LogicMonitor’s Single Sign On (SSO) solution enables administrators to authenticate and manage LogicMonitor users directly from their Identity Provider (IdP). This simplifies the login process and password management while providing the ability to take advantage of all of your IdP’s security features and efficiencies.
LogicMonitor’s SSO can be made to work with any SAML 2.0 compatible IdP. In short, this enables LogicMonitor and your IdP to verify one another via a handshake, and to share user authentication information via SAML assertions. The exchange looks something like this (with LogicMonitor as the Service Provider):
The exchange can also be initiated from LogicMonitor. In terms of user experience, in the IdP-initiated flow the user logs in to your IdP and launches LogicMonitor directly from there. In the Service Provider-initiated flow, users go directly to company.logicmonitor.com and LogicMonitor either verifies that they are already logged in with the IdP or redirects them to do so.
Enabling SSO in your LogicMonitor account will not impact existing users, but will allow you to test the integration.
- Select the Enable Single Sign On option from Settings | User Access | Single Sign On.
- Download the Service Provider Metadata. You’ll need to upload this to your IdP.
- Configure your IdP. All required information should be present in the Service Provider Metadata; see the IdP Configuration section below for more details.
- Download your IdP metadata. You’ll need to upload this to your LogicMonitor portal.
Once the IdP metadata has been uploaded to your LogicMonitor account, you can test the integration.
Need help configuring your IdP? Here are a few common fields you may come across:
- EntityID: https://companyname.logicmonitor.com
- LoginURL, Recipient, or Assertion Consumer Service: https://companyname.logicmonitor.com/santaba/saml/SSO/
- PostBack URL: https://companyname.logicmonitor.com/santaba/rpc/ssoSignIn?func=idpSso&c=testcompany
- Force Authentication: Yes
- Name ID Format: Email Address
- Group Name: https://www.logicmonitor.com/saml/roles
- Response: Signed
- Assertion: Signed
- Request: Compressed
- MaxAuthenticationAge: Some IdPs allow users to stay authenticated for a specified amount of time by setting a value (in seconds) for this field
From the user’s IdP we auto-populate the following attribute names:
- Email Address: The URI for a claim that specifies the email address of an entity, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email
- Given Name: The URI for a claim that specifies the given name of an entity, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- Surname: The URI for a claim that specifies the surname of an entity, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- Phone: Phone
- For Roles, we look for any of the following formatting:
Note: If you are using the Microsoft Azure Active Directory (AD) IdP, you’ll need to rename the outgoing group claim attribute name from “http://schemas.microsoft.com/ws/2008/06/identity/claims/groups” to “groups” in order to ensure the attribute is recognized by LogicMonitor and roles are assigned appropriately. This is done from the LogicMonitor application on Azure AD.
Are you using ADFS?
While the general overview of the SSO configuration is the same for all Identity Providers (IdPs), here are some tips for configuring ADFS:
- Confirm ADFS 2.0 is installed; the default ADFS version is 1.0. ADFS 2.0 can be downloaded here: https://www.microsoft.com/en-us/download/details.aspx?id=10909. For more information on installing and deploying ADFS, see https://technet.microsoft.com/en-us/library/dn486820.aspx
- Download the SP metadata from your LogicMonitor account (Settings | Single Sign On | Service Provider Metadata | Download).
- In the Microsoft Management Console, select “Add Relying Party Trust”. Select “Import data about the relying party from a file” and select the SP metadata file. Click Next.
- Leave “Open the Edit Claim Rules dialog” option checked and finish the wizard.
- Select “Add Rule”, choose “Send LDAP Attributes as Claims” and click Next.
- Set any name as “Claim rule name” and choose “Active Directory” as Attribute store.
- Map the LDAP attributes with the following LDAP Attribute and Outgoing Claim Type pairs:
Note: This configuration will have ADFS look for LogicMonitor usernames that match SAM-Account-Name, so LM usernames need to be consistent with SAM-Account-Names. If you’d prefer to match email addresses instead, omit the SAM-Account-Name mapping and include a second E-Mail-Addresses rule with Name ID as the outgoing claim.
- (Important) Open the relying party trust you just created by double-clicking it, select the Advanced tab and change “Secure hash algorithm” to SHA-1.
- Upload your IdP metadata (downloaded from https://[NameOfYourADFSServer]/FederationMetadata/2007-06/FederationMetadata.xml) to your LogicMonitor account.
- Metadata files must be under 64KB. ADFS will occasionally include unnecessary information; if your file is over 64KB, remove any SPSSODescriptor and RoleDescriptor sections. The EntityDescriptor information and the IDPSSODescriptor section are required.
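As an added example (not LogicMonitor’s or Microsoft’s code), the trimming step above in Python: it drops the SPSSODescriptor and RoleDescriptor children of an ADFS FederationMetadata file, keeps the EntityDescriptor and its IDPSSODescriptor, and checks the result against the 64KB limit. The metadata document, server name and namespace prefixes are constructed for the example.

```python
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Register the prefixes ADFS uses so the rewritten file keeps readable names.
for prefix, uri in {"md": MD_NS, "ds": "http://www.w3.org/2000/09/xmldsig#",
                    "fed": "http://docs.oasis-open.org/wsfed/federation/200706"}.items():
    ET.register_namespace(prefix, uri)

def descriptor_names(xml_bytes):
    """Local names of the EntityDescriptor's direct children, in document order."""
    return [child.tag.rsplit("}", 1)[-1] for child in ET.fromstring(xml_bytes)]

def trim_federation_metadata(xml_bytes):
    """Remove SPSSODescriptor/RoleDescriptor sections and return the trimmed file.
    Note: editing the file invalidates any enveloped signature ADFS placed on it,
    so fetch it over HTTPS from your own ADFS server and treat it as trusted config."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor" or not root.get("entityID"):
        raise ValueError("not an EntityDescriptor with an entityID")
    for child in list(root):
        # ADFS types RoleDescriptor via xsi:type, so match on the local name only.
        if child.tag.rsplit("}", 1)[-1] in ("SPSSODescriptor", "RoleDescriptor"):
            root.remove(child)
    if root.find(f"{{{MD_NS}}}IDPSSODescriptor") is None:
        raise ValueError("IDPSSODescriptor missing; the file is unusable for SSO")
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def fits_upload_limit(xml_bytes):
    """True when the file is under the 64KB upload limit stated on the page."""
    return len(xml_bytes) < MAX_BYTES

# Constructed, heavily shortened stand-in for an ADFS FederationMetadata.xml.
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="http://adfs.example.test/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"><fed:ClaimTypesRequested/></RoleDescriptor>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"/>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

Run `trim_federation_metadata` on the bytes of the downloaded file and upload the result only if `fits_upload_limit` returns True.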
Note: There is a known issue with Chrome and ADFS authentication. To use Chrome for authentication, disable “Extended Protection” for the ADFS web portal. Typically, turning Extended Protections off on your ADFS server involves the following:
- Select Sites | Default Web Site | ADFS | ls
- Double-click the Authentication icon, right-click Windows Authentication and select Advanced Settings…
- On the Advanced Settings dialog, set Extended Protection to Off.
LogicMonitor’s SSO integration includes support for the SAML Single Logout (SLO) protocol. When SLO is enabled, a logout initiated from the LogicMonitor portal will not only trigger the IdP to sign the user out of LogicMonitor, but out of all SSO applications to which that user is currently signed on.
SLO functionality can be enabled from the same dialog in which SSO is configured by checking the Enable Single Logout option. This checkbox is only available for selection once accurate IdP metadata has been uploaded.
Note: SLO has been implemented in accordance with the SAML v2 specification. Although functionality has been validated with several standards-based IdPs, we cannot guarantee compatibility with all IdPs as some don’t support the SAML specification in its entirety.
Creating Users via SSO
There are three ways a user session can be initiated in LogicMonitor:
- The user account already exists in LogicMonitor. This is the case when your IdP user identifier (which, if you set the Name ID Format to Email Address, will be an email address) matches a LogicMonitor username. The user’s existing roles will be respected for the session. If an LM administrator manually changes the user’s role, then both this new role and the one from the SAML assertion will be present.
- The user account does not exist and a role attribute (memberof, role, group, or groups) is included in the SAML assertion. The user will be created with the corresponding role(s) as long as they are an exact match in LogicMonitor roles.
- The user account does not exist and no role attribute is included in the SAML assertion. The user will be created and the Default Role (configured in the SSO Settings) will be assigned.
Note: New user accounts will be placed in the default “Ungrouped” user group.
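As an added example (not LogicMonitor’s code), a small Python model of the receiver side for the attribute names listed in the IdP section and the three session cases above: it reads the email claim and a role attribute (memberof, role, group or groups) out of a constructed AttributeStatement, then assigns roles the way the page describes. The role names, the `directory` dict of existing accounts, and falling back to the Default Role when no role value matches exactly are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"
# Attribute names the page lists as carrying roles. Azure AD's long groups claim
# URI is not among them, which is why the page says to rename it to "groups".
ROLE_ATTRS = ("memberof", "role", "group", "groups")

def parse_attributes(assertion_xml):
    """Map each saml:Attribute Name to its list of AttributeValue strings."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = attr.iterfind("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [v.text or "" for v in values]
    return attrs

def resolve_roles(attrs, existing_roles, known_roles, default_role):
    """The three cases from the page. existing_roles is None when the account
    does not exist yet; known_roles is the set of LogicMonitor role names."""
    if existing_roles is not None:                  # case 1: account exists
        return sorted(existing_roles)               # keep its roles for the session
    for name in ROLE_ATTRS:                         # case 2: a role attribute is present
        if name in attrs:
            matched = sorted(r for r in attrs[name] if r in known_roles)  # exact match only
            if matched:
                return matched
    return [default_role]   # case 3 (and, by assumption, no exact match): Default Role

def session_for(assertion_xml, directory, known_roles, default_role):
    """Return (username, roles); directory maps existing usernames to their roles.
    With Name ID Format = Email Address the email claim doubles as the username."""
    attrs = parse_attributes(assertion_xml)
    username = attrs[EMAIL_CLAIM][0]
    roles = resolve_roles(attrs, directory.get(username), known_roles, default_role)
    return username, roles

# Constructed AttributeStatement; Signature and Conditions are omitted, and a real
# receiver must validate both before trusting any attribute value below.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>administrator</saml:AttributeValue>
      <saml:AttributeValue>Not-A-LogicMonitor-Role</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

`session_for(SAMPLE, {}, {"administrator", "readonly"}, "readonly")` creates the user with only the exactly matching role; the same call with the user already in `directory` keeps that account’s roles instead.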
To force users to authenticate with your Identity Provider, select “Restrict Single Sign On.” If users visit https://companyname.logicmonitor.com, we will check to see if they have an active IdP session. If not, they will be redirected to log in. There is an alternative way for administrators to access the account in case there is an issue with your IdP. Contact support for details.
Note: Restricting Single Sign On will disable the ability to enforce 2FA. Additionally, when using LogicMonitor’s REST API, users will still be able to authenticate API requests via username/password or API tokens.
We have partnered with a variety of SaaS Identity Providers, including Microsoft, OneLogin, PingIdentity, Centrify, Bitium and Okta to bring you SSO in a few clicks. You will find the LogicMonitor application in each partner’s app catalog as well as easy-to-follow instructions.