Integrate Sumo with Azure AD
| Account Type | Account Level |
|---|---|
| Cloud Flex | Trial, Enterprise |
| Credits | Trial, Essentials, Enterprise Operations, Enterprise Security, Enterprise Suite |
Organizations with Enterprise accounts can provision Security Assertion Markup Language (SAML) 2.0 to enable Single Sign-On (SSO) for user access to Sumo Logic. This section has instructions for integrating Sumo with Azure AD.
Configure Sumo as an Enterprise App in Azure AD
In this step you set up Sumo as an Enterprise App in Azure AD.
The steps below are for the new Azure Management Console. For general steps for using the legacy GUI, see Configure single sign-on to applications that are not in the Azure Active Directory application gallery in Azure help.
Go into the Microsoft Azure Management Console and select Azure Active Directory in the left-side navigation pane.
Select Enterprise Applications.
Select Manage > All Applications.
Click New application at the top of the All applications blade.
Search for SumoLogic.
Select the SumoLogic tile.
Enter a name for your application and click Create. Throughout this procedure, we refer to the application name as <app-name>.
From the Overview tab, click Get Started in the Set up single sign-on tile.
Click the SAML tile on the Single sign-on page.
Click Edit in the Basic SAML Configuration page.
In the Basic SAML Configuration pane:
Select https://service.sumologic.com as the default Identifier (Entity ID) and use the trash can icon to delete the other Entity IDs in the list. (You'll update this in a later step.)
Enter https://service.sumologic.com as the Reply URL (Assertion Consumer Service URL). (You'll update this in a later step.)
Click Save at the top of the pane, and then close the pane.
In the SAML Signing Certificate tile, click the Download link for Certificate (Base64) to download the signing certificate.
In the Set Up <app-name> section, copy and paste the contents of the following fields into a text document. You will need these values in the next step.
- Login URL
- Azure AD Identifier
Do not close the Set Up Single Sign-On with SAML window; you will return to it later for additional configuration steps.
Configure SAML in Sumo Logic
Go to Administration > Security > SAML.
Select an existing configuration, or click Add Configuration to create a new configuration.
The Add Configuration page appears.
Configuration Name. Enter a name to identify the SSO policy (or another name used internally to describe the policy).
Debug Mode. Select this option if you'd like to view additional details if an error occurs when a user attempts to authenticate. For more information, see View SAML Debug Information.
Issuer. Enter the Azure AD Identifier that you noted in substep 13 of Configure Sumo as an Enterprise App in Azure AD. This value must match the Issuer element in the assertions Azure AD sends exactly, including the trailing slash.
X.509 Certificate. Use a text editor to open the certificate file you downloaded in substep 12 of Configure Sumo as an Enterprise App in Azure AD. Copy and paste the contents of the file into the field.
Attribute Mapping. Select Use SAML subject.
Configure SP-initiated Login. (Optional) This step has instructions for setting up SP-initiated login. When SP-initiated login is enabled, your SAML configuration appears as an additional authentication option on your subdomain-enabled account login page. SP-initiated login requires a custom Sumo Logic subdomain. If a custom subdomain has not yet been configured for your org, follow the instructions in the Change account subdomain section of the Manage Organization topic.
Click SP Initiated Login Configuration in the Optional Settings section of the SAML configuration page. When you click this option, the following configurations appear.
Authn Request URL. Enter the Login URL that you noted in substep 13 of Configure Sumo as an Enterprise App in Azure AD.
Disable Requested Authn Context. Select this option.
Select Binding Type. Select Post.
Sign Authn Request. Leave this option deselected.
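To make the three settings above concrete, here is an added example (not code from Sumo Logic or Microsoft) that builds the unsigned AuthnRequest a service provider sends for SP-initiated login and packages it with the HTTP-POST binding, alongside the HTTP-Redirect binding for contrast. The entity ID, ACS URL and tenant ID are placeholders: the real values are the Entity ID and Assertion Consumer URL Sumo shows for your configuration and the Login URL from the Azure AD app. The `requested_authn_context` flag controls whether a RequestedAuthnContext element is emitted; leaving it out is what the "Disable Requested Authn Context" option is intended to do.

```python
import base64
import html
import re
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Placeholder values (assumed for this example). Use the Entity ID and Assertion
# Consumer URL from your Sumo SAML configuration and the Azure AD Login URL;
# the tenant ID below is fake.
SP_ENTITY_ID = "https://service.sumologic.com"
SP_ACS_URL = "https://service.sumologic.com"
IDP_LOGIN_URL = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"


def build_authn_request(issuer, acs_url, destination, requested_authn_context=False):
    """Build an unsigned SAML 2.0 AuthnRequest ("Sign Authn Request" deselected).

    With requested_authn_context=False no RequestedAuthnContext element is sent,
    so the IdP is not told to match a particular authentication context class.
    """
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    context = ""
    if requested_authn_context:
        context = (
            '<samlp:RequestedAuthnContext Comparison="exact"><saml:AuthnContextClassRef>'
            "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
            "</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>"
        )
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now}" '
        f'Destination="{html.escape(destination)}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{html.escape(acs_url)}">'
        f"<saml:Issuer>{html.escape(issuer)}</saml:Issuer>{context}</samlp:AuthnRequest>"
    )


def has_requested_authn_context(request_xml):
    """True if the request constrains the IdP's authentication method."""
    root = ET.fromstring(request_xml)
    return root.find("samlp:RequestedAuthnContext", {"samlp": SAMLP}) is not None


def post_binding_form(request_xml, destination):
    """HTTP-POST binding: plain base64 (no DEFLATE) in a hidden field the browser submits."""
    encoded = base64.b64encode(request_xml.encode()).decode()
    return (
        f'<form method="post" action="{html.escape(destination)}">'
        f'<input type="hidden" name="SAMLRequest" value="{encoded}"/>'
        '<input type="submit" value="Sign in"/></form>'
    )


def decode_post_binding_form(form_html):
    """Recover the request from a captured form, as you would when debugging a login."""
    match = re.search(r'name="SAMLRequest" value="([^"]*)"', form_html)
    return base64.b64decode(match.group(1)).decode()


def redirect_binding_url(request_xml, destination):
    """HTTP-Redirect binding for contrast: raw DEFLATE, then base64, then URL-encoded."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(request_xml.encode()) + compressor.flush()
    return destination + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def decode_redirect_binding_url(url):
    """Inverse of redirect_binding_url: base64-decode, then inflate raw DEFLATE."""
    encoded = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(encoded), -15).decode()


if __name__ == "__main__":
    request = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, IDP_LOGIN_URL)
    print(post_binding_form(request, IDP_LOGIN_URL))
```

If a login fails, decoding the SAMLRequest from the browser's form post with `decode_post_binding_form` shows you exactly what Sumo sent, and checking `has_requested_authn_context` confirms the authn context setting took effect.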
Configure on-demand provisioning. (Optional) If you configure on-demand provisioning, Sumo Logic automatically creates a user account the first time a user logs on to Sumo. When the account is created, Sumo Logic credentials are emailed to the user. (Users need both Sumo Logic credentials and SAML permissions.) To complete this procedure, you supply the First Name and Last Name attributes Azure AD uses to identify users.
Click the On Demand Provisioning checkbox.
First Name Attribute. You might need to provide the full attribute path, which can vary based on the ADFS version (the actual path can be seen in the SAML assertion). Here is an example:
Last Name Attribute. You might need to provide the full attribute path, which can vary based on the ADFS version (the actual path can be seen in the SAML assertion). Here is an example:
On Demand Provisioning Roles. Specify the Sumo RBAC roles you want to assign when user accounts are provisioned. (The roles must already exist.)
Configure logout page. (Optional) Configure a logout page if you would like to point all Sumo users to a particular URL after logging out of Sumo Logic or after their session has timed out. You could choose your company's intranet, for example, or any other site that you'd prefer users in your organization access.
- Click the Logout Page checkbox.
- Enter the URL of the page to which you want to direct users after they log out of Sumo.
Click Add to save the configuration.
Select the new configuration from the Configuration List.
Copy the following field values and save them in a text file. You'll need them in the steps to follow.
- Assertion Consumer URL
- Entity ID
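Several of the fields above (Issuer, X.509 Certificate, and the First Name and Last Name attribute paths) are easiest to get right by reading them out of an assertion Azure AD actually sent, which is what Debug Mode exposes. The following added example (not code from Sumo Logic or Microsoft) decodes a posted SAMLResponse, extracts those values, and checks them against what you pasted into the configuration. The sample response, tenant ID and certificate body are constructed placeholders; the two claim names are Azure AD's default given-name and surname claim URIs and are an assumption here, so confirm them against the attribute Names in your own assertion.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Azure AD's default claim names for given name and surname (assumed; verify them
# against the Name attributes in the assertion you receive).
GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"

# Constructed sample: the shape of an Azure AD response with a placeholder tenant ID,
# a placeholder certificate body and a fictitious user. Not a real capture.
SAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICplaceholderCertificateBody
AAAA
-----END CERTIFICATE-----
"""

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIICplaceholderCertificateBody
        AAAA
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Alice</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Example</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The browser posts the response to the Assertion Consumer URL as a base64 form field.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def decode_saml_response(encoded):
    """Decode the SAMLResponse form field captured from the browser (HTTP-POST binding)."""
    return base64.b64decode(encoded).decode("utf-8")


def summarize_assertion(xml_text):
    """Extract the values the Sumo SAML configuration asks for from a SAML 2.0 Response.

    This reads the structure only; it does not verify the XML signature, which is
    the service provider's job when it consumes the assertion.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in response")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    attributes = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    cert_el = assertion.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    cert = re.sub(r"\s+", "", cert_el.text) if cert_el is not None and cert_el.text else ""
    return {"issuer": issuer, "name_id": name_id, "attributes": attributes, "signing_cert": cert}


def pem_body(pem_text):
    """Strip the BEGIN/END lines and whitespace from the downloaded Base64 certificate."""
    return "".join(l.strip() for l in pem_text.strip().splitlines() if not l.startswith("-----"))


def check_against_config(summary, expected_issuer, cert_pem):
    """List mismatches between the assertion and what was pasted into Sumo."""
    problems = []
    if summary["issuer"] != expected_issuer:
        problems.append(f"Issuer mismatch: assertion says {summary['issuer']!r}")
    if summary["signing_cert"] != pem_body(cert_pem):
        problems.append("signing certificate in assertion differs from the downloaded certificate")
    for claim in (GIVENNAME, SURNAME):
        if claim not in summary["attributes"]:
            problems.append(f"attribute {claim} not present; check the First/Last Name Attribute paths")
    return problems


if __name__ == "__main__":
    summary = summarize_assertion(decode_saml_response(SAMPLE_RESPONSE_B64))
    print(summary)
    print(check_against_config(summary, summary["issuer"], SAMPLE_CERT_PEM))
```

The keys of `summary["attributes"]` are the full attribute paths to paste into First Name Attribute and Last Name Attribute, and the `signing_cert` comparison catches the common case of a certificate that was rotated in Azure AD after the Sumo configuration was saved.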
Complete Azure configuration
In Section 1, Basic SAML Configuration, edit the configuration.
Identifier (Entity ID). If you configured SP-initiated login, replace https://service.sumologic.com with the Entity ID you copied in substep 14 of Configure SAML in Sumo Logic.
Reply URL (Assertion Consumer URL). Replace https://service.sumologic.com with the Assertion Consumer URL you copied in substep 14 of Configure SAML in Sumo Logic.
In the left navigation pane, click Properties in the Manage section.
Enabled for users to sign in? Select Yes.
User assignment required? Select Yes. (This option controls whether a user must be explicitly assigned to this application or whether any user in the Azure AD tenant can sign in to Sumo Logic. We recommend setting this to Yes, as the Sumo environment has a finite number of users.)
In the left navigation pane, click Users and Groups in the Manage section.
Select Add user/group.
Add the users or groups that should be able to log in to Sumo Logic, and then click Assign.
Test SAML Authentication
On the Azure Single Sign-on page click Test.
Click the Sign in as current user radio button and then Test sign in.
You should be redirected and logged into your Sumo Logic account. If you have enabled SP Initiated Login, you can also go to your Sumo Logic account subdomain login page and select the new SAML login option that appears.