PRTG Manual: Single Sign-On

On the Single Sign-On tab, you can select a single sign-on (SSO) provider and configure other related settings.

This documentation refers to an administrator that accesses the PRTG web interface on a master node. Other user accounts, interfaces, or failover nodes might not have all of the options in the way described here. In a cluster, note that failover nodes are read-only by default.

If 15 minutes (900) seconds have passed since your last credential-based login and you open a setup page from a different setup page, PRTG asks you to enter your credentials again for security reasons. A dialog box appears. Enter your Login Name and Password and click OK to continue.

Requirements and Restrictions

SSO has the following requirements and restrictions.

For more information, see also section Notes.

Requirement/Restriction	Description
SSO configuration	You must first configure Microsoft Entra ID or Okta accordingly before you can integrate it into PRTG or PRTG Hosted Monitor for SSO. For example, you must register PRTG as an application. For more information, see the Knowledge Base: How to integrate Microsoft Entra ID into PRTG? For more information, see the Knowledge Base: How to integrate Microsoft Entra ID into PRTG Hosted Monitor? For more information, see the Knowledge Base: How to integrate Okta SSO into PRTG?
Freeware edition	SSO is not available for the freeware edition.
SSO users	Do not have access to the PRTG API. Cannot log on to a failover node in a cluster. Cannot change the Login Name in PRTG.

Requirement/Restriction

Description

SSO configuration

You must first configure Microsoft Entra ID or Okta accordingly before you can integrate it into PRTG or PRTG Hosted Monitor for SSO. For example, you must register PRTG as an application.

For more information, see the Knowledge Base: How to integrate Microsoft Entra ID into PRTG?
For more information, see the Knowledge Base: How to integrate Microsoft Entra ID into PRTG Hosted Monitor?
For more information, see the Knowledge Base: How to integrate Okta SSO into PRTG?

Freeware edition

SSO is not available for the freeware edition.

SSO users

Do not have access to the PRTG API.
Cannot log on to a failover node in a cluster.
Cannot change the Login Name in PRTG.

Single Sign-On Settings

Setting	Description
SSO Login	Define if you want to enable login via SSO: Disable (default) Enable
Provider	This setting is only visible if you select Enable above. Select an SSO provider from the dropdown list: Microsoft Entra ID: Use Microsoft Entra ID as the SSO provider. Okta: Use Okta as the SSO provider.
Configuration Endpoint	This setting is only visible if you select Enable above. Enter the configuration endpoint URL. Click Load Configuration to automatically fill in the values for Authorization Endpoint, Token Endpoint, JSON Web Key Set (JWKS) URI, and Issuer. If this does not work, then manually enter the values. Microsoft Entra ID URL format example: https://login.microsoftonline.com/<tenant-ID>/v2.0/.well-known/openid-configuration Make sure to replace <tenant-ID> with the directory (tenant) ID from Microsoft Entra ID. Okta URL format example: https://<your-Okta-domain>/oauth2/<authorization-server-ID>/.well-known/oauth-authorization-server You can find the URL in the field Metadata URI under Security \| API in the Okta administrator console.
Authorization Endpoint	This setting is only visible if you select Enable above. Enter the entire endpoint URL for authorization purposes, not only the server part. Microsoft Entra ID example: https://login.microsoftonline.com/<tenant-ID>/oauth2/v2.0/authorize Make sure to replace <tenant-ID> with the directory (tenant) ID from Microsoft Entra ID. Okta example: https://<your-Okta-domain>/oauth2/default/v1/authorize Make sure to replace <your-Okta-domain> with the Okta domain of your application from the Okta administrator console.
Token Endpoint	This setting is only visible if you select Enable above. Enter the entire token endpoint URL, not only the server part. Microsoft Entra ID example: https://login.microsoftonline.com/<tenant-ID>/oauth2/v2.0/token Make sure to replace <tenant-ID> with the directory (tenant) ID from Microsoft Entra ID. Okta example: https://<your-Okta-domain>/oauth2/default/v1/token Make sure to replace <your-Okta-domain> with the Okta domain of your application from the Okta administrator console.
JSON Web Key Set (JWKS) URI	This setting is only visible if you select Enable above. Enter the URI of the JWKS, not only the server part. Microsoft Entra ID example: https://login.microsoftonline.com/<tenant-ID>/discovery/v2.0/keys Make sure to replace <tenant-ID> with the directory (tenant) ID from Microsoft Entra ID. Okta example: https://<your-Okta-domain>/oauth2/default/v1/keys Make sure to replace <your-Okta-domain> with the Okta domain of your application from the Okta administrator console.
Issuer	This setting is only visible if you select Enable above. Enter the SSO issuer. Microsoft Entra ID example: https://login.microsoftonline.com/<tenant-ID>/v2.0 Make sure to replace <tenant-ID> with the directory (tenant) ID from Microsoft Entra ID. Okta example: https://<your-Okta-domain>/oauth2/default Make sure to replace <your-Okta-domain> with the Okta domain of your application from the Okta administrator console.
Scope	This setting is only visible if you select Enable above. Enter the scope for SSO. Microsoft Entra ID example: openid profile offline_access email api://<client-ID>/<scope-name> Make sure to replace <client-ID> with the application (client) ID from Microsoft Entra ID and the <scope-name> with a scope name. Okta example: openid offline_access email profile
Application (Client) ID	This setting is only visible if you select Enable above. Enter the application (client) ID from Microsoft Entra ID or the Client ID of your application from the Okta administrator console.
Client Secret	This setting is only visible if you select Enable above. Enter the client secret to verify the integrity of the SSO token.
Group Claim Retrieval	This setting is only visible if you select Microsoft Entra ID above. Select if you want to use an access token or GraphQL to retrieve the group claims from Microsoft Graph: Access token (default) GraphQL If you select GraphQL to retrieve the group claims, PRTG automatically adds user.read to the scope. If you select GraphQL and log in for the first time, a window opens and asks for the needed permissions. Click Accept to grant the permissions.
Endpoint Handling	This setting is only visible if you select Enable above. Define whether to select the callback from a list of callbacks or to manually enter a callback: Select from a list of endpoints (default): Select an endpoint from a list of available endpoints. Manually enter a URL: Manually enter an endpoint URL below. You need to enter a manual callback if you access PRTG via a different DNS name. For example, if you access PRTG via myPRTG.example.com but the actual DNS name of the PRTG core server is myPRTG.internal.example.com, you need to enter a manual callback.
Available Callback URLs	This setting is only visible if you select Enable and select Select from a list of endpoints (default) above. This list shows the available callbacks of this PRTG instance. Select the callbacks that your users use to connect to PRTG. If you define an HTTPS endpoint in this field, you need to configure the HTTPS endpoint as a valid redirection URI in your SSO provider's settings.
External Callback URL	This setting is only visible if you select Enable and select Manually enter a URL above. If you access PRTG via a different DNS name, define the HTTPS endpoint. This is necessary if the DNS name that you configured under Setup \| System Administration \| User Interface does not appear in the Available Callback URLs list. For example, if you access PRTG via myPRTG.example.com but the actual DNS name of the PRTG core server is myPRTG.internal.example.com, then enter myPRTG.example.com. Also make sure to add the port used by PRTG for HTTPS and the endpoint in the URL, for example: myPRTG.example.com:PORT/cb. If you define an HTTPS endpoint in this field, you need to configure the HTTPS endpoint as a valid redirection URI in your SSO provider's settings.
Available Callback URLs (for reference)	This setting is only visible if you select Enable and select Manually enter a URL above. This list shows the available callbacks URLs of this PRTG instance for reference purposes.
Test Single Sign-On Authorization Endpoint	Click Test Single Sign-On Authorization Endpoint to call the authorization endpoint to check if starting the single sign-on process will succeed. In case of errors, check the answer from the endpoint.

Save your settings. If you change tabs or use the main menu without saving, all changes to the settings are lost.

Notes

If you want to further improve the security for sign-in events, we recommend that you enable multi-factor authentication for Microsoft Entra ID or Okta.

- For more information, see the Knowledge Base: How can I enable Microsft Entra ID multifactor authentication?
- For more information, see the Knowledge Base: How can I enable Okta multi-factor authentication?

When an SSO user logs in to the PRTG web interface, PRTG automatically creates a corresponding local account on the PRTG core server.
By default, no access rights for monitoring objects, libraries, maps, or reports are set for the new user group in PRTG. This is why, initially, users in this user group do not see monitoring objects, libraries, maps, or reports. This does not apply if the new user group has administrative rights. Edit the monitoring object's settings and the settings of libraries, maps, and reports, and set access rights for the newly created user group in the respective Access Rights section.
We recommend that you set these access rights in the root group settings and use the inheritance of settings.
A local user account for an SSO user is only created if this SSO user has successfully logged in to PRTG. If you want to send email notifications to an SSO group in PRTG, using the option Send to User Group in the notification settings, a member of this SSO group must log in to PRTG at least once to receive email notifications. To avoid this, enter the email address of the SSO group in the Send to Email Address field in the notification settings and select None for the Send to User Group option.
If you want to delete an SSO group from PRTG, you must delete all users that are in this user group first. This is because SSO users always have this user group set as their primary group, and user accounts cannot be without a primary group.
If a license is not valid, is temporarily unavailable, or is being updated, SSO does not work during this time.