Azure Active Directory
Security Requirements and Controls
Change identity providers
permission
Azure Active Directory is Microsoft's enterprise cloud-based identity and access management (IAM) solution. It can be used to access your LogScale repositories. Microsoft365 also uses this interface, for more information see Tag Fields Created by Parser microsoft365.
Integrating Azure AD with LogScale
To integrate Azure AD with LogScale, three main operations are required:
Create Azure application
Set up LogScale IDP configuration
Set up group mapping (optional).
Step 1 — Create Azure application
Sign in to the Azure portal and choose the Azure Active Directory card:
Figure 53. Azure Active Directory
Open Groups and click : here you create the groups that will be added later in LogScale for synchronization. For example, you can create a logscale_admin group.
Figure 54. Groups in Azure AD
Open Enterprise Applications and click :
Figure 55. Enterprise Applications in Azure AD
From the Browse Azure AD Gallery page:
Click
Enter a name for the app, e.g., logscale_idp
Choose Integrate any other application you don't find in the gallery option
Figure 56. Create your application in Azure
Click
: your application is now added successfully.
Step 2 — Set up LogScale IDP configuration
In the new application page, click Single sign on and then choose SAML as your single sign-on method:
Figure 57. Select SAML single sign-on
In the Basic SAML Configuration window:
Set Identifier (Entity ID) to
$YOUR_LOGSCALE_URL/api/v1/saml/metadata
Set Reply URL to
$YOUR_LOGSCALE_URL/api/v1/saml/acs
Set Sign on URL if you want to perform identity provider-initiated single sign-on.
PopulateRelay State with an integration URL to instruct the application where to redirect users after authentication e.g. the URL to a specific location within the application.
Figure 58. Basic SAML Configuration settings
In the SAML-based Sign-on page of your newly created application, copy Login URL, Azure ID Identifier and the text of the Certificate (Base 64) and note them down, as you will need to copy them later in LogScale.
Figure 59. SAML-based Sign-on information
Step 3 — Set up group mapping (optional)
Click
and select which groups you want to be associated with the users e.g., Security Groups:Figure 60. Add a group claim
From this same page:
Click the first claim Unique User Identifier to assign users to LogScale on the IDP side.
Copy and note down the
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
claim as you will need it later to synchronize your group in LogScale.
In the Manage claim window, ensure that Name identifier format and Source are set as in figure below:
Figure 61. Manage claim
Still in the Manage claim window, click under Scoped Groups to select the new group and assign user type (e.g. Members, Admin) and as the value:
Figure 62. Add user types to group
Configuring LogScale to use Azure AD
You finished configuring Azure AD to work with LogScale. Now, you need to configure LogScale to work with Azure AD.
Go to LogScale and from your avatar profile click Identity Providers → pull-down menu →
→Click
to choose which email domain your configuration applies to.In the
Configure SAML 2.0. integration
page, fill in the information as required (see an example in Figure 63, “Example Configuration in LogScale”) . In particular:Name of the configuration
SAML metedata endpoint. If available, paste here your SAML provider metadata endpoint link to autofill most of the fields listed below.
Identity provider single sign-on URL — enter the value of Login URL that you have previously copied from Azure AD (as seen in Figure 58, “Basic SAML Configuration settings”).
Identity provider entity ID — enter the value of Azure AD identifier that you have previously copied from Azure AD.
X.509 certificate — paste the text of Certificate (Base 64) found in Azure AD, which you should have previously downloaded and copied.
Enable debugging — recommended, allows to store debug logs in a LogScale repository to monitor the activity between the IDP and LogScale, see LogScale Debug Logs.
User attribute — populate with
emailaddress
that you have previously copied from Azure AD.Let identity provider handle group memberships in Falcon LogScale — check the box and populate the field with
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
(this is needed to pass AD Groups you've previously created to LogScale).Default IDP — check the box if you want to set the Azure AD as the primary external Identity Provider. In this case it is good practice to disable other external identity providers that you are not using; you can do so individually on each provider from
Identity Providers
.Automatically create users on login — check the box to allow users to appear in LogScale after their first sign-in.
Figure 63. Example Configuration in LogScale
Group Synchronization
After LogScale has been configured to use Azure AD (see previous section), you need to align the Azure AD groups' Object ID in LogScale.
Go back to Azure AD and from your group's page, copy the Object ID:
Figure 64. Copy Object ID from Azure AD
In LogScale, first create the group manually (provide a name that is similar to the group name set in Azure AD) and then paste the Object ID into the Mapping Name field, under the External provider tab:
Figure 65. Mapping Name
Refer to Azure portal for more information on SAML 2.0 integration.
Also refer to Configure SAML for LogScale Self-Hosted documentation section.
To configure LogScale on your own server, go to the top of this page on Configuring LogScale.
See the Azure Active Directory Documentation for more information on Azure AD.