Prerequisites

Before you proceed with the SSO integration, make sure the following conditions have been met:

  1. You must be logged into the Parallels My Account and have access to your organization’s business account, where the license key has been previously registered. See this chapter for more details.

  2. You must understand what email domain(s) your end-users will use for SSO.

  3. You must either have admin access to the DNS host(s) of the corresponding domain(s) to be able to add the verification TXT record(s) or be able to ask your IT service for assistance.

  4. You must either have admin access, which enables you to configure enterprise applications in your IdP Directory, or be able to request support from the IT admin who has the required permissions.

Once the above requirements are met, proceed to the next step.

Configuring SSO Integration with Azure/Entra ID

Follow the steps below one by one to integrate Parallels My Account with Microsoft Entra ID.

(1) Configure Organization's Domain(s)

A domain is a part of the email addresses (after the @ symbol) used by the end users in your organization. When end users try to log in to Parallels My Account using SSO, they are prompted to enter their work email address. Parallels My Account checks the domain part of the email address and recognizes that the user belongs to your organization. Click on the title of Step 1 to expand it and read the instructions carefully.

  • Add one or more domains your organization uses.

  • Each domain must be unique and can only be registered to one business account that your organization has registered with Parallels.

  • Make sure to add only the domains your organization can control.

The Parallels My Account service verifies the domain ownership by checking a specific TXT record that must be added to the DNS host of the corresponding domain. Make sure that all domains added to the list are verified before proceeding with the next steps.

Depending on the software and/or provider, a TXT record may take up to 72 hours to propagate. You can check whether it's been configured using the following command:

(2) Register Parallels Enterprise App

Registering the Parallels enterprise application (required for integrating with the Parallels My Account service) in the IdP Directory allows you to configure the SSO-related parameters and correctly provision the integration between your IdP and the Parallels My Account service. The description below illustrates the registration procedure for Microsoft Entra ID. It is assumed that you have the permissions required to register and configure enterprise applications with Entra ID. To register a Parallels enterprise application with Microsoft Entra ID:

  1. Log into the Microsoft Entra ID portal using an account that has the privileges required to register and configure enterprise applications for your organization.

  2. On the Home page, choose Microsoft Entra ID from the services gallery to open the landing page.

  3. Choose Enterprise applications in the Manage section on the left-hand side panel to open the page with the list of the enterprise applications registered with your organization.

  4. Click

Once the Parallels enterprise application registration in the IdP Directory is completed, switch back to the integration configurator page at Parallels My Account, expand the section of Step 2, and select the Configuration in the IdP Directory is done option at the bottom of the section. Then proceed to the next step.

(3) Configure User Groups Mapping

You must create user groups associated with the Parallels Desktop application in your IdP Directory. Later, you will add users to those groups to let Parallels My Account know which users should have business account admin privileges in the Parallels ecosystem. At least one user group is required for adding users with admin access to your organization’s business account registered with Parallels. Once the group is created, you should add the group's name and ID in Step 3 of the integration configurator page in Parallels My Account.

Start with creating the group in the IdP Directory. To do so, switch to your IdP management portal and follow the standard procedure of creating a user group and associating it with the Parallels enterprise application, as provided by your Organization’s IdP. The description below illustrates the registration procedure for Microsoft Entra ID. It is assumed that you have appropriate permissions that allow you to manage user groups in Entra ID. To create a user group for the Parallels enterprise application in Microsoft Entra ID:

  1. Log into the Microsoft Entra ID portal using the account which has privileges for managing user groups and configuring enterprise applications.

  2. On the Home page, choose Microsoft Entra ID in the services gallery to open the Entra ID landing page.

  3. Choose Groups in the Manage section on the left-hand side panel to open the page with the list of the user groups registered in your tenant.

  4. Click New group

Once the required groups have been created in the IdP Directory and associated with the Parallels app, switch back to the Parallels My Account integration configurator page. If everything is set, move on to the next step.

(4) Configure SAML Integration

SAML 2.0 integration between Parallels My Account and your organization’s IdP allows your organization's users to activate their copies of Parallels Desktop for Mac Enterprise Edition using Single Sign-On (SSO) while your admins can use it to log into the business account registered with Parallels using their main corporate login credentials.

To complete this step, you must copy certain parameters from your Parallels My Account to the settings section of the Parallels application registered in the IdP Directory and then copy certain data provided in the IdP Directory to the Parallels My Account admin panel.

The following description illustrates the procedure for Entra ID. It is assumed that you have appropriate permissions that allow you to configure enterprise applications in Entra ID. If your organization uses a different IdP service, follow the instructions provided in the admin guide specific to your IdP of choice.

Expand the Step 4 section on the integration configurator page in Parallels My Account. Note that there are two groups of parameters in the section. The first group has two values, Service Provider Entity ID and Assertion Consumer Service URL, which must be copied from Parallels My Account to the IdP Directory. The second group includes three parameters – Identity Provider Entity ID, Identity Provider SSO URL, and Public Certificate. The values for these parameters must be copied from your IdP Directory to Parallels My Account.

There are two ways to copy the parameters between Parallels My Account and the IdP Directory: via metadata files (assuming your IdP software supports transferring those parameters via external files) or manually.

Begin with copying the first group of parameters — Service Provider Entity ID and Assertion Consumer Service URL (both values are pre-set automatically and cannot be changed) from Parallels My Account to the IdP Directory.

[RECOMMENDED] Option 1: Copying the data between Parallels My Account and Entra ID via a metadata file

Click Download a metadata file link in the subtitle of the group to save these parameters to the external metadata file. To transfer the values of the parameters from the metadata file to the IdP Directory, follow these steps:

  1. Log into the Microsoft Azure portal using the account which has privileges for configuring enterprise applications.

  2. Choose MS Azure Home > Entra ID > Enterprise applications, select the Parallels enterprise application from the list, click on it to open the application’s home page, and choose Single sign-on in the Manage section on the left-hand side panel to open the page for configuring the Single Sign-On method for the enterprise application.

  3. When on the Single Sign-On configuration page, choose SAML as the Single Sign-On method. The page for configuring a Single Sign-on with SAML will open.

Option 2: Copying the data between Parallels My Account and Entra ID manually

Alternatively, you can set up the basic SAML configuration manually. To do so, perform steps 1-3 as described above in the Option 1 section. When on the Set up Single Sign-on with SAML page, click Edit in the section (1) Basic SAML Configuration. A popup panel will open with the properties of the basic SAML configuration (the values won’t be set). Copy the value of the Service Provider Entity ID from Parallels My Account to the Identifier (Entity ID) box in the IdP Directory. Copy the value of Assertion Consumer Service URL from Parallels My Account to the Reply URL (Assertion Consumer Service URL) box in the IdP Directory. Click Save at the top of the panel to save the configuration. Close the Basic SAML Configuration panel.

Proceed to configure Attributes & Claims by adding the “user.groups” claim on the xn page in Entra ID as described above (refer to step 6 above in the Option 1 section).

Next, copy the three parameters from MS Azure’s Set up Single Sign-on with SAML settings to My Account. On the Single Sign-on page, scroll to 4. Set up Application Name and copy the value of the Login URL to the Identity Provider SSO URL field in My Account. Next, copy the value of Entra ID Identifier to the Identity Provider Entity ID field in My Account. And finally, under the SAML Certificates section, click to download the Certificate (Base64) file and copy the file’s contents to the Public Certificate field in My Account.

Finally, select the Configuration in the IdP Directory is done option at the bottom of the section and click Save in Parallels My Account to confirm that you have finished the configuration procedure in the IdP Directory. Proceed to the next step.
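
A cross-check for the five parameters exchanged in this step, as an added example that is not part of the Parallels guide: it reads the two metadata files and reports the values under the field names used above, with a SHA-256 fingerprint of the signing certificate that can be compared against the downloaded Certificate (Base64) file. The example.invalid URLs, the placeholder certificate bytes and all function names are constructed for illustration.

```python
"""Read the five SAML parameters from SP and IdP metadata and sanity-check them."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def _entity(xml_text):
    """Parse one EntityDescriptor; refuse DTDs so no entities get expanded."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata must not contain a DTD or entity declarations")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor" or not root.get("entityID"):
        raise ValueError("not a SAML 2.0 EntityDescriptor with an entityID")
    return root


def _location(role, element, binding):
    """Location of the first endpoint of type `element` that uses `binding`."""
    for endpoint in role.findall(f"md:{element}", NS):
        if endpoint.get("Binding") == binding:
            return endpoint.get("Location")
    return None


def cert_fingerprint(cert_text):
    """SHA-256 over the decoded bytes; accepts bare base64 or PEM file contents."""
    body = "".join(
        part
        for line in cert_text.splitlines()
        if not line.strip().startswith("-----")  # skip BEGIN/END lines
        for part in line.split()
    )
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()


def read_sp_metadata(xml_text):
    """Values that go from Parallels My Account to the IdP Directory."""
    root = _entity(xml_text)
    role = root.find("md:SPSSODescriptor", NS)
    if role is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")
    return {
        "Service Provider Entity ID": root.get("entityID"),
        "Assertion Consumer Service URL": _location(role, "AssertionConsumerService", HTTP_POST),
    }


def read_idp_metadata(xml_text):
    """Values that go from the IdP Directory to Parallels My Account."""
    root = _entity(xml_text)
    role = root.find("md:IDPSSODescriptor", NS)
    if role is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    certs = [
        kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        for kd in role.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")  # a missing "use" means any use
    ]
    return {
        "Identity Provider Entity ID": root.get("entityID"),
        "Identity Provider SSO URL": _location(role, "SingleSignOnService", HTTP_REDIRECT)
        or _location(role, "SingleSignOnService", HTTP_POST),
        "Public Certificate SHA-256": [cert_fingerprint(c) for c in certs if c.strip()],
    }


def review(sp, idp, shown_in_my_account):
    """Return findings; `shown_in_my_account` maps field name to displayed value."""
    findings = []
    for name, value in {**sp, **idp}.items():
        if name.endswith("URL") and not (value or "").startswith("https://"):
            findings.append(f"{name}: missing or not HTTPS ({value!r})")
        expected = shown_in_my_account.get(name)
        if expected is not None and expected != value:
            findings.append(f"{name}: metadata has {value!r}, My Account shows {expected!r}")
    if sp["Service Provider Entity ID"] == idp["Identity Provider Entity ID"]:
        findings.append("both files carry the same entityID: was one file used twice?")
    if not idp["Public Certificate SHA-256"]:
        findings.append("Public Certificate: no signing certificate in IdP metadata")
    return findings


# Constructed sample input: placeholder bytes stand in for a DER certificate.
PLACEHOLDER_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_CERT_B64 = base64.b64encode(PLACEHOLDER_DER).decode()
SAMPLE_SP_XML = f"""<md:EntityDescriptor xmlns:md="{MD}"
    entityID="https://sp.example.invalid/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://sp.example.invalid/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_IDP_XML = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.invalid/tenant-placeholder/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.invalid/tenant-placeholder/saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

To use it on real files, pass the text of the metadata file downloaded from Parallels My Account to read_sp_metadata and the text of the Federation Metadata XML to read_idp_metadata.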

(5) Configure SCIM Integration

SCIM 2.0 integration between Parallels My Account and your Organization’s IdP allows you to keep user identity information in Parallels My Account in constant sync with the updates made to user identities in the IdP Directory.

It is assumed that your IdP software supports SCIM. For this reason, the SCIM Support option in the Step 5 section on the integration configurator page in the Parallels My Account is enabled by default. If your IdP does not support SCIM, disable the option and move on to the next step.

The following description is based on the assumption that SCIM is supported.

To configure provisioning via SCIM, you must copy two parameters: SCIM Base URL and Bearer Token (both values are pre-set automatically and cannot be changed) from the Step 5 section of the integration configurator page in Parallels My Account to the IdP Directory.

The description below illustrates the procedure for Microsoft Entra ID. It is assumed that you have appropriate permissions that allow you to configure enterprise applications in Entra ID. If your organization uses a different IdP service, follow the instructions provided in the admin guide specific to your IdP of choice. To configure SCIM settings at the IdP management portal:

  1. Log into the Microsoft Azure portal using the account that has privileges for configuring enterprise applications.

  2. Choose MS Azure Home > Entra ID > Enterprise applications. Select the Parallels enterprise application in the list, click on it to open the application’s home page, and choose Provisioning in the Manage section on the left-hand side panel to open the page for configuring the provisioning settings of the enterprise application.

  3. On the Provisioning page, click Get Started. It opens the page where you can configure the provisioning settings.

Once the provisioning settings in the IdP Directory have been saved, switch back to Parallels My Account and select the Configuration in the IdP Directory is done option at the bottom of the section to confirm that you have finished the configuration procedure in the IdP Directory. Then, continue to the next step.

(6) Add users to the application groups

Add users and administrators to their respective groups created in Step 3 (described above) to permit them to activate their copies of Parallels Desktop (users) and log into Parallels My Account (administrators) using their corporate login credentials. To do so, switch to the IdP management portal and follow the conventional procedure (as provided by the IdP software) for adding users to the groups. Once it is done, or if you plan to add users later, select the Configuration in the IdP Directory is done option at the bottom of the section.

(7) Configure backup login

The backup login can be used to access your organization’s business account registered with Parallels, bypassing Single Sign-On, in the event of an SSO malfunction. By default, the backup login is set to the email address of the currently logged-in user. If you want to define a different backup login, add more users first on the Users page of the Business Profile section in Parallels My Account. The new user must log into the business account at least once before they can be designated as a backup login.

Warning: Once you have completed the integration process and activated the SSO functionality, only users from the Administrators group in your IdP signing in via SSO will retain access to managing the Parallels business account. All previous administrative privileges based on logins and passwords will become inactive.

Your designated backup login will continue to work.

Starting the Integration Process in Parallels My Account

Follow the instructions to begin the process of configuring SSO integration in Parallels My Account:

  1. Log into your Parallels account using your email address and password (but not using the Continue with SSO option). We recommend that you use your corporate email address and a password that is different from your main one. Go to the Dashboard page, and make sure that your business account is selected as the current workspace in the top-left corner.

  2. Click the Business Profile item in the business account navigation menu (top-right corner).

  • Click New application above the list of registered applications to open the Browse Entra ID Gallery page, which allows you to add a new app.

  • Click Create your own application to start the procedure of registering a new custom enterprise app. The popup panel Create your own application opens on the right.

  • Type the name of the application (the actual name remains at your discretion), choose the Integrate any other application you don't find in the gallery (Non-gallery) option, click Create and wait while the new enterprise application is being created. You will end up on the landing page of your new Parallels enterprise application.

  • Click New group above the list of registered groups to open the page for creating a new group.

  • When on the page for creating a new group, specify:

    1. Group type: Security,

    2. Name and description of the group at your discretion,

    3. Membership type: Assigned.

  • Click Create and wait while the group is being created.

  • Once the group is created, it appears on the list of groups automatically. Select the group from the list (click on it) to open the page with the group’s properties.

  • Repeat steps 3, 4, 5, and 6 once again. Your goal is to set up two groups, one for the admins of your organization’s Parallels business account and another for the users of Parallels Desktop for Mac Enterprise Edition, who will be granted permission to activate their copies via SSO. If your admins also need to be able to use Parallels Desktop for Mac, add them to both groups. Note: Please make sure that the respective group names on the IdP side and the Parallels My Account side match precisely. This will help you avoid potential problems, as some IdPs use group names in their identification and authorization processes.

  • Copy the names of the specified groups and the Object ID (assigned automatically) to Parallels My Account. To do so, switch back to the Parallels My Account integration configuration page, expand the Step 3 section, click on Click to edit on the respective group, paste the group name and ID into the corresponding input fields, and click Save. Repeat twice for the Parallels Business Account Admins and Parallels Desktop Users groups.

  • Switch back to the Microsoft Azure portal and associate both groups with the Parallels app. To do so:

    1. Choose MS Azure Home > Entra ID > Enterprise applications;

    2. Select the Parallels application from the list and click on it to open its home page;

    3. Select Users and groups on the side panel on the left;

    4. Click Add user/group;

    5. In Add Assignment, click on None Selected under Users and Groups to launch group selection;

    6. Select the groups created in Step 4, and click Select;

    7. Finally, click Assign.

    Make sure to link both groups, the administrators and the users.

  • While on the Parallels application’s home page in MS Azure Home, select Properties in the left-hand side panel, scroll down to the Assignment Required setting, and make sure it’s enabled.

  • On the same page, make sure that the Visible to users option is disabled.

  • Click Save at the top of the page.

  • Switch to your IdP integration page in My Account, scroll down to, and expand Step 4 ("Configure SAML integration"). Under Service Provider Settings, click the Download a metadata file link to download the metadata.xml file.

  • Return to the Set up Single Sign-on with SAML page and click Upload metadata file at the top of the page to open the popup dialog that allows you to select the file. Select the file you have previously downloaded from Parallels My Account, then click Add to load the data from the selected file. The popup panel opens with the properties of the basic SAML configuration loaded from the metadata file.

  • Check that the following parameters are set: Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), and the values of the parameters match those in the respective Parallels My Account section. Click Save.

  • On the left pane, choose Single sign-on. Select Attributes and Claims, then Edit, then click Add a group claim.

  • In Group Claims, select All Groups and click Save.

  • To close the configuration, click Close at the top of the panel on the right. Then, return to the SAML-Based Sign-On page.

  • On the SAML-Based Sign-On page, under the SAML Certificates section, locate Federation Metadata XML and click Download.

  • Switch to your IdP integration page in My Account, scroll down to and expand Step 4 ("Configure SAML integration"). Under Identity Provider Settings, click on the Upload a metadata file link and select the downloaded XML file.

  • Select the Configuration in the IdP Directory is done option at the bottom of the section and click Save to finish the configuration. Proceed to the next step.

  • When on the configuration page, set Provisioning Mode to "Automatic", then expand the Admin Credentials section and set the Tenant URL to SCIM Base URL (retrieve the value from Parallels My Account), Secret Token to Bearer Token (retrieve the value from Parallels My Account).

  • Click Save to save the changes.

  • [IMPORTANT] While in the Manage section of the Provisioning page, open the Attribute mapping tab and click on Provision Microsoft Entra ID Users. There, under the Attribute Mappings section, locate the externalId parameter, click Edit, change the Source attribute parameter from mailNickname to objectId, and click OK. Click Save in the top left corner. Note that without this step, there may be a mixup in product license provisioning between users with similar names.

  • Return to Overview (Preview) in the left side panel and click Start provisioning in the top-left corner.

  • Once on the Business Profile page, choose the SSO menu item in the top-right corner to open the IdP Integration configurator page.

  • When on the IdP Integration configurator page, click Start Configuring to begin setting up the integration between the Parallels My Account service and your identity provider. You will have to complete the configuration in 7 steps. Each step is represented on the page by a separate list item. Uncompleted steps are marked as gray, and the successfully completed ones become green. The configuration process is successfully completed when all seven items on the list are marked green.

  • Start with Step 1 (Configure Your Organization's Domain(s)), then continue until all seven steps are completed. Click on the title of each step’s section to expand it, and follow the instructions provided. The SSO integration will not start working until all the steps are complete. However, completing all steps at once is not mandatory—you can interrupt the process at any time and continue later. The information entered at the previous steps persists between sessions. Read the sub-chapters in this section for step-by-step setup guides specific to one of the officially supported IdP providers. If your provider is not on the list but supports SAML 2.0 and SCIM 2.0, we recommend referring to the steps described in the Entra ID sub-chapter and applying them according to your IdP's documentation.

  • When all configuration steps are completed (marked green), the Activate Integration button becomes available at the top of the page. Click the button to activate the integration between Parallels My Account and your Organization’s IdP. You can deactivate the integration anytime by clicking the Deactivate button at the top of the page.

  • Once the above steps have been completed, proceed to the respective chapter that covers integration with your IdP provider.

    $ dig TXT {yourdomain}.{com}

    Configuring the Single Sign-On (SSO) integration with Parallels My Account

    Integration between Parallels My Account and corporate Identity Providers (IdP) like Microsoft Entra ID, Okta, Ping Identity, JumpCloud, or Google Workspace enables Single Sign-On (SSO) login to Parallels My Account and automatic provisioning and revocation of Parallels product licenses to end users in your organization. The organization’s business account admins can log into My Account using their company's standard authentication procedure, while the end-users can activate Parallels products on their devices via Single Sign-On.

    Note: In the case of Parallels Desktop for Mac Enterprise Edition, a mixed licensing policy enables administrators to combine fixed per-device license seats and SSO per-user license seats as they see fit.

    Even if your organization does not use Parallels Desktop for Mac Enterprise Edition, you may benefit from the SSO integration with My Account. Such integration provides more control over the users with administrative access to the Parallels product licenses stored in the organization’s business account registered with Parallels.

    Warning: Once you have completed the integration process and activated the SSO functionality, only users from the Administrators group in your IdP signing in via SSO will retain access to managing the Parallels business account. All previous administrative privileges based on logins and passwords will become inactive.

    Your designated backup login will continue to work.

    Once the integration is configured, you can grant access to the organization’s business account to administrators by adding them to the Parallels Business Account Admins group in your Identity Provider’s directory. At the same time, deleting or blocking an administrator account in your Identity Provider automatically deprives them of access to Parallels My Account.

    Note: The integration between Parallels My Account and IdPs relies on SAML 2.0 for SSO and SCIM 2.0 for user identity information synchronization.

    In this section, we provide detailed instructions on how to set up the SSO integration with Microsoft Azure/Entra ID, Okta, and Ping Identity. Even if your corporate identity provider is not on the list, you can still try setting up the integration, provided your service of choice supports SAML 2.0 and SCIM 2.0 protocols.

    Once the integration is completed, the administrators will be able to sign into the company's My Account page using the Continue with SSO button at https://my.parallels.com/login, while Parallels Desktop for Mac users will be able to activate their local copies of the app using the SSO option.

    Note: If members of the Admin group need to also be able to use Parallels Desktop for Mac, they should be explicitly added to the Parallels Desktop users group.

    Below is the chart that outlines the setup process. Please note that the multi-group setup is optional.

    Troubleshooting the SSO Activation

    Single Sign-On (SSO) is one of the options offered for activating Parallels Desktop for Mac. Users who choose this option will see a window that looks like this:

    Some users might skip this dialog by clicking Cancel. In this case, you can instruct them on how to re-start the SSO-based activation procedure manually. To start the SSO-based activation:

    1. In the application's menu, choose Parallels Desktop → Account & License... and select the Continue with SSO option.

      Note: Users SHOULD NOT enter their corporate login email and password directly on the Sign-In to Parallels Account dialog. They are supposed to log in to their corporate account managed by the Organization’s IdP, not to a Parallels account!

  • On the Sign-In to Parallels Account dialog, clicking Business Edition (at the bottom of the dialog, on the left) opens the Activate Business Edition dialog.

  • On the Enter Enterprise Key dialog, clicking Continue with SSO (at the bottom of the dialog, on the left) opens the dialog, which prompts the user to enter the corporate email address. This is where the product activation procedure via Single Sign-On starts!

  • Users should type their corporate email address in the popup dialog that is opened by clicking Continue with SSO, then click Next.

  • Attention: If a particular user's account still won't activate using SSO, go back to your Identity Provider's settings and make sure that the user is included in the main user group for Parallels Desktop, as described in the SSO integration setup procedure.

    Configuring SSO Integration with Google Workspace

    Follow the steps below one by one to integrate Parallels My Account with Google Workspace.

    (1) Configure Organization's Domain(s)

    A domain is a part of the email addresses (after the @ symbol) used by the end users in your organization. When end users try to log in to Parallels My Account using SSO, they are prompted to enter their work email address. Parallels My Account checks the domain part of the email address and recognizes that the user belongs to your organization. Click on the title of Step 1 to expand it, and read the instructions carefully.

  • Add one or more domains your organization uses.

  • Each domain must be unique and can only be registered to one business account that your organization has registered with Parallels.

  • Make sure to add only the domains your organization can control.

    The Parallels My Account service verifies the domain ownership by checking a specific TXT record that must be added to the DNS host of the corresponding domain. Make sure that all domains added to the list are verified before proceeding with the next steps.

    Depending on the software and/or provider, a TXT record may take up to 72 hours to propagate. You can check whether it's been configured using the following command:

    (2) Create User Groups and Register Parallels Enterprise App and Configure SAML Settings

    Registering the Parallels enterprise application (required for integrating with the Parallels My Account service) in the IdP Directory allows you to configure the SSO-related parameters and correctly provision the integration between your IdP and the Parallels My Account service.

    With Google Workspace, it is simpler to first create the necessary user groups for the app. At least two groups are required: one for users with business account privileges in Parallels My Account (enabling them to manage issuing license seat quotas etc.) and at least one for the users who need to activate Parallels Desktop for Mac on their computers.

    To create a group in Google Workspace, do the following:

    1. Launch your Google Admin console and use the left-hand side panel to expand the Directory section and choose Groups.

    2. Click on Create group to launch the procedure of creating a group.

    3. Fill out the required details, make sure to activate the Security label, and click Next.

    4. On the next page, select the security settings as you see fit and click Create Group to finish the process.

    5. Choose Add members at the next step and populate the group. Note: Remember that anyone who needs to activate Parallels Desktop for Mac with their Google Workspace login must be included in the main Parallels Desktop users group, even if they are already included in the group for business account administrators.

    6. Remember to repeat the process to create at least two groups, one for users with business account privileges in Parallels My Account (enabling them to manage issuing license seat quotas, etc.) and at least one for the users who need to activate Parallels Desktop for Mac on their computers.

    The below process describes setting up a new Enterprise Application for Google Workspace:

    1. Launch your Google Admin console and use the left-hand side panel to expand the Apps section and choose Web and mobile apps.

    2. Open the Add app drop-down menu and choose the Add custom SAML app option.

    3. Fill out the name and description for the Parallels app.

    4. In the next step, copy the presented values from Google Workspace to Step (4) Configure SAML Integration section of the Parallels page the following way:

      • SSO URL (Google Workspace) -> Identity Provider SSO URL (Parallels My Account)

      • Entity ID (Google Workspace) -> Identity Provider Entity ID (Parallels My Account)

      • Certificate (Google Workspace) -> Public Certificate (Parallels My Account).

    5. At the next step, Service Provider Details, use the values from the Step (4) Configure SAML Integration section of the Parallels page to copy the following parameters:

      • Assertion Consumer Service URL (Parallels My Account) -> ACS URL (Google Workspace)

      • Service Provider Entity ID (Parallels My Account) -> Entity ID (Google Workspace)

      Set the remaining parameters to the following values:

    6. The next step, Attribute mapping, is very important, and you should pay close attention to setting all the parameters correctly, keeping the spelling and capitalization exactly as presented. Use the Add Mapping button to map the following value pairs:

      • Basic Information > First name (Google Directory attribute) -> displayName (App attribute).

      • Basic Information

    7. Under the Group membership section, choose the groups of Parallels My Account administrators and Parallels Desktop users created previously and map them to the app attribute groups.

    8. Click Finish to complete the setup process.

    9. Switch back to the SSO setup page in Parallels My Account and mark Step (2) Register the Parallels Enterprise App and Step (4) Configure SAML Integration as complete.

    Proceed to the next step.

    (3) Configure User Groups Mapping

    Having created the user groups in the previous step, you should add the groups' names and IDs to the respective fields in Step (3) Configure User Groups Mapping on the integration configurator page in Parallels My Account.

    Take the following steps.

    1. Launch your Google Admin console and use the left-hand side panel to expand the Directory section and choose Groups.

    2. Copy the group's name to a notepad app for both the Administrators and the Users group.

    3. Switch to the Parallels My Account integration page, expand Step (3) Configure User Groups Mapping, and use the click to edit links to copy the respective group's name into BOTH FIELDS, UUID and Display Name, for administrators, and click Save.

      Take care to use the correct values for each group.

    4. Mark Step (3) Configure User Groups Mapping as complete.

    Once the required groups have been created in the IdP Directory and associated with the Parallels app, move on to the next step.

    (4) Configure SAML Integration

    SAML 2.0 should already have been configured for the Parallels enterprise application when you registered it with Google Workspace (refer to chapter (2) Register Parallels enterprise app and configure SAML settings earlier in this document for more details).

    Make sure to check the Step 4 section on the integration configurator page at Parallels My Account. All fields must be filled in, and the Configuration in the IdP Directory is done option must be enabled.

    If everything is set, proceed to the next step.

    (5) Configure SCIM Integration

    SCIM 2.0 integration between Parallels My Account and your Organization’s IdP allows you to keep user identity information in Parallels My Account in constant sync with the updates made to user identities in the IdP Directory.

    Warning: At this point, Parallels does not support SCIM integration for Google Workspace.

    Due to the lack of SCIM integration, the administrator will have to manually add and remove users in Parallels My Account, as well as on the Google Workspace side.

    To revoke a license on the Parallels My Account side, follow these steps:

    1. Open the Virtual Machines page of the Parallels Management Portal and identify the machine using the following three parameters: User name, Computer name, and Parallels Desktop state. The latter will help you spot the machines activated using SSO.

    2. Write down the computer name of the Mac where you need to revoke the license.

    3. Open the Parallels My Account main page, select the Enterprise product card, and click on the Registered Computers link.

    4. Select the target Mac using the checkbox on the left, and use the Actions menu in the top right corner to deactivate the license.

    On the Parallels My Account SSO setup page, expand Step (5) Configure SCIM Integration and make sure the Enable SCIM Support checkbox is unticked.

    Continue to the next step.

    (6) Add users to the application groups

    For users to be able to use the application to sign in or activate with Parallels, they have to be created and added to the groups tied to the Enterprise Application.

    If you need to add more users to the groups created in step (2), open your Google Admin console and use the left-hand side panel to expand the Directory section and choose Groups. Point your mouse at a specific group and use the Add members button to populate it with users as required.

    Once it is done, or if you plan to add users later, switch back to the Parallels My Account SSO setup page, expand Step (6) Add Users to Application Groups, and mark the Configuration in the IdP Directory is complete checkbox at the bottom of the section.

    (7) Configure backup login

    The backup login can be used to access your organization’s business account registered with Parallels, bypassing Single Sign-On in the event of an SSO malfunction. By default, the backup login is set to the email address of the currently logged-in user. If you want to define a different backup login, add more users first on the Users page of the Business Profile section in Parallels My Account. The new user must log into the business account at least once before they can be designated as a backup login.

    Warning: Once you have completed the integration process and activated the SSO functionality, only users from the Administrators group in your IdP signing in via SSO will retain access to managing the Parallels business account. All previous administrative privileges based on logins and passwords will become inactive.

    Your designated backup login will continue to work.

    [OPTIONAL] How to Divide Users into Groups and Assign Them Sublicenses

    By default, the integration process between Parallels My Account and your identity provider, described in , implies that all users of Parallels Desktop for Mac in your company will end up in one user group.

    However, as explained in , it may be beneficial to spread your end users across multiple groups, depending on their departments or functions within the company. This will enable administrators to provision tailored or set their own restrictions for each individual group of users, as described in of the Parallels Management Portal section of this guide.

    Attention: All the users that need to activate Parallels products using SSO still have to also be included in the main user group created as part of the .

    The goal of this chapter is to explain the intricacies of the grouping process and prevent potential activation or policy application issues. As a result of these procedures, you will end up with distinctive groups of Parallels Desktop users tied to specific sublicense keys, to which you can apply specific policies and restrictions and provision different golden images.

    $ dig TXT {yourdomain}.{com}
  • Leave the Start URL field blank.

  • Under the Name ID section, set the Name ID format to EMAIL, and Name ID to Basic Information > Primary email.

  • > Primary email (Google Directory attribute) -> name (App attribute).
  • Employee Details > Employee ID (Google Directory attribute) -> objectidentifier (App attribute).


    Preparation

    Warning: Under no circumstances should you attempt to configure a multi-group setup without first establishing a working, well-tested configuration with just one user group, as described in the main SSO integration guide, and having a working plan for how to revert to it.

    You may choose to divide your company's Parallels Desktop users into entirely new groups or use the groups that already exist in your IdP setup. However, we strongly recommend that you plan before acting:

    1. Create an organizational chart with all planned subdivisions.

    2. List the concrete differences in their access requirements that may warrant individual virtual machine images and the application of specific policies. Check the list of available policies here.

    3. Itemize the number of Parallels Desktop licenses that each group may need. Consider which users need guaranteed access and which groups can be served on a "first come, first served" basis. Compare the sum total of required licenses with the overall number of license seats in your Parallels Desktop Enterprise Edition setup. Create the respective subgroups in Parallels My Account to see if the numbers add up.

    Note: Any users not included in the mapped SSO groups will be activated using the quota from the primary license key seats pool. Golden Images will be assigned, and policies will be applied accordingly.

    Terminology

    For the purposes of this guide, the most important term on your IdP's side is a unique group identifier, which, depending on your IdP, can also be known as UUID, Object ID, or group name. Another important term is a SAML token: a file which contains information about a user and is sent by IdP to the service provider (in this case, Parallels) during the SSO authentication process. The individual meaningful pieces of information in SAML tokens are called claims.

    What binds these three terms together is that certain claims in SAML tokens contain group identifiers, allowing Parallels service to see what groups the authenticated user is included in on the IdP side.

    Note: If you follow the previous default SSO integration procedure, your Parallels application SAML token may only contain claims with the group identifiers of the two manually populated default groups assigned to the Parallels Desktop for Mac app, i.e. Administrators and Parallels Desktop Users, and not any other existing groups that an employee may be part of. We recommend that you change that using the details from the Step (3) of the Mapping existing groups to the Parallels Desktop app in your IdP section below. This way the SAML tokens will contain claims with the identifiers of all the groups a user is part of, ensuring correct policy assignment.

    Group structure

    Some IdPs allow administrators to create hierarchical user group structures to better reflect the organizational structure of the company, e.g., a "Product" group that would include subgroups like "Engineers", "Designers", "QA", etc. In this case, a member of the "Engineers" subgroup would have at least two group identifiers in their SSO claim: one for the "Product" group, and one for the "Engineers" subgroup.

    Note: While a SAML token may contain claims with specific group identifiers, it will not contain information on the hierarchical relationships between those groups. E.g., if a user is a member of Group 1.1, a subset of Group 1, their SAML token will simply contain group identifiers for both groups.

    Mapping existing groups to the Parallels Desktop app in your IdP

    With the above information in mind, your overall process to divide the Parallels Desktop for Mac users in your organization into individually managed groups should include the following steps:

    1. Evaluate which existing groups of users may need which specific policies and restrictions. Read this chapter carefully.

    2. Plan the user allocation. Consider how many users from each affected group may need to activate and use Parallels Desktop for Mac, which will require guaranteed service (reserved sublicense keys), and which will be better off on a first-come, first-served basis (dynamic sublicense keys). Read more about the difference .

    3. Ensure the correct settings of the Parallels Desktop application on your IdP side so that the SAML token exchanged during the SSO authentication process includes the group identifiers for all the groups a user belongs to. In Microsoft Azure/Entra ID, follow this path Home → Entra ID (formerly AD) → Enterprise applications → Select Application → Single sign-on → 2. Attributes & Claims -> Edit and make sure the Group Claims setting is set to All Groups and not Groups assigned to the application.

      Once you make this change, the Parallels service will receive information about all user groups a given user is a member of on an SSO sign-on attempt, and will deduct the seat from a specific license key accordingly. Note: In the case of Okta, you have to map pre-existing groups to the application directly.

    4. [IMPORTANT] Ensure that your Microsoft Azure/Entra ID setup identifies users correctly:

      1. Go to MS Azure Home > Entra ID (formerly AD) > Enterprise applications.

      2. Select the Parallels enterprise application in the list, click on it to open the application’s home page, and choose Provisioning in the Manage section on the left-hand side panel.

    5. To benefit from tailored policies and license key quotas, create sublicense keys as directed in . To map a user group on the IdP side with a specific sublicense key, take this group's group identifier and add it to the selected key in Parallels My Account. In the case of Microsoft Azure/Entra ID, the group identifiers can be found by following this path: Home -> Microsoft Entra ID (former AD) -> Enterprise Applications -> Select Application -> Users and groups -> Select Group -> Object ID. To paste the value in Parallels My Account, linking the group to a specific sub-license key, open Parallels My Account and follow this path: Find the Parallels Desktop for Mac Enterprise Edition product card -> Click on the Subscription Details line -> scroll down to the License Keys section. Click the cogwheel symbol to open that sublicense key's card and switch to the User Groups tab. Click Add Group and paste the group's name and UUID (Object ID) in the respective fields. Note that in the case of Okta, the user group UUIDs are the same as the group names, as described in the respective .

    Now, your users can activate their copies of Parallels Desktop for Mac using their groups' assigned quotas, and you can apply group policies as you see fit.

    Troubleshooting

    The chart below will help you troubleshoot your multi-group setup, showing the possible reasons why an SSO process may fail.


    Configuring SSO Integration with Ping Identity

    Follow the steps below one by one to integrate Parallels My Account with Ping Identity.

    (1) Configure Organization's Domains

    A domain is a part of the email addresses (after the @ symbol) used by the end users in your organization. When end users try to log in to Parallels My Account using SSO, they are prompted to enter their work email address. Parallels My Account checks the domain part of the email address and recognizes that the user belongs to your organization. Click on the title of Step 1 to expand it, and read the instructions carefully.

    Configuring SSO Integration with Okta

    Follow the steps below one by one to integrate Parallels My Account with Okta.

    (1) Configure Organization’s Domains

    A domain is a part of the email addresses (after the @ symbol) used by the end users in your organization. When end users try to log in to Parallels My Account using SSO, they are prompted to enter their work email address. Parallels My Account checks the domain part of the email address and recognizes that the user belongs to your organization. Click on the title of Step 1 to expand it and read the instructions carefully.

    Open the Attribute mapping tab and click on Provision Microsoft Entra ID Users. There, under the Attribute Mappings section, locate the externalId parameter, click Edit, change the Source attribute parameter from mailNickname to objectId, and click OK. Click Save in the top left corner.

    Note: Without this step, there may be a mixup in product license provisioning between users with similar names.

    Note: You can assign more than one user group to a specific license key. When dividing your users into groups and subgroups and assigning those groups to sublicense keys, your priority should be to ensure that no single user is simultaneously a member of two groups (directly or via a hierarchical structure) that are assigned to two different keys. Such a setup may lead to their license seat being assigned from the wrong sublicense.

    Once you have added all the groups you want, click Save.
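    The notes above state three rules: group claims carry no hierarchy, users outside the mapped groups draw from the primary key pool, and no user should match groups tied to two different keys. The Python sketch below is an added example, not Parallels code, that checks a test user's assertion and a directory export against those rules; the group IDs, key labels and sample assertion are constructed, and the resolution logic is a model of the rules in this guide, not the service's actual algorithm.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned assertion fragment for a test user (not real data).
# "Engineers" is a subgroup of "Product", so the IdP emits both identifiers.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>dana@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>grp-pd-users</saml:AttributeValue>
      <saml:AttributeValue>grp-product</saml:AttributeValue>
      <saml:AttributeValue>grp-engineers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical identifiers: the main SSO user group, and the groups added to
# each sublicense key's User Groups tab.
MAIN_GROUP = "grp-pd-users"
KEY_GROUPS = {
    "sublicense-product": {"grp-product"},
    "sublicense-engineering": {"grp-engineers"},
    "sublicense-sales": {"grp-sales", "grp-presales"},
}


def group_claims(assertion_xml, attribute="groups"):
    """Return (NameID, [group ids]) from an assertion you captured yourself.

    Inspection helper only: it does not verify the signature and must not be
    used to make trust decisions.
    """
    root = ET.fromstring(assertion_xml)
    tag = "{%s}Assertion" % NS["saml"]
    assertion = root if root.tag == tag else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML assertion found")
    name_id = assertion.findtext("saml:Subject/saml:NameID", "", NS).strip()
    groups = []
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attribute:  # attribute names are case-sensitive
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            text = (value.text or "").strip()
            if text and text not in groups:
                groups.append(text)
    return name_id, groups


def resolve_key(groups, key_groups=KEY_GROUPS, main_group=MAIN_GROUP):
    """Model of the guide's rules; returns (status, [matching key labels])."""
    claimed = set(groups)
    matched = sorted(k for k, ids in key_groups.items() if claimed & ids)
    if main_group not in claimed:
        return "not-in-main-group", matched  # must also be in the main group
    if not matched:
        return "primary-pool", []            # seat comes from the primary key
    if len(matched) == 1:
        return "sublicense", matched
    return "conflict", matched               # seat may come from the wrong key


def audit(directory, key_groups=KEY_GROUPS, main_group=MAIN_GROUP):
    """directory: {user: [group ids]}; return only users needing attention."""
    findings = {}
    for user, groups in sorted(directory.items()):
        status, keys = resolve_key(groups, key_groups, main_group)
        if status == "conflict" or (status == "not-in-main-group" and keys):
            findings[user] = (status, keys)
    return findings


if __name__ == "__main__":
    user, groups = group_claims(SAMPLE_ASSERTION)
    print(user, groups, resolve_key(groups))
```

    The sample user resolves to a conflict because the claims list both the parent and the child group and each is tied to a different key; assigning both groups to the same key, or mapping only one of them, removes it.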

  • Add one or more domains your organization uses.

  • Each domain must be unique and can only be registered to one business account that your organization has registered with Parallels.

  • Make sure to add only the domains your organization can control.

  • The Parallels My Account service verifies the domain ownership by checking a specific TXT record that must be added to the DNS host of the corresponding domain. Make sure that all domains added to the list are verified before proceeding with the next steps.

    Depending on the software and/or provider, a TXT record may take up to 72 hours to propagate. You can check whether it's been configured using the following command:

    (2) Register Parallels Enterprise App and Configure SAML Settings

    Registering the Parallels enterprise application (required for integrating with the Parallels My Account service) in the IdP Directory allows you to configure the SSO-related parameters and correctly provision the integration between your IdP and the Parallels My Account service.

    The description below illustrates the registration procedure for Ping Identity. It is assumed that you have the permissions required to register and configure enterprise applications with Ping Identity. To register a Parallels enterprise application with Ping Identity:

    1. Log into Ping Identity here using an account that has privileges for registering and configuring enterprise applications for your organization.

    2. [OPTIONAL] If you don't yet have an environment, launch the Create Environment wizard and select the Build your own solution option using the Ping SSO service and click Next two times.

    3. [OPTIONAL] Fill out the required parameters for the new environment, such as the name, description, type, and region. Click Finish when done.

    4. Go back to the main page and use the drop-down menu in the top-left corner to select the right environment.

    5. Go to the Applications section and click on the Add (+) button.

    6. In the Add application stage, type in a name for the application you are registering (e.g., Parallels Desktop), choose SAML as your application type, and click Configure.

    7. At the SAML Configuration step, choose the Manually Enter option and copy the respective parameter values from Step 4 (Configure SAML Integration) of Parallels My Account as follows:

      • Assertion Consumer Service URL (My Account) -> ACS URLs (Ping Identity)

      • Service Provider Entity ID (My Account) -> Entity ID (Ping Identity)

    8. The next step will require you to configure mapping attributes under the Attribute Mappings section. Use the Edit button and add the attributes as follows (note that the fields are case-sensitive):

      saml_subject -> User ID

      displayname -> Expression: {user.name.given + ' ' + user.name.family}

      groups -> Group IDs

      name -> Email Address

    9. Switch the application configuration on using the toggle:

    Once the registration of the Parallels enterprise application in the IdP Directory is completed, switch back to the integration configurator page at Parallels My Account, expand the section of Step 2 and select the Configuration in the IdP Directory is done option at the bottom of the section. Then move on to the next step.

    (3) Configure User Groups Mapping

    You must create user groups associated with the Parallels enterprise application in your IdP Directory. Later, you will add users to those groups to let Parallels My Account know which users should be able to activate their copies of Parallels Desktop for Mac Enterprise Edition via Single Sign-On (SSO) and which should have business account admin privileges in the Parallels ecosystem.

    At least one user group is required for adding users with admin access to your organization’s business account registered with Parallels. Once the group is created, you should add the group's name and ID in Step 3 of the integration configurator page in Parallels My Account.

    Start with creating the group in the IdP Directory. To do so, switch to your IdP management portal and follow the standard procedure of creating a user group and associating it with the Parallels enterprise application, as provided by your Organization’s IdP. The description below illustrates the registration procedure for Ping Identity. It is assumed that you have appropriate permissions that allow you to manage user groups in Ping Identity. If your organization uses a different IdP service, follow the instructions provided in the admin guide specific to your IdP of choice.

    To create a user group for the Parallels enterprise application in Ping Identity:

    1. Log into the Ping Identity portal using the account which has privileges for managing user groups and configuring enterprise applications.

    2. On the Start page, choose Administrator environment (or any other environment that you might have created before) to open the Ping Identity console page.

    3. Using the left-hand side bar, navigate to the Groups menu in the Directory section.

    4. You need to create two groups, one for the users who are supposed to be granted the admin permissions to access your organization’s business account registered with Parallels, and another for the regular Parallels Desktop users who are expected to sign into their copies of Parallels products via SSO.

    5. Click the Add (+) icon to launch the group creation wizard, and type in the group name and description. Click Save and wait while the group is being created. Make sure to copy the Group ID parameters from both groups.

    6. Using the left-hand side bar, navigate to the Applications page in the Applications section and select the Parallels app that you have set up in .

    7. In the Parallels app card, navigate to the Access tab and click on the Edit button to open the Edit Access menu.

    8. We strongly recommend that you deselect the option to display the Parallels app on the company portal.

    9. Under the Groups section, select the groups created in Step 4 to connect them to the application.

    10. Copy the group's name that you have specified and its ID to Parallels My Account. To do so, switch back to the at Parallels My Account, expand the Step 3 section, use the click-to-edit link, paste the group's name and ID in the corresponding input fields of the section Parallels Business Account Admins, and click Save. Repeat that for the Parallels Desktop users group.

    Note: Please make sure that the respective group names on the IdP side and the Parallels My Account side match precisely. This will help you avoid potential problems as some IdPs use group names in their identification and authorization processes.

    Make sure you have configured both groups: for the Parallels Desktop users and for the Parallels business account admins. If everything is set, click Save at the bottom and proceed to the next step.

    (4) Configure SAML Integration

    SAML 2.0 integration between Parallels My Account and your organization’s IdP allows your organization's users to activate their copies of Parallels Desktop for Mac Enterprise Edition using Single Sign-On (SSO) while your admins can use it to log into the business account registered with Parallels using their main corporate login credentials.

    To complete this step, you must copy some parameters from your Parallels My Account to the settings section of the Parallels enterprise application registered in the IdP Directory and then copy certain data provided in the IdP Directory to the Parallels My Account admin panel.

    The following description illustrates the procedure for Ping Identity. It is assumed that you have appropriate permissions that allow you to configure enterprise applications in Ping Identity. If your organization uses a different IdP service, follow the instructions provided in the chapter specific to your IdP of choice.

    Expand the section of Step 4 on the integration configurator page in Parallels My Account. Note that there are two groups of parameters in the section. The first group has two values, Service Provider Entity ID and Assertion Consumer Service URL, which must be copied from Parallels My Account to the IdP Directory. The second group includes three parameters – Identity Provider Entity ID, Identity Provider SSO URL, and Public Certificate. The values for these parameters must be copied from your IdP Directory to Parallels My Account.

    Parameters can be copied between Parallels My Account and the IdP Directory either via metadata files (assuming your IdP software supports transferring those parameters via external files) or manually.

    The first group of parameters, Service Provider Entity ID and Assertion Consumer Service URL (both values are pre-set automatically and cannot be changed), is already copied from Parallels My Account to the IdP Directory during the creation of Enterprise Application in Step 2.

    To transfer the second set of parameters from Ping IdP to My Account:

    1. Navigate to the Application tab and click on the application that has been created in the previous step (2) Register Parallels enterprise app. Proceed to the Overview tab and click Download Metadata under Connection Details.

    2. Switch to the IdP integration page in My Account, scroll down, and expand Step 4 ("Configure SAML integration"). Under Identity Provider Settings, click on the Upload a metadata file link and select the downloaded XML file.

    3. Select the Configuration in the IdP Directory is done option at the bottom of the section and click Save.

    4. Return to the Applications tab in Ping IdP and close the Configuration tab, after which ensure that the app access switch is on.

    Proceed to the next step.

    (5) Configure SCIM Integration

    SCIM 2.0 integration between Parallels My Account and your Organization’s IdP allows you to keep user identity information in Parallels My Account in constant sync with the updates made to user identities in the IdP Directory.

    It is assumed that your IdP software supports SCIM. For this reason, the SCIM Support option in the Step 5 section on the integration configurator page in the Parallels My Account is enabled by default. If your IdP does not support SCIM, disable the option and move on to the next step.

    The following description is based on the assumption that SCIM is supported.

    To configure provisioning via SCIM, you must copy two parameters: SCIM Base URL and Bearer Token (both values are pre-set automatically and cannot be changed) from the Step 5 section of the integration configurator in Parallels My Account to the IdP Directory.

    The description below illustrates the procedure for Ping Identity. It is assumed that you have appropriate permissions that allow you to configure enterprise applications in Ping Identity. If your organization uses a different IdP service, follow the instructions provided in the admin guide specific to your IdP of choice.

    To configure SCIM settings at the Ping Identity management portal:

    1. Open the navigation sidebar and go to Integrations → Provisioning.

    2. Create a new SCIM connection by clicking the Add (+) and selecting New connection.

    3. From the connection catalog, select SCIM Outbound and click Next.

    4. Enter a name and description for this provisioning connection (the actual name and description remain at your discretion). The connection name will appear on the list once you have completed and saved the connection.

    5. Click Next.

    6. On the Configure authentication screen, enter the following:

      1. SCIM Base URL. The fully qualified URL to use for the SCIM resources is .

      2. Select the authentication method to use: OAuth2 Bearer Token.

      3. Select the Auth Type Header

    7. Click Save.

    8. Turn on SCIM by toggling the switch.

    Now you need to create a provisioning rule. Follow these steps:

    1. While remaining on the Provisioning page, click the Add (+) button in the top-left corner again, and select New Rule.

    2. Choose the name and description for the rule.

    3. On the next page of the wizard, click on the Target box and select your newly created SCIM connection as the target by clicking on the (+) button. Click Save.

    4. [MANDATORY] In the next step, set up the user filter by clicking the Edit button, configuring any rule to your liking, and clicking Save. Note that this step is mandatory, and the SCIM integration will not work without a working filter.

    5. Switch to the Attribute Mapping step by clicking the respective icon. Click on the Edit button. Here, it is essential that you do two things:

      1. Change the userName attribute value from the default Username to email. Use the respective drop-down selector in the left column to choose Email Address.

      2. Add another mapping rule by clicking the + Add button. Map

    6. Return to the Configuration tab and switch to the final icon, Group Provisioning. Click the Add Groups button and add all the groups as required, making sure the Parallels Desktop administrators and users groups, and any other groups that may need to activate Parallels Desktop for Mac, are added. Click Save.

    7. Once the groups have been selected, enable the new rule and test synchronization by clicking Resync.

    Switch back to Parallels My Account and select the Configuration in the IdP Directory is done option at the bottom of the section to confirm that you have finished the configuration procedure in the IdP Directory. Then continue to the next step.

    (6) Add Users to the Application Groups

    Add users to the groups created in Step 3 (described earlier) to enable end users to activate their copies of Parallels Desktop for Mac Enterprise Edition using SSO and grant administrators permission to log into your organization’s business account registered with Parallels.

    To do so, navigate to the Start page and choose Administrator environment (or any other environment that you might have created before) to open the Ping Identity console page. Navigate to Identities, then Users, and create users by clicking the Add User button. Once it is done, or if you plan to add users later, select the Configuration in the IdP Directory is done option at the bottom of the section.

    Once users have been created, you need to add them to the groups created above. To do so, navigate back to the Identities tab and switch to the Groups tab. Click on the group name and add users to it.

    (7) Configure Backup Login

    The backup login can be used to access your organization’s business account registered with Parallels, bypassing Single Sign-On in the event of an SSO malfunction. By default, the backup login is set to the email address of the currently logged-in user. If you want to define a different backup login, add more users first on the Users page of the Business Profile section in Parallels My Account. The new user must log into the business account at least once before they can be designated as a backup login.

    Warning: Once you have completed the integration process and activated the SSO functionality, only users from the Administrators group in your IdP signing in via SSO will retain access to managing the Parallels business account. All previous administrative privileges based on logins and passwords will become inactive.

    Your designated backup login will continue to work.

  • Add one or more domains your organization uses.

  • Each domain must be unique and can only be registered to one business account that your organization has registered with Parallels.

  • Make sure to add only the domains your organization can control.

  • The Parallels My Account service verifies the domain ownership by checking a specific TXT record that must be added to the DNS host of the corresponding domain. Make sure that all domains added to the list are verified before proceeding with the next steps.

    Depending on the software and/or provider, a TXT record may take up to 72 hours to propagate. You can check whether it's been configured using the following command:
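    The check this guide gives is `dig TXT {yourdomain}.{com}`. Because a record can be published yet still hidden behind resolver caches, the Python script below (an added example, not part of the Parallels guide) asks the domain's authoritative name servers and public recursive resolvers separately and reports where the record is visible. It shells out to dig; the expected TXT value is a placeholder and the resolver addresses are assumptions.

```python
import re
import shlex
import subprocess

# Placeholder only: use the exact TXT value shown for your domain in Step 1.
EXPECTED_TXT = "example-verification-value"
# Assumption: two well-known public recursive resolvers.
PUBLIC_RESOLVERS = ("1.1.1.1", "8.8.8.8")

_SAFE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._:-]*$")


def is_safe(value):
    """Reject anything dig could read as an option ('-f', '+short', '@host')."""
    return bool(_SAFE.match(value))


def parse_txt(dig_short_output):
    """Turn `dig +short TXT` output into a list of record values.

    Each output line is one record made of one or more quoted strings;
    values longer than 255 bytes are split and have to be joined back.
    """
    records = []
    for line in dig_short_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # skip dig diagnostics
            continue
        try:
            chunks = shlex.split(line)
        except ValueError:                     # unbalanced quote: keep raw
            chunks = [line]
        records.append("".join(chunks))
    return records


def dig_short(rtype, name, server=None):
    """Run dig for one record type, optionally against a specific server."""
    for value in filter(None, (name, server)):
        if not is_safe(value):
            raise ValueError("refusing to pass %r to dig" % value)
    cmd = ["dig"] + (["@" + server] if server else [])
    cmd += [name, rtype, "+short", "+time=3", "+tries=1"]
    done = subprocess.run(cmd, capture_output=True, text=True,
                          timeout=15, check=False)
    return done.stdout


def classify(expected, authoritative, recursive):
    """Both arguments are {server: [TXT values]} maps."""
    if not authoritative:
        return "no-nameservers-found"   # e.g. a subdomain without its own NS
    auth_hits = [s for s, recs in authoritative.items() if expected in recs]
    rec_hits = [s for s, recs in recursive.items() if expected in recs]
    if not auth_hits:
        return "not-published"          # record is not at the DNS host yet
    if len(auth_hits) < len(authoritative):
        return "partially-published"    # name servers are not in sync yet
    if len(rec_hits) < len(recursive):
        return "still-propagating"      # published, caches have not caught up
    return "visible-everywhere"


def check_domain(domain, expected=EXPECTED_TXT, resolvers=PUBLIC_RESOLVERS):
    """Query the zone's own name servers, then the recursive resolvers."""
    nameservers = [ns.rstrip(".") for ns in dig_short("NS", domain).split()]
    authoritative = {ns: parse_txt(dig_short("TXT", domain, ns))
                     for ns in nameservers}
    recursive = {r: parse_txt(dig_short("TXT", domain, r)) for r in resolvers}
    return classify(expected, authoritative, recursive)


if __name__ == "__main__":
    print(check_domain("example.com"))
```

    A result of "not-published" points at the DNS host configuration, while "still-propagating" only needs time.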

    (2) Register Parallels Enterprise App and Configure SAML Settings

    Registering the Parallels enterprise application (required for integrating with the Parallels My Account service) in the IdP Directory allows you to configure the SSO-related parameters and correctly provision the integration between your IdP and the Parallels My Account service. The description below illustrates the registration procedure for Okta. It is assumed that you have the permissions required to register and configure enterprise applications with Okta. If your organization uses a different IdP service, follow the instructions provided in the admin guide specific to your IdP of choice. To register a Parallels enterprise application with Okta:

    1. Log into the Okta management portal using an account that has privileges for registering and configuring enterprise applications for your organization.

    2. On the portal’s landing page, expand the Applications section and choose the Applications item from the left-hand side panel to open the page with the list of enterprise applications registered for your organization.

    3. Click the Create App Integration button, which is located above the list of registered applications. It opens the pop-up dialog titled Create a new app integration.

    4. In the Create a new app integration dialog, choose SAML 2.0 as your sign-in method, then click Next.

    5. On the next page, type the name of the application (the actual name remains at your discretion) in the App name field, then select the Do not display application icon to users option. Click Next to proceed with configuring the SAML settings for the application.

       SAML 2.0 integration between Parallels My Account and your organization’s IdP allows your users to activate their copies of Parallels Desktop for Mac Enterprise Edition using Single Sign-On (SSO) and your system administrators to use it to log into your organization’s Parallels business account. To complete this step, you must copy certain parameters from Parallels My Account and save them in the settings of the Parallels enterprise application registered with Okta, then copy some data provided by Okta and save it in Parallels My Account.

    6. Switch to the integration configurator page of Parallels My Account. Expand the Step 4 section on the integration configurator page. Note that there are two sets of parameters in the section. The first set has two values, Service Provider Entity ID and Assertion Consumer Service URL, that must be copied from Parallels My Account to Okta. The second set includes three parameters: Identity Provider Entity ID, Identity Provider SSO URL, and Public Certificate. The values for these parameters must be copied from Okta to Parallels My Account.

    7. On Okta’s Create SAML Integration page (this page should have opened after completion of Step 5, as described above), insert the values into the Single sign-on URL and Audience URI (SP Entity ID) fields, as specified below:

      1. The Assertion Consumer Service URL value from Parallels My Account (in the Step 4 section of the integration configurator) must be copied to the Single sign-on URL input field in Okta.

      2. The Service Provider Entity ID value from Parallels My Account (in the Step 4 section of the integration configurator) must be copied to the Audience URI (SP Entity ID) input field in Okta.

    8. Keep the Use this for Recipient URL and Destination URL option enabled (it is enabled by default). Leave the parameters in the General section set to the defaults.

    9. Scroll the page down to the section Attribute Statements (optional). Add the following attributes to the list (keep the text values and punctuation marks exactly as specified):

      1. objectidentifier (Name format: Unspecified) > user.id

      2. name (Name format: Unspecified) > user.login

      3. displayName (Name format: Unspecified) > user.displayName

    10. Scroll down the page to the section Group Attribute Statements (optional). Add the following attribute to the list (use the name of the value and punctuation mark exactly as specified):

      1. groups (Name format: Unspecified) > (Filter: Matches regex), set the value to .*Parallels.*, making sure to follow the syntax exactly.

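      ATTENTION: The purpose of this filter is to avoid excessively large claims in setups with a large overall number of groups, making sure the claim only contains the groups that relate to the Parallels Desktop SSO setup. If you have named the groups differently (e.g., PD Admins/PD Users), amend the filter expression accordingly.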

    11. Scroll to the bottom of the page and click Next. It opens the section Help Okta Support understand how you configured this application. Choose the option I’m an Okta customer adding an internal app, and then, once the additional section App type opens, choose the option This is an internal app that we have created.

    12. Finally, click Finish, and once the registration process finishes, you will end up on the application’s home page.

    13. Switch back to the integration configurator page at Parallels My Account, expand the Step 2 section (“Register Parallels enterprise app”), and select the option Configuration in the IdP Directory is done.

    Once the registration of the Parallels enterprise application with Okta is completed, you must transfer three parameters from Okta to Parallels My Account. To do so, follow these steps:

    1. Switch back to the Okta management portal. When on the enterprise application’s home page in Okta, ensure the currently selected tab is Sign On. Locate the View SAML Setup Instructions button on the right side of the page. Clicking the link opens the page How to Configure SAML 2.0 for %1 Application, where %1 is the name of the enterprise application registered previously. The page contains the three parameters that must be transferred to Parallels My Account. The same three parameters can also be found in the Metadata Details section of the SAML 2.0 card under More details.

    2. Transfer the values from Okta to the Step 4 section of the integration configurator page in Parallels My Account as specified below:

      1. The value Identity Provider Issuer from Okta must be copied to the input field Identity Provider Entity ID.

      2. The value Identity Provider Single Sign-On URL from Okta must be copied to the input field Identity Provider SSO URL.

      3. The content of the X.509 Certificate from Okta must be copied to the input field Public Certificate.

      Instead of copying and pasting these values manually, you can download the metadata in the Okta interface and then upload the resulting XML file using the Upload a metadata file link in the Parallels My Account interface.

      1. In the SAML 2.0 card section, locate Metadata URL under the Metadata Details section.

      2. Copy and paste the Metadata URL into a new browser tab or window.

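      3. Use Ctrl/Cmd+S to save the metadata as an XML file.

      4. Switch to Parallels My Account interface, open the Step 4 Identity Provider Settings, click Upload a metadata file, and choose the newly created XML file.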

    Once you have copied the values from Okta to Parallels My Account, click the Save button in the Step 4 section on the integration configurator page at Parallels My Account and select the Configuration in the IdP Directory is done option at the bottom of the section. Then proceed to the next step.

    (3) Configure User Groups Mapping

    You must create user groups associated with the Parallels enterprise application in your IdP Directory. Later, you will add users to those groups to let Parallels My Account know which users should be able to activate their copies of Parallels Desktop for Mac Enterprise Edition using SSO and which ones should have business account admin privileges in the Parallels ecosystem. At least one user group is required for adding users with admin access to your organization’s business account registered with Parallels. Once the group is created, you should add the group's names in Step 3 of the integration configurator page in Parallels My Account.

    Start with creating the group in the IdP Directory. To create a user group for the Parallels enterprise application in Okta:

    1. Log into the Okta management portal using the account with privileges for managing user groups and configuring enterprise applications.

    2. On the portal's landing page, expand the section Directory and choose the item Groups on the left-hand side panel to open the page with the list of the groups registered for your organization.

       Note: You must repeat steps 3 and 4 as described below three times: first, to create the group for Parallels Administrators, then Parallels Desktop for Mac users, and finally, to create the transit group that is supposed to be assigned to the Parallels enterprise application registered with Okta. The transit group is required to push users from the other groups to the Parallels application.

    3. Click the Add Group button placed above the list of groups, which opens the Add group popup dialog.

    4. Type in the name and the group description, and click Save.

    5. Make sure you have repeated steps 3 and 4 three times and created three separate groups as specified above.

    Note: Please ensure that the respective group names on the IdP side and the Parallels My Account side match precisely and that in Parallels My Account, the group names match each other precisely. This will help you avoid potential problems, as some IdPs use group names in their identification and authorization processes.

    Write down the name of the group created for the Parallels Business Account Admins. You must transfer these values to Parallels My Account later.
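    The group filter from step 10 of section (2) and the name-matching requirement in the note above can be checked before SSO is activated. The following Python script is an added example, not part of the Parallels or Okta documentation; the group names are constructed, and it assumes the filter is applied to the whole group name with Python regex semantics (for patterns of the form .*X.* a full match and a search give the same result).

```python
import re

GROUP_FILTER = r".*Parallels.*"  # filter value from step 10 of section (2)

# Constructed sample: group names as they might exist in the IdP directory.
SAMPLE_GROUPS = [
    "Parallels Administrators",
    "Parallels Desktop Users",
    "Parallels Transit",
    "PD Admins",
    "Engineering",
]


def _norm(name):
    """Collapse case and whitespace so near-miss names can be detected."""
    return " ".join(name.split()).casefold()


def check_group_mapping(idp_groups, mapped, group_filter=GROUP_FILTER):
    """Compare IdP group names with the names entered in Step 3.

    idp_groups: group names as they exist in the IdP directory.
    mapped:     {"role": "name typed into Parallels My Account"}.
    Returns (claim, findings): the group names the filter keeps in the
    `groups` claim, and a dict mapping each role to a status string.
    """
    pattern = re.compile(group_filter)
    claim = [g for g in idp_groups if pattern.fullmatch(g)]
    findings = {}
    for role, name in mapped.items():
        if name in claim:
            findings[role] = "ok"
        elif name in idp_groups:
            # The group exists, but the regex drops it from the claim.
            findings[role] = "filtered-out"
        else:
            # Same name apart from case or spacing: a typo on one side.
            near = [g for g in idp_groups if _norm(g) == _norm(name)]
            findings[role] = f"near-miss:{near[0]}" if near else "missing"
    return claim, findings


if __name__ == "__main__":
    scenarios = [
        # Lower-case "users" typed on the Parallels side.
        ({"admins": "Parallels Administrators",
          "users": "Parallels Desktop users"}, GROUP_FILTER),
        # Groups named differently while the default filter is kept.
        ({"admins": "PD Admins"}, GROUP_FILTER),
        # Same groups after amending the filter expression.
        ({"admins": "PD Admins"}, r".*PD.*"),
    ]
    for mapped, flt in scenarios:
        claim, findings = check_group_mapping(SAMPLE_GROUPS, mapped, flt)
        print(f"filter={flt!r} claim={claim} findings={findings}")
```

    Any status other than ok for the administrators group means that no one would hold admin rights over SSO once it is activated, leaving only the backup login.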

    Next, assign the Parallels enterprise application registered with Okta to the transit group that you have created before. Make sure you are on the page with the list of groups at the Okta management portal. To assign the application to the transit group, follow the instructions below:

    1. Find the transit group in the list of groups.

    2. Click on the group’s item in the list to open the page with the group's details.

    3. Click the Applications tab at the top to open the list of applications assigned to the group. Since the group is new, the list is supposed to be empty.

    4. Click the Assign Applications button to launch the popup dialog titled Assign Applications to %1, where %1 is the name of the transit group.

    5. Locate the Parallels enterprise application that has been registered with Okta before and click Assign.

    6. Click Done to save the assignment. You will now see the Parallels enterprise application on the list of the transit group's assigned applications.

    After that, you must create a rule to push members from the groups created for the Parallels Administrators to the Parallels enterprise application through the transit group. Make sure you are on the Okta admin portal’s page with the list of groups. To create the rule, follow these steps:

    1. When on the page with the list of groups, click Rules at the top of the list to open the list of rules created for the groups.

    2. Click Add Rule to create a new rule. It opens the pop-up dialog titled Add Rule.

    3. Type the name of the rule (use whatever name you find suitable).

    4. Choose the Use basic condition option, then select Group membership from the list below.

    5. In the input field below, type the name of the group that has been created for the Parallels Administrators.

    6. In the THEN Assign to input field, type in the name of the transit group.

    7. Click Save to save the rule. Now you will see the new rule in the list of rules.

    Once the rule has been created, activate it by clicking on the Actions drop-down menu on the right and then Activate.

    Before proceeding, make sure that the following conditions have been met:

    • At least one group has been created for the Parallels Business Account Admins.

    • You have written down the unique names of the groups you have created for the Parallels users and admins.

    • An additional transit group has been created, and the Parallels enterprise application has been registered with Okta and assigned to that group.

    • A rule has been created that enables you to push members of both the admin and user groups to the Parallels enterprise application through the transit group.

    To complete this step, switch to the integration configurator page at Parallels My Account and expand Step 3 (“Configure user groups mapping”).

    Click the Click to edit link for the respective group and insert the Parallels Admins group name you have written down earlier into both corresponding fields (“UUID” and “Display Name”), then do the same for the Parallels Desktop Users group section. Click Save to save the changes.

    (4) Configure SAML Integration

    SAML 2.0 should already be configured for the Parallels enterprise application registered with Okta, because this is done when the application is registered (refer to chapter (2) Register Parallels enterprise app and configure SAML settings earlier in this document for more details).

    Make sure to check the Step 4 section on the integration configurator page at Parallels My Account. All fields must be filled in, and the Configuration in the IdP Directory is done option must be enabled.

    If everything is set, proceed to the next step.

    (5) Configure SCIM Integration

    SCIM 2.0 integration between Parallels My Account and your Organization’s IdP allows you to keep user identity information in Parallels My Account in constant sync with the updates made to user identities in the IdP Directory. Okta supports the SCIM 2.0 protocol, which is used for this purpose.

    To configure provisioning via SCIM, you must first enable provisioning for the Parallels enterprise application registered with Okta. After that, you must copy two parameters, SCIM Base URL and Bearer Token, from Parallels My Account (the section of Step 5 of the integration configurator) to Okta. Finally, you must configure the push of the user groups from Okta to Parallels through SCIM.

    The description below illustrates the procedure for Okta. It is assumed that you have appropriate permissions to configure enterprise applications in Okta. To configure the provisioning settings for the Parallels enterprise application registered with Okta:

    1. Log into the Okta management portal using the account with privileges for configuring enterprise applications.

    2. When on the portal's landing page, choose Applications > Applications in the left-hand side panel to open the list of enterprise applications registered for your organization.

    3. Find the Parallels enterprise application that has been registered before (refer to chapter (2) Register Parallels enterprise app and configure SAML settings earlier in this document for details). Select the application’s item from the list to open the app’s home page.

    4. Click on the General tab to switch to the tab that displays the app’s general settings. There, click Edit in the upper right corner of the tab to switch to edit mode.

    5. Select the option Enable SCIM Provisioning and click Save.

    6. A new tab called Provisioning will appear at the top of the page. Click on it to open the tab where you can configure the SCIM settings for the application.

    7. While on the Provisioning tab, click Edit in the upper right corner to switch to edit mode.

    8. Switch to Parallels My Account, open the integration configurator page, and expand the Step 5 section (“Configure SCIM integration”).

    9. Copy the values from the Step 5 section of Parallels My Account to Okta, as specified below:

      1. SCIM connector base URL (Okta): insert the value of the parameter SCIM Base URL copied from Parallels My Account.

      2. Bearer (Okta): insert the value of the parameter Bearer Token copied from Parallels My Account. The Bearer field in Okta is not displayed by default. To make it visible, switch Authentication Mode to HTTP Header.

    10. Enable the options Push New Users, Push Profile Updates, and Push Groups on the same page in Okta.

    11. Insert the text userName (use the text exactly as it is provided here: userName) into the input field Unique identifier field for users.

    12. Click Save to save the changes. Okta’s interface will revert to the Provisioning tab of the Parallels enterprise application.

    13. Make sure the section To App is selected on the left. Click Edit to switch to edit mode. Enable the following options: Create Users, Update User Attributes, Deactivate Users. Click Save to save the changes.

    14. Click the Push Groups tab at the top to open the tab with the list of groups from which the users are supposed to be pushed to the Parallels ecosystem. The list is supposed to be empty.

    15. Click Push Groups > Find groups by name to open the dialog, which allows you to specify the group that must be pushed. Specify the name of the group that has been created for the Parallels Admins (refer to chapter (3) Configure user groups mapping earlier in this document for more details) and select the group when it shows up in the list. The section with additional parameters will appear below. Keep the default settings. Scroll down and click Save. You will see the new group on the list.

    When you complete configuring the provisioning settings for the Parallels enterprise application in Okta, switch back to Parallels My Account and select the option Configuration in the IdP Directory is done at the bottom of the Step 5 section (“Configure SCIM integration”).

    Continue to the next step.

    (6) Add Users to the Application Groups

    Add users to the groups created in Step 3 (described earlier in the chapter (3) Configure user groups mapping) to enable users to activate their copies of Parallels products via SSO and administrators to access your organization’s business account registered with Parallels.

    To do so, switch to Okta and follow the standard procedure for adding users to groups. Please note that no user will be able to activate their Parallels product unless they have been added to the User group.

    Once it is done, switch back to the integration configurator page at Parallels My Account, expand the Step 6 section (“Add users to the application groups”) and select the option Configuration in the IdP Directory is done at the bottom of the section.

    (7) Configure Backup Login

    The backup login can be used to access your organization’s business account registered with Parallels, bypassing Single Sign-On in case of an SSO malfunction. By default, the backup login is set to the email address of the currently logged-in user. If you want to define a different backup login, add more users first on the Users page of the Business Profile section in Parallels My Account. The new user must log into the business account at least once before being designated as a backup login.

    Warning: Once you have completed the integration process and activated the SSO functionality, only users from the Administrators group in your IdP signing in via SSO will retain access to managing the Parallels business account. All previous administrative privileges based on logins and passwords will become inactive.

    Your designated backup login will continue to work.

    $ dig TXT {yourdomain}.{com}
    objectidentifier -> User ID

    In case pasting values into the fields does not work, use the Advanced Expressions button and paste the expression value there.

  • Copy the contents of the Bearer Token from Parallels My Account and paste it into the respective field.

  • Click Test Connection and if successful, click Next.

  • For the User Filter Expression parameter, the exact value should be userName eq "%s". Make sure that the N in the userName is capitalized.

  • The User Identifier parameter should be workEmail.

  • displayName to Given Name. Click Save.

    Your attribute mapping section should look like this:

    https://account.parallels.com/scim





    Configuring SSO Integration with JumpCloud

    Follow the steps below one by one to integrate Parallels My Account with JumpCloud.

    (1) Configure Organization's Domain(s)

    A domain is a part of the email addresses (after the @ symbol) used by the end users in your organization. When end users try to log in to Parallels My Account using SSO, they are prompted to enter their work email address. Parallels My Account checks the domain part of the email address and recognizes that the user belongs to your organization. Click on the title of Step 1 to expand it and read the instructions carefully.

    • Add one or more domains your organization uses.

    • Each domain must be unique and can only be registered to one business account that your organization has registered with Parallels.

    • Make sure to add only the domains your organization can control.

    The Parallels My Account service verifies the domain ownership by checking a specific TXT record that must be added to the DNS host of the corresponding domain. Make sure that all domains added to the list are verified before proceeding with the next steps.

    Depending on the software and/or provider, a TXT record may take up to 72 hours to propagate. You can check whether it's been configured using the following command:

    $ dig TXT {yourdomain}.{com}

    (2) Register Parallels Enterprise App and Configure SAML Settings

    Registering the Parallels enterprise application (required for integrating with the Parallels My Account service) in the IdP Directory allows you to configure the SSO-related parameters and correctly provision the integration between your IdP and the Parallels My Account service.

    The process below describes setting up a new Enterprise Application for JumpCloud:

    1. Log into the JumpCloud administrative console. On the left-hand side panel, find the User Authentication section and select SSO Applications. Click the + Add New Application button on the new page.

    2. At the Select Application step, choose the Custom Application option in the bottom right corner and click Next at the next screen.

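    3. At the Select the features you would like to enable step, choose the Manage Single Sign-On (SSO) and Export users to this app (Identity Management) options. For the SSO functionality, choose the Configure SSO with SAML option. Click Next.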

    While you have the SSO tab of your Parallels application open on the JumpCloud side, you can also finish configuring the SAML integration. Follow these steps:

    1. On the JumpCloud side, in the same SSO tab of your Parallels app card, scroll to the very top and click the Export Metadata button. This will download an XML file to your computer.

    2. On the Parallels side, go back to the SSO setup procedure, expand Step (4) Configure SAML Integration, locate the Identity Provider Settings section and use the Upload the metadata file link to upload the XML file that you have just downloaded from JumpCloud.

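      Note: If the upload fails for some reason, open the file in a text editor and copy the contents as directed: the value entityID into the Identity Provider Entity ID field, the URL from the location value into the Identity Provider SSO URL field, and the public key from the <ds:X509Certificate></ds:X509Certificate> tag into the Public Certificate field.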
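    The three values named in the note above (and in the Okta metadata download steps earlier) can be pulled out of the exported XML and sanity-checked instead of being copied by eye. This Python script is an added example, not Parallels or JumpCloud code; the metadata, host name and certificate bytes are constructed placeholders, and preferring the HTTP-Redirect endpoint when several are listed is an assumption.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder bytes, NOT a real certificate (0x30 is the DER SEQUENCE tag).
SAMPLE_CERT_DER = b"\x30\x82" + b"constructed placeholder, not a real certificate" * 3


def build_sample_metadata(include_sso=True):
    """Return constructed IdP metadata shaped like an exported SAML 2.0 file."""
    cert = textwrap.fill(base64.b64encode(SAMPLE_CERT_DER).decode(), 64)
    sso = (f'<md:SingleSignOnService Binding="{REDIRECT}" '
           'Location="https://sso.example.invalid/saml2/parallels"/>') if include_sso else ""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="JumpCloudParallels">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{cert}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    {sso}
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".encode("utf-8")


def extract_idp_settings(metadata):
    """Extract entity ID, SSO URL and signing certificate(s) from IdP metadata.

    Parse only a file exported from your own IdP. Raises ValueError when a
    value needed by the Identity Provider Settings section is absent.
    """
    root = ET.fromstring(metadata)
    if root.tag == f"{{{MD}}}EntityDescriptor":
        entity = root
    else:  # some IdPs wrap the entity in an EntitiesDescriptor
        entity = root.find("md:EntityDescriptor", NS)
    if entity is None or not entity.get("entityID"):
        raise ValueError("no EntityDescriptor with an entityID")
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata does not describe an identity provider")

    endpoints = {e.get("Binding"): e.get("Location")
                 for e in idp.findall("md:SingleSignOnService", NS)}
    if not endpoints:
        # Per the page, JumpCloud only includes the login URL in the metadata
        # when the Declare Redirect Endpoint box is ticked.
        raise ValueError("no SingleSignOnService endpoint in metadata")
    sso_url = endpoints.get(REDIRECT) or next(iter(endpoints.values()))
    if not sso_url or not sso_url.lower().startswith("https://"):
        raise ValueError(f"SSO URL is missing or not HTTPS: {sso_url!r}")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # skip encryption-only keys
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            body = "".join((node.text or "").split())  # drop line wrapping
            der = base64.b64decode(body, validate=True)
            if not der or der[0] != 0x30:
                raise ValueError("X509Certificate content is not DER")
            certs.append({"base64": body,
                          "sha256": hashlib.sha256(der).hexdigest()})
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": entity.get("entityID"), "sso_url": sso_url,
            "sso_endpoints": endpoints, "certificates": certs}


if __name__ == "__main__":
    settings = extract_idp_settings(build_sample_metadata())
    print("Identity Provider Entity ID:", settings["entity_id"])
    print("Identity Provider SSO URL:  ", settings["sso_url"])
    for cert in settings["certificates"]:
        print("Public Certificate SHA-256: ", cert["sha256"])
```

    To check a real export, pass the file's bytes to extract_idp_settings() and compare the fingerprint with one computed from the certificate shown in the IdP console.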

    Proceed to the next step.

    (3) Configure User Groups Mapping

    You must create user groups associated with the Parallels Desktop application in your IdP Directory. Later, you will add users to those groups to let Parallels My Account know which users should have business account admin privileges in the Parallels ecosystem. At least one user group is required to add users with admin access to your organization’s business account registered with Parallels, and one more is required for the users of Parallels Desktop for Mac. Once the group is created, you should add the group's name and ID in Step 3 of the integration configurator page in Parallels My Account.

    Start with creating the group in the IdP Directory. To do so, switch to your IdP management portal and follow the standard procedure of creating a user group and associating it with the Parallels enterprise application, as provided by your Organization’s IdP. The description below illustrates the registration procedure for JumpCloud. It is assumed that you have appropriate permissions to manage user groups in JumpCloud. To create a user group for the Parallels enterprise application in JumpCloud:

    1. In the JumpCloud admin console, find the User Management section on the left-hand side panel and click on User Groups.

    2. Click on the + button to create a new group.

    3. In the new group panel, give it a name (e.g., Parallels Desktop Administrators), and optionally, add a description and click Save Group in the bottom right corner. At least two groups are required: one for the administrators with access to license management in Parallels My Account and one for the app users who need to activate their Parallels Desktop licenses. Note: If any of the administrators also need to activate Parallels Desktop, you also need to add them to the user group.

    Once the required groups have been created in the IdP Directory and associated with the Parallels app, move on to the next step.

    (4) Configure SAML Integration

    SAML 2.0 should already be configured for the Parallels enterprise application registered with JumpCloud, because this is done when the application is registered (refer to chapter (2) Register Parallels enterprise app and configure SAML settings earlier in this document for more details).

    Make sure to check the Step 4 section on the integration configurator page at Parallels My Account. All fields must be filled in, and the Configuration in the IdP Directory is done option must be enabled.

    If everything is set, proceed to the next step.

    (5) Configure SCIM Integration

    SCIM 2.0 integration between Parallels My Account and your Organization’s IdP allows you to keep user identity information in Parallels My Account in constant sync with the updates made to user identities in the IdP Directory. JumpCloud supports the SCIM 2.0 protocol, which is used for this purpose.

    To set up SCIM integration with JumpCloud, do the following:

    1. In JumpCloud, select SSO Applications from the left-hand side panel and click on the Parallels app created earlier.

    2. In the app panel, switch to the Identity Management tab.

    3. Select API Type: SCIM API and SCIM Version: SCIM 2.0, and leave the Use mTLS authentication box unchecked. Then switch to the My Account IdP integration page and expand Step (5) Configure SCIM Integration.

    Continue to the next step.

    (6) Add users to the application groups

    For users to be able to use the application to sign in or activate with Parallels, they have to be created and added to the groups tied to the Enterprise Application.

    To add users to the groups created in step (3), go to JumpCloud, select User Groups from the left-hand side panel, click on the required group, switch to the Users tab, and populate it with users as required.

    Once it is done, or if you plan to add users later, switch back to the My Account SSO setup page, expand Step 6, "Add Users to Application Groups", and mark the Configuration in the IdP Directory is complete checkbox at the bottom of the section.

    (7) Configure backup login

    The backup login can be used to access your organization’s business account registered with Parallels, bypassing Single Sign-On in the event of an SSO malfunction. By default, the backup login is set to the email address of the currently logged-in user. If you want to define a different backup login, add more users first on the Users page of the Business Profile section in Parallels My Account. The new user must log into the business account at least once before they can be designated as a backup login.

    Warning: Once you have completed the integration process and activated the SSO functionality, only users from the Administrators group in your IdP signing in via SSO will retain access to managing the Parallels business account. All previous administrative privileges based on logins and passwords will become inactive.

    Your designated backup login will continue to work.

  • At the Enter general info step, fill out the parameters as you see fit and click Save Application in the bottom right corner. Make sure to devise a unique login URL under Advanced Settings. Note: We recommend you uncheck the box Show this application in User Portal. Clicking on the application icon from JumpCloud's user portal triggers IdP-initiated SSO, which is currently not supported.

  • Click Configure Application in the bottom right corner to continue setting up the Parallels application's integration with JumpCloud.

  • Select your application from JumpCloud's list of Configured Applications, and make sure you are switched to the SSO tab.

  • In the IdP Entity ID field, type in a unique name, e.g., "JumpCloudParallels".

  • Go to the SSO setup page of Parallels My Account, expand Step (4) Configure SAML Integration, and copy the URL parameters into the respective fields of the SSO tab on the JumpCloud side:

    1. From Service Provider Settings/Service Provider Entity ID (Parallels) to SP Entity ID (JumpCloud);

    2. From Service Provider Settings/Assertion Consumer Service URL (Parallels) to ACS URLs/Default URL (JumpCloud).

    Note: Alternatively, you may use the Download the metadata file link on the Parallels side and the Upload Metadata button on the JumpCloud side to populate the fields automatically.

  • IMPORTANT! Under the Sign* section of the JumpCloud SSO settings tab, make sure to select the Assertion and Response option.

  • IMPORTANT! Under the Login URL section of the JumpCloud SSO settings tab, make sure to tick the Declare Redirect Endpoint box for this address to be included in the IdP metadata file.

  • Scroll down to the Attributes section and use the add attribute button to add the following attributes exactly as shown in the image below:

  • Under the GROUP ATTRIBUTES section, check the box titled include group attribute and set the parameter to groups, and click Activate SSO if it is not active yet.

  • Switch back to the Parallels My Account, expand Step (2) Register the Parallels Enterprise App, and check the Configuration in the IdP Directory is complete box.

  • Click Save to update the configuration and check the Configuration in the IdP Directory is complete box.

  • Wait for the newly created group to appear on the group list and click on it to configure.

  • On the Details tab, scroll down to the Custom Attributes section, click the + Add Custom Attribute button, and select the type String.

  • In the Attribute Name field, put the name of the group attribute as specified in Step 11 of the (2) Register Parallels Enterprise App and Configure SAML Settings section above, in this case, groups.

  • For Attribute Value, see the address in your browser's address bar and identify the unique group ID in it, i.e., for https://console.jumpcloud.com/#/groups/user/67c0bea6ecc3120001efa8da/details, the value will be 67c0bea6ecc3120001efa8da. Write down the identifier value for later use.

    Click Save Group and repeat for all the groups.

  • In JumpCloud, go back to the SSO Applications section, open the Parallels app, switch to the User Groups tab, check the boxes for both admin and user groups, and click Save.

  • Switch to the Parallels My Account integration page, expand Step (3) Configure User Groups Mapping, and use the click to edit links to fill out the group name and UUID (the value from Step 7 earlier) fields for administrators and users, as specified on the JumpCloud side, and click Save.

    Take care to use the correct names and UUIDs for each group.

  • Copy the value of the SCIM Base URL parameter to the Base URL field on the JumpCloud side and the value of Bearer Token to the Token Key field, respectively.

  • On the JumpCloud side, type a user's email address that is already included in one of the groups during the group mapping configuration and click Test Connection.

  • Once the connection tests successfully, click Activate, switch to the Parallels My Account IdP integration page, and check the Configuration in the IdP Directory is complete box in Step (5) Configure SCIM Integration.
