPIName
  • Under ClientID, enter the application (client) ID from Step 1.1.
  • Under Client Secret, enter the client secret from Step 1.2.
  • Under Available Callback URLs, select the URLs that your users will use to log in to PRTG. You will need to add these to the Azure app you configured in Step 1.3.
  • If the URL your users use to log in to PRTG is not listed because PRTG is reachable via a different URL (for example, myPRTG.example.com for login but PRTG lists myPRTG.internal.example.com), you can use the option Manually enter a URL. PRTG still lists all available endpoints if needed for forwarding. You then need to add the URL to the Azure app you configured in Step 1.3.
    Note: Azure AD and PRTG both check whether or not the callback URLs are allowed. Make sure you configure each required URL on both ends; otherwise, you will not be able to log in.

You have now configured SSO in PRTG.
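
The callback URLs have to match on both ends (Step 1.3 and the note above), so it helps to compare the two lists before users try to log in. The following is an added example, not part of the original article or of PRTG: it takes the redirect URIs copied from the Azure app and the host names users log in with, and reports what is missing, unused, or not in the https://host:port/cb format. The host names and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

PRTG_PORTS = (443, 8443)  # default and fallback port from Step 1.3


def parse_callback(uri):
    """Return (host, port) if uri has the form https://host:port/cb, else None."""
    try:
        parts = urlsplit(uri.strip())
        port = parts.port
    except ValueError:              # malformed host or port
        return None
    if parts.scheme != "https" or not parts.hostname or port is None:
        return None
    if parts.path != "/cb" or parts.query or parts.fragment:
        return None
    return (parts.hostname, port)   # urlsplit lowercases the host name


def audit_redirect_uris(login_hosts, registered, extra_ports=()):
    """Compare the callbacks PRTG may use with the URIs registered in Azure."""
    # extra_ports: a port PRTG reported in a ticket when 443 and 8443 were busy
    ports = PRTG_PORTS + tuple(extra_ports)
    wanted = {(h.lower(), p) for h in login_hosts for p in ports}
    have, off_format = set(), []
    for uri in registered:
        parsed = parse_callback(uri)
        if parsed is None:
            off_format.append(uri)  # not https, no explicit port, or not /cb
        else:
            have.add(parsed)

    def as_uris(pairs):
        return sorted(f"https://{h}:{p}/cb" for h, p in pairs)

    return {"missing_in_azure": as_uris(wanted - have),
            "not_used_by_prtg": as_uris(have - wanted),
            "off_format": off_format}


# Constructed sample of redirect URIs copied from the Azure app registration.
SAMPLE_REGISTERED = [
    "https://myPRTG.example.com:443/cb",
    "https://myprtg.example.com/cb",              # no explicit port
    "http://myprtg.example.com:8443/cb",          # not https
    "https://myprtg.internal.example.com:443/cb",
]

if __name__ == "__main__":
    print(audit_redirect_uris(["myPRTG.example.com"], SAMPLE_REGISTERED))
```

Entries reported under not_used_by_prtg are candidates for removal from the app registration once you have confirmed that no user logs in through them.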

3. Add a user group in PRTG

Now that you have configured SSO, you need to add a new user group in PRTG.

  • Log in to the PRTG web interface.
  • Go to Setup | System Administration | User Groups.
  • Hover over the blue + button and select Add User Group.
    • Under User Group Name, give the group a meaningful name, for example Azure AD SSO.
    • Under Active Directory or Single Sign-On Integration, select Use single sign-on integration.
    • Under SSO Group Access Claim, enter the groups claim that you created in Step 1.4.
      Note: For claims, you can use Azure group IDs. To find a group ID, open the Azure portal and select the Groups tab. There you find a list of all groups and their object IDs. Find the object ID you need and enter it under SSO Group Access Claim. Alternatively, you can use the API name you previously configured, for example AnAPIName.

You have now successfully integrated Azure AD as an SSO provider in PRTG.
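
If a user can authenticate but does not end up in the new user group, inspecting the claims of a token issued for the app shows which of Steps 1.1, 1.4 and 1.6 is off. The following is an added troubleshooting example, not part of the original article or of PRTG, and it covers only the case where SSO Group Access Claim holds a group object ID. It decodes the token payload without verifying the signature, so it is for inspection only; the tenant and group IDs are constructed placeholders, and the article does not state which token PRTG evaluates.

```python
import base64
import json


def jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    try:
        body = token.split(".")[1]
        body += "=" * (-len(body) % 4)            # restore base64url padding
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (IndexError, ValueError) as exc:
        raise ValueError("not a decodable JWT") from exc
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def check_prtg_claims(token, tenant_id, group_object_id):
    """List the reasons a token would not map to the PRTG user group."""
    claims = jwt_payload(token)
    problems = []
    if claims.get("ver") != "2.0":
        problems.append("ver is not 2.0: check accessTokenAcceptedVersion (Step 1.6)")
    if claims.get("tid") != tenant_id:
        problems.append("tid differs from the directory (tenant) ID (Step 1.1)")
    if "groups" in claims.get("_claim_names", {}):
        # Azure AD sends a reference instead of IDs when a user has too many groups
        problems.append("groups overage: token carries a reference, not group IDs")
    elif "groups" not in claims:
        problems.append("no groups claim: check the groups claim (Step 1.4)")
    elif group_object_id not in claims["groups"]:
        problems.append("user is not in the group entered as SSO Group Access Claim")
    return problems


def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


# Constructed placeholder IDs, not real tenant or group values.
TENANT = "00000000-0000-0000-0000-000000000001"
GROUP = "00000000-0000-0000-0000-0000000000aa"

if __name__ == "__main__":
    old = make_sample_token({"ver": "1.0", "tid": TENANT})
    for problem in check_prtg_claims(old, TENANT, GROUP):
        print(problem)
```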


Disclaimer:
The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.