Alert Logic® uses Auth0 as the service provider for SAML single sign-on (SSO) federations. Auth0 needs the following values to configure a new SAML SSO federation with an identity provider. Either of the two sets of values below is acceptable; the Metadata XML file is preferred.
Option 1: Metadata XML file
- Requestor and Identity Provider: The company or party requesting the new SAML SSO federation, and the identity provider it uses. Ex: Acme Company, Okta or Acme Company, custom identity provider.
- Metadata XML File: This file holds all of the URLs and certificates. It is preferable because it is usually generated by the identity provider itself (such as Okta) and is therefore less prone to user error.
- X509 Signing Certificate: This certificate is usually included in the Metadata XML file by default. If your identity provider has an advanced configuration and signs with a different certificate than the one in the Metadata XML file, provide the configured certificate instead. Auth0 uses it to verify the signatures on the SAML responses and assertions it receives from your identity provider, so a connection cannot be created without it.
Option 2: Individual values
- Requestor and Identity Provider: As above.
- SSO URL: Also referred to as the SAML Customer URL, SAML Callback URL, or Identity Provider Login URL. This is the identity provider URL that SAML requests are sent to.
- Single Log Out URL: Auth0 enforces Single Log Out, but not every identity provider exposes a dedicated Single Log Out URL. If none is provided, Auth0 defaults to the SSO URL.
- X509 Signing Certificate: As above.
For more information on obtaining these values, please see our Configure Okta for Single Sign-On and Configure Microsoft Azure Active Directory for Single Sign-On articles.
Note: SAML cannot currently be set up through the Alert Logic user interface. To use a SAML provider, create a ticket with Alert Logic Support and include the information above. Completing this process can take up to 28 days.
Additional Requirements
- The NameID in the SAML exchange must be the user's email address; it is the value used to identify the user.
- There is no automatic provisioning of user accounts at this time. A user with that email address must already exist in the product for the login to succeed.
- Login to an Alert Logic product through a SAML SSO federation must be initiated by the customer's identity provider (IdP-initiated SSO).
- Any user authenticated by the identity provider must exist in the requester's top-level customer account or in one of its descendant customer accounts.
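The requirements above can be checked mechanically once the assertion has been signature-verified. The following Python is an added example, not Alert Logic's or Auth0's code: it takes an assertion, confirms the NameID is in the emailAddress format and looks like an email address, looks the address up in a directory of existing users (there is no auto-provisioning, so an unknown address is rejected), and finally walks the account tree to confirm the user's account is the requester's top-level account or a descendant of it. The assertion, the user directory, the account tree and the account identifiers are all constructed placeholders.

```python
"""Apply the SAML login requirements to an assertion (added example, not vendor code)."""
import re
import xml.etree.ElementTree as ET  # caveat: use defusedxml for untrusted input in production

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # deliberately loose: shape check only

# Constructed assertion as an IdP would send it inside a Response. The XML signature is omitted;
# in the real flow the service provider verifies it with the IdP signing certificate before
# anything in the assertion is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-1" Version="2.0">
  <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@acme.example</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed user directory: email -> id of the customer account the user belongs to.
USERS = {
    "jdoe@acme.example": "acct-200",
    "outsider@other.example": "acct-900",
}
# Constructed account tree: child account -> parent account.
# acct-100 is the requester's top-level account; acct-800 belongs to an unrelated customer.
PARENT = {"acct-200": "acct-100", "acct-300": "acct-200", "acct-900": "acct-800"}


def is_descendant_or_self(account: str, top_level: str) -> bool:
    """True if `account` is `top_level` or sits anywhere below it in the account tree."""
    seen = set()  # guard against a malformed tree with a cycle
    while account is not None and account not in seen:
        if account == top_level:
            return True
        seen.add(account)
        account = PARENT.get(account)
    return False


def check_login(assertion_xml: str, top_level: str = "acct-100") -> tuple[bool, str]:
    """Return (allowed, reason) for an already signature-verified assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not name_id.text:
        return False, "assertion has no NameID"
    if name_id.get("Format") != EMAIL_FORMAT:
        return False, "NameID Format is not emailAddress"
    email = name_id.text.strip()
    if not EMAIL_RE.match(email):
        return False, "NameID is not an email address"
    account = USERS.get(email)  # exact match; the NameID must already exist, no auto-provisioning
    if account is None:
        return False, "no existing user for this email address"
    if not is_descendant_or_self(account, top_level):
        return False, "user's account is outside the requester's account tree"
    return True, f"{email} may log in via account {account}"


if __name__ == "__main__":
    print(check_login(SAMPLE_ASSERTION))
    print(check_login(SAMPLE_ASSERTION.replace("jdoe@acme.example", "outsider@other.example")))
```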
Comments
Please add step: X509 Signing Certificate: Required to validate identity provider SAML requests and responses; a connection can't be created without the identity provider's signing certificate. We will need to have this from you in order to proceed.