Group Synchronization

LogScale handles group synchronization during user login, allowing for one-way synchronization of group memberships between identity providers and LogScale groups. The system supports both 1:1 group mapping and, with the OneToManyGroupSynchronization feature enabled, the ability to map a single IdP group to multiple LogScale groups, while providing specific rules around lookupName and displayName matching, along with validation requirements to prevent unintended group assignments.

One-way synchronization of group memberships can be enabled upon user login. Group synchronization is a 1:1 mapping; multiple groups mapping to the same external mapping name is not supported.

When group membership is enabled for the IdP used with LogScale, if the group name in LogScale is the same as the group name in that IdP, then users will be mapped to that group automatically. LogScale maps a group name to the first LogScale group in the organization which has a matching lookupName or displayName.

If a group has a lookupName, then lookupName is used for matching when doing group synchronization. If it does not have a lookupName, displayName is used instead. This means that if you try to synchronize with some external group named "A", and you have a group in LogScale with displayName="A" and lookupName="B", this will not match. The two names are never both considered when matching; displayName is only used as a fallback when there is no lookupName.
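The matching rule above, modelled as an added example (this is not LogScale code). The group records, the exact case-sensitive comparison, the use of list order for "first group in the organization", and the finding labels are assumptions made for illustration. The audit function flags the two situations in which a group would silently fail to match or never be selected.

```python
# Added illustration: a model of the matching rule described above,
# not LogScale source code. Group records below are constructed samples.
from collections import defaultdict

def match_name(group):
    """Name used for synchronization: lookupName if set, else displayName."""
    return group.get("lookupName") or group["displayName"]

def resolve(idp_groups, logscale_groups):
    """Map each IdP group name to the first LogScale group whose match name
    is equal (1:1 mapping). Assumption: exact, case-sensitive comparison and
    list order standing in for 'first group in the organization'."""
    result = {}
    for name in idp_groups:
        for g in logscale_groups:
            if match_name(g) == name:
                result[name] = g["id"]
                break
    return result

def audit(logscale_groups):
    """Flag configurations likely to cause unintended assignments."""
    findings = []
    by_name = defaultdict(list)
    for g in logscale_groups:
        by_name[match_name(g)].append(g["id"])
        # displayName is ignored once a lookupName exists
        if g.get("lookupName") and g["lookupName"] != g["displayName"]:
            findings.append(("displayName-ignored", g["id"]))
    for name, ids in by_name.items():
        if len(ids) > 1:  # only ids[0] would ever be matched
            findings.append(("duplicate-match-name", tuple(ids)))
    return findings

GROUPS = [  # constructed sample data
    {"id": "g1", "displayName": "A", "lookupName": "B"},
    {"id": "g2", "displayName": "analysts", "lookupName": None},
    {"id": "g3", "displayName": "SOC", "lookupName": "analysts"},
]

if __name__ == "__main__":
    print(resolve(["A", "B", "analysts"], GROUPS))
    print(audit(GROUPS))
```

With the sample data, the external group "A" resolves to nothing because g1 carries lookupName "B", and g3 is never selected because g2 already owns the match name "analysts".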

To map a group name from an external system such as LDAP to a LogScale group, specify a Mapping name in the External provider tab:

Screenshot of the LogScale Group Synchronization configuration interface showing the External provider tab where administrators can map external directory groups to LogScale groups. The interface displays a form field labeled 'Mapping name' where the external group identifier (such as an LDAP group name) can be entered. This configuration enables automatic group membership synchronization, allowing users who belong to the specified external group to be automatically assigned to the corresponding LogScale group when they log in. This is a critical component of implementing single sign-on with synchronized permissions across systems.

Figure 67. Group Synchronization


When a user who is a member of the above LDAP group logs in to LogScale, they will be a member of the LogScale group that defines the mapping. In the current version of LogScale, a user will remain a member of the LogScale groups from the last login until they log in again with a new set of groups.

Note

Once a user's group membership has been synchronized in LogScale, deleting it in the LDAP external provider will not take effect in LogScale.

For specific instructions on how to set up group synchronization for the different authentication mechanisms, go to the Configuring Security overview page and select a relevant entry.