How do you integrate Sumo Logic with Azure Active Directory (AD) with SAML SSO?
Sumo Logic SAML 2.0 integration with Azure AD
NOTE: The steps below are from the new Azure Management Console. For general steps using the legacy GUI, see here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps
A. From the Azure Management Console:
1. Go into the Microsoft Azure Management Console and select Azure Active Directory
2. Select Manage > Enterprise Applications (left menu)
3. Select Manage > All Applications (left menu)
4. Select to add a New application
5. Select Categories and then select ALL
6. Select the Non-gallery application
NOTE: There is a "Sumo Logic" application in the gallery. DO NOT USE IT; this how-to uses a non-gallery application.
7. On the Add your own application page, give your application a Name (for example, Sumo Logic) and select Add.
Note: The name may be set to anything; we will reference it as <name> in subsequent steps of this how-to.
8. Select your new application from the applications list.
9. From the left Menu select: <name> - Single sign-on
10. Select SAML-based Sign-on
11. Within the section for SAML Signing Certificate select Certificate (Base64)
12. Download the <name>.cer file.
13. Go to the <name> Configuration section at the bottom of the current page. Copy and paste the following values into a text document; they will be used in your Sumo Logic configuration:
- Login URL
- Azure AD identifier
- Logout URL
B. From the Sumo Logic UI (steps extracted from this link):
1. Go to Administration > Security > SAML.
2. Select an existing configuration, or click the plus (+) icon to create a new configuration.
3. The Add Configuration page appears.
4. Enter the Configuration Name to identify the SSO policy.
5. Select Debug Mode to provide error details if authentication fails.
6. Enter the Issuer using the SAML Entity ID value, which is the Azure AD identifier copied in step 13 of the previous section.
7. Open the Base64 certificate (<name>.cer) in a text editor and copy and paste its contents into the X.509 Certificate field in Sumo Logic.
8. Under Attribute Mapping select Use SAML Subject.
9. Select SP initiated Login Configuration.
- Login Path: this is unique to your organization; enter <OrganizationName>.
- For example, if you enter "OrganizationName", the login URL for the HTTP redirect binding becomes:
- Authn Request URL: set this to the Login URL copied in step 13 of the previous section.
10. Make sure the Disable Requested Authentication Context setting is checked.
11. (OPTIONAL) On Demand Provisioning (note that these attribute labels may need to be customized depending on the Identity Provider being used). Enter the appropriate values and select Save.
a. First Name Attribute: givenname
b. Last Name Attribute: lastname
c. On Demand Provisioning Roles: <Sumo Logic Defined Role(s)>
12. (OPTIONAL) Select Logout Page and, for the URL, provide the Logout URL copied in step 13 of the previous section.
13. Click Add at the bottom of the page to save the configuration, and copy the Assertion Consumer URL to be used in the next section.
C. Azure Management Console:
1. Select your new application from the applications list.
2. From the left Menu select Single sign-on for your <name> application
3. In Section 1, Basic SAML Configuration, edit the configuration.
4. For the Identifier (Entity ID), enter https://service.us2.sumologic.com. The easiest way to see which pod your account uses is to look at the Sumo Logic URL. If you see "us2", you are running on the US2 pod and the service endpoint is https://service.us2.sumologic.com. If you see "eu" or "au", you are on one of those pods and the endpoint is https://service.eu.sumologic.com or https://service.au.sumologic.com respectively. If no pod prefix is present, use https://service.sumologic.com for the US1 deployment.
5. Enter the Assertion Consumer URL copied in step 13 of the previous section.
6. Select Save to update the configuration.
7. From the Left Menu, select Manage > Properties
8. Set "Enabled for users to sign in?" to Yes.
9. Set "User assignment required?" to Yes. (This controls whether a user must be explicitly assigned to this application or whether any user in the Azure AD tenant can sign in to Sumo Logic. The recommended setting is Yes, since the Sumo environment has a finite number of users.)
10. Select Save to update the configuration.
11. From the Left Menu, select Manage > Users and groups
12. Select Add user (top left)
13. In the Add Assignment pane, select Users and groups.
14. Select <the users and groups you wish to grant access to Sumo Logic>.
NOTE: Azure AD SAML currently does not support nested groups.
15. Click Select (bottom).
16. Click Assign (bottom) in the Add Assignment section.
17. (OPTIONAL) Under <name> - Users and groups, select <the group with a ROLE ASSIGNED value of "User">.
NOTE: There is a bug in Azure AD that displays a ROLE ASSIGNED value of User when the role is not actually assigned initially.
18. Select Edit Assignment
19. Select Select Role (this may read None Selected, which is the bug noted above).
20. Select User and click Select (bottom)
21. Confirm User is visible under Select Role
22. Select Assign (bottom)
D. Test SAML Authentication
Option 1. Test IDP initiated SSO login via Azure AD
Option 2. Test SP-initiated SSO login from the Sumo Logic URL (the URL created in the SP initiated Login Configuration of the Sumo Logic SAML configuration).
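When a test login fails and Debug Mode (step 5 of section B) reports a rejected assertion, the usual cause is a mismatch between what Azure AD sends and what was entered in the two consoles. The following is an added example, not Sumo Logic's or Microsoft's code: it checks a SAML Response from Azure AD against the Issuer (Azure AD identifier), Entity ID (pod service URL) and Assertion Consumer URL configured above. The tenant id and ACS path are placeholders, and signature verification is left to Sumo Logic.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values copied during setup: Azure AD identifier (Issuer), the Entity ID of the
# pod (US2 here) and the Assertion Consumer URL. Tenant id and ACS path are placeholders.
EXPECTED = {
    "issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "audience": "https://service.us2.sumologic.com",
    "recipient": "https://service.us2.sumologic.com/ACS_URL_PLACEHOLDER",
}
def check_response(xml_text, expected):
    """Return a list of mismatches between a SAML Response and the configured values;
    empty means Issuer, Audience, Recipient and Subject line up. No signature check here."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["Response carries no Assertion (or it is encrypted)"]
    findings = []
    # Issuer must equal the Azure AD identifier entered as Issuer in Sumo Logic
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected["issuer"]:
        findings.append(f"Issuer mismatch: {issuer}")
    # Audience must equal the Entity ID entered in Azure for the Sumo Logic pod
    aud = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != expected["audience"]:
        findings.append(f"Audience mismatch: {aud} (wrong pod Entity ID?)")
    # Recipient must equal the Assertion Consumer URL entered in Azure
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected["recipient"]:
        findings.append(f"Recipient mismatch: {recipient}")
    # "Use SAML Subject" in Sumo Logic maps the user from NameID, so it must be present
    if not assertion.findtext("saml:Subject/saml:NameID", namespaces=NS):
        findings.append("Subject NameID missing; Use SAML Subject mapping cannot work")
    return findings

# Constructed sample: the Azure app still carries the US1 Entity ID while the account is on US2
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
<saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
<saml:Subject><saml:NameID>alice@example.com</saml:NameID><saml:SubjectConfirmation>
<saml:SubjectConfirmationData Recipient="https://service.us2.sumologic.com/ACS_URL_PLACEHOLDER"/>
</saml:SubjectConfirmation></saml:Subject><saml:Conditions><saml:AudienceRestriction>
<saml:Audience>https://service.sumologic.com</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    for finding in check_response(SAMPLE, EXPECTED):
        print("DEBUG:", finding)
```

To use it on a real login, paste the Base64-decoded SAMLResponse captured by your browser's developer tools in place of SAMPLE and fill EXPECTED from your own consoles.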