<%NUMBERING1%>.<%NUMBERING2%>.<%NUMBERING3%> PRTG Manual: Single Sign-On
On the Single Sign-On tab, you can select a single sign-on (SSO) provider and configure other related settings.
This documentation refers to an administrator that accesses the PRTG web interface on a master node. Other user accounts, interfaces, or failover nodes might not have all of the options in the way described here. In a cluster, note that failover nodes are read-only by default.
If 15 minutes (900) seconds have passed since your last credential-based login and you open a setup page from a different setup page, PRTG asks you to enter your credentials again for security reasons. A dialog box appears. Enter your Login Name and Password and click OK to continue.
You must first configure Microsoft Entra ID or Okta accordingly before you can integrate it into PRTG for SSO. For example, you must register PRTG as an application.
If you want to further improve the security for sign-in events, we recommend that you enable multi-factor authentication for Microsoft Entra ID or Okta.
This setting is only visible if you select Enable above.
Select an SSO provider from the dropdown list:
Microsoft Entra ID: Use Microsoft Entra ID as the SSO provider.
Okta: Use Okta as the SSO provider.
Configuration Endpoint
This setting is only visible if you select Enable above.
Enter the configuration endpoint URL.
Click Load Configuration to automatically fill in the values for Authorization Endpoint, Token Endpoint, JSON Web Key Set (JWKS) URI, and Issuer. If this does not work, then manually enter the values.
Make sure to replace <client-ID> with the application (client) ID from Microsoft Entra ID and the <scope-name> with a scope name.
Okta example:
openid offline_access email profile
Application (Client) ID
This setting is only visible if you select Enable above.
Enter the application (client) ID from Microsoft Entra ID or the Client ID of your application from the Okta administrator console.
Client Secret
This setting is only visible if you select Enable above.
Enter the client secret to verify the integrity of the SSO token.
Group Claim Retrieval
This setting is only visible if you select Microsoft Entra ID above.
Select if you want to use an access token or GraphQL to retrieve the group claims from Microsoft Graph.
Access token (default)
GraphQL
If you select GraphQL to retrieve the group claims, PRTG automatically adds user.read to the scope. If you select GraphQL and log in for the first time, a window opens and asks for the needed permissions. Click Accept to grant the permissions.
Endpoint Handling
This setting is only visible if you select Enable above.
Define whether to select the callback from a list of callbacks or to manually enter a callback:
Select from a list of endpoints (default): Select an endpoint from a list of available endpoints.
Manually enter a URL: Manually enter an endpoint URL below. You need to enter a manual callback if you access PRTG via a different DNS name. For example, if you access PRTG via myPRTG.example.com but the actual DNS name of the PRTG core server is myPRTG.internal.example.com, you need to enter a manual callback.
Available Callback URLs
This setting is only visible if you select Enable and select Select from a list of endpoints (default) above.
This list shows the available callbacks of this PRTG instance. Select the callbacks that your users use to connect to PRTG.
If you define an HTTPS endpoint in this field, you need to configure the HTTPS endpoint as a valid redirection URI in your SSO provider's settings.
External Callback URL
This setting is only visible if you select Enable and select Manually enter a URL above.
If you access PRTG via a different DNS name, define the HTTPS endpoint.
This is necessary if the DNS name that you configured under Setup | System Administration | User Interface does not appear in the Available Callback URLs list. For example, if you access PRTG via myPRTG.example.com but the actual DNS name of the PRTG core server is myPRTG.internal.example.com, then enter myPRTG.example.com. Also make sure to add the port used by PRTG for HTTPS and the endpoint in the URL, for example: myPRTG.example.com:PORT/cb.
If you define an HTTPS endpoint in this field, you need to configure the HTTPS endpoint as a valid redirection URI in your SSO provider's settings.
Available Callback URLs (for reference)
This setting is only visible if you select Enable and select Manually enter a URL above.
This list shows the available callbacks URLs of this PRTG instance for reference purposes.
Test Single Sign-On Authorization Endpoint
Click Test Single Sign-On Authorization Endpoint to call the authorization endpoint to check if starting the single sign-on process will succeed.
In case of errors, check the answer from the endpoint.
Save your settings. If you change tabs or use the main menu without saving, all changes to the settings are lost.
When an SSO user logs in to the PRTG web interface, PRTG automatically creates a corresponding local account on the PRTG core server.
Changing the Login Name in PRTG for SSO users is not supported.
By default, no access rights for monitoring objects, libraries, maps, or reports are set for the new user group in PRTG. This is why, initially, users in this user group do not see monitoring objects, libraries, maps, or reports. This does not apply if the new user group has administrative rights. Edit the monitoring object's settings and the settings of libraries, maps, and reports, and set access rights for the newly created user group in the respective Access Rights section. We recommend that you set these access rights in the root group settings and use the inheritance of settings.
A local user account for an SSO user is only created if this SSO user has successfully logged in to PRTG. If you want to send email notifications to an SSO group in PRTG, using the option Send to User Group in the notification settings, a member of this SSO group has to log in to PRTG at least once to receive email notifications. To avoid this, enter the email address of the SSO group in the Send to Email Address field in the notification settings and select None for the Send to User Group option.
If you want to delete an SSO group from PRTG, you must delete all users that are in this user group first. This is because SSO users always have this user group set as their primary group, and user accounts cannot be without a primary group.
If a license is not valid, is temporarily unavailable, or is being updated, SSO does not work during this time.
SSO users cannot log on to a failover node in a cluster.