Before you start
- Read the "Limitations" section in Set Up SAML for Single Sign-On.
- If you plan to manage Sumo role assignments in Okta, make sure that you have done the following before you proceed:
  - Configured an Okta group for each Sumo role, with the same name as the Sumo role. For example, you should have an "Administrator" group in Okta, just as you have an "Administrator" role in Sumo.
  - Assigned your Sumo users to the appropriate Okta groups, based on the Sumo roles you want to assign to each user.
Step 1: Configure basic SAML settings in Okta
- Log in to your Okta organization as a user with administrative privileges.
- Click Admin.
- Click Add Applications.
- Click the Create New App shortcut.
- On the Create a New Application Integration page, select the SAML 2.0 option, then click Create.
- General Settings.
  - App Name. Enter a name for the Sumo Logic integration app.
  - App Logo. (Optional) Upload the logo you want to appear for the app in the Okta portal.
  - Visibility. Use these options if you don't want the Sumo Logic integration app to appear to users in the Okta portal or mobile app.
- Click Next.
- In the General section under SAML Settings:
  - Single sign on URL. Paste in this placeholder URL:
  http://example.com/saml/sso/example-okta-com
  You will get the actual URL to enter when you perform Step 5: Configure SAML in Sumo, and you will enter it when you perform Step 6: Complete SAML configuration in Okta.
  - Use this for Recipient URL and Destination URL. Select the checkbox.
  - Audience URI (SP Entity ID). Enter the domain name of the Sumo Logic deployment that your Sumo account resides in. For example:
  https://service.us2.sumologic.com
- In the Attribute Statements section under SAML Settings, add three attribute statements:
  - For Name, enter "firstName" and select user.firstName from the Value pulldown.
  - For Name, enter "lastName" and select user.lastName from the Value pulldown.
  - For Name, enter "Email" and select user.email from the Value pulldown.
Step 2: Configure Okta to send role assignments to Sumo (Optional)
In this step, you configure Okta to include group membership information in the SAML assertions it sends, so that Sumo can assign roles to a user at each logon. This allows you to manage Sumo role assignments in Okta. If you don't want to manage Sumo roles in Okta, click Next at the bottom of the Create SAML Integration page and proceed to Step 3 below.
These instructions assume that:
- You have configured a set of groups on Okta whose names match the names of the roles defined in Sumo.
- You have assigned each user in Okta to the Okta groups that map to the roles you want the user to have.
There are two sides to the configuration. You'll configure a Group Attribute Statement in Okta and a Roles Attribute in Sumo Logic, each with the same value. Okta will include that attribute value in the SAML assertions it sends to Sumo. Configure the Group Attribute Statement in Okta as follows:
- Name. Enter something like "Sumo_Role" and make a note of it. Later, when you configure SAML in Sumo Logic, you'll enter the same value in the Roles Attribute field.
- Name Format. Leave unspecified.
- Filter. In the left-side field, choose one of the options from the pulldown to select the type of match expression you are going to enter:
  - Starts with. Useful if all the names of the Okta groups with Sumo users begin with the same string.
  - Equals. Useful if there is a single Okta group for Sumo users.
  - Contains. Useful if all the names of the Okta groups with Sumo users contain the same string.
  - Matches regex. Use this option if you can't specify your groups using any of the other filter types.
- In the right-side field, enter a string or regular expression, depending on the filter type you chose. In the screenshot above, the filter type is Matches regex, and the regex
Foo|A.*
will match the Okta group "Foo" and groups whose names begin with the letter "A".
- Click Next at the bottom of the Create SAML Integration page to proceed.
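To make the two sides of Step 2 concrete, here is an added Python example (not code from Sumo Logic's or Okta's documentation) that models the Okta group filter and the attribute statements from Steps 1 and 2, then reads the resulting Roles Attribute the way Sumo consumes it in Step 5. The filter semantics are inferred from the description above, and the user, group and role names are constructed for the example; a value that names no existing Sumo role is reported rather than silently dropped.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def filter_groups(groups, filter_type, pattern):
    # Model of the Step 2 group filter. Assumed semantics, taken from the doc's
    # description: "Matches regex" is a whole-name match, so "Foo|A.*" matches
    # "Foo" and names starting with "A" (not every name containing an "A").
    if filter_type == "Starts with":
        return [g for g in groups if g.startswith(pattern)]
    if filter_type == "Equals":
        return [g for g in groups if g == pattern]
    if filter_type == "Contains":
        return [g for g in groups if pattern in g]
    if filter_type == "Matches regex":
        return [g for g in groups if re.fullmatch(pattern, g)]
    raise ValueError(f"unknown filter type: {filter_type}")

def build_attribute_statement(user, groups, role_attr, filter_type, pattern):
    # AttributeStatement Okta would emit for Steps 1 and 2: the three user
    # attributes plus one group attribute (role_attr) holding the filtered groups.
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    attrs = {"firstName": [user["firstName"]], "lastName": [user["lastName"]],
             "Email": [user["email"]], role_attr: filter_groups(groups, filter_type, pattern)}
    for name, values in attrs.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")

def sumo_roles_from_assertion(xml_text, role_attr, known_roles):
    # SP side of Step 5: read the Roles Attribute values and keep only those that
    # name an existing Sumo role. Unmatched values are returned separately so they
    # can be logged instead of silently dropped.
    root = ET.fromstring(xml_text)
    path = f".//{{{SAML_NS}}}Attribute[@Name='{role_attr}']/{{{SAML_NS}}}AttributeValue"
    values = [v.text for v in root.iterfind(path)]
    return ([v for v in values if v in known_roles],
            [v for v in values if v not in known_roles])

# Constructed sample data; not real users, groups or roles.
USER = {"firstName": "Ada", "lastName": "Lovelace", "email": "ada@example.com"}
OKTA_GROUPS = ["Foo", "Administrator", "Analyst", "Marketing"]
SUMO_ROLES = {"Administrator", "Analyst"}

def demo():
    xml_text = build_attribute_statement(USER, OKTA_GROUPS, "Sumo_Role",
                                         "Matches regex", r"Foo|A.*")
    return sumo_roles_from_assertion(xml_text, "Sumo_Role", SUMO_ROLES)
```

With the doc's regex, the group "Foo" reaches Sumo but matches no role, which is the case to watch for when the Okta group names and Sumo role names drift apart.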
Step 3: Enter Okta feedback info
In Step 3 "Feedback", select I'm an Okta customer adding an internal app, and This is an internal app that we have created, then click Finish.
Step 4: View Okta SAML settings for Sumo
In this step, you view the SAML settings generated by Okta that you'll need when you complete the SAML configuration in Sumo.
- The Sign On Methods section appears. Click View Setup Instructions.
- The page displays the information you need to do Step 5: Configure SAML in Sumo. Keep the page open.
Step 5: Configure SAML in Sumo
This section has instructions for configuring basic SAML in Sumo Logic.
- Go to Administration > Security > SAML.
- Click Add Configuration.
- The Add Configuration page appears.
- Configuration Name. Enter a name to identify the SSO policy (or another name used internally to describe the policy).
- Debug Mode. Select this option if you'd like to view additional details if an error occurs when a user attempts to authenticate. For more information, see View SAML Debug Information.
- Issuer. Paste in the Identity Provider Issuer that Okta presented in Step 4: View Okta SAML settings for Sumo.
- X.509 Certificate. Paste in the certificate that Okta presented in Step 4: View Okta SAML settings for Sumo.
- Attribute mapping. Select Use SAML Subject.
- Roles Attribute. (Required if you performed Step 2: Configure Okta to send role assignments to Sumo.) If you select the Roles Attribute option, Sumo Logic assigns roles to a user every time the user logs in. Roles are configured by your Okta administrator and assigned as part of the SAML assertion.
  - Click the Roles Attribute checkbox. The Roles Attribute field appears.
  - Roles Attribute. Enter the Group attribute name you defined in Step 2: Configure Okta to send role assignments to Sumo, for example "Sumo_Role".
- On-demand provisioning. If you configure this feature, Sumo Logic will create a new user’s account the first time the user accesses Sumo Logic using Okta. For instructions, see On-Demand Provisioning.
- Logout Page. When a Sumo user logs out of Sumo Logic or if the user’s session times out, they will be redirected to the logout page you specify. For example, you could redirect users to their Okta homepage, substituting your Okta domain in the following URL:
https://YourOktaDomain.onelogin.com/app/UserHome
- Click Save.
- To view the details of your configuration, select it in the Configuration List. Keep the panel open. When you complete the Okta configuration in Step 6: Complete SAML configuration in Okta, you will copy the Authentication Request and Assertion Consumer values into Okta.
Step 6: Complete SAML configuration in Okta
- Go back to the Okta Admin Panel.
- Go to the General tab.
- Under SAML Settings, click Edit.
- The General Settings page appears. Click Next.
- The Edit SAML Integration pane appears.
- Single Sign On URL. Change to the Assertion Consumer URL from your Sumo Logic SAML settings, which you obtained in the last step of Step 5: Configure SAML in Sumo.
- Use this for Recipient URL and Destination URL. Deselect the checkbox.
- Recipient URL and Destination URL. Enter the Authentication Request URL from your Sumo Logic SAML settings, which you obtained in the last step of Step 5: Configure SAML in Sumo, into both fields.
- Audience URI (SP Entity ID). This field is not required unless you configure SP-initiated authentication. For more information see SP-initiated login.
- Click Next and then Finish.
Sumo Logic is now linked with Okta.
Step 7: Add Okta users to the Sumo Logic app in Okta
- Click the Directory tab. Click the user you want to add to the app.
- Click Assign Applications.
- Click Assign on the row for the application to which you want to add the user.
- Click Save and Go Back.
- Click Done.
The Sumo Logic app you configured should now appear on the user’s Okta work page. To check that the integration works, have the user click the app icon, and verify that they are logged onto Sumo Logic.
Configure optional SAML features
Configure SP-initiated login
This section has instructions for setting up SP-initiated login. When SP-initiated login has been enabled, your SAML configuration will appear as an additional authentication option on your subdomain-enabled account login page.
- On the Sumo Add Configuration page, click the SP Initiated checkbox.
- Login Path. Enter a unique identifier for your org. You can specify any alphanumeric string (with no embedded spaces), provided that it is unique to your org. (You can't configure a Login Path that another Sumo customer has already configured).
If you enter a Login Path that is not unique across all Sumo orgs, Sumo issues this error:
SP Initiated login path in use. Please enter a different path.
- Authn Request URL. Paste in the Identity Provider Single Sign-On URL that Okta presented in Step 4: View Okta SAML settings for Sumo.
- Sign Authn Request. (Optional) If you select this option, Sumo will send signed Authn requests to your IdP. When you select this option, a Sumo-provided X.509 certificate is displayed. You can configure your IdP with this certificate to verify the signature of the Authn requests sent by Sumo.
Configure On-Demand Provisioning
If you configure on-demand provisioning, Sumo Logic automatically creates a user account the first time a user logs on to Sumo using Okta single sign-on. When a user clicks the Sumo Logic app in Okta, Okta sends a SAML assertion to Sumo with the information necessary to create the user account and to assign that user to Sumo roles.
To configure on-demand provisioning, you supply the First Name and Last Name attributes Okta uses to identify users, and the Sumo roles you want to assign to the accounts created.
- Click the On Demand Provisioning checkbox.
- First Name. Enter the name of the attribute used in your Okta deployment for first name. It might be different from this example:
firstName
- Last Name. Enter the name of the attribute used in your Okta deployment for last name. It might be different from this example:
lastName
- On Demand Provisioning Roles. Specify the Sumo RBAC roles you want to assign when user accounts are provisioned. (The roles must already exist in Sumo.) If you enter multiple roles, separate them with commas. For example:
Analyst, CollectorManager