Configuration & Authentication with SAML
Security Requirements and Controls: Change identity providers permission
Falcon LogScale and Falcon Long Term Repository
Falcon Long Term Repository (FLTR) customers are provisioned through the CrowdStrike Falcon IDP. Additional users can be added through the Falcon company account management.
LogScale organization owners can add LogScale users by creating the user and sharing the sign-up URL. Alternative authentication methods are supported but must be configured by LogScale Support; users will then need to log in via their configured IDP.
Please contact Support for assistance.
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between applications. LogScale implements the SAML 2.0 Web Browser SSO Profile, which means authentication is delegated to an existing identity provider (IDP) that is responsible for managing user credentials.
Leveraging an existing SSO solution in an organization gives LogScale users a seamless log-on experience: if they are already logged on through their SSO, they will not be prompted for credentials. Instead, authentication is handled transparently between LogScale and the IDP. Because authentication is delegated to the IDP, LogScale never sees the user's credentials. You should be able to use LogScale with any SAML 2.0 provider.
These are the identity providers that LogScale can be configured to use:
More information on these providers and how to integrate them with LogScale is presented further down.
Logging in with SAML Authentication
When SAML-based authentication has been enabled, from the login screen users must enter their corporate email address into the Single sign-on box.
Figure 28. Login Window
Users must use the enterprise login route, even if you have also configured login through a service supported natively by LogScale (e.g. Google, GitHub or Bitbucket).
Falcon Long Term Repository (FLTR) customers sign in with their Falcon login. If you would like to set up your corporate IDP solution instead, please contact Support.
Configure LogScale for Cloud
Configuring an identity provider (IdP) for your cloud installation lets you authenticate LogScale users against an IdP you already use elsewhere in your company's security infrastructure.
Before configuring your IdP, LogScale needs to know the following specifics about it:
LogScale uses email addresses as usernames. Confirm that your IdP will pass an email address. If needed, you can tell LogScale the name of the field in the SAML payload to read the email address from.
Users must be created in LogScale before they can log in. Alternatively, if you have enabled Auto create user on successful login, LogScale will provision the user as soon as they successfully authenticate with the IDP.
When a user tries to access LogScale, the authentication flow starts by redirecting the user to $IDP_SIGNON_URL. Upon successful authentication the user is redirected back to LogScale, where a LogScale-specific access token is issued. For details about the flow see the Wikipedia article about Web Browser SSO Profiles.
The redirect back to LogScale is handled by the SAML Assertion Consumer Service endpoint located at http://$YOUR_LOGSCALE_URL/api/v1/saml/acs. The SAML binding used in this interaction is the HTTP POST Binding, while the logon interaction from LogScale to the IDP is done through an HTTP Redirect (GET) Binding.
Metadata about LogScale as a SAML Service Provider is available at http://$YOUR_LOGSCALE_URL/api/v1/saml/metadata.
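The first leg of the flow described above, the SP-initiated redirect to the IDP over the HTTP Redirect (GET) binding, as an added example in Python. This is illustration code, not LogScale's implementation: the entity ID, ACS URL and IDP sign-on URL are constructed placeholders standing in for $YOUR_LOGSCALE_URL and $IDP_SIGNON_URL, and the request asks the IDP to return its Response by HTTP POST to the ACS endpoint, as the page says LogScale expects.

```python
import base64
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed placeholders: the page gives only the ACS and metadata paths
# under $YOUR_LOGSCALE_URL and names the IDP endpoint $IDP_SIGNON_URL.
SP_ENTITY_ID = "http://logscale.example.invalid/api/v1/saml/metadata"
ACS_URL = "http://logscale.example.invalid/api/v1/saml/acs"
IDP_SIGNON_URL = "https://idp.example.invalid/sso/redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(request_id: str, issue_instant: str) -> str:
    """Build the AuthnRequest the SP sends. AssertionConsumerServiceURL and
    ProtocolBinding tell the IDP to return the Response by HTTP-POST to the ACS."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SIGNON_URL,
        "AssertionConsumerServiceURL": ACS_URL,
        "ProtocolBinding": POST_BINDING,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    # Ask for an email-format NameID, since LogScale uses email addresses as usernames.
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "AllowCreate": "true",
    })
    return ET.tostring(root, encoding="unicode")


def encode_redirect(xml_text: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then
    URL-encode into the SAMLRequest query parameter of the IDP sign-on URL."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw deflate
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii"),
              "RelayState": relay_state}
    return IDP_SIGNON_URL + "?" + urllib.parse.urlencode(params)


def decode_redirect(url: str) -> str:
    """What the IDP does on receipt: reverse the URL-encoding, base64 and DEFLATE."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def requested_acs(url: str) -> str:
    """Where the decoded request asks the IDP to POST the Response. An IDP should
    only honour this if it matches the ACS URL registered in the SP metadata."""
    return ET.fromstring(decode_redirect(url)).get("AssertionConsumerServiceURL")


if __name__ == "__main__":
    request_id = "_" + uuid.uuid4().hex
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    redirect = encode_redirect(build_authn_request(request_id, now), "/")
    print(redirect)
    print(requested_acs(redirect))
```

The request ID must be remembered by the SP so that the Response's InResponseTo can be matched later; RelayState is simply echoed back by the IDP and is the same parameter that the Default Relay State setting mentioned further down supplies for IDP-initiated logins.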
Configuring SAML for LogScale Cloud
To configure your organization to use SAML 2.0 for authentication:
Click the Identity Providers tab in the menu on the left.
Click the pull-down menu and select SAML 2.0.
Note: If you still only have a free or trial account, you won't be able to add an identity provider or see this pull-down menu.
Click
to add a domain. This will be the domain that your users will be able to use to log into LogScale.
Figure 29. Add Domain
Enter just the domain name, without any leading or trailing text or slashes. For example, you'd enter example.com and not https://example.com/login.
Hit
to save it.
Provide details related to the identity provider and your domain to fill in the configuration form:
Figure 30. Identity Provider Details
If you want LogScale to synchronize groups from the single sign-on provider, enable
and give it a value that matches the value in the single sign-on provider.
If you want to debug the configuration, check
. The configuration debug logs will then be stored in the humio-organization-activity view.
When you're finished, click
.
If the configuration was saved successfully, the Integration URL will be displayed at the top of the page. You will need this to set the Default Relay State in the identity provider. Read the section Setting Relay State in the relevant documentation page; see the links in the bullet list at the top of this document.
Access Token Lifecycle
When the SAML-specific authentication flow is finished and successful, a LogScale access token is issued by LogScale itself. Until the token expires, the IDP will not be involved in authentication of the user's requests. The lifetime of the access token is 24 hours.
New User Accounts
If LogScale encounters a new user that has been granted access through the IDP, it will create the user in the context of LogScale. For this purpose the NameID in the SAML authentication response is used as the username property of the LogScale user. The recommended username is the email address.
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Username</saml:NameID>
By default, the user has no rights. Unless a user is otherwise granted access rights, they will not be able to do anything besides see an empty list of repositories. You can use SAML roles to control access. Otherwise, the user needs to be added explicitly as a member or admin of a repository or view to be able to access it.
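The other leg of the flow, the Assertion Consumer Service receiving the IDP's Response over the HTTP POST binding, as an added example in Python covering this section (NameID as username, new user with no rights), the access token lifetime of 24 hours from the section above, and the optional email field from the cloud configuration notes. This is illustration code, not LogScale's implementation; the Response, the ACS URL, the entity ID, the IDP issuer and the user jdoe are all constructed. The constructed Response carries no XML signature, so the signature check a real ACS performs first is noted but not implemented.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed placeholders; the page gives only the ACS and metadata paths.
ACS_URL = "http://logscale.example.invalid/api/v1/saml/acs"
SP_ENTITY_ID = "http://logscale.example.invalid/api/v1/saml/metadata"
TOKEN_LIFETIME = timedelta(hours=24)  # access-token lifetime stated on the page
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed Response as an IDP would POST it to the ACS (signature omitted).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
    Destination="{ACS_URL}" InResponseTo="_req1">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encoded_sample() -> str:
    """The sample as it arrives in the SAMLResponse form field (HTTP-POST binding)."""
    return base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")


def _instant(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_response(saml_response_b64: str, expected_request_id: str,
                     now: datetime, email_attribute: Optional[str] = None) -> dict:
    """Validate a POSTed Response and turn it into a LogScale-style login result.
    A real ACS must first verify the XML signature against the IDP certificate
    (e.g. with xmlsec) before trusting any value read below; that step is
    omitted here because the constructed sample is unsigned."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.get("Destination") != ACS_URL:
        raise ValueError("Response was addressed to a different ACS endpoint")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("Response does not match an outstanding AuthnRequest")
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != SUCCESS:
        raise ValueError(f"IDP reported failure: {status}")

    assertion = root.find("saml:Assertion", NS)
    conditions = assertion.find("saml:Conditions", NS)
    if not _instant(conditions.get("NotBefore")) <= now < _instant(conditions.get("NotOnOrAfter")):
        raise ValueError("Assertion is outside its validity window")
    audience = conditions.find("saml:AudienceRestriction/saml:Audience", NS).text
    if audience != SP_ENTITY_ID:
        raise ValueError("Assertion was issued for a different service provider")

    # The NameID is the username unless the deployment points LogScale at an
    # attribute carrying the email address (the "field name" mentioned above).
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    username = name_id.text
    if email_attribute:
        for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == email_attribute:
                username = attr.find("saml:AttributeValue", NS).text

    # A newly created user starts with no rights; access comes from SAML roles
    # or explicit repository/view membership, neither of which is granted here.
    return {
        "username": username,
        "name_id_format": name_id.get("Format"),
        "roles": set(),
        "access_token": secrets.token_urlsafe(32),
        "token_expires": now + TOKEN_LIFETIME,
    }


if __name__ == "__main__":
    result = consume_response(encoded_sample(), "_req1", SAMPLE_NOW, email_attribute="email")
    print(result["username"], result["token_expires"].isoformat())
```

Each rejection above corresponds to a check the Web Browser SSO Profile requires of the SP: Destination stops a Response meant for another ACS, InResponseTo ties the Response to a request this SP actually issued, the Conditions window bounds how long an assertion is accepted, and the Audience check stops an assertion issued for a different service provider from being replayed here. Once the token is issued, the IDP is not consulted again until the 24-hour lifetime has passed.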