Authenticating with OpenID Connect

Security Requirements and Controls

LogScale supports authenticating with any provider following the OpenID Connect standard. When OpenID Connect is configured, LogScale accepts OpenID tokens issued by the OpenID Connect provider (LogScale acts as a resource in OpenID Connect terms). This is useful if you are running LogScale behind a proxy that handles authentication.

In addition to acting as a resource, LogScale can also act as a client responsible for authenticating users (a relying party in OpenID Connect terms). This is similar to other OAuth authentication flows LogScale supports.

Configuration

To configure your organization to use OpenID for authentication, there are a few steps:

  • Click tab Identity Providers from the menu on the left

  • Click the Add IDP Configuration pull-down menu and select OIDC.

    Adding OIDC Identity Provider

    Figure 44. Adding OIDC Identity Provider


    Note

    If you still only have a free or trial account, you won't be able to add an identity provider or see this pull-down menu.

  • Click + Add domain to add a domain, this will be the one that your users will be able to use to log into LogScale.

    Add Domain

    Figure 45. Add Domain


  • Enter the domain name, only the domain name without a leading or trailing text or slashes. For example, you'd enter example.com, not https://example.com/login.

  • Hit Confirm to save it.

  • Provide details related to the identity provider and your domain, to fill in the configuration form.

    The information needed in the form is the following:

    • Name — Name of the OpenID provider.

    • Client ID — Client ID of your OpenID application.

    • Client Secret — Client secret of your OpenID application.

    • OIDC Well Known Endpoint — Returns the OpenID Connect configuration values from the providers Well-Known Configuration Endpoint.

    • Issuer — URL to the OpenID provider. The provider URL must match the issuer reported by the OpenID provider exactly.

    • User Claim — The name of the claim to interpret as username in LogScale. The value in the claim must be a string. Defaults to humio-user. Can be set to email if using emails as usernames.

    • Authorization Endpoint — A URL to the endpoint a user should be redirected to when authorizing.

    • Token Endpoint Authorization Method — The authentication method used to authenticate LogScale against the token endpoint. Can either be client_secret_basic or client_secret_post for placing the client id and secret in either basic auth or post data, respectively. Defaults to client_secret_basic, or client_secret_post if client_secret_basic is not supported as per the discovery endpoint.

    • Scopes — List of scopes to add in addition to the default requested scopes (openid, email, and profile).

    • Store SSO debug logs in LogScale — If this is checked off, the debugging logs for the configuration will be stored in the humio-organization-activity view.

    • User Info Endpoint — A URL to the user info endpoint used to retrieve user information from an access token.

    • Registration Endpoint — Protected Resource through which you can be registered at an Authorization Server.

    • Token Endpoint — A URL to the token endpoint used to exchange a authentication code to an access token.

    • JWKS Endpoint — A URL to the JWKS endpoint for retrieving keys for validating tokens.

  • If you use LogScale to synchronize groups from the single sign-on provider, enable Let identity provider handle group membership in LogScale, and give it a value that matches the value in the single sign-on provider.

  • When you're finished, click Save.