Identity Providers

One of the preferred methods for handling authentication is using Security Assertion Markup Language, the SAML 2.0 protocol. To do this with Humio, you'll first have to set up an authentication provider. However, user authentication for an organization is only available for enterprise customers. To upgrade, contact the Humio Sales Dept.

Assuming your organization is already an enterprise customer of Humio, you may use one of the following identity providers:

For more information on any of these providers or all of them, see the SAML Authentication documentation page.

Identity Provider Configuration

A few pre-requisites must be met before you can manage the identity providers for your Organization:

  • You have to be an Organization Owner to set up authentication. If you're not, ask whoever is to promote you.

  • You'll have to have an authentication provider set up already — they are listed above on this page.

To configure your Identity Provider:

  1. From any screen of the User Interface, click on the menu below your avatar in the top right corner to open the Account Menu:

    Figure 153. Account Menu


  2. Select Organization Settings

  3. From the tree on the left click Identity Providers

  4. Decide whether you want to enable the social login accounts for each built-in Identity Provider (Google, GitHub, Bitbucket) — click Settings under any of them and choose to enable or disable accounts, or to enable just some specified users in the allow-list.

  5. From the Add IDP configuration dropdown, choose a specific identity provider to configure. This can be SAML 2.0 or OIDC; both are described further down.

Figure 154. Configuring Identity Providers


SAML Cloud Configuration

To configure your organization to use SAML 2.0 for authentication:

  1. Click the Identity Providers tab in the menu on the left.

  2. Click the Add IDP Configuration pull-down menu and select SAML 2.0.

    Note

    If you still only have a free or trial account, you won't be able to add an identity provider or see this pull-down menu.

  3. Click + Add domain to add a domain. This is the domain that your users will be able to use to log into Humio.

    Figure 155. Add Domain


  4. Enter the domain name, just the domain name without any leading or trailing text or slashes. For example, you'd enter example.com and not https://example.com/login.

  5. Hit Confirm to save it.

  6. Provide details related to the identity provider and your domain, to fill in the configuration form:

    Figure 156. Identity Provider Details


  7. If you want Humio to synchronize groups from the single sign on provider, enable Let identity provider handle group membership in Humio, and give it a value that matches the value in the single sign on provider.

  8. If you want to debug the configuration, check off Enable debugging. This means that the configuration debug logs will be stored in the humio-organization-activity view.

  9. When you're finished, click Save.

If the configuration was saved successfully, the Integration URL will be displayed at the top of the page. You will need this to set the Default Relay State in the identity provider. Read the section Setting Relay State in the relevant documentation page — see the links in the bullet list at the top of this document.

OIDC Cloud Configuration

To configure your organization to use OpenID for authentication:

  1. Click the Identity Providers tab in the menu on the left.

  2. Click the Add IDP Configuration pull-down menu and select OIDC.

    Figure 157. Adding OIDC Identity Provider


    Note

    If you still only have a free or trial account, you won't be able to add an identity provider or see this pull-down menu.

  3. Click + Add domain to add a domain. This is the domain that your users will be able to use to log into Humio.

    Figure 158. Add Domain


  4. Enter the domain name, just the domain name without any leading or trailing text or slashes. For example, you'd enter example.com and not https://example.com/login.

  5. Hit Confirm to save it.

  6. Provide details related to the identity provider and your domain, to fill in the configuration form.

    The information needed in the form is the following:

    • Name — Name of the OpenID provider.

    • Client ID — Client ID of your OpenID application.

    • Client Secret — Client secret of your OpenID application.

    • OIDC Well Known Endpoint — Returns the OpenID Connect configuration values from the provider's Well-Known Configuration Endpoint.

    • Issuer — URL to the OpenID provider. The provider URL must match the issuer reported by the OpenID provider exactly.

    • User Claim — The name of the claim to interpret as username in Humio. The value in the claim must be a string. Defaults to humio-user. Can be set to email if using emails as usernames.

    • Authorization Endpoint — A URL to the endpoint a user should be redirected to when authorizing.

    • Token Endpoint Authorization Method — The authentication method used to authenticate Humio against the token endpoint. Can either be client_secret_basic or client_secret_post for placing the client id and secret in either basic auth or post data, respectively. Defaults to client_secret_basic, or client_secret_post if client_secret_basic is not supported as per the discovery endpoint.

    • Scopes — List of scopes to add in addition to the default requested scopes (openid, email, and profile).

    • Store SSO debug logs in Humio — If this is checked off, the debugging logs for the configuration will be stored in the humio-organization-activity view.

    • User Info Endpoint — A URL to the user info endpoint used to retrieve user information from an access token.

    • Registration Endpoint — Protected Resource through which you can be registered at an Authorization Server.

    • Token Endpoint — A URL to the token endpoint used to exchange an authentication code for an access token.

    • JWKs Endpoint — A URL to the JWKS endpoint for retrieving keys for validating tokens.

  7. If you use Humio to synchronize groups from the single sign-on provider, enable Let identity provider handle group membership in Humio, and give it a value that matches the value in the single sign-on provider.

  8. When you're finished, click Save.
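
Several of the form values above can be checked against the provider's well-known configuration before saving: the bare domain, the exact issuer match, the token endpoint authorization method default and the extra scopes. The following pre-flight check is an added example, not Humio's code; the function names are hypothetical, the provider URLs are constructed, and the metadata keys are the standard OpenID Connect Discovery field names.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a provider's well-known configuration response (not real data).
DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com/realms/corp",
  "authorization_endpoint": "https://idp.example.com/realms/corp/auth",
  "token_endpoint": "https://idp.example.com/realms/corp/token",
  "jwks_uri": "https://idp.example.com/realms/corp/certs",
  "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt"],
  "scopes_supported": ["openid", "email", "profile", "groups"]
}""")
DEFAULT_SCOPES = {"openid", "email", "profile"}  # requested by default, per the page

def is_bare_domain(value):
    """True for 'example.com'; False if a scheme, path, port or whitespace is present."""
    labels = value.split(".")
    return len(labels) >= 2 and all(
        lab.isascii() and lab.replace("-", "").isalnum() and lab[0] != "-" and lab[-1] != "-"
        for lab in labels)

def pick_token_auth_method(discovery):
    """client_secret_basic by default, client_secret_post if basic is not advertised."""
    supported = discovery.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    for method in ("client_secret_basic", "client_secret_post"):
        if method in supported:
            return method
    return None  # provider offers neither method the form accepts

def preflight(domain, issuer, extra_scopes, discovery):
    """Return the problems to fix before saving the OIDC configuration form."""
    problems = []
    if not is_bare_domain(domain):
        problems.append("domain: enter only the domain name, e.g. example.com")
    if issuer != discovery.get("issuer"):  # exact string comparison, no normalisation
        problems.append("issuer: does not exactly match the value the provider reports")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):  # added check, not from the page
        if urlsplit(discovery.get(key, "")).scheme != "https":
            problems.append(f"{key}: missing or not https")
    if pick_token_auth_method(discovery) is None:
        problems.append("token auth: neither client_secret_basic nor client_secret_post offered")
    advertised = discovery.get("scopes_supported")
    unknown = set(extra_scopes) - DEFAULT_SCOPES - set(advertised or [])
    if advertised is not None and unknown:
        problems.append("scopes: not advertised by provider: " + ", ".join(sorted(unknown)))
    return problems

if __name__ == "__main__":
    print(preflight("example.com", DISCOVERY["issuer"], ["groups"], DISCOVERY) or "ok")
```

An issuer that differs only by a trailing slash is reported as a mismatch, which is the intent of the exact comparison.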