Authentication and identity providers
Authentication is the process of verifying the identity of a user, system, or entity attempting to access a resource. Authentication is distinct from authorization, which determines what an authenticated user is allowed to do within a system.
The following diagram shows an example of a standard OAuth/OIDC flow that LogScale supports. (Your actual flow may differ, depending on your identity provider and configuration.) A user initiates access to LogScale. LogScale redirects the user to the identity provider (IdP), where the user authenticates. On successful authentication the IdP issues a token, which is forwarded to LogScale. LogScale validates the token and grants access.
Falcon LogScale and Falcon Long Term Repository
Falcon Long Term Repository (FLTR) customers are provisioned through the CrowdStrike Falcon IdP. Additional users can be added through the Falcon company account management.
LogScale organization owners can add LogScale users by creating the user and sharing the sign-up URL. Alternative authentication methods are supported but must be configured by LogScale Support; users will then need to log in via their configured IdP.
Contact Support for assistance.
User authentication for an organization is only available for paid customers. To upgrade, contact the LogScale Sales Department. Assuming your organization is already a LogScale enterprise customer, you can use one of the identity providers or authentication methods described in these sections.
All LogScale Cloud customers must contact Support to configure their chosen identity provider (IdP). LogScale supports having multiple IdPs configured on an account, though only one can be the "default" that leverages the IdP Signon URL.
Identity providers and other authentication methods
Although LogScale can authenticate users itself, you can also use an identity provider or a reverse proxy. LogScale supports a number of IdPs that you may already be using within your existing infrastructure; however, only one identity provider can act as the default for your account (see above). The following links describe the various authentication methods and direct you to information about how to configure each of them to work with LogScale.
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between an identity provider and a service provider. LogScale supports Active Directory Federation Services, Azure AD/Entra ID, Duo Security, PingFederate, and Okta.
OpenID Connect (OIDC) is an open, decentralized authentication protocol built as an identity layer on top of OAuth 2.0.
The following chart provides a high-level overview of the features available for each authentication method.
| Feature | SAML | OIDC | LDAP | OAuth | Proxy |
|---|---|---|---|---|---|
| Single Sign-on | Yes | Yes | No | Yes | Yes |
| MFA Support | Yes | Yes | No | Yes | Depends |
| Group mapping | Yes | Yes | Yes | Limited | Yes |
| Implementation complexity | High | Medium | Medium | Low | High |
| Session management | IdP | IdP | LogScale | IdP | Proxy |
| Available for Self-hosted | Yes | Yes | Yes | Yes | Yes |
| Available for Cloud | Yes | Yes | No | No | No |
Requirements for identity provider configuration
Before configuring your IdP, LogScale Support needs to know the following information about it:
| Method | Requirement | Description |
|---|---|---|
| SAML | Email Field Name | LogScale uses email addresses as usernames. Confirm that your IdP will pass an email address, and know the name of the attribute your IdP uses to carry it. |
| SAML | Choose User Creation | Users must either be created in LogScale before they can log in, or be provisioned "just in time" on first login. For just-in-time provisioning, Support must know the NameID to use when creating the user. |
| SAML | SAML Metadata Endpoint [a] | URL of the SAML metadata endpoint for your identity provider. |
| SAML | Single Sign-on URL | When a user tries to access LogScale, the authentication flow starts by redirecting the user to the IdP sign-on page, where the user authenticates. LogScale Support needs the URL of your IdP service. After successful authentication the user is redirected back to LogScale, which issues a LogScale-specific access token. For details of the flow, see the Wikipedia article on Web Browser SSO Profiles. |
| SAML | Identity Provider Entity ID | If you provided the SAML Metadata Endpoint, the entity ID is pulled in from it. Otherwise, provide the entity ID from your SAML configuration. |
| SAML | X.509 Certificate | A copy of your IdP's public X.509 certificate, which LogScale uses to verify the signatures on the SAML responses and assertions the IdP issues. |
| SAML | Group Field Name (Optional) | LogScale can synchronize with your IdP groups to support role groups for accessing LogScale resources. Share with LogScale Support the name of the attribute that carries group membership. If group membership is enabled for the IdP used with LogScale, users are mapped automatically to any LogScale group whose name is the same as the group name in the IdP. For more information on how group synchronization works, see Group Synchronization. |
| OIDC | User Client ID | Client ID of your OpenID application. Required for client setup. |
| OIDC | Client Secret | Client secret of your OpenID application. Required for client setup. |
| OIDC | OIDC Well Known Endpoint [b] | URL of the OIDC well-known endpoint. LogScale uses the OpenID Connect Discovery endpoint (%OIDC_PROVIDER%/.well-known/openid-configuration) to configure the remaining parameters automatically. If your provider does not have such an endpoint, you must provide the information in the rows below. |
| OIDC | Issuer | URL of the OpenID Connect provider. The provider URL must match the issuer reported by the OpenID provider exactly, including scheme and any trailing slash. |
| OIDC | User Claim | Name of the claim to interpret as the username in LogScale. The value in the claim must be a string. |
| OIDC | Authorization Endpoint | URL of the endpoint a user is redirected to when authorizing. |
| OIDC | Token endpoint authorization method | Method LogScale uses to authenticate to the token endpoint: either client_secret_basic (client ID and secret in an HTTP Basic Authorization header) or client_secret_post (client ID and secret in the POST body). |
| OIDC | User info endpoint | Required. URL of the user info endpoint used to retrieve user information with an access token. |
[a] If you provide the SAML Metadata Endpoint, it should supply the certificate and the entity ID.
[b] If you provide the OIDC Well Known Endpoint, it should supply everything listed below it in this table.
Specific IdP solutions may have additional requirements for information. Those details are provided in the documentation of each supported IdP solution.
Gather the information above and contact Support to work with you to setup your chosen IdP service.
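Before sending the OIDC values in the table above to Support, it is worth checking them against what the provider actually advertises. The following is an added example, not LogScale's code or any provider's API: it validates a constructed discovery document against the configured issuer (the exact-match rule is where trailing-slash mismatches bite), chooses between client_secret_basic and client_secret_post from what the IdP advertises, builds the token request for each method, and applies the user-claim rule to an ID token payload. DISCOVERY_DOC, the claim names and all URLs are constructed sample data.

```python
# Added example, not LogScale's code: pre-flight checks on the OIDC values
# listed in the table above before handing them to Support.
# Assumptions (not from the page): DISCOVERY_DOC and the claims passed to
# username_from_claims are constructed sample data; names are illustrative.
import base64
from urllib.parse import quote

# Constructed sample of what an IdP serves at
# <issuer>/.well-known/openid-configuration (not a real provider).
DISCOVERY_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
}

# Discovery fields that correspond to the manual rows in the table.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def check_discovery(doc, configured_issuer):
    """Return a list of problems; an empty list means the document is usable."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if f not in doc]
    # The issuer must match byte for byte; a stray trailing slash is the
    # classic mismatch ("https://idp.example.com/" != "https://idp.example.com").
    if doc.get("issuer") != configured_issuer:
        problems.append(
            f"issuer mismatch: configured {configured_issuer!r}, "
            f"provider reports {doc.get('issuer')!r}"
        )
    return problems


def pick_token_auth_method(doc, preferred="client_secret_basic"):
    """Choose client_secret_basic or client_secret_post from what the IdP advertises.

    OIDC Discovery defines client_secret_basic as the default when the
    provider omits token_endpoint_auth_methods_supported.
    """
    supported = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    for method in (preferred, "client_secret_basic", "client_secret_post"):
        if method in supported:
            return method
    raise ValueError(f"no supported client-secret method in {supported}")


def token_request(method, client_id, client_secret, code, redirect_uri):
    """Build headers and form body for the authorization_code token request.

    Both methods carry the same credentials in different places; the
    difference is exactly the setting Support asks for.
    """
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-urlencode id and secret, then HTTP Basic.
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    elif method == "client_secret_post":
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown token endpoint auth method {method!r}")
    return headers, body


def username_from_claims(claims, configured_issuer, client_id, user_claim):
    """Apply the table's rules to an ID token payload: exact issuer, audience
    includes our client ID, and the user claim is a non-empty string.

    The JWS signature must already have been verified against jwks_uri;
    that step is outside this example.
    """
    if claims.get("iss") != configured_issuer:
        raise ValueError("iss does not match the configured issuer exactly")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise ValueError("aud does not include this client ID")
    value = claims.get(user_claim)
    if not isinstance(value, str) or not value:
        raise ValueError(f"claim {user_claim!r} is missing or not a string")
    return value
```

Run check_discovery against the real document fetched from your provider's well-known URL; if it reports an issuer mismatch, fix the configured issuer rather than the provider, since the provider's value is the one the ID tokens will carry.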
Group mapping between LogScale and identity providers
When using an identity provider that supports group mapping, it is important that the group names in LogScale match the group names provided in the identity provider.
For more information about group membership mapping and group synchronization, see Group Memberships and Group Synchronization.
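To see what the Email Field Name, Group Field Name and "group names must match" rules mean on the wire, here is an added example that is not LogScale's or any IdP's code. It parses a constructed, unsigned SAML assertion, extracts the email and group attributes by the attribute names you would have reported to Support ("email" and "groups" here are illustrative), and maps the IdP groups onto a set of LogScale group names by exact comparison, as the page describes. The near-miss report (names differing only by case or whitespace) is a troubleshooting aid and an assumption of this example, not documented LogScale behaviour.

```python
# Added example, not LogScale's code: pull the email and group attributes out
# of a SAML assertion and map the IdP groups onto LogScale group names.
# Assumptions (not from the page): SAMPLE_ASSERTION is a constructed,
# unsigned assertion; attribute names "email" and "groups" are illustrative
# (use whatever names you reported to Support as the Email and Group field).
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (no Signature element; see attribute_values).
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0">
  <saml2:Issuer>https://idp.example.com/saml</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email">
      <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="groups">
      <saml2:AttributeValue>logscale-admins</saml2:AttributeValue>
      <saml2:AttributeValue>SOC-Analysts</saml2:AttributeValue>
      <saml2:AttributeValue>everyone</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def attribute_values(assertion_xml, name):
    """All AttributeValue texts for the Attribute called `name`, in document order.

    Only call this on an assertion whose XML signature has already been
    verified; parsing an unverified assertion proves nothing about who sent it.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS))
    return values


def saml_username(assertion_xml, email_field):
    """The single email value LogScale would use as the username."""
    values = attribute_values(assertion_xml, email_field)
    if len(values) != 1 or "@" not in values[0]:
        raise ValueError(f"expected exactly one email in attribute {email_field!r}, got {values}")
    return values[0]


def map_groups(idp_groups, logscale_groups):
    """Exact-name mapping as the page describes, plus a troubleshooting aid.

    Returns (matched, near_misses): matched is the set of LogScale groups the
    user lands in; near_misses maps IdP names that differ only by case or
    surrounding whitespace from a LogScale group to that group, which is the
    usual reason a user "is in the group in the IdP but not in LogScale".
    """
    matched = set()
    near_misses = {}
    by_folded = {g.strip().casefold(): g for g in logscale_groups}
    for g in idp_groups:
        if g in logscale_groups:
            matched.add(g)
        elif g.strip().casefold() in by_folded:
            near_misses[g] = by_folded[g.strip().casefold()]
    return matched, near_misses
```

When a user reports missing permissions, compare the values returned by attribute_values for your Group Field Name against the LogScale group names; anything in near_misses is a naming mismatch to fix on one side or the other.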
Troubleshoot authentication
In case of issues with authentication, contact LogScale support for assistance.