When configuring SAML, there are several optional features you can use to control how new user accounts are added, how roles are assigned, and where users are directed after logging out of Sumo Logic.
Set up On Demand provisioning
In most cases, setting up On-Demand provisioning makes adding new users very simple: the first time a user signs into Sumo Logic, an account is automatically created.
- Specify Sumo Logic roles. In order for new accounts to be created, you'll need to specify Sumo Logic RBAC roles in the SAML Configuration dialog box.
- SAML Attributes. You'll need the First Name and Last Name attributes your IdP uses to identify users.
When the account is created, Sumo Logic credentials are emailed to the user. (Users need both Sumo Logic credentials and SAML permissions.)
Add a Logout Page
Adding a Logout Page sets a specific URL where users in your organization are sent after logging out of Sumo Logic or after their session has timed out. You could choose your company's intranet, for example, or any other site that you'd prefer users in your organization access.
To add a logout page, type the URL in the dialog box, as shown here:
Use roles from your IdP
When enabled, the Roles Attribute option instructs Sumo Logic to assign roles to a user every time the user logs in. Roles are configured via your IdP and assigned as part of the SAML assertion.
In the Configure SAML 2.0 dialog, enter the Name of the SAML attribute that carries roles in the assertion into the Roles Attribute field.
- Each role in the assertion must be in its own AttributeValue. (Do not use a comma separated list.)
- The AttributeValue values of the SAML assertion must match the role names configured in Sumo Logic.
See the following assertion example using multiple roles:
    <saml:Attribute Name="Sumo_Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Analyst</saml:AttributeValue>
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Collector Manager</saml:AttributeValue>
    </saml:Attribute>
In this example, the SAML Attribute Name "Sumo_Role" would go in the Roles Attribute field.
Each role name, such as Analyst and Collector Manager, must match a role that exists in Sumo Logic.
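The following Python script is an added example, not Sumo Logic's code, that checks an assertion against the two rules above before you go live: it pulls every AttributeValue under the attribute named in the Roles Attribute field, one value per element, and reports which values match a role name and which do not. The sample assertion and the set of "configured" roles are constructed for the example; a value such as "Analyst,Collector Manager" is deliberately included to show that a comma-separated list is compared as a single string and matches nothing. Exact string comparison is an assumption about how Sumo Logic matches names; whitespace trimming is a convenience of this script only. In a real integration, read attributes only from an assertion whose signature has already been verified; this example does no signature checking.

```python
"""Check the role AttributeValues of a SAML assertion against the roles that
exist in Sumo Logic, the way the Roles Attribute option expects them.

Constructed example, not Sumo Logic's code. The assertions below are built
inline and the set of configured roles is an assumption for the example.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Roles assumed to exist in the Sumo Logic org (hypothetical set).
CONFIGURED_ROLES = {"Administrator", "Analyst", "Collector Manager"}

# Constructed assertion: two roles, each in its own AttributeValue, plus an
# unrelated attribute that must be ignored.
GOOD_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName" NameFormat="{BASIC}">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Sumo_Role" NameFormat="{BASIC}">
      <saml:AttributeValue>Analyst</saml:AttributeValue>
      <saml:AttributeValue>Collector Manager</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed assertion with the mistake the docs warn about: both roles
# packed into one comma-separated AttributeValue.
BAD_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="Sumo_Role" NameFormat="{BASIC}">
      <saml:AttributeValue>Analyst,Collector Manager</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def role_values(assertion_xml: str, roles_attribute: str) -> list[str]:
    """Return every AttributeValue under the Attribute whose Name equals
    roles_attribute, one list entry per element, whitespace-trimmed.
    Attributes with other Names are skipped."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != roles_attribute:
            continue
        for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            values.append((val.text or "").strip())
    return values


def check_roles(assertion_xml: str, roles_attribute: str,
                configured_roles: set[str]) -> tuple[list[str], list[str]]:
    """Split the asserted values into those that exactly match a configured
    role name and those that do not. A comma-separated value is compared
    as one string, so it lands in the unmatched list."""
    matched, unmatched = [], []
    for value in role_values(assertion_xml, roles_attribute):
        (matched if value in configured_roles else unmatched).append(value)
    return matched, unmatched


if __name__ == "__main__":
    for label, xml in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        ok, bad = check_roles(xml, "Sumo_Role", CONFIGURED_ROLES)
        print(f"{label}: matched={ok} unmatched={bad}")
```

Run it against an assertion captured from your IdP's test login (after verifying its signature) with the same attribute name you entered in the Roles Attribute field; anything in the unmatched list will not be granted as a role in Sumo Logic.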