This page has instructions for integrating OneLogin and Sumo Logic to allow Sumo Logic users to sign on to Sumo Logic using OneLogin SSO.
Before you start
Read the "Limitations" section of Set Up SAML for Single Sign-On.
Step 1: Configure a SAML app in OneLogin
- In OneLogin, choose Applications from the Applications menu.
- On the Applications page, click Add App.
- On the Find Applications page, search for Sumo Logic.
- If your Sumo Logic deployment is not US1 (https://service.sumologic.com), select Sumo Logic Multi and choose your deployment. You can determine your deployment from the URL you use to access Sumo Logic. For example, in the following URL, the deployment is “us2”:
- On the Add Sumo Logic page:
- Display Name. This is the display name that will appear on your OneLogin portal page. Edit as desired.
- Visible in portal. Toggle this option off if you do not want Sumo Logic to appear on your OneLogin portal page.
- Icons. If desired, you can upload different icons.
- Click Save.
- Click Configuration in the left-nav.
- On the Application details page:
- Country. Select your Sumo deployment from the pulldown list.
- Configuration ID. You’ll get the Configuration ID when you configure the Sumo Logic side of the configuration, from the end of the Authentication Request URL provided by Sumo Logic. For now, just enter some placeholder text.
- Click Save.
- Click Parameters in the left-nav.
- Credentials are. Set the credentials to "Configured by admin".
- Email. Select a default Email value of email or something equivalent to email to use as the Sumo Logic credential.
- First Name. Select “First Name”.
- Last Name. Select “Last Name”.
- On the SSO tab:
- Copy the Issuer URL and the SAML 2.0 Endpoint to supply when you configure Sumo Logic in Step 2 below.
- Click View Details for the X.509 Certificate.
- On the cert page, click Download to download the X.509 certificate.
- On the Access tab, choose which roles will have access to Sumo Logic.
- Click Save.
Step 2: Configure SAML in Sumo
This section has instructions for configuring SAML in Sumo Logic.
Go to Administration > Security > SAML.
- Click + Add Configuration to create a new configuration.
- The Add Configuration page appears.
- Configuration Name. Enter a name to identify the SSO policy (or another name used internally to describe the policy).
- Debug Mode. Select this option if you'd like to view additional details if an error occurs when a user attempts to authenticate. For more information, see View SAML Debug Information.
- Issuer. Paste in the Issuer URL you copied from the OneLogin SSO page, as described above.
- X.509 Certificate. Paste in the certificate you downloaded from the OneLogin SSO page, as described above.
- Attribute mapping. Select "Use SAML subject".
- SP-initiated Login. (Optional) This configuration enables a Sumo user to initiate login from the Sumo Logic web app. To configure this option, see Configure SP-initiated login.
- Roles Attribute. (Optional). To configure this option, see Configure on-demand role provisioning.
- On Demand Provisioning. (Optional). See Configure on-demand account provisioning below.
- Logout Page. When a Sumo user logs out of Sumo Logic or if the user’s session times out, they will be redirected to the page you specify. If you want users to be redirected to your OneLogin portal page, enter
your-domain is your company's OneLogin domain.
- Click Add.
- To view the details of your configuration, select it in the Configuration List. Copy the number at the end of the Assertion Consumer field, following the final forward slash ( / ) in the URL. You'll paste it into the OneLogin Configuration page in Step 3, below.
Step 3: Complete SAML configuration in OneLogin
- Return to OneLogin.
- Select the Sumo Logic SAML app.
- On the Configuration page, enter the number you copied from the Authentication Request in Sumo into the Configuration ID field.
- Click Save.
This section has instructions for configuring several optional SAML features.
Configure SP-initiated login
This configuration enables a Sumo user to initiate login from the Sumo Logic web app. Sumo redirects the user to OneLogin with a SAML AuthnRequest with the information that OneLogin needs to authenticate the user. OneLogin replies to Sumo with a SAML Assertion (SAMLResponse).
- LoginPath. Enter a unique identifier for your org. You can specify any alphanumeric string (with no embedded spaces), provided that it is unique to your org. (You can't configure a Login Path that another Sumo customer has already configured). The identifier is used to generate a unique URL for user login. For example, you could enter
- Authn Request URL. Enter the SAML 2.0 Endpoint URL that you copied from the OneLogin SSO page, as described above.
- Disable Requested Authentication Context. (Optional). Leave unchecked.
- Sign Authn Request. (Optional). Leave unchecked.
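The SP-initiated exchange described above, as an added Python example (not code from Sumo Logic or OneLogin): it builds an unsigned AuthnRequest, encodes it the way the SAML HTTP-Redirect binding requires, then decodes it to check the Destination against the SAML 2.0 Endpoint and the number at the end of the Assertion Consumer URL against the Configuration ID. The use of the HTTP-Redirect binding, every URL and ID, and the function names are assumptions made for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed placeholders; substitute the values from your own configuration.
IDP_ENDPOINT = "https://idp.example.com/saml2/http-redirect/sso/000000"
ACS_URL = "https://sp.example.com/saml/consume/123456789"
SP_ISSUER = "https://sp.example.com"

def build_redirect_url(idp_endpoint, acs_url, sp_issuer):
    """Build an unsigned AuthnRequest and encode it for the HTTP-Redirect binding."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_constructed-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'Destination="{idp_endpoint}" AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{sp_issuer}</saml:Issuer></samlp:AuthnRequest>"
    )
    # Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encode.
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return f"{idp_endpoint}?{query}"

def inspect_redirect_url(url):
    """Decode a redirect URL you captured yourself and return the fields to check."""
    query = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), wbits=-15)
    root = ET.fromstring(xml)  # for XML from untrusted sources, use defusedxml
    acs = root.get("AssertionConsumerServiceURL")
    return {
        "destination": root.get("Destination"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        # Configuration ID: the text after the final "/" of the ACS URL.
        "configuration_id": acs.rstrip("/").rsplit("/", 1)[-1],
        # A signed redirect request carries a separate Signature query parameter.
        "signed": "Signature" in query,
    }

def mismatches(url, endpoint, config_id):
    """List the ways the request disagrees with the values entered in both consoles."""
    info = inspect_redirect_url(url)
    checks = {
        "Destination does not match the SAML 2.0 Endpoint": info["destination"] == endpoint,
        "ACS URL does not end in the Configuration ID": info["configuration_id"] == config_id,
    }
    return [message for message, ok in checks.items() if not ok]
```

A mismatch on the second check is what you would see if the placeholder text from Step 1 was never replaced with the real Configuration ID in Step 3.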
Configure on-demand account provisioning
If you configure on-demand account provisioning, Sumo Logic automatically creates a user account the first time a user tries to access Sumo Logic from your OneLogin portal page. To configure this behavior, you update your OneLogin integration in Sumo Logic, providing the First Name and Last Name attributes OneLogin uses to identify users, and the role or roles you want to assign to the accounts when they are created.
In Sumo Logic, open your OneLogin integration application for editing.
- Click the On Demand Provisioning checkbox.
- First Name. Enter:
- Last Name. Enter:
- On Demand Provisioning Roles. Specify the Sumo RBAC roles you want to assign when user accounts are provisioned. (The roles must already exist in Sumo Logic.)
- Click Save to save the SAML configuration.
Configure on-demand role provisioning
If you configure on-demand role provisioning, Sumo Logic assigns roles to a user every time the user logs in. Roles are configured by your OneLogin administrator and assigned as part of the SAML assertion. Each role name that you want to assign to users must match roles that exist in Sumo Logic and in OneLogin.
- In Sumo Logic, open your OneLogin integration application for editing.
- Click the Roles Attribute checkbox. The Roles Attribute field appears.
- Roles Attribute. Enter:
- Click Save.