Organizations with Enterprise accounts can provision Security Assertion Markup Language (SAML) 2.0 to enable Single Sign-On (SSO) for user access to Sumo Logic. This page has instructions for integrating Sumo with Azure AD.
Step 1: Configure Sumo as an Enterprise App in Azure AD
In this step you set up Sumo as a non-gallery Enterprise App in Azure AD.
- Go into the Microsoft Azure Management Console and select Azure Active Directory in the left-side navigation pane.
- Select Manage > Enterprise Applications in the Overview blade.
- Select Manage > All Applications.
- Click New application at the top of the All applications blade.
- Select Categories and then select ALL.
- Select Non-gallery application.
- On the Add your own application page give your application a name and click Add. Throughout this procedure, we refer to the application name as <app-name>.
- Select your new application from the applications list.
- In the left-side navigation pane, select Single sign-on.
- In the Single sign-on dialog, select SAML-based Sign-on.
- In the SAML Signing Certificate section, click the Download link for Certificate (Base64) to download the certificate.
- In the Set Up Sumo Logic section, copy and paste the contents of the following fields into a text document. You will need these values in the next step.
- Login URL
- Azure AD identifier
- Logout URL
Step 2: Configure SAML in Sumo
- Go to Administration > Security > SAML.
- Select an existing configuration, or click the plus (+) icon to create a new configuration.
- The Add Configuration page appears.
- Configuration Name. Enter a name to identify the SSO policy (or another name used internally to describe the policy).
- Debug Mode. Select this option if you'd like to view additional details if an error occurs when a user attempts to authenticate. For more information, see View SAML Debug Information.
- Issuer. Enter the Azure AD Identifier that you noted in the substep 12 of Step 1.
- X.509 Certificate: Use a text editor to open the certificate file you downloaded in substep 11 of Step 1. Copy and paste the contents of the file into the field.
- Attribute Mapping: Select Use SAML subject.
- Configure SP-initiated Login. This section has instructions for setting up SP-initiated login. In this configuration, when a Sumo user logs in, Sumo redirects the user to your IdP with a SAML AuthnRequest. The request contains the information that your IdP needs to authenticate the user. Your IdP replies to Sumo with a SAML Assertion (SAMLResponse). In the steps below, you provide the information necessary for Sumo to issue the AuthnRequest to your IdP.
Click SP Initiated Login Configuration in the Optional Settings section of the SAML configuration page. When you click this option, the Login Path and Authn Request URL fields appear.
Login Path. Enter a unique identifier for your org. You can specify any alphanumeric string (with no embedded spaces), provided that it is unique to your org. (You can't configure a Login Path that another Sumo customer has already configured.) The identifier is used to generate a unique URL for user login. For example, if you enter "yourcompanyname", the login URL for the HTTP redirect binding will be:
And the login URL for the HTTP POST binding will be:
Authn Request URL. Enter the Login URL that you noted in the substep 12 of Step 1.
Disable Requested Authn Context. Checkmark this option.
Configure on-demand provisioning. (Optional) If you configure on-demand provisioning, Sumo Logic automatically creates a user account the first time a user logs on to Sumo. When the account is created, Sumo Logic credentials are emailed to the user. (Users need both Sumo Logic credentials and SAML permissions.) To complete this procedure, you supply the First Name and Last Name attributes Azure AD uses to identify users.
- Click the On Demand Provisioning checkbox.
- First Name Attribute. Enter:
- Last Name Attribute. Enter:
- On Demand Provisioning Roles. (Optional) Specify the Sumo RBAC roles you want to assign when user accounts are provisioned. (The roles must already exist.)
- Configure logout page. (Optional) Configure a logout page if you would like to point all Sumo users to a particular URL after logging out of Sumo Logic or after their session has timed out. You could choose your company's intranet, for example, or any other site that you'd prefer users in your organization access.
- Click the Logout Page checkbox.
- Enter the URL of the page to which you want to direct users after they log out of Sumo.
- Click Add to save the configuration.
- Select the new configuration from the Configuration List.
- Click Copy to copy the Assertion Consumer URL, and save it in a text file.
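The SP-initiated flow described above can be made concrete with the following added example. It is not code from the Sumo Logic or Microsoft documentation: it builds the AuthnRequest that a service provider sends to the Login URL in the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded as SAMLRequest), decodes such a request for inspection, and then runs the non-signature checks on a SAMLResponse that correspond to the values configured in this procedure (Issuer against the Azure AD Identifier, Audience against the Entity ID, Recipient against the Assertion Consumer URL, and the validity window). The tenant ID, configuration ID and the sample response are assumed placeholders constructed for the example; the XML signature that Sumo verifies with the X.509 certificate you pasted is deliberately not verified here.

```python
# Added example, not Sumo Logic's or Microsoft's code. All URLs, IDs and the
# sample response below are constructed placeholders, not real tenant values.
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, parse_qs

AZURE_LOGIN_URL = "https://login.microsoftonline.com/example-tenant-id/saml2"   # "Login URL" (Authn Request URL)
AZURE_IDENTIFIER = "https://sts.windows.net/example-tenant-id/"                 # "Azure AD Identifier" (Issuer)
SP_ENTITY_ID = "https://service.us2.sumologic.com"                              # Identifier (Entity ID) for the US2 pod
ACS_URL = "https://service.us2.sumologic.com/sumo/saml/consume/example-config"  # Assertion Consumer URL (assumed shape)

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(sp_entity_id, acs_url, destination, request_id=None, issued=None):
    """AuthnRequest XML. No RequestedAuthnContext element is emitted, which is
    what the "Disable Requested Authn Context" setting amounts to."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issued = issued or datetime.datetime.now(datetime.timezone.utc)
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issued:%Y-%m-%dT%H:%M:%SZ}" '
        f'Destination="{destination}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>'
    )


def redirect_binding_url(login_url, authn_request_xml):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    return login_url + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def decode_redirect_request(url):
    """Inverse of redirect_binding_url: recover the XML from a redirect URL."""
    data = base64.b64decode(parse_qs(urlsplit(url).query)["SAMLRequest"][0])
    return zlib.decompress(data, -15).decode()


def check_response(saml_response_xml, expected_issuer, expected_audience, acs_url, now=None):
    """Return a list of problems found in a SAMLResponse (empty list = checks pass).
    Checks Issuer, Audience, Recipient and NotOnOrAfter only; the XML signature
    over the assertion is NOT verified here."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    ns = {"samlp": NS_P, "saml": NS_A}
    root = ET.fromstring(saml_response_xml)
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=ns)
    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} != configured Azure AD Identifier {expected_issuer!r}")
    assertion = root.find("saml:Assertion", ns)
    if assertion is None:
        return problems + ["no Assertion element"]
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=ns)
    if audience != expected_audience:
        problems.append(f"Audience {audience!r} != Entity ID {expected_audience!r}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", ns)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match the Assertion Consumer URL")
    conditions = assertion.find("saml:Conditions", ns)
    not_after = conditions.get("NotOnOrAfter") if conditions is not None else None
    if not_after is None or datetime.datetime.fromisoformat(not_after.replace("Z", "+00:00")) <= now:
        problems.append("assertion expired or has no NotOnOrAfter")
    return problems


# Constructed sample (unsigned) response shaped like an IdP reply, with a fixed clock for the checks.
SAMPLE_NOW = datetime.datetime(2024, 1, 1, 12, 0, tzinfo=datetime.timezone.utc)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{AZURE_IDENTIFIER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{AZURE_IDENTIFIER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    url = redirect_binding_url(AZURE_LOGIN_URL, build_authn_request(SP_ENTITY_ID, ACS_URL, AZURE_LOGIN_URL))
    print(url)
    print(decode_redirect_request(url))
    print("problems:", check_response(SAMPLE_RESPONSE, AZURE_IDENTIFIER, SP_ENTITY_ID, ACS_URL, now=SAMPLE_NOW))
```

If the Issuer you pasted into Sumo does not match the Azure AD Identifier exactly (including the trailing slash), the first check fails; the same mismatch in the real flow is what Debug Mode surfaces. A mismatch between the Entity ID entered in Azure and the pod's service endpoint shows up as the Audience check failing.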
Step 3: Complete Azure configuration
- In the Azure Management Console, select your application from the applications list.
- From the left Menu select Single sign-on for your application
- In Section 1, Basic SAML Configuration, edit the configuration.
- Identifier (Entity ID). Enter the service endpoint of the pod your account runs on. The easiest way to see which pod your account uses is to look at the Sumo Logic URL. If you see "us2", you're running on the US2 pod and the service endpoint is https://service.us2.sumologic.com. If you see "eu" or "au", you're on one of those pods and the endpoint is https://service.eu.sumologic.com or https://service.au.sumologic.com respectively. If none of these appears, you're on the US1 deployment and the endpoint is https://service.sumologic.com.
- Reply URL (Assertion Consumer URL). Paste in the URL you noted in substep 15 of Step 2.
- Click Save.
- In the left navigation pane, click Properties in the Manage section.
- Enabled for users to sign in? Enter Yes.
- User assignment required? Enter Yes. (This option controls whether a user must be explicitly assigned to this application, or whether any user in the Azure AD tenant can use Sumo Logic. We recommend setting this to Yes, as the Sumo environment has a finite number of users.)
- Click Save.
- On the appname blade (the blade with the name of the selected app in the title), select Users and Groups.
- On the appname - User and Group Assignment blade, select the Add command.
- On the Add Assignment blade, select Users and groups.
- On the Users and groups blade, select one or more users or groups from the list and then select the Select button at the bottom of the blade.
- On the Add Assignment blade, select Role. Then, on the Select Role blade, select a role to apply to the selected users or groups, and then select the OK button at the bottom of the blade.
- On the Add Assignment blade, select the Assign button at the bottom of the blade. The assigned users or groups have the permissions defined by the selected role.
Test SAML Authentication
- Test IdP-initiated authentication. Log in to https://myapps.microsoft.com/ with your Microsoft credentials and click the tile for the Sumo Logic application that you created above.
- Test SP-initiated authentication. Point your browser to the URL for the HTTP redirect binding you obtained in the Login Path step (substep 9b) of Step 2, which looks like:
where deployment is your Sumo deployment, and OrganizationName is the Login Path you entered.