Alert Logic® uses Auth0 as the service provider for SAML SSO federations. The following values are required by Auth0 to configure a new SAML SSO federation:
- Requestor and Identity Provider: The company or party requesting the new SAML SSO federation, together with the identity provider it uses. Ex: Acme Company, Okta; or Acme Company, custom identity provider.
- Single Sign On URL: Also referred to as the SSO URL, SAML Consumer URL, SAML Callback URL, or Identity Provider Login URL, depending on the identity provider. This is the identity provider endpoint to which SAML requests are sent.
- Single Log Out URL: Auth0 enforces Single Log Out, but not every identity provider exposes a dedicated Single Log Out URL. If none is provided, Auth0 defaults to the Single Sign On URL.
- Default Console URL: The console URL that users are redirected to when login is initiated by the identity provider. Other consoles the user can access do not require further authentication after logging in to the default console.
- Auth0 connection name: The name used to create the Auth0 connection. It must be agreed upon by Auth0 and the identity provider, because it identifies the connection when the SAML exchange is routed. The chosen name should be URL-safe and immediately identify the requestor, e.g. al-acmeco. Any other information useful for identifying the connection can be appended with a hyphen, e.g. al-acmeco-okta or al-acmeco-simplesaml.
NOTE: SAML cannot currently be set up through the Alert Logic user interface. To use a SAML provider, submit a support ticket containing the information above to firstname.lastname@example.org.
- The NameID in the SAML exchange must be the user's email address.
- There is no automatic provisioning of user accounts at this time. A user with that email address must already exist in the product for the login to succeed.
- Login to an Alert Logic product through a SAML SSO federation must be initiated by the customer's identity provider (IdP-initiated login).
- Any user authenticated by the identity provider must exist in the requestor's top-level customer account or in one of its descendant customer accounts.
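The following is an added pre-flight check, not Alert Logic's or Auth0's code, that a requestor can run against a SAML Response captured from their identity provider before opening the ticket. It applies the constraints listed above: the NameID must be an email address, that address must already exist as a user, the user must sit in the requestor's top-level account or one of its descendants, and the proposed connection name must be URL-safe and follow the al-<requestor>[-<idp>] pattern. The SAML Response, the account tree, the user table and the `al-` naming rule are all constructed assumptions for the example; a real Response is signed by the identity provider and validated by Auth0 before any of these checks matter.

```python
"""Pre-flight checks for an Alert Logic SAML SSO federation request.

Added example, not Alert Logic's or Auth0's code. Everything below the
imports (SAML Response, account tree, user table, naming rule) is constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumed naming rule from the text: URL-safe, starts with the requestor, e.g. al-acmeco-okta
CONN_RE = re.compile(r"^al-[a-z0-9]+(-[a-z0-9]+)*$")

# Constructed, unsigned SAML Response for illustration only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.acme.example/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@acme.example</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed account tree: child -> parent (None for a top-level account).
# 1000 is the requestor's top-level account, 1001 a descendant, 2000 another customer.
ACCOUNTS = {1000: None, 1001: 1000, 2000: None}
# Constructed user table: existing users and the account each belongs to.
USERS = {"jdoe@acme.example": 1001, "outsider@other.example": 2000}


def extract_name_id(response_xml):
    """Return (Format attribute, NameID value) from the first Subject in the Response."""
    root = ET.fromstring(response_xml)
    node = root.find(".//saml:Subject/saml:NameID", NS)
    if node is None:
        raise ValueError("assertion has no NameID")
    return node.get("Format"), (node.text or "").strip()


def name_id_is_email(fmt, value):
    """The NameID must be declared as, and look like, an email address."""
    return fmt == EMAIL_FORMAT and bool(EMAIL_RE.match(value))


def in_account_tree(account_id, top_level):
    """Walk parents until we hit the requestor's top-level account or run out."""
    while account_id is not None:
        if account_id == top_level:
            return True
        account_id = ACCOUNTS.get(account_id)
    return False


def check_login(response_xml, top_level):
    """Return (ok, reason) for a Response against the constraints in the text."""
    fmt, value = extract_name_id(response_xml)
    if not name_id_is_email(fmt, value):
        return False, "NameID is not an email address"
    account = USERS.get(value)
    if account is None:
        return False, "no existing user for " + value  # no auto-provisioning
    if not in_account_tree(account, top_level):
        return False, "user belongs to an account outside the requestor's tree"
    return True, "ok"


def connection_name_ok(name):
    """Proposed Auth0 connection name is URL-safe and identifies the requestor."""
    return bool(CONN_RE.match(name))


if __name__ == "__main__":
    print(check_login(SAMPLE_RESPONSE, 1000))
    print(check_login(SAMPLE_RESPONSE.replace("jdoe@acme.example", "nobody@acme.example"), 1000))
    print(connection_name_ok("al-acmeco-okta"), connection_name_ok("al acmeco"))
```

Run it against a Response captured from your own identity provider (for example with a browser SAML tracer) after replacing the constructed user table with the addresses you expect to exist; a NameID that is a username or an opaque identifier rather than an email address will fail the first check, which is the most common reason a federation set up this way does not log anyone in.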