on 11-28-2021 07:30 PM - edited on 03-30-2023 03:02 PM by Nils
There are two main ways to log into Cloud: using a login/password created in Cloud itself or using SSO.
Where possible, using single sign-on (SSO) is recommended, as it has a number of benefits. SSO allows you to centrally manage accounts in a third-party system you're already using. This simplifies management tasks, eliminates the need for each user to have multiple login/password combinations and allows you to enforce your own security policies, among other things.
Cloud supports both OpenID Connect (OIDC) and SAML for setting up SSO. Any identity provider (IdP) that supports at least one of these protocols is a suitable candidate for use with Cloud. Azure Active Directory, Google and Okta are just a few examples of identity providers you can log into Cloud with. SSO can be set up quickly and easily, as explained in the steps below.
As the user setting up the SSO connection for a particular domain, you'll first need to log into Cloud using a regular Cloud-created login/password combination.
Select a site and then click the Settings module in the bottom-left corner of your screen.
Go to the Single Sign-On menu and click Add SSO Connection. In the resulting popup, select the type of SSO connection you want to set up and click Continue.
Cloud supports two types of SSO connections, SAML (Security Assertion Markup Language) and OIDC (OpenID Connect). Which one you choose will depend on the identity provider you're using and the type(s) it supports. If you're using Azure AD as your IdP for instance, SAML is a suitable SSO connection type.
Once you've selected your preferred SSO connection type, you are asked to enter a descriptive name for the connection, and several pieces of information regarding the connection. This is information you'll gather from your identity provider (IdP).
In turn, you'll also need to take some of the information shown in the Cloud popup and enter it in your IdP configuration. Where exactly that information goes will differ depending on the IdP you are using.
Only Azure AD and Okta are currently supported by the Lansweeper Support team. We have linked setup instructions for Azure AD and Okta, but there are many more identity providers you can use.
Sample SSO setup instructions for Azure AD and Okta:
Cloud's underlying SSO login process requires a user to have an email address and for that email address to be verified. In the attribute setup of your SSO connection on the IdP side, make sure your IdP is configured to send both the user's email and an email_verified attribute to Cloud.
Our knowledge base contains more specific attribute setup instructions for Azure AD and Okta, but the process is similar for other identity providers.
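The two attributes above are what the relying party has to check before it lets an SSO login through. The following is an added example, not Lansweeper's own code, of what that gate looks like on the receiving side: it takes the claims dictionary an OIDC or SAML library returns after it has already validated the signature, issuer, audience and expiry, and enforces that email is present and well-formed, that email_verified is true (as a JSON boolean from OIDC or as the string "true" that SAML attribute values arrive as), and that the email's domain is one that was enabled for SSO. The domain list and the claim values are constructed for the example.

```python
"""Gate an SSO login on the email and email_verified attributes (added example)."""
from dataclasses import dataclass

# Constructed: domains that have been DNS-verified and enabled for SSO in Cloud.
SSO_ENABLED_DOMAINS = {"yourdomain.com"}


@dataclass
class LoginDecision:
    allowed: bool
    reason: str
    email: str = ""  # normalised address to look the Cloud user up with


def _as_bool(value):
    """OIDC sends email_verified as a JSON boolean; SAML attribute values are strings.
    Anything other than True / "true" is treated as not verified."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def evaluate_sso_claims(claims, enabled_domains=SSO_ENABLED_DOMAINS):
    """Decide whether an already signature-checked set of IdP claims may log in.

    claims: dict as returned by your OIDC/SAML library after token validation.
    Returns a LoginDecision; the reason string is what you would log on denial.
    """
    email = claims.get("email")
    if not isinstance(email, str) or email.count("@") != 1:
        return LoginDecision(False, "missing or malformed email claim")

    if not _as_bool(claims.get("email_verified")):
        return LoginDecision(False, "email_verified claim missing or not true")

    local, domain = email.rsplit("@", 1)
    domain = domain.lower().rstrip(".")  # DNS names are case-insensitive
    if not local:
        return LoginDecision(False, "empty local part in email claim")

    allowed = {d.lower() for d in enabled_domains}
    if domain not in allowed:
        return LoginDecision(False, f"domain {domain!r} is not enabled for SSO")

    return LoginDecision(True, "ok", f"{local}@{domain}")


if __name__ == "__main__":
    # Constructed claim sets: one good OIDC login, one SAML-style login, one denial.
    for sample in (
        {"email": "alice@yourdomain.com", "email_verified": True},
        {"email": "bob@YourDomain.com", "email_verified": "true"},
        {"email": "eve@other.example", "email_verified": True},
    ):
        print(sample["email"], "->", evaluate_sso_claims(sample))
```

An IdP that sends the email but omits email_verified fails closed here, which is the failure mode you hit when the attribute mapping on the IdP side is incomplete: the denial reason tells you which of the two attributes to add.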
Once you've exchanged all of the necessary details between Cloud and your IdP, click Continue in the Cloud popup. You are now asked to submit the domain(s) you want to configure the SSO connection for.
Select Add Domain and submit your domain name with the format yourdomain.com.
Copy the code presented in the popup. You will need to add this code as a TXT record to your domain's DNS provider to verify the domain. If necessary, consult the website and documentation of your specific DNS provider for up-to-date instructions on how to set up the TXT record.
Select Got it when done and wait a few minutes for the DNS verification to automatically happen, or manually click Verify Domain. Once your domain is verified, make sure to enable it for SSO by selecting Enable domain.
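When the automatic check does not go green, it helps to look at what DNS actually returns for your domain and compare it with the code from the popup yourself. The following added example (not Lansweeper's code) parses the output of `dig +short TXT yourdomain.com`, which prints each TXT record as one or more double-quoted strings, and reports whether any record equals the expected code. It handles the two things that trip up a naive string compare: a long value split into several quoted chunks that must be concatenated, and dig's `\"`, `\\` and `\DDD` escapes. The verification code and the sample records are constructed placeholders; the exact shape of the Lansweeper record is assumed to be the bare code, so adjust the comparison if your popup shows a `key=value` form.

```python
"""Check a domain's TXT records for an SSO verification code (added example)."""
import subprocess

# Constructed placeholder: the code shown in the Add Domain popup.
EXPECTED_CODE = "VERIFY-CODE-FROM-POPUP"

# Constructed sample of `dig +short TXT yourdomain.com` output. Note the second
# record is split into two quoted chunks, as dig does for long values.
SAMPLE_DIG_OUTPUT = [
    '"v=spf1 include:_spf.example.net ~all"',
    '"VERIFY-" "CODE-FROM-POPUP"',
    '"other=\\"quoted\\""',
]


def parse_txt_line(line):
    """Return the concatenated character-strings of one TXT RDATA line.

    Each quoted chunk is unescaped (\\" , \\\\ and decimal \\DDD) and the chunks
    are joined, which is how a resolver presents a record longer than 255 bytes.
    """
    chunks, i, n = [], 0, len(line)
    while i < n:
        if line[i] != '"':
            i += 1  # skip whitespace between chunks
            continue
        i += 1  # opening quote
        buf = []
        while i < n and line[i] != '"':
            if line[i] == "\\":
                if i + 3 < n and line[i + 1:i + 4].isdigit():
                    buf.append(chr(int(line[i + 1:i + 4])))  # \DDD
                    i += 4
                    continue
                if i + 1 < n:
                    buf.append(line[i + 1])  # \" or \\
                    i += 2
                    continue
            buf.append(line[i])
            i += 1
        i += 1  # closing quote
        chunks.append("".join(buf))
    return "".join(chunks)


def domain_verified(txt_lines, expected_code=EXPECTED_CODE):
    """True if any TXT record equals the expected verification code exactly."""
    wanted = expected_code.strip()
    return any(parse_txt_line(line).strip() == wanted for line in txt_lines)


def lookup_txt(domain):
    """Live lookup via dig (requires network and the dig binary; not used offline)."""
    out = subprocess.run(
        ["dig", "+short", "TXT", domain], capture_output=True, text=True, check=True
    ).stdout
    return [line for line in out.splitlines() if line.strip()]


if __name__ == "__main__":
    for line in SAMPLE_DIG_OUTPUT:
        print(repr(parse_txt_line(line)))
    print("verified:", domain_verified(SAMPLE_DIG_OUTPUT))
```

If the record parses correctly here but Cloud still does not verify, the usual cause is propagation delay or a record added at the wrong name (a subdomain instead of the apex you submitted); query the authoritative name server directly with `dig @ns1.yourprovider.example +short TXT yourdomain.com` to rule out caching.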
At this point, once you've set up your SSO connection and have verified that it is working, new or existing Cloud users in your domain should be able to log into Cloud by selecting Log in with Single Sign-On. They will be asked for their email address prior to starting the SSO login process.
You can combine SSO either with Cloud-configured MFA (multi-factor authentication) or the MFA of your IdP. That way, you can add an extra layer of security to the login process. If you already have MFA set up or even enforced in your IdP, it will automatically be part of the Cloud SSO login process for your domain users.
You can optionally enforce the use of SSO by all users in your site.
Go to the Configuration module. In the Site settings menu, you can enable Force login with SSO to access this site. If a user subsequently tries to log into your site with a Cloud-created login/password, they will be denied site access. Site owners will still be able to log in using the Cloud-created login/password in case of issues with your domain's SSO setup.
Optionally, you can also add more managers to your SSO connection for redundancy and security purposes. This means you are not dependent on a single person to manage the SSO connection.
Lansweeper Cloud SSO with Microsoft Active Directory Federation Services
Follow the Tech Note from Lansweeper at https://community.lansweeper.com/t5/cloud/how-to-set-up-cloud-sso/ta-p/64566 to configure the Lansweeper side.
As part of that you will need your signing certificate from the ADFS server in PEM format, and your login and logout URLs.
Note: Your certificate provider will have a PEM version of your cert; if not, you can use openssl to convert it to .pem:
(openssl x509 -inform DER -in <certname>.cer -outform PEM -out <certname>.pem [replace <certname> with the name of your certificate; drop -inform DER if the .cer file is already Base64/PEM text rather than binary DER])
The Output of the Lansweeper side will give you the following that you will need to configure ADFS
In addition, you will need to turn on IdP-Initiated Single Sign On and download the SAML certificate, which is the encryption and signing certificates in ADFS.
To actually be able to log in you need to configure the claim issuance policy.
There are two parts to this: one is to get the e-mail address from Active Directory and the other is to send it to Lansweeper as the Name ID for login.