Alert Logic® uses Auth0 as the service provider for SAML single sign-on (SSO) federations. The following values are required by Auth0 to configure a new SAML SSO federation via an identity provider:
- Requestor and Identity Provider: The company or party that is requesting the new SAML SSO federation, as well as the identity provider. Example: Acme Company, Okta; or Acme Company, custom identity provider.
- Metadata XML File: This file holds all of the URLs and certificates. It is the preferred option because it is usually generated by the provider itself (such as Okta), which makes it less prone to user error.
- X509 Signing Certificate: This certificate is usually provided in the Metadata XML file above by default. If your identity provider has an advanced configuration and is configured to sign requests using a different certificate than the one shown in the Metadata XML file, please provide the configured certificate. This is used by our service provider to validate requests from your identity provider.
- Requestor and Identity Provider
- SSO URL: Also referred to as the SAML Customer URL, SAML Callback URL, or Identity Provider Login URL. This is the identity provider URL that SAML requests will be sent to.
- Single Log Out URL: Auth0 enforces Single Log Out, but there is not always a dedicated Single Log Out URL for an identity provider. If none is provided, Auth0 defaults to using the SSO URL.
- X509 Signing Certificate
For more information on obtaining these values, please see our Configure Okta for Single Sign-On and Configure Microsoft Azure Active Directory for Single Sign-On articles.
Note: As of now, there is no way to set up SAML through the Alert Logic user interface. To use a SAML provider, create a ticket with Alert Logic Support and include the information above. The completion of this process can take up to 28 days.
- The NameID in the SAML exchange should be a user's email address.
- There is no automatic provisioning of user accounts at this time. A user identified by the email address must already exist in the product in order to log in successfully.
- In order to log in to an Alert Logic product using a SAML SSO federation, the login must be initiated by the customer's identity provider.
- Any user that is authenticated by the identity provider must exist in the top-level customer account of the requester or in a descendant customer account of the top-level customer account.