newSamlIdentityProvider()

The newSamlIdentityProvider() GraphQL mutation may be used to add a new SAML identity provider in LogScale.

Related to this mutation there is the updateSamlIdentityProvider() for making changes to a SAML identity provider. There is also the query, samlIdentityProvider() to get information on a provider.

For more information on SAML, see the Authenticate with SAML documentation page. You may also want to look at Requirements for identity provider configuration for related information.

API Stability Long-Term

Syntax

graphql

newSamlIdentityProvider(
     name: string!,
     id: string,
     idpEntityId: string!,
     domains: [string]!,
     signOnUrl: string!,
     adminAttribute: string,
     adminAttributeMatch: string,
     alternativeIdpCertificateInBase64: string,
     defaultIdp: boolean,
     enableDebug: boolean,
     groupMembershipAttribute: string,
     humioOwned: boolean,
     idpCertificateInBase64: string,
     lazyCreateUsers: boolean,
     metadataEndpointUrl: string,
     userAttribute: string
   ): SamlIdentityProvider!

You'll have to give the name of the identity provider, the unique identifier for the identity provider entity, the domains, and the sign-on URL. See the Given Datatype section for details.

For the results, you can get many of the same values you will have entered. However, you'll probably want just the generated identifier of the configuration to use with other mutations. See the Returned Datatype section for the parameters available.

Example

Raw

graphql

mutation {
  newSamlIdentityProvider(
     name: "Samuel-IDP",
     signOnUrl: "https://my.samlidp.com",
     idpCertificateInBase64: "12345678",
     idpEntityId: "abc123",
     domains: ["humio"]
  )
  { id }
}

Mac OS or Linux (curl)

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  newSamlIdentityProvider(
     name: \"Samuel-IDP\",
     signOnUrl: \"https://my.samlidp.com\",
     idpCertificateInBase64: \"12345678\",
     idpEntityId: \"abc123\",
     domains: [\"humio\"]
  )
  { id }
}"
}
EOF

Mac OS or Linux (curl) One-line

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  newSamlIdentityProvider(
     name: \"Samuel-IDP\",
     signOnUrl: \"https://my.samlidp.com\",
     idpCertificateInBase64: \"12345678\",
     idpEntityId: \"abc123\",
     domains: [\"humio\"]
  )
  { id }
}"
}
EOF

Windows Cmd and curl

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "mutation { ^
  newSamlIdentityProvider( ^
     name: \"Samuel-IDP\", ^
     signOnUrl: \"https://my.samlidp.com\", ^
     idpCertificateInBase64: \"12345678\", ^
     idpEntityId: \"abc123\", ^
     domains: [\"humio\"] ^
  ) ^
  { id } ^
}" ^
} '

Windows Powershell and curl

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "mutation {
  newSamlIdentityProvider(
     name: \"Samuel-IDP\",
     signOnUrl: \"https://my.samlidp.com\",
     idpCertificateInBase64: \"12345678\",
     idpEntityId: \"abc123\",
     domains: [\"humio\"]
  )
  { id }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"

Perl

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $query = "mutation {
  newSamlIdentityProvider(
     name: \"Samuel-IDP\",
     signOnUrl: \"https://my.samlidp.com\",
     idpCertificateInBase64: \"12345678\",
     idpEntityId: \"abc123\",
     domains: [\"humio\"]
  )
  { id }
}";
$query =~ s/\n/ /g;
my $json = sprintf('{"query" : "%s"}',$query);
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

Python

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "mutation {
  newSamlIdentityProvider(
     name: \"Samuel-IDP\",
     signOnUrl: \"https://my.samlidp.com\",
     idpCertificateInBase64: \"12345678\",
     idpEntityId: \"abc123\",
     domains: [\"humio\"]
  )
  { id }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

Node.js

javascript

const https = require('https');

const data = JSON.stringify(
    {"query" : "mutation {
  newSamlIdentityProvider(
     name: \"Samuel-IDP\",
     signOnUrl: \"https://my.samlidp.com\",
     idpCertificateInBase64: \"12345678\",
     idpEntityId: \"abc123\",
     domains: [\"humio\"]
  )
  { id }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL',
  path: 'graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Example Responses

Success (HTTP Response Code 200 OK)

json

{
  "data": {
    id: "def456"
    }
  }
}

Given Datatype

For the input, you'll have to give the name of the identity provider, the unique identifier for the identity provider entity, the domains, and the sign-on URL. There are several other parameters you may include. They're listed in the table below:

Table: Input Using Standard Datatypes

Parameter	Type	Required	Default	Description
adminAttribute	string			An administration attribute. This is used only internally.
adminAttributeMatch	string			An administration attribute match. This is used only internally.
alternativeIdpCertificateInBase64	string			An alternative certificate to be used for identity provider signature validation. This is useful for handling certificate rollover.
defaultIdp	boolean	yes		If multiple identity providers are defined, the default provider is used whenever redirecting to login.
domains	[string]	yes		A list of related domains.
enableDebug	boolean		false	Whether to enable debugging.
groupMembershipAttribute	string			A group membership attribute.
humioOwned	boolean			Whether Humio owned. This is used only internally.
id	string			An optional external identifier (root only).
idpCertificateInBase64	string			The identity provider's certificate in base 64.
idpEntityId	string	yes		The identity provider's unique identifier for the entity.
lazyCreateUsers	boolean			Whether to lazy create users during login.
metadataEndpointUrl	string			The SAML metadata endpoint from where to fetch IdP signing certificate.
name	string	yes		The name of the SAML provider.
signOnUrl	string	yes		The URL where the user signs on.
userAttribute	string			A user attribute.

Returned Datatype

You may specify many parameters related to data that's returned, such as the sign-on URL, authentication method used, user information, etc. Below is a list of choices, along with descriptions of them:

Table: SamlIdentityProvider

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Mar 17, 2025
adminAttribute	string		`Long-Term`	This field is for internal use only by LogScale.
adminAttributeMatch	string		`Long-Term`	This field is for internal use only by LogScale.
alternativeIdpCertificateInBase64	string		`Long-Term`	An alternative IdP certificate using Base64 encoding.
authenticationMethod	AuthenticationMethodAuth	yes	`Long-Term`	The authentication method used. See AuthenticationMethodAuth.
debug	boolean	yes	`Long-Term`	Whether debugging is enabled.
defaultIdp	boolean	yes	`Long-Term`	Whether the identity service provider is the default.
domains	[string]	yes	`Long-Term`	The domains of the SAML identity provider.
groupMembershipAttribute	string		`Long-Term`	The saml attribute used to extract groups from when receiving the SamlResponse from the IDP. The groups from the response will be used to synchronize the membership of groups in LogScale. The group name and external provider name of the group are matched in LogScale.
humioManaged	boolean	yes	`Long-Term`	Where SAML authentication is managed by LogScale.
id	string	yes	`Long-Term`	The unique identifier for the SAML installation.
idpCertificateInBase64	string	yes	`Long-Term`	The identity provider's certificated converted to Base64.
idpEntityId	string	yes	`Long-Term`	The unique identifier of the IDP entity.
lazyCreateUsers	boolean	yes	`Long-Term`	Whether to wait to create users until necessary.
name	string	yes	`Long-Term`	The name of the SAML identity provider.
signOnUrl	string	yes	`Long-Term`	The URL of where the sign on page is located.
userAttribute	string		`Long-Term`	This is the saml attribute from which to extract username when receiving the `SamlResponse` from the IDP. If not specified, the default `saml:NameID` will be used.

Versions of this Page

GraphQL Mutations

GraphQL API Stability

GraphQL Queries

GraphQL Datatypes