Susan_A
Lansweeper Employee

There are two main ways to log into Cloud: using a login/password created in Cloud itself or using SSO.

Where possible, using single sign-on (SSO) is recommended, as it has a number of benefits. SSO allows you to centrally manage accounts in a third-party system you're already using. This simplifies management tasks, eliminates the need for each user to have multiple login/password combinations and allows you to enforce your own security policies, among other things.

Cloud supports both OpenID Connect (OIDC) and SAML for setting up SSO. Any identity provider (IdP) that supports at least one of these options is a suitable candidate for use with Cloud. Azure Active Directory, Google and Okta are just a few examples of identity providers that you can log into Cloud with. SSO can be set up quickly and easily, as explained in the below steps.

Cloud SSO is marked as a preview feature for now, as further usability changes may be implemented at a later time.

1. Open SSO connection popup in Cloud

Enabling SSO is currently an irreversible action. Make sure you actually want to enable the SSO connection before proceeding, as you won't be able to delete a fully enabled SSO connection.

As the user setting up the SSO connection for a particular domain, you'll first need to log into Cloud using a regular Cloud-created login/password combination.
Select a site and then click the Settings module in the bottom-left corner of your screen.

cloud-settings-menu.jpg

Go to the Single Sign-On menu and click Add SSO Connection. In the resulting popup, select the type of SSO connection you want to set up and click Continue.

cloud-sso-menu.jpg

Cloud supports two types of SSO connections, SAML (Security Assertion Markup Language) and OIDC (OpenID Connect). Which one you choose will depend on the identity provider you're using and the type(s) it supports. If you're using Azure AD as your IdP for instance, SAML is a suitable SSO connection type.   

2. Exchange SSO connection details between Cloud and IdP

Once you've selected your preferred SSO connection type, you are asked to enter a descriptive name for the connection, and several pieces of information regarding the connection. This is information you'll gather from your identity provider (IdP).
Conversely, you'll also need to take some of the info provided in the Cloud popup and input it in your IdP configuration. The location to input the necessary info for the SSO connection will differ depending on the IdP you are using.

cloud-add-sso-connection.jpg

Only Azure AD and Okta are currently supported by the Lansweeper Support team. We have linked setup instructions for Azure AD and Okta, but there are many more identity providers you can use.
Sample SSO setup instructions for Azure AD and Okta:

Consult the website and documentation of your specific identity provider (IdP) for up-to-date instructions on how to configure SAML or OIDC in that IdP. For SAML, make sure the certificate you're providing in the Cloud SSO popup is a Base64-encoded CER or PEM.
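Before pasting a SAML signing certificate into the Cloud SSO popup, it helps to confirm it really is Base64 PEM and not a binary DER export. The helper below is an added example, not Lansweeper's code: it accepts a DER file, a bare Base64 string, or PEM text and returns normalized PEM, assuming the input is an X.509 certificate.

```python
import base64
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def to_pem(cert):
    """Return the certificate as PEM text, accepting DER, bare Base64 or PEM.

    Every X.509 certificate starts with the ASN.1 SEQUENCE tag 0x30, so the
    decoded DER is checked for that byte instead of being trusted blindly.
    All failures raise ValueError (UnicodeDecodeError and binascii.Error
    are both ValueError subclasses).
    """
    # Binary DER (.cer exported as "DER encoded"). The Base64 of a real
    # certificate always begins with "MI", so a text file never starts with 0x30.
    if cert[:1] == b"\x30":
        der = cert
    else:
        text = cert.decode("ascii").strip()
        if text.startswith(PEM_HEADER):
            if PEM_FOOTER not in text:
                raise ValueError("PEM header without matching footer")
            text = text[len(PEM_HEADER):text.index(PEM_FOOTER)]
        # Bare Base64 (or the PEM body): strip line breaks, decode strictly.
        der = base64.b64decode("".join(text.split()), validate=True)
        if der[:1] != b"\x30":
            raise ValueError("Base64 content is not an X.509 certificate")
    body = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_HEADER, *textwrap.wrap(body, 64), PEM_FOOTER]) + "\n"


# Constructed stand-in for a DER certificate: ASN.1 SEQUENCE { INTEGER 1 }.
# It is not a real certificate; it only exercises the format handling.
DER_STUB = b"\x30\x03\x02\x01\x01"

if __name__ == "__main__":
    print(to_pem(DER_STUB), end="")
```

For a real export, pass the file contents (open(path, "rb").read()) and paste the returned text into the popup.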

3. Configure attributes of SSO connection on IdP side

Cloud's underlying SSO login process requires a user to have an email address and for that email address to be verified. In the attribute setup of your SSO connection on the IdP side, make sure your IdP is configured to send both the user's email and an email_verified attribute to Cloud.
Our knowledge base contains more specific attribute setup instructions for Azure AD and Okta, but the process is similar for other identity providers.

Do not skip this step. Adding these attributes is important as they are required by Cloud's underlying SSO login process.
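To see what step 3 asks for on the wire, here is an added example (not Lansweeper's code) that parses a SAML assertion with the standard library and reports whether the email and email_verified attributes Cloud relies on are present and usable. The assertion is a constructed sample; the attribute names are the ones the step names, and an IdP that uses different names would need mapping first.

```python
import xml.etree.ElementTree as ET

# Namespace of SAML 2.0 assertions.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, not a real IdP response. The IdP sends the
# user's email as NameID plus the email and email_verified attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email_verified">
      <saml:AttributeValue>true</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(xml_text):
    """Return (NameID, {attribute name: [values]}) from a SAML assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def first_value(attrs, name):
    """First value of an attribute, or "" when it is absent or empty."""
    values = attrs.get(name) or [""]
    return values[0]


def check_login_attributes(name_id, attrs):
    """List the reasons the assertion would fail Cloud's email requirements.

    An empty list means a subject is present, an email address was sent and
    email_verified is true (compared case-insensitively: IdPs send strings).
    """
    problems = []
    if not name_id:
        problems.append("NameID missing")
    if "@" not in first_value(attrs, "email"):
        problems.append("email attribute missing or not an address")
    if first_value(attrs, "email_verified").lower() != "true":
        problems.append("email_verified attribute missing or not true")
    return problems
```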

4. Add, verify, enable your domain

Once you've exchanged all of the necessary details between Cloud and your IdP, click Continue in the Cloud popup. You are now asked to submit the domain(s) you want to configure the SSO connection for.
Select Add Domain and submit your domain name with the format yourdomain.com.

cloud-sso-add-domain-url.jpg

Copy the code presented in the popup. You will need to add this code as a TXT record to your domain's DNS provider to verify the domain. If necessary, consult the website and documentation of your specific DNS provider for up-to-date instructions on how to set up the TXT record.

cloud-domain-verification-code.jpg

Select Got it when done and wait a few minutes for the DNS verification to automatically happen, or manually click Verify Domain. Once your domain is verified, make sure to enable it for SSO by selecting Enable domain.

Adding the TXT record in DNS is an added security measure for Cloud to verify that you own the domain. Once the domain has been verified, you can remove the TXT record from your DNS configuration.
Enabling a domain is currently an irreversible action. Make sure you actually want to enable the domain and manage your domain's SSO connection before proceeding, as you won't be able to delete a fully enabled SSO connection. Your submitted domain configuration is applied to that domain for all Cloud sites as well, not just your own. Other users in the same domain will be able to use your submitted SSO settings when logging into any site in Cloud, but they will not be able to reconfigure the SSO connection.
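DNS changes take time to propagate, so before clicking Verify Domain it is worth checking what public resolvers actually return for your TXT records. The snippet below is an added example, not Lansweeper's code: it parses the answer section of a `dig TXT yourdomain.com` run (a constructed sample here, with a placeholder verification code) and reports whether the code is present, joining TXT records that DNS splits into several quoted strings.

```python
import re

# Constructed sample of `dig TXT yourdomain.com` answer lines. The record
# values and the verification code are placeholders, not real Cloud values.
SAMPLE_DIG_ANSWERS = """
yourdomain.com.  300  IN  TXT  "v=spf1 include:_spf.example.net -all"
yourdomain.com.  300  IN  TXT  "PLACEHOLDER-VERIFICATION-CODE-1234"
yourdomain.com.  300  IN  TXT  "a long record split into " "two quoted strings"
"""

# One quoted string inside a TXT record; backslash escapes are allowed.
TXT_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')


def txt_values(dig_answers):
    """Return the value of every TXT record in dig's answer-section format.

    TXT records longer than 255 bytes are stored as several quoted strings;
    they are concatenated here so the full value can be compared.
    """
    values = []
    for line in dig_answers.splitlines():
        fields = line.split(None, 4)          # name, TTL, class, type, rdata
        if len(fields) == 5 and fields[3] == "TXT":
            parts = TXT_STRING.findall(fields[4])
            values.append("".join(p.replace('\\"', '"') for p in parts))
    return values


def has_verification_record(dig_answers, code):
    """True when some TXT record carries the verification code.

    A substring match is used because the exact record text to publish is
    the one shown in the Cloud popup; other TXT records (SPF etc.) are ignored.
    """
    return any(code in value for value in txt_values(dig_answers))
```

To run it against live DNS, feed it the output of `dig +noall +answer TXT yourdomain.com`.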

5. Log in with SSO

At this point, once you've set up your SSO connection and have verified that it is working, new or existing Cloud users in your domain should be able to log into Cloud by selecting Log in with Single Sign-On. They will be asked for their email address prior to starting the SSO login process.

  • Users who already created a login/password in Cloud, prior to SSO being enabled for their domain, are by default able to log into Cloud with either their old login details or SSO. When they log in with SSO for the first time, they will be asked to link their old Cloud account with their new SSO one.
  • Users who did not already create a login/password in Cloud will only be able to log in with SSO if SSO is configured for their domain. They will not be able to create another user account in Cloud itself.

cloud-sso-login-button.jpg

You can combine SSO either with Cloud-configured MFA (multi-factor authentication) or the MFA of your IdP. That way, you can add an extra layer of security to the login process. If you already have MFA set up or even enforced in your IdP, it will automatically be part of the Cloud SSO login process for your domain users.

6. Enforce SSO

You can optionally enforce the use of SSO by all users in your site.
Go to the Configuration module. In the Site settings menu, you can enable Force login with SSO to access this site. If a user subsequently tries to log into your site with a Cloud-created login/password, they will be denied site access. Site owners will still be able to log in using the Cloud-created login/password in case of issues with your domain's SSO setup.

Make sure SSO is working for all domains that have access to your site, prior to enforcing SSO in your site settings. Otherwise, some users may inadvertently be locked out. You can use the test button next to your SSO connection to validate that the connection is working.

7. Add more SSO connection managers

Optionally, you can also add more managers to your SSO connection for redundancy and security purposes. This means you are not dependent on a single person to manage the SSO connection.

add-cloud-sso-manager.png

Comments
mvanleeuwen
Engaged Sweeper

Lansweeper Cloud SSO with Microsoft Active Directory Federation Services

Follow the Tech Note from Lansweeper at https://community.lansweeper.com/t5/cloud/how-to-set-up-cloud-sso/ta-p/64566 to configure the Lansweeper side.

As part of that you will need your Signing Certificate from the ADFS Server in PEM format, and your login and logout URLs.

Note: Your certificate provider will have a PEM version of your cert; if not, you can use openssl to convert a DER-encoded .cer to .pem:

openssl x509 -inform DER -in <certname>.cer -outform PEM -out <certname>.pem

(replace <certname> with the name of your certificate)


The output of the Lansweeper side will give you the following, which you will need to configure ADFS:


  • The Entity ID which is the Relying party Identifier on the ADFS Relying Party Trust
  • Assertion Consumer Service (ACS) URL which will be used for the SAML Assertion Consumer POST and SAML Assertion Consumer Artifact endpoints
  • SingleLogout Service (SLO) URL which will be the SAML Logout POST and SAML Logout Redirect endpoints


In addition, you will need to turn on IdP-Initiated Single Sign-On and download the SAML certificate, which is the encryption and signing certificates in ADFS.


To actually be able to log in, you need to configure the claim issuance policy.

There are 2 parts to this: one is to get the e-mail address from Active Directory and the other is to send it to Lansweeper as the Name ID for login.

Last update: 03-30-2023 03:02 PM