Have the values available that you configured in Sumo Logic. See Set Up SAML for Single Sign-On for instructions on configuring Sumo Logic for SAML.
To configure ADFS to authenticate Sumo Logic users, perform the following tasks.
Add Relying Party Trust
The relying party trust configuration is required for the connection between Sumo Logic and ADFS.
- Complete the provisioning steps in Set Up SAML for Single Sign-On.
- Open the ADFS Management application, select the Relying Party Trusts folder, and select Actions > Add a new Standard Relying Party Trust to open the wizard. Click Start.
- Select Enter Data About the Party Manually and click Next.
- Enter a display name and notes (optional), and click Next.
- Select AD FS profile and click Next.
- Keep the default certificate settings and click Next.
- Select Enable Support for the SAML 2.0 WebSSO protocol. Enter the SP initiated login path supplied during the Sumo Logic SAML configuration, and click Next. See the figure for an example.
- Enter a relying party trust identifier, replacing subdomain with the base domain for the specific service endpoint the customer uses. Examples:
- If you want to configure multi-factor authentication (optional), refer to ADFS documentation for instructions. If not, keep the default selection I do not want to configure. Click Next.
- Select Permit all users to access this relying party and click Next. If you want to limit access to a smaller subset of all ADFS authenticated users, select Deny all users access to this relying part, then create an issuance authorization rule that allows only that subset of users based on group membership.
- Review your settings, keep the check box selected, and then click Close to exit and move to the next task, where you will specify claim rules.
Create claim rules
After creating the relying party trust, create the claim rules and update the relying party trust as needed. The editing interface opens automatically when you complete the Relying Party Trust wizard.
The claim rule requires an Email Attribute in the assertion, either the SAML Subject or another SAML attribute per the SAML configuration. The value of the Email Attribute must be a valid email address. It is used to uniquely identify the user in the organization.
Sumo Logic only validates that the email address format is valid, not that the email address actually exists during login. Using a non-existing email address will work, but will reduce the ability of the user to receive some system notifications and access third-party services that require the user to verify email address ownership.
- Click Add Rule. Select the Send LDAP Attributes as Claims template and click Next.
- Enter a name for the claim rule, select Active Directory as the attribute store, and select E-Mail Addresses for both the LDAP attribute and outgoing claim type. Click OK to save the rule.
- Click Add Rule to create another rule. Select Transform an Incoming Claim as the template and clickNext.
- Enter a name for the claim rule, and specify the following settings:
- Incoming Claim Type: Email Address
- Outgoing Claim Type: Name ID.
- Outgoing Name ID Format: Email.
- Select Pass through all claim values.
- Click OK to save the settings and OK again to close the rule editing window.
Adjusting the trust settings
There are a few relying party trust settings that aren’t accessible through the wizard.
- To specify these settings, select the relying party trust entry in the ADFS Management application and select Actions > Properties.
- On the Identifiers tab, specify the display name. Enter your relying party identifier and click Add.
- Edit the SAML Assertion Consumer Endpoint URL to point to the Assertion Consumer URL that the SumoLogic SAML configuration specifies.
- Click the Add SAML button to add a SAML Logout POST binding & Trusted URL that points to the signout page for your server.
- On the Endpoints tab, click Add to include a new endpoint and specify the following:
- Endpoint type: SAML Logout.
- Binding: POST.
- Trusted URL: Specify a URL.
- URL ADFS server
- ADFS SAML endpoint you noted earlier
- The string '?wa=wsignout1.0'
The resulting URL should have the format in this example:
- On the Advanced tab, select SHA-1.
- Click OK to complete and save your changes.
You can now test the ADFS SSO implementation by attempting to log in from the login URL. If you have any trouble, return to Sumo Logic and perform the following steps:
- Choose Manage > Security > SAML.
- Select the Debug Mode check box and click Save.
- Test again.
This time, the error message will include a debug link to help you troubleshoot the problem.