Entra ID (formerly Azure Active Directory)

LogScale can integrate Entra ID (formerly known as Azure Active Directory or Azure AD) for identity and access management. Find detailed steps for creating an Entra ID application, configuring SAML-based single sign-on, and setting up group synchronization between the two platforms. For cloud customers, the integration process requires working with Support to complete the configuration while following specific requirements for security controls and permissions.

Entra ID is Microsoft's enterprise cloud-based identity and access management (IAM) solution. It can be used to access your LogScale repositories. Microsoft365 also uses this interface, for more information see Tag Fields Created by Parser microsoft365.

Prerequisites to configure Entra ID

Prior to configuring Entra ID for authentication with LogScale make sure to have the following:

Integrate Entra ID with LogScale

To integrate Entra ID with LogScale, three main operations are required:

  1. Create Entra ID application

  2. Set up LogScale IDP configuration

  3. Set up group mapping (optional).

Step 1 — Create an application

  1. Sign in to the Azure portal and choose the Entra ID ID card:

    Screenshot of the Azure portal home page showing various service cards, with the Azure Active Directory card highlighted. The Azure Active Directory card appears as a rectangular tile with its logo (a stylized user silhouette inside a key-shaped border) and is the first service that needs to be selected when beginning the LogScale SAML configuration process with Azure AD. This is the initial navigation step where administrators click to access identity and access management settings.

    Figure 46. Azure Active Directory


  2. Open Groups and click New group: here you create the groups that will be added later in LogScale for synchronization. For example, you can create a logscale_admin group.

    Screenshot of the Azure Active Directory Groups management interface showing the process of creating a new group for LogScale integration. The image displays the Azure portal's Groups page with the 'New group' button highlighted, which administrators need to click to create groups such as 'logscale_admin'.

    Figure 47. Groups in Azure AD


  3. Open Enterprise Applications and click New application:

    Screenshot of the Azure Active Directory Enterprise Applications interface showing the page where administrators need to click the 'New application' button to begin creating a custom application for LogScale integration. The image displays the Azure portal's Enterprise Applications management screen, which is a crucial step in the integration process as it initiates the creation of an application that will establish the SAML connection between Azure AD and LogScale for user authentication and single sign-on capabilities.

    Figure 48. Enterprise Applications in Azure AD


  4. From the Browse Entra ID App Gallery page:

    • Click + Create your own application

    • Enter a name for the app, e.g., logscale_idp

    • Choose Integrate any other application you don't find in the gallery option

    Screenshot of the Azure AD application creation interface showing the 'Create your own application' dialog. The form displays a text field for entering an application name (example shown: 'logscale_idp') and radio button options for integration types, with 'Integrate any other application you don't find in the gallery' selected. This interface appears during step 1 of the Azure AD integration with LogScale, where administrators must create a custom application to establish SAML authentication between Azure AD and LogScale.

    Figure 49. Create your application in Azure


  5. Click Create: your application is now added successfully.

Step 2 — Set up LogScale IDP configuration

  1. In the new application page, click Single sign on and then choose SAML as your single sign-on method:

    Screenshot of the Azure portal showing the single sign-on method selection page for the LogScale application. The interface displays a list of authentication options with SAML highlighted and selected from among choices like password-based, OIDC, and other protocols. This is a critical step in configuring Azure Active Directory as an identity provider for LogScale, where administrators must select SAML to proceed with the federation setup.

    Figure 50. Select SAML single sign-on


  2. In the Basic SAML Configuration window:

    • Click Add identifier. Set Identifier (Entity ID) to $YOUR_LOGSCALE_URL/api/v1/saml/metadata

    • Click Add reply URL. Set Reply URL to $YOUR_LOGSCALE_URL/api/v1/saml/acs

    • If needed, set Sign on URL if you want to perform identity provider-initiated single sign-on. Contact LogScale Support to get the Sign on URL.

    • If needed, populateRelay State with an integration URL to instruct the application where to redirect users after authentication, for example, the URL to a specific location within the application.

    Screenshot of the Azure AD SAML configuration interface showing the 'Basic SAML Configuration' form where administrators must enter critical connection parameters for LogScale integration. The form displays fields for 'Identifier (Entity ID)', and optional fields for 'Sign on URL' and 'Relay State'. These parameters establish the trust relationship between Azure AD as the identity provider and LogScale as the service provider, enabling proper SAML authentication flow between the two systems.

    Figure 51. Basic SAML Configuration settings


  3. In the SAML-based Sign-on page of your newly created application, copy the Login URL, Azure ID Identifier, and the text of the Certificate (Base 64) as you will need them later for LogScale.

    Screenshot of the Azure AD SAML-based Sign-on information page showing the essential federation parameters that administrators need to copy for LogScale configuration. The image displays the three critical values that must be collected: the 'Login URL' (SAML single sign-on service URL), the 'Azure AD Identifier' (issuer URL), and the 'Certificate (Base 64)' text that contains the authentication certificate.

    Figure 52. SAML-based Sign-on information


Step 3 — Set up group mapping (optional)

  1. Go to Attributes and Claims. Click + Add a group claim and select which groups you want to be associated with the users (except None) and the source attribute. Click Save.

    Screenshot of the Azure AD group claims configuration interface showing the '+ Add a group claim' button that administrators must click to configure group membership synchronization with LogScale. The image displays the UI where security groups and other user group associations are selected for inclusion in the SAML token. This critical step enables mapping Azure AD group memberships to LogScale permissions, allowing for automatic role assignment when users authenticate. The interface shows options for selecting the type of groups to include, with Security Groups typically being selected for role-based access control in LogScale.

    Figure 53. Add a group claim


  2. Still in the Attributes and Claims page, click the first claim Unique User Identifier to assign users to LogScale on the IDP side.

    Screenshot of the Azure AD 'Manage claim' interface showing the configuration page for editing the Unique User Identifier claim settings. The interface displays form fields where administrators can configure how user identities are passed from Azure AD to LogScale during SAML authentication. This critical configuration step ensures that user identification attributes are properly mapped between Azure AD and LogScale, enabling correct user matching and authentication flow. The page shows options for setting the name identifier format and source attribute that will be used to uniquely identify users during the single sign-on process.

    Figure 54. Edit the Unique User Identifier claim


  3. In the Manage claim window, ensure that Name identifier format and Source are set as in figure below:

    Screenshot of the Azure AD 'Manage claim' configuration window showing the settings for user identity claims that must be properly configured for LogScale integration. The image displays the crucial configuration form where 'Name identifier format' and 'Source' fields need to be set to specific values as shown in the figure.

    Figure 55. Manage claim


  4. Still in the Manage claim window, expand Claim conditions and click Scoped Groups to select the new group and assign user type (e.g. Members, Admin) and user.mail as the value:

    Screenshot of the Azure AD group configuration interface showing the process of assigning user types to Azure AD groups for LogScale integration. The image displays the section where administrators click under 'Scoped Groups' to select newly created groups and specify user types (Members or Admin) with 'user.mail' set as the attribute value.

    Figure 56. Add user types to group


Configure LogScale to use Entra ID

When Entra ID is configured to work with LogScale, you must configure LogScale to work with Entra ID.

To configure Entra ID to work with LogScale, navigate to the configuration files and add the environment variables shown below and configure the configuration variables as described in Configure SAML for LogScale Self-Hosted.

ini
AUTHENTICATION_METHOD=saml
PUBLIC_URL=http://localhost:8080
 
SAML_IDP_SIGN_ON_URL=
 
SAML_IDP_ENTITY_ID=
 
SAML_IDP_CERTIFICATE=
 
AUTO_CREATE_USER_ON_SUCCESSFUL_LOGIN=true
PERMISSION_MODEL_MODE=advanced
EMERGENCY_USERS=true

Group synchronization

After LogScale has been configured to use Entra ID, you need to align the Entra ID groups' Object ID in LogScale.

  1. Go back to Azure AD and from your group's page, copy the Object ID:

    Screenshot of the Azure AD group properties page showing where to locate and copy the Object ID that will be used for group synchronization with LogScale. The image displays the Azure AD interface where administrators can view group details, with the Object ID field highlighted or visible as a unique alphanumeric identifier. This Object ID is a critical value that must be copied exactly and pasted into LogScale's group configuration to establish the correct mapping between Azure AD groups and LogScale groups.

    Figure 57. Copy Object ID from Azure AD


  2. In LogScale, first create the group manually (provide a name that is similar to the group name set in Azure AD) and then paste the Object ID into the Mapping Name field, under the External provider tab:

    Screenshot of the LogScale group configuration interface showing the External provider tab where an Azure AD Object ID is being entered into the Mapping Name field. This interface demonstrates how to link Azure AD groups to LogScale groups by pasting the Object ID copied from Azure AD into the appropriate field in LogScale's group settings, which is a crucial step in the group synchronization process between Azure AD and LogScale.

    Figure 58. Mapping Name


Test the Entra ID integration setup

Once all of the necessary steps to set up the Entra ID authentication for LogScale are completed, you need to test the setup.

  1. Go to a Terminal and start LogScale with the following command:

    shell
    ./run.sh

    Allow two to three minutes for LogScale to start.

  2. Connect to localhost in a browser. It should redirect you to a Microsoft login.

  3. Sign into your Entra ID. You should be taken to LogScale.

Other references for Entra ID configuration

Other documentation about Entra ID configuration that may be helpful includes: