Set up Malwarebytes cloud platform single sign-on with Microsoft AD FS

Document created by jgolomb (Employee) on Jan 29, 2019. Last modified by jgolomb (Employee) on Nov 8, 2019.
Version 11

The following instructions help the IdP administrator set up single sign-on (SSO) for Malwarebytes administrators into the Malwarebytes Cloud portal using Microsoft AD FS. Malwarebytes Cloud supports only the SAML 2.0 authentication protocol.


Get started

  • The email address used for the cloud account must match the email address used for AD FS.

  • Administrator access to the Malwarebytes cloud console.

  • Server Manager Administrators access, or equivalent, on the local computer.

  • Ensure your environment meets the minimum operating system and external access requirements. Refer to Malwarebytes Cloud Platform Administrator Guide for details.


  • Ensure that the time set on the AD FS server is not set to a future time.


Add new relying party trust to AD FS configuration database

  1. In Server Manager, select Tools > AD FS Management > Actions > click the Start button.
    Image of Welcome screen in Microsoft AD FS.

  2. Log in to the Malwarebytes cloud console and go to the Settings > Single Sign-on page. Download the Malwarebytes Service Provider Metadata.
    Image of Malwarebytes Service Provider Metadata located under the Single Sign-On setting of the Cloud Console.

  3. Back in AD FS, select Import data about the relying party from a file > click Browse... to locate and add the Malwarebytes metadata.xml file > click Next.
    Image of Select Data Source screen in Microsoft AD FS.

  4. Create a display name for the application that your users can easily identify. For example, Malwarebytes Cloud. Click Next when satisfied.
    Image of Specify Display Name screen in Microsoft AD FS.

  5. Select I do not want to configure multi-factor authentication settings for this relying party trust at this time > click Next.
    Image of Configure Multi-factor Authentication Now? screen on Microsoft AD FS.

  6. Select Permit all users to access this relying party > click Next.
    Image of Choose Issuance Authorization Rules.

  7. Select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes > click Close.
    Image of the Finish screen for Microsoft AD FS.

  8. Select Add Rule... in the new dialog screen.
    Image of Issuance Transform Rules screen in Microsoft AD FS.

  9. Select Send LDAP Attributes as Claims from the drop down menu > click Next.
    Image of Choose Rules Type screen in Microsoft AD FS.

  10. Create a Claim rule name > configure the following LDAP attributes:
    E-Mail Addresses to Outgoing Claim Type: email
    E-Mail Addresses to Outgoing Claim Type: nameid
    Image of Configure Claim Rule screen in Microsoft AD FS.

  11. Download the FederationMetadata.xml from: https://YourADFSServer/federationmetadata/2007-06/federationmetadata.xml
    NOTE: Replace YourADFSServer with your AD FS server information.

  12. In the Malwarebytes cloud console, upload the FederationMetadata.xml file by dragging it into the Identity Provider (IDP) Metadata area, or by selecting the file path.
    Image of Identity Provider (IDP) Metadata menu in Malwarebytes cloud console.

  13. Toggle Enable Single Sign-On (SSO) to ON > click SAVE to complete the integration process.
    Image of Enable Single Sign-On (SSO) toggle switch in Malwarebytes cloud console.


Additional information