Alert Logic uses Auth0 as the service provider for SAML single sign-on (SSO) federations. The following values are required by Auth0 to configure a new SAML SSO federation via an identity provider:
- Requestor and Identity Provider: The company or party that is requesting the new SAML SSO federation, as well as the identity provider. Ex: Acme Company, Okta or Acme Company, custom identity provider.
- SSO URL: Also referred to as the SAML Customer URL, SAML Callback URL, or Identity Provider Login URL. This is the identity provider URL that SAML requests will be sent to.
- Single Log Out URL: Auth0 enforces Single Log Out, but there is not always a dedicated Single Log Out URL for an identity provider. If none is provided, Auth0 defaults to using the SSO URL.
- Auth0 Connection Name: This name will be used to create the Auth0 connection. The name must be agreed upon by Auth0 and the identity provider in order to route the SAML exchange. The chosen name should be URL-safe and immediately identify the requestor. Ex: al-acmeco. If there is any other useful information to identify the connection, it can be appended with a hyphen. Ex: al-acmeco-okta or al-acmeco-simplesaml.
Note: As of now, there is no way to set up SAML through the Alert Logic user interface. To use a SAML provider, create a ticket with Alert Logic Support and include the information above. The completion of this process can take up to 28 days.
Additional Requirements
- The NameID in the SAML exchange should be a user's email address.
- There is no automatic provisioning of user accounts at this time. A user identified by the email address must already exist in the product in order to log in successfully.
- In order to log in to an Alert Logic product using a SAML SSO federation, the login must be initiated by the customer identity provider.
- Any user that is authenticated by the identity provider must exist in the top-level customer account of the requester or in a descendant customer account of the top-level customer account.
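A pre-submission check for the values listed above, as an added example that is not Alert Logic or Auth0 code: it reads an identity provider's SAML 2.0 metadata, applies the SSO URL fallback when no Single Log Out URL is published, builds a URL-safe connection name, and reports whether the identity provider advertises the email address NameID format. The metadata, host names, and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample IdP metadata (hypothetical host); it has no SingleLogoutService.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def connection_name(requestor, idp=None):
    """Build an al-<requestor>[-<idp>] name from lowercase letters and digits only."""
    parts = ["al", requestor] + ([idp] if idp else [])
    slugs = [re.sub(r"[^a-z0-9]", "", p.lower()) for p in parts]
    if not all(slugs):
        raise ValueError("requestor and idp must contain letters or digits")
    return "-".join(slugs)

def federation_request(metadata_xml, requestor, idp=None):
    """Collect the values to include in the support ticket from IdP metadata."""
    # Parse only metadata exported from your own IdP; use defusedxml for untrusted XML.
    desc = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    if desc is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = desc.find("md:SingleSignOnService", NS)
    if sso is None or not sso.get("Location"):
        raise ValueError("an SSO URL is required")
    slo = desc.find("md:SingleLogoutService", NS)
    formats = [e.text.strip() for e in desc.findall("md:NameIDFormat", NS) if e.text]
    return {
        "sso_url": sso.get("Location"),
        # No dedicated Single Log Out URL: fall back to the SSO URL, as Auth0 does.
        "slo_url": slo.get("Location") if slo is not None else sso.get("Location"),
        "connection_name": connection_name(requestor, idp),
        "nameid_is_email": EMAIL_FMT in formats,
    }
```

A `nameid_is_email` value of `False` means the identity provider does not advertise the email address format in its metadata, so the NameID mapping should be checked before the ticket is filed.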
Comments
Please add step: X509 Signing Certificate: Required to validate identity provider SAML requests and responses; a connection can't be created without the identity provider's signing certificate. We will need to have this from you in order to proceed.