Question:

How do you integrate Sumo Logic with Azure Active Directory (AD) with SAML SSO? 

Answer:

Sumo Logic SAML 2.0 integration with Azure AD

NOTE: The steps below are from the new Azure Management Console. For general steps using the legacy GUI, see here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps

From Azure Management Console:

1. Go into the Microsoft Azure Management Console and select Azure Active Directory

2. Select Manage > Enterprise Applications (left menu)

3. Select Manage > All Applications (left menu)

4. Select to add a New application

5. Select Categories and then select ALL

6. Select the Non-gallery application

NOTE: There is a ‘Sumo Logic’ application in the gallery, DO NOT USE THIS.

7. Under the Add your own application page give your application a Name. Ex. Sumo Logic and select Add

Note: The name may be set to anything, we will reference this as <name> in subsequent steps of this how-to.

 

8. Select your new application from the applications list. 

9. From the left Menu select: <name> - Single sign-on

10. Select SAML-based Sign-on

11. Within the section for SAML Signing Certificate select Certificate (Base64)

12. Download the <name>.cer file.

13. Go to the <name> Configuration section found at the bottom of the current page. Copy and paste the following into a text document which will be used in your sumo logic configuration

• Login URL
• Azure AD identifier
• Logout URL

From Sumo Logic UI extracted from this link

1. Go to Administration > Security > SAML.

2. Select an existing configuration, or click the plus (+) icon to create a new configuration.

3. The Add Configuration page appears.          

4. Enter the Configuration Name to identify the SSO policy.

5. Select Debug Mode to provide error details if authentication fails.

6. Enter  Issuer using SAML Entity ID value in step 14 of previous section.

7. Open up the Base64 Certificate in a text editor and copy and paste the contents into the X.509 Certificate field in Sumo Logic.

8.  Under Attribute Mapping select Use SAML Subject.

9.  Select SP initiated Login Configuration.

• Login Path: This is unique to your organization, enter <OrganizationName>
  • For example, if you enter "OrganizationName", the login URL for the HTTP redirect binding becomes:
  • https://service.us2.sumologic.com/sumo/saml/redirect/yourcompanyname
• Authn Request URL
• This will be set to Login URL from step 13 in the Previous Section

 

10. Make sure to check the setting for Disable Requested Authentication Context

11. (OPTIONAL) On Demand Provisioning (note these labels may need to customized depending on the Identity Provider being used). Enter the appropriate values and select  Save

            a. First Name Attribute: givenname

            b. Last Name Attribute: lastname

            c. On Demand Provisioning Roles: <Sumo Logic Defined Role(s)>

12. (OPTIONAL) Select Logout Page and for the URL provide the Logout URL from Step 13 in the previous section

13. Click Add  at the bottom of the page to save the configuration and copy the Assertion Consumer to be used in the next section

 

C. Azure Management Console:

1. Select your new application from the applications list. 

2. From the left Menu select  Single sign-on for your <name> application

3. In Section 1 Basic SAML Configuration, edit the configuration.

4. For the Identifier (Entity ID) , enter https://service.us2.sumologic.com. The easiest way  to see which pod your account uses is to look at the Sumo Logic URL. If you see "us2" that means you're running on the US2 pod and service endpoint would be https://service.us2.sumologic.com. If you see "eu" or "au" you're on one of those pods , it would be https://service.eu.sumologic.com  or https://service.au.sumologic.com respectively. If none is seen, then it would be https://service.sumologic.com for the US1 deployment

5. Enter the  Assertion Consumer value copied in step 14 of previous section.

6. Select Save to update the configuration.

7. From the Left Menu, select Manage > Properties

8. Enter Yes for "Enabled for users to sign in?:" 

9. Enter Yes for "User assignment required?" (Controls whether a user must be assigned to this group or whether any user in the Azure AD tenant can use Sumo Logic. Recommended setting      is  Yes as the Sumo environment has a finite number of users)

10. Select Save to update the configuration.

11. From the Left Menu, select Manage > Users and groups

12. Select Add user (top left)

13. From the  Add Assignment, select Users and groups

14. Select <Users and groups you wish to grant access Sumo Logic>
NOTE: Azure AD SAML currently does not support nested groups.

15. Select  Select (bottom)

16. Select Assign (bottom) from Add Assignment section

17. (OPTIONAL) under<name> - Users and groups, select <Group with ROLE ASSIGNED value of ‘User’>
 NOTE: There is a bug in Azure AD that displays a ‘ROLE ASSIGNED’ value of User when this is      not actually assigned initially.

18. Select Edit Assignment

19. Select Select Role (This may say None Selected which is the bug)

20. Select User and click Select (bottom)

21. Confirm User is visible under Select Role

22. Select Assign (bottom)

D. Test SAML Authentication

Option 1. Test IDP initiated SSO login via Azure AD

https://myapps.microsoft.com/

Option 2. Test SP Initiated SSO login from Sumo Logic URL

https://service.us2.sumologic.com/sumo/saml/redirect/yourcompanyname

(URL created in the SP initiated Login Configuration in the Sumo Logic SAML configuration)