Single Sign On
LogicMonitor's Single Sign On (SSO) solution enables administrators to authenticate and manage LogicMonitor users directly from their Identity Provider (IdP). This simplifies the login process and password management while providing the ability to take advantage of all of your IdP's security features and efficiencies. To get started, read through the following sections:
How it Works
LogicMonitor's SSO can be made to work with any SAML 2.0 compatible IdP. In short, this enables LogicMonitor and your IdP to verify one another via a handshake, and to share user authentication information via SAML assertions. The exchange looks something like this (with LogicMonitor as the Service Provider):
The exchange can also be initiated from LogicMonitor. In terms of the user experience, in IdP initiated the user will login to your IdP and launch LogicMonitor directly from there. In the Service Provider flow, users can go directly to company.logicmonitor.com and we will either verify they are logged in with the IdP or redirect them to do so.
Enabling SSO in your LogicMonitor account will not impact existing users, but will allow you to test the integration.
- Select the Enable Single Sign On option from Settings | User Access | Single Sign On
- Download the Service Provider Metadata. You'll need to upload this to your IdP.
- Configure your IdP. All required information should be present in the Service Provider Metadata, see the IdP configuration help section below for more details.
- Download your IdP metadata. You'll need to upload this to your LogicMonitor portal.
Once the IdP metadata has been uploaded to your LogicMonitor account, you can test the integration.
IdP Configuration Help
Need help configuring your IdP? Here are a few common fields you may come across:
- EntityID: https://companyname.logicmonitor.com
- LoginURL, Recipient, or Assertion Consumer Service: https://companyname.logicmonitor.com/santaba/saml/SSO/
- PostBack URL: https://companyname.logicmonitor.com/santaba/rpc/ssoSignIn?func=idpSso&c=testcompany
- Force Authentication: Yes
- Name ID Format: Email Address
- Group Name: https://www.logicmonitor.com/saml/roles
- Response: Signed
- Assertion: Signed
- Request: Compressed
- MaxAuthenticationAge: Some IDPs allow users to stay authenticated for a specified amount of time by setting a value (in seconds) for this field
From the users' IDP we auto-populate the following attribute names:
• Email Address: https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
• Given Name: https://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
• Surname: https://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
• For Roles, we look for any of the following format:
Are you using ADFS? While the general overview of the SSO configuration is the same for all Identity Providers (IdP), here are some tips for configuring ADFS:
- Confirm ADFS 2.0 is installed, the default ADFS version is 1.0 ADFS 2.0 can be downloaded here: https://www.microsoft.com/en-us/download/details.aspx?id=10909. For more information on installing and deploying ADFS, see https://technet.microsoft.com/en-us/library/dn486820.aspx
- Download the SP metadata from your LogicMonitor account (Settings | Single Sign On | Service Provider Metadata | Download).
In the Microsoft Management Console, select "Add Relying Party Trust".
- Select "Import data about the relying party from a file" and select the SP metadata file, select Next.
- Continue with the wizard, on the "Ready to Add Trust"
- Leave "Open the Edit Claim Rules dialog" checkbox checked and finish the wizard
- Select "Add Rule", choose "Send LDAP Attributes as Claims" and press Next
- Set any name as "Claim rule name", choose "Active Directory" as Attribute store –choose "SAMAccount-Name" as LDAP Attribute and "Name ID" as "Outgoing claim type"
- Choose “Token-Groups – Unqualified Names" as LDAP Attribute and “Role” as "Outgoing claim type"
- Choose “E-Mail-Address" as LDAP Attribute and “E-Mail-Address” as "Outgoing claim type" (note: with the configuration of steps 7-9 ADFS will look for LogicMonitor usernames that match the SAMAccount-Name, so your LM usernames should be set consistent with your SAMAccount-Names. You can alternatively omit the SAMAccount-Name LDAP attribute mapping, but still configure the other two LDAP attribute mappings, and instead set up a second transform rule that maps Incoming claim type 'E-Mail Address' to Outgoing claim type 'Name ID' and Outgoing name ID format 'Email'. This will result in ADFS looking for LogicMonitor usernames that match email, instead.)
- (Important) Open the provider by double-clicking it, select tab Advanced and change "Secure hash algorithm" to SHA-1
Upload your IdP metadata (downloaded from https://[NameOfYourADFSServer]/FederationMetadata/2007-06/FederationMetadata.xml) to your LogicMonitor account
- Metadata files must be under 64KB. ADFS will occasionally include unnecessary information, if your file is over 64KB please remove any SPSRoleDescriptor and Role Descriptor information. The Entity information and IDPSSODescriptor section are required.
**Note: There is a known issue with Chrome and ADFS authentication. To use Chrome for authentication, disable “Extended Protection” for the ADFS web portal. Typically, turning Extended Protections off on your ADFS server involves the following:
- Select Sites -> Default Web Site -> ADFS -> ls
- Double-click the Authentication icon, right-click Windows Authentication and select Advanced Settings...
- On the AdvancedSettings dialog, choose Off for Extended Protection.
There are three ways a user session can be initiated in LogicMonitor:
- The user account already exists in LogicMonitor. This is the case when your IdP user identifier (which, if you set NameID format to email, will be an email address) matches a LogicMonitor username. The user's existing roles will be respected for the session. If a LM administrator manually changes the user's role, then both this new role and the one from the SAML assertion will be present.
- The user account does not exist and a role attribute (memberof, role, group, or groups) is included in the SAML assertion. The user will be created with the corresponding role(s) as long as they are an exact match in LogicMonitor roles.
The user account does not exist and no role attribute is included in the SAML assertion. The user will be created and the Default Role (configured in the SSO Settings) will be assigned.
Note: New user accounts will be placed in the default “Ungrouped” user group.
To force users to authenticate with your Identity Provider, select "Restrict Single Sign On." If users visit https://companyname.logicmonitor.com, we will check to see if they have an active IdP session. If not, they will be redirected to login. There is an alternative way for administrators to access the account in the case there is an issue with your IdP. Contact support for details.
Note: When using LogicMonitor's REST API, users will still be able to authenticate API requests via username/password or API tokens when SSO is enforced.