Configuration for Loggly Single Sign On (SSO) using ADFS
Provide key ADFS information to Loggly
- ADFS entity ID : Typically looks like “http://<customer_domain>/adfs/services/trust”. Can be verified in the metadata at https://<customer_domain>/FederationMetadata/2007-06/FederationMetadata.xml
- ADFS SSO endpoint : Typically looks like “https://example.com/adfs/ls”,
- Obtain the ADFS certificate (public key) in .pem (Base64 encoded) format. The necessary certificate is the “Token Signing” certificate (in ADFS admin UI)
At this point Loggly will create an SSO configuration for your subdomain, and notify you when it’s possible to move on to “Add RP trust”.
Provide group mapping information to Loggly
Loggly controls user access through ADFS via mappings from Active Directory group memberships. In order to access the product, each user must be a member of at least one mapped group. Groups may map to one of two privilege levels, “user” or “administrator”. A user belonging to multiple groups will receive the highest privileges among any of their groups.
If you don’t wish to provide this information, we will use the following default mapping:
Add RP trust
- In the ADFS management snap-in, go to “Relying Party Trusts” > “Add relying party trust…”. Click through to “Select Data Source”
- Select the first radio button (“Import data […] published online or on a local network”) and input <customer subdomain>.<loggly environment>/sso/saml/metadata. Alternatively, open that URL in a browser, download the XML, and import it using the second radio button (“[…] from a file”). Click next.
- Choose a display name. Click next.
- Select “Permit all users[…]”. Click next.
- Click next.
- Make sure “Open the Edit Claim Rules dialog[…]” is checked. Click finish.
Add claim rule
- Click Add Rule
- Select “Send LDAP Attributes as Claims”
- Select a name for the rule (like “Loggly required data”)
- Under “Attribute Store” choose “Active Directory”
- Create the following mappings using the dropdowns below (See figure below):
- User-Principle-Name -> Name ID
- Surname -> lastname
- Given-Name -> firstname
- E-Mail-Addresses -> emails
- Token-Groups – Unqualified Names -> groups
- Click Finish.