Organizations with Enterprise accounts can provision Security Assertion Markup Language (SAML) 2.0 to enable Single Sign-On (SSO) for user access to Sumo Logic.
In addition to basic SAML configuration, you can choose optional on-demand user creation (via SAML 2.0 assertions), and designate custom login and/or logout portals.
SAML provisioning process
The provisioning process works as follows:
- Identify the service provider you will use for SSO. For example:
- Microsoft Active Directory Federation Services (ADFS): https://msdn.microsoft.com/en-us/library/bb897402.aspx
- Okta: http://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Sumologic.html
- OneLogin: https://support.onelogin.com/hc/en-us/articles/201174134-Configuring-SAML-for-Sumo-Logic
- Configure SAML parameters in Sumo Logic.
- Configure service provider settings for Sumo Logic in the SSO system, and verify that any additional Role-Based Access Control (RBAC) roles and groups are set up.
- When provisioning is complete, users attempting to access Sumo Logic will be authenticated through the SSO system.
- SAML does not provide a deprovisioning mechanism. This means that if a user is deleted or disabled in the SSO database, it will not be reflected in Sumo Logic. However, these users would no longer be able to login to Sumo Logic via SSO. Administrators can delete these users from the Manage Data > Users and Roles > Users page (Manage > Users in classic UI) in Sumo Logic. When this is done, the user’s content is copied to the administrator who performed the deletion. The exception is access keys, and if SAML lockdown is not enabled, users would still be able to login via native accounts.
- Access keys are NOT controlled by SAML. This means that if a user has been turned off on the SSO side, their access keys would still be valid. For this reason, administrators should audit users regularly and disable access keys when necessary.
Before provisioning SAML, make sure you have the following:
- An installed Identity Provider (IdP) SSO system that supports SAML 2.0. Several SAML IdPs are available. If your organization's IdP supports SAML 2.0 you can configure SAML in Sumo Logic. Examples: Microsoft ADFS, Okta, OneLogin.
- X.509 certificate. This certificate is used to verify the signature in SAML assertions.
- Valid email address. An Email Attribute is required in the assertion: either the SAML Subject or another SAML attribute per the SAML configuration. The value of the Email Attribute must be a valid email address. It is used to uniquely identify the user in the organization.
Configure SAML in Sumo
Most of the information required for this procedure can be gathered from your IdP; the other options should be covered by your internal access policy.
- Go to Administration > Security > SAML (in classic UI, go to Manage > Security and click the SAML button).
- Select an existing configuration, or enter the name for a new configuration into the field and click Configure.
- Enter the following. See Set Up ADFS to Authenticate Sumo Logic Users for specific information about using Microsoft ADFS as a SAML solution to configure Sumo Logic users.
- Configuration Name: Enter a name to identify the SSO policy (or another name used internally to describe the policy).
- Debug Mode: Select this option if you'd like to view additional details if an error occurs when a user attempts to authenticate. For more information, see View SAML Debug Information.
- Issuer: Enter the unique URL assigned to your organization by the SAML IdP.
- Authn Request URL: Enter the URL that the IdP has assigned for Sumo Logic to submit SAML authentication requests to the IdP.
- X.509 Certificate: Copy and paste your organization's X.509 certificate, which is used to verify signatures in SAML assertions. For ADFS, the certificate required is the Token-signing ADFS X.509 certificate.
- Email Attribute: Depending on your IdP, select Use SAML subject, or select Use SAML attribute and type the email attribute name in the text box.
- SP Initiated Login Configuration: Enter a unique identifier for your organization. You can specify any alphanumeric string, provided that it is unique to your organization (for example, yourcompanyname_oursumo). The identifier is used to generate a unique URL for user login.
For example, if you enter
yourcompanyname_oursumo, the login URL becomes:
- On Demand Provisioning (optional): Select this option and specify the following attributes to have Sumo Logic automatically create accounts when a user first logs on. For more information, see Set Up Optional SAML features.
- First Name Attribute: You might need to provide the full attribute path, which can vary based on the ADFS version (the actual path can be seen in the SAML assertion). The following are examples.
- Last Name Attribute: You might need to provide the full attribute path, which can vary based on the ADFS version (the actual path can be seen in the SAML assertion). The following are examples.
- Logout Page: Select this option and enter a URL if you'd like to point all users to the URL after logging out of Sumo Logic. For more information, see Set Up Optional SAML Features.
- Roles Attribute: Enter the SAML Attribute Name that is sent by the IdP as part of the assertion. For details, see Set Up Optional SAML Features.
- Click Save.
- The following information is displayed.You'll need to provide one of these URLs when you configure settings for your IdP.
- If your IdP requires HTTP-POST binding, copy the POST URL and paste it into your IdP’s site.
- If your IdP requires HTTP-REDIRECT binding, copy the Redirect URL and paste it into your IdP’s site.
- Click Configure if you need to modify any settings. Click X to close the dialog box.
Create Multiple SAML Configurations
You can create multiple SAML configurations in Sumo. To create an additional SAML configuration, enter a name for the new configuration in the Select a configuration or create a new one field, and click Configure. Enter the settings for the new configuration, as described the previous section.