To configure OneLogin to sign users in to Sumo Logic using SAML, follow these steps.
In OneLogin, do the following:
- In OneLogin, navigate to Apps > Find apps and search for Sumo Logic. Click Add.
If you are using a datacenter other than US1 (https://service.sumologic.com), use the Sumo Logic Multi connector and select the correct datacenter for your company. You can find your datacenter by viewing the Sumo URL in the address bar.
Example: US2 = service.us2.sumologic.com, etc.
- In the Add Sumo Logic screen, select for the app to be used by the Organization. Click Continue.
- Type your Sumo Logic Configuration ID into the Configuration ID field within the Configuration tab. For now, enter any placeholder value. Once you have created the SAML configuration in Sumo Logic, you will grab this ID from the end of the Authentication Request URL provided by Sumo Logic.
- Under the Single Sign-on tab, copy the HTTP Endpoint under SAML Endpoints and the Issuer URL to the clipboard for use in Sumo Logic later. Set the credentials to Configured by admin and select a default Email value of email (or an equivalent email attribute) to use as the Sumo Logic credential. Select First Name and Last Name for the First and Last Name fields.
- Under the Access Control tab, choose which roles will have access to Sumo Logic.
In Sumo Logic, do the following:
- Navigate to SAML in the Security tab.
- Choose to create a new SAML Configuration.
- In the SAML Configuration enter your Configuration Name (e.g. onelogin).
- Enter the Issuer URL you copied earlier into the Issuer field.
- Enter the HTTP Endpoint you copied earlier into the Authn Request URL field.
- Navigate to OneLogin. Go to Security > SAML. Copy the X.509 certificate and paste it into the X.509 Certificate textbox.
- For Email Attribute select Use SAML subject.
- Under Roles, select Do not modify if you do not want to use Just In Time Provisioning; otherwise, select the default roles assigned to users when they sign in for the first time.
- Leave SP Initiated unchecked.
- To enable Just In Time Provisioning, select On Demand provisioning with a First Name Attribute of firstname and a Last Name Attribute of lastname.
- Enter https://app.onelogin.com/client/apps into the Logout Page field.
- Click Save to save the SAML configuration.
- Once saved, select SAML in Sumo Logic again. Copy the number at the end of the Authentication Request field. This is the Configuration ID required in step 3 of the OneLogin configuration.
To test, do the following:
- Log in to OneLogin.
- Make sure you are logged out of Sumo Logic.
- Click the Sumo Logic icon on your dashboard. This should log you into Sumo Logic.
If you're not using the same email address in Sumo Logic as in OneLogin, do the following:
- Click Apps, then Company Apps.
- Edit the Sumo Logic application.
- Navigate to the Logins tab.
- Locate your user and click Edit.
- Type a new email into the Email field and click Update.
- Navigate to the portal and re-test by clicking the Sumo Logic icon.
Sumo Logic also supports Just in Time Provisioning, which allows you to create users on the fly. Whenever a user is given access to Sumo Logic in the OneLogin portal via Access Control, that user can be created automatically if they don't already have a Sumo Logic account. Select the First Name and Last Name credentials for JIT Provisioning, and enter Default Roles within Sumo Logic.
Important Security Note! Access Keys are NOT controlled by SAML. This means that if a user has been disabled on the OneLogin side, their Sumo Logic Access Keys remain valid. For this reason, administrators should audit users regularly and disable Access Keys when necessary.
By default, administrators can create new Sumo Logic forms-based logins in addition to SAML-provisioned users. This creates the need to either audit your accounts regularly or ask Sumo Logic Support to enable SAML Lock Down. SAML Lock Down disables the ability for users to log in directly to Sumo Logic using a username and password.
There are also a few minor changes to user management behavior, such as no email being sent when a user's email address is modified. File a Sumo Logic Support request to enable this feature.
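The audit recommended in the security note above can be scripted. The following is an added example, not code from the original article or from either vendor: it reconciles a list of OneLogin users against a list of Sumo Logic access keys and flags keys that SAML deprovisioning would never have revoked. Both inputs are constructed samples, and their field names (email, status, owner, last_used) are assumptions rather than the products' real API schemas.

```python
"""Flag Sumo Logic access keys whose owner is no longer active in OneLogin.

Added example. The two lists below are constructed stand-ins for an
export of OneLogin users and a listing of Sumo Logic access keys; the
field names are assumptions, not the products' real API schemas.
"""
from datetime import datetime, timezone

# Constructed sample: OneLogin users with their IdP status.
ONELOGIN_USERS = [
    {"email": "alice@example.com", "status": "active"},
    {"email": "bob@example.com", "status": "suspended"},
]

# Constructed sample: Sumo Logic access keys with owner and last-use time.
SUMO_ACCESS_KEYS = [
    {"id": "key-001", "owner": "alice@example.com", "last_used": "2024-05-01T00:00:00+00:00"},
    {"id": "key-002", "owner": "bob@example.com", "last_used": "2024-04-20T00:00:00+00:00"},
    {"id": "key-003", "owner": "carol@example.com", "last_used": "2023-11-02T00:00:00+00:00"},
    {"id": "key-004", "owner": "Alice@example.com", "last_used": "2024-01-15T00:00:00+00:00"},
]


def orphaned_access_keys(users, keys, now, max_idle_days=90):
    """Return (key_id, reason) for every key an administrator should review.

    A key is flagged when its owner is absent from the IdP, is not active
    there, or has not been used within max_idle_days. Emails are compared
    case-insensitively so a differently-cased owner is not missed.
    """
    status_by_email = {u["email"].lower(): u["status"] for u in users}
    findings = []
    for key in keys:
        status = status_by_email.get(key["owner"].lower())
        if status is None:
            findings.append((key["id"], "owner not found in IdP"))
        elif status != "active":
            findings.append((key["id"], f"owner is {status} in IdP"))
        elif (now - datetime.fromisoformat(key["last_used"])).days > max_idle_days:
            findings.append((key["id"], f"unused for more than {max_idle_days} days"))
    return findings


def run_sample_audit():
    """Run the audit over the constructed samples at a fixed 'now'."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    return orphaned_access_keys(ONELOGIN_USERS, SUMO_ACCESS_KEYS, now)


if __name__ == "__main__":
    for key_id, reason in run_sample_audit():
        print(f"{key_id}: {reason}")
```

Replace the two sample lists with real exports and the flagged keys become the list to disable or confirm with their owners.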