Authentication Profiles and Resources

This section describes the following topics:

  • Authentication Profiles. Policies that align user accounts with one or more types of authentication.
  • Authentication Resources. Configuration policies that describe how Skylar One (formerly SL1) should communicate with a user store.

Use the following menu options to navigate the Skylar One user interface:

  • To view a pop-out list of menu options, click the menu icon ().
  • To view a page containing all of the menu options, click the Advanced menu icon ().

Authentication Profiles

Authentication profiles are policies that align user accounts with one or more types of authentication:

  • Alignment by pattern matching. Skylar One examines the URL or IP address that a user enters in a browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL or IP address matches the criteria specified in an authentication profile, Skylar One will automatically use the matching profile to perform user authentication.
  • Credential Source. Specifies from where Skylar One should extract the username and password or certificate to be authenticated. These credentials are passed to Skylar One through HTTP. Skylar One then passes the credentials to each authentication resource specified in the authentication profile (for example, CAC/Client Cert). The authentication resources communicate with user stores that can authenticate the credentials entered by a user.
  • Authentication Resource. Specifies the connector to use to communicate with the user store, the credential to use to connect to the user store (if applicable), such as your Active Directory server, and the URLs to examine during authentication. Authentication Resource also maps attributes from the user's account in the user store to fields in the ScienceLogic user account. For details on creating an authentication resource, see the section on Authentication Resources.

If you will be using Single Sign-On (SSO) as your method of authentication, your SSO resource must be placed in its own Authentication Profile, since it will take priority over any other authentication method defined. If you have multiple SSO resources, each must be in its own profile.

Viewing the List of Authentication Profiles

To view a list of all authentication profiles in Skylar One:

  1. Go to the Authentication Profiles page (System > Settings > Authentication > Profiles).

  2. The following information is displayed about each authentication profile:

    • Profile Name. Name of the authentication profile.

    • Access. Indicates whether the authentication profile is shared with all organizations or is private.

      The Access column displays only for Administrator user accounts and user accounts assigned to the System organization.

    • ID. Unique numeric ID, automatically assigned by Skylar One to each authentication profile.

    • Hostname Pattern. This field is used to match the URL or IP address that a user enters in a browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL or IP address matches the value in this field, Skylar One applies the authentication profile to the user for the current session.

    • Priority Order. If your Skylar One System includes multiple authentication profiles, Skylar One evaluates the authentication profiles in priority order, ascending. This column displays the priority order value for the authentication profiles, where 0 (zero) is the highest priority.

    • Edited By. The user who created or last edited the authentication profile.

    • Last Edited. Date and time the authentication profile was created or last edited.

To sort the list of authentication profiles, click on a column heading. The list will be sorted by the column value, in ascending order. To sort by descending order, click the column heading again. The Last Edited column sorts by descending order on the first click; to sort by ascending order, click the column heading again.

The "default" Authentication Profile

Skylar One includes a default authentication profile, for which the following rules apply:

  • You cannot delete the default profile.
  • If the hostname or IP address that the user entered fails to match the AP Hostname Pattern of every other authentication profile, Skylar One applies the default authentication profile.
  • In ISO systems, initially the default profile is pre-configured to allow ScienceLogic administrators to log in via CAC/Client Certificate, HTTP Auth, or the Skylar One Login Page and the authentication resource Internal. This allows administrators to log in and perform initial configuration on the Skylar One system. After initial configuration, administrators can edit the default profile as best fits their organization.
  • In patched systems, the default profile is included in the patch and is pre-configured to allow ScienceLogic administrators to log in via the ScienceLogic login page and the authentication resource Internal. It allows credentials via CAC/Client Certificate, HTTP Auth, or the Skylar One Login Page. It can also use the legacy authentication resources SSO (legacy), LDAP/AD (legacy), and Internal.

Creating an Authentication Profile

To create a new authentication profile:

  1. Go to the Authentication Profiles page (System > Settings > Authentication > Profiles).
  2. Click the Create button. The Authentication Profile Editor modal appears.
  3. Enter values in the following fields:
  • Name. Name of the authentication profile.

  • Sharing Permission. Indicates if the authentication profile is shared or private. Choices are:

    • Shared with all organizations. The authentication profile is shared with users across all organizations.

    • Private (visible to System organization only). The authentication profile is private to only user accounts assigned to the System organization.

    The Sharing Permission field displays only for Administrator user accounts and user accounts assigned to the System organization.

  • Priority Order. If your Skylar One System includes multiple authentication profiles, Skylar One evaluates the authentication profiles in ascending priority order. Skylar One will apply the authentication profile that matches the hostname or IP in the current URL AND has the lowest value in the Priority Order field.

  • Pattern Type. Specifies how Skylar One will evaluate the value in the AP Hostname Pattern field. Choices are:
    • Wildcard. Skylar One will perform a text match, with wildcard characters (asterisks).
    • Regex. Skylar One will use regular expressions to compare the AP Hostname Pattern to the current session information.
  • AP Hostname Pattern. This field is used to match the URL or IP address that a user enters in a browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL or IP address matches the value in this field, Skylar One applies the authentication profile to the user for the current session.
    • For example, if you specify "*" (asterisk), any IP address or URL will match. Skylar One will then apply this authentication profile to every session on an Administration Portal, Database Server, or All-In-One Appliance.
    • If you enter "192.168.38.235", Skylar One will apply the authentication profile to each session on an Administration Portal, Database Server, or All-In-One Appliance where the user enters "192.168.38.235" into the browser.
    • If you enter "*.sciencelogic.local", Skylar One will apply the authentication profile to each session on an Administration Portal, Database Server, or All-In-One Appliance where the user enters a URL ending with ".sciencelogic.local" into the browser.

    Do not include underscores ( _ ) in the AP Hostname Pattern field. URLs with underscores are not considered valid in Skylar One authentication profiles.

  • Available Credential Sources. This field tells Skylar One how to retrieve the user's credentials from the HTTP request to Skylar One. To align a credential source with the authentication profile, highlight the credential source and click the right-arrow button. You can select zero, one, or multiple credential sources for the authentication profile. Initially, this pane displays a list of all the credential sources:
    • CAC/Client Cert. Skylar One will retrieve a certificate from the HTTP request.
    • HTTP Auth. Skylar One will retrieve a user name and password from the HTTP request.
    • Login Page. Skylar One will retrieve a user name and password from the ScienceLogic login page fields.

    If you will be using CAC authentication, align the CAC/Client Cert credential source. If this is your primary method of logging in to Skylar One, align CAC/Client Cert as the number one credential source. ScienceLogic recommends having EM7 Login Page aligned, as well, for administrator or maintenance access.

If you are using Single Sign-On (SSO) authentication, the Available Credential Sources field is ignored. You do not have to align a credential source because credentials are submitted directly to an Identity Provider (IdP) instead of Skylar One.

  • Aligned Credentials Sources. This field displays the list of credential sources that have been aligned with the authentication profile. The authentication profile will examine each credential source in the order in which it appears in this list. When the authentication profile finds the user's credential, the authentication profile stops examining any remaining credential sources in the list.
  • Available Authentication Resources. This field tells Skylar One which authentication resources to use to authenticate the retrieved credentials. To align an authentication resource with the authentication profile, highlight the authentication resource and click the right-arrow button. You must select at least one authentication resource (but can select more than one). For details on creating an authentication resource, see the section on Authentication Resources.
  • Aligned Authentication Resources. This field displays the list of authentication resources that have been aligned with the authentication profile. The authentication profile will examine each authentication resource in the order in which it appears in this list. When an authentication resource successfully authenticates the user, the authentication profile stops executing any remaining authentication resources in the list.
  4. Click the Save button to save your changes to the new authentication profile.
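The selection rules described above (profiles evaluated in ascending Priority Order, Wildcard or Regex matching of the AP Hostname Pattern, the default profile as the fallback, and the first-found-wins scan of aligned credential sources) are modelled in the following added Python example. This is not Skylar One code. The data classes, the whole-host semantics of wildcard matching, the search semantics of regex matching, the request field names, and the sample profiles are all this example's own assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthProfile:
    """Constructed model of an authentication profile (field names follow the page)."""
    name: str
    priority: int                    # evaluated in ascending order; 0 is the highest priority
    pattern_type: str                # "wildcard" or "regex"
    hostname_pattern: str            # the AP Hostname Pattern value
    credential_sources: tuple = ()   # aligned credential sources, in scan order


def validate_hostname_pattern(pattern: str) -> None:
    """Reject patterns the page says are invalid (underscores)."""
    if "_" in pattern:
        raise ValueError(f"AP Hostname Pattern {pattern!r} must not contain underscores")


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """'*' matches any run of characters; everything else is literal text."""
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE)


def pattern_matches(profile: AuthProfile, host: str) -> bool:
    validate_hostname_pattern(profile.hostname_pattern)
    if profile.pattern_type == "wildcard":
        # Assumption: a wildcard pattern must cover the whole host, not a substring.
        return wildcard_to_regex(profile.hostname_pattern).fullmatch(host) is not None
    if profile.pattern_type == "regex":
        # Assumption: regex patterns are applied as a search, so anchor them
        # (^...$) whenever a whole-host match is intended.
        return re.search(profile.hostname_pattern, host, re.IGNORECASE) is not None
    raise ValueError(f"unknown pattern type {profile.pattern_type!r}")


def select_profile(profiles, default: AuthProfile, host: str) -> AuthProfile:
    """Return the matching profile with the lowest Priority Order value, else the default."""
    host = host.strip().lower()
    for profile in sorted(profiles, key=lambda p: p.priority):
        if pattern_matches(profile, host):
            return profile
    return default


# Hypothetical request fields that each credential source reads from.
REQUEST_FIELD_FOR_SOURCE = {
    "CAC/Client Cert": "client_cert",   # certificate presented with the HTTP request
    "HTTP Auth": "authorization",       # user name and password from an HTTP auth header
    "Login Page": "login_form",         # user name and password from the login page fields
}


def find_credential(profile: AuthProfile, request: dict):
    """Scan aligned credential sources in order; the first one present wins, the rest are skipped."""
    for source in profile.credential_sources:
        value = request.get(REQUEST_FIELD_FOR_SOURCE[source])
        if value:
            return source, value
    return None


# Constructed sample profiles, not from any real deployment.
PROFILES = (
    AuthProfile("CAC only", 0, "wildcard", "*.sciencelogic.local", ("CAC/Client Cert", "Login Page")),
    AuthProfile("Admin by IP", 1, "wildcard", "192.168.38.235", ("HTTP Auth", "Login Page")),
    AuthProfile("SSO portal", 5, "regex", r"^sso\.", ()),   # SSO ignores credential sources
)
DEFAULT = AuthProfile("default", 99, "wildcard", "*", ("CAC/Client Cert", "HTTP Auth", "Login Page"))

if __name__ == "__main__":
    for host in ("em7.sciencelogic.local", "192.168.38.235", "SSO.example.com", "other.example.com"):
        print(host, "->", select_profile(PROFILES, DEFAULT, host).name)
```

Note that a regex pattern such as `sso\.` without the `^` anchor would also match a host like `not-sso.example.com`; anchoring the expression keeps a high-priority profile from capturing sessions it was not meant for.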

Editing an Authentication Profile

The Authentication Profiles page allows you to edit an existing authentication profile. To do so:

  1. Go to the Authentication Profiles page (System > Settings > Authentication > Profiles).
  2. Find the authentication profile that you want to edit. Click its wrench icon ().
  3. The Authentication Profile Editor modal page appears. In this page, you can edit the value of one or more fields.
  4. Click the Save button to save your changes to the authentication profile.

Deleting One or More Authentication Profiles

The Authentication Profiles page allows you to delete one or more authentication profiles from Skylar One. To do so:

  1. Go to the Authentication Profiles page (System > Settings > Authentication > Profiles).
  2. Select the checkbox of each authentication profile that you want to delete.
  3. Click the Select Actions menu (in the lower right), select DELETE Authentication Profile, and then click the Go button. The selected authentication profiles will be deleted.

You cannot delete the default authentication profile.

Authentication Resources

An authentication resource is a configuration policy that describes how Skylar One should communicate with a user store. An authentication resource specifies the connector to use to communicate with the user store, the credential to use to connect to the user store (if applicable), and the URLs to examine during authentication. An authentication resource also maps attributes from the user's account in the user store to fields in the ScienceLogic user account.

Viewing the List of Authentication Resources

The Authentication Resource Manager page displays a list of all authentication resources in the Skylar One System.

To view the list of authentication resources:

  1. Go to the Authentication Resource Manager page (System > Settings > Authentication > Resources).
  2. The following information is displayed about each authentication resource:

  • Resource Name. Name of the authentication resource.
  • Access. Indicates whether the authentication resource is shared with all organizations or is private.

    The Access column displays only for Administrator user accounts and user accounts assigned to the System organization.

  • ID. Unique numeric ID, automatically assigned by Skylar One to each authentication resource.
  • Type. Specifies the user store that is associated with the resource. Possible types are:
    • Internal. The authentication resource communicates and passes information to and from the ScienceLogic Database.
    • LDAP/AD. The authentication resource communicates and passes information to and from an LDAP server or Active Directory server.
    • SSO. The authentication resource communicates and passes information to and from a SAML Identity Provider (IdP) or Service Provider (SP).
  • Connector. The software that allows communication between the authentication resource and the user store. Possible connectors are:
    • Internal. Software that communicates with the ScienceLogic Database.
    • LDAP/AD. Software that communicates with an LDAP server or Active Directory server.
    • LDAP/AD - Legacy. Software that communicates with an LDAP server or Active Directory server for ScienceLogic servers that were configured prior to version 7.8 of Skylar One. Skylar One systems that were upgraded to version 7.8 using patches can continue to use the same authentication methods without making changes to user accounts or the LDAP server or Active Directory server.
    • OneLogin. Software that communicates with a SAML Identity Provider (IdP).
    • SimpleSAML - Legacy. Software that communicates with a SAML Identity Provider (IdP) and Service Provider (SP) for ScienceLogic servers that were configured prior to version 7.8 of Skylar One. Skylar One systems that were upgraded to version 7.8 using patches can continue to use the same authentication methods without making changes to user accounts, the SAML configuration, or the SSO provider.
  • Edited By. The user who created or last edited the authentication resource.
  • Last Edited. Date and time the authentication resource was created or last edited.

To sort the list of authentication resources, click on a column heading. The list will be sorted by the column value, in ascending order. To sort by descending order, click the column heading again. The Last Edited column sorts by descending order on the first click; to sort by ascending order, click the column heading again.

The "Internal" Resource

The Internal resource allows you to access the user store in the ScienceLogic database.

  • By default, each Skylar One System includes the Internal authentication resource.
  • You cannot create an Internal authentication resource.
  • You cannot edit or delete the Internal authentication resource included with your Skylar One System.
  • Each Skylar One System can include only one Internal authentication resource.

Creating an LDAP/AD Authentication Resource

The LDAP/AD Auth Resource Editor page allows you to define an authentication resource for use with an LDAP/AD user store. An LDAP/AD authentication resource specifies the connector (communication software) to use to communicate with the LDAP/AD user store and the credential to use to connect to the user store. An LDAP/AD authentication resource can also map attributes from the user's LDAP/AD account to fields in the ScienceLogic user account.

ScienceLogic administrators can use LDAP or Active Directory to authenticate ScienceLogic users. There are two ways to use LDAP or Active Directory authentication with Skylar One:

  • You can configure Skylar One to automatically create user accounts for existing LDAP or Active Directory users and then always use LDAP or Active Directory to authenticate those users when they log in to Skylar One.
  • You can use LDAP or Active Directory to authenticate one or more ScienceLogic users when they log in to Skylar One.

To create an LDAP/AD authentication resource:

  1. Go to the Authentication Resource Manager page (System > Settings > Authentication > Resources).
  2. Click the Actions menu and then select Create LDAP/AD Resource. The LDAP/AD Auth Resource Editor modal page appears.
  3. Enter values in the following fields:

Basic Settings

  • Name. Name of the LDAP/AD authentication resource.
  • Sharing Permission. Indicates if the authentication resource is shared or private. Choices are:
    • Shared with all organizations. The authentication resource is shared with users across all organizations.
    • Private (visible to System organization only). The authentication resource is private to only user accounts assigned to the System organization.

    The Sharing Permission field displays only for Administrator user accounts and user accounts assigned to the System organization.

  • Read Credential. Credential that allows Skylar One to read data from an LDAP or Active Directory server. Select from a list of all LDAP and Active Directory credentials to which you have access. If this field has been set to a credential to which you do not have access, this field will display the value Restricted Credential. If you set this field to a different credential, the entry for Restricted Credential will be removed from the field; you will not be able to re-align the field with the Restricted Credential.
  • Write Credential. Credential that allows Skylar One to write data to an LDAP or Active Directory server. Select from a list of all LDAP and Active Directory credentials to which you have access. If this field has been set to a credential to which you do not have access, this field will display the value Restricted Credential. If you set this field to a different credential, the entry for Restricted Credential will be removed from the field; you will not be able to re-align the field with the Restricted Credential.
  • User Name Suffix. Optional field. Because Skylar One can authenticate against multiple LDAP or Active Directory servers, there is a risk of collision among user names. In this field, you can enter a string to append to the user name to minimize the risk of collision. For example:
    • Suppose we entered @ad.local in this field.
    • Suppose the next LDAP/AD user logs in to Skylar One with the user name bishopbrennan.
    • Skylar One will log that user in as bishopbrennan@ad.local.

    A best practice to avoid collisions is to use email addresses as user names.

  • User Display Name. Select what name to display from the following options:
    • disable. Uses the current default behavior, which displays the user's username in the Skylar One user interface and logs.
    • email address. Displays the user's email address in the Skylar One user interface and logs.
    • user principal name. Displays the value from the UPN field on this page in the Skylar One user interface and logs.
  • UPN. "User principal name." If you select user principal name in the User Display Name field, then the value from this field displays in the Skylar One user interface and audit logs. Enter one of the following:
    • email address. Displays the user's email address in the Skylar One user interface and audit logs.
    • user principal name. Displays the value from the UPN field on this page in the Skylar One user interface and audit logs.

Your organization membership(s) might affect the list of credentials you can see in the Read Credential field and the Write Credential field. For details, see the section on Credentials.

  • Search Filter. Specifies where to find the user's account information in LDAP or Active Directory. You must tell Skylar One where to find the LDAP or AD attribute that maps to the user's account name in Skylar One.

    For example, an LDAP user might use his/her uid value to log in to Skylar One. In the ScienceLogic account, that uid value will then become the user's Account Login Name.

    You can use the following variables in the search filter:
    • %u. ScienceLogic login name.
    • %e. Email address.

    An example search filter for LDAP might be:

    (&(objectClass=person)(uid=%u))

    This says to search in the object class called "person" for the uid that matches the ScienceLogic login name (entered when the user logs in to Skylar One and then stored in the variable %u).

    An example search filter for Active Directory might be:

    (sAMAccountName=%u)

    This says to search for the sAMAccountName attribute that matches the ScienceLogic login name (entered when the user logs in to Skylar One and then stored in the variable %u).

    For more information on the syntax of LDAP and AD search filters, see RFC 4515.
  • Sync directory values on login. If an LDAP or AD administrator makes changes to an LDAP or AD account, Skylar One will automatically retrieve those updates and apply them to the user's account in Skylar One (in the Account Properties page) the next time the user logs in to Skylar One. (For more information about user account properties, see the section on Creating and Editing User Accounts.)
  • Sync account values to directory on save. If a ScienceLogic administrator made changes to the ScienceLogic account, Skylar One will automatically write those changes to the user's account in LDAP or Active Directory.

The Sync account values to directory on save option requires a write credential.
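The User Name Suffix and Search Filter settings above are illustrated by the following added Python example, which is not Skylar One code. It appends the suffix, substitutes the %u and %e variables into the two filter templates from the page, and escapes the substituted values as RFC 4515 requires so that a login name containing filter metacharacters (asterisk, parentheses, backslash) is matched literally rather than changing the filter's structure. The function names and the raw, unescaped variant shown for contrast are this example's own.

```python
import re

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_FILTER_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an RFC 4515 search filter so it is matched literally."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def apply_user_name_suffix(login: str, suffix: str = "") -> str:
    """Append the optional User Name Suffix (e.g. bishopbrennan + @ad.local)."""
    return login + suffix


def substitute_raw(template: str, login: str, email: str = "") -> str:
    """Unescaped substitution, shown only to contrast with build_search_filter: a login such as
    'ted*' turns (sAMAccountName=%u) into a wildcard search instead of an exact match."""
    return template.replace("%u", login).replace("%e", email)


def build_search_filter(template: str, login: str, email: str = "") -> str:
    """Substitute %u (login name) and %e (email address) with RFC 4515-escaped values."""
    values = {"%u": escape_filter_value(login), "%e": escape_filter_value(email)}
    return re.sub(r"%[ue]", lambda m: values[m.group(0)], template)


# The two filter templates from the page.
LDAP_FILTER = "(&(objectClass=person)(uid=%u))"
AD_FILTER = "(sAMAccountName=%u)"

if __name__ == "__main__":
    # Constructed sample logins; the second contains filter metacharacters.
    for login in ("bishopbrennan", "ted*"):
        print(build_search_filter(LDAP_FILTER, login))
        print(" raw:", substitute_raw(AD_FILTER, login), " escaped:", build_search_filter(AD_FILTER, login))
```

If the login name is logged or displayed after suffixing, compare the effective name (login plus suffix) against existing accounts, since that is the name Skylar One logs the user in as.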

Attribute Mapping

If you have configured Skylar One to automatically create ScienceLogic accounts for LDAP or AD users, these fields specify the LDAP or AD attribute value that will be automatically inserted into each field in each user's Account Properties page. (For more information about user account properties, see the section on Creating and Editing User Accounts.)

Skylar One automatically populates as many of these fields as possible. You can edit or delete the default values provided by Skylar One. For example, Skylar One automatically inserts the value of the LDAP/AD attribute "sn" (surname) into the Last Name field in each user's Account Properties page.

Skylar One requires that the LDAP or AD attribute name that you specify in each field uses all lower-case characters.

  • First Name. Specifies the LDAP or AD attribute value that will be automatically inserted into the First Name field in each user's Account Properties page. By default, Skylar One inserts the value of the LDAP/AD attribute "givenname" into this field.
  • Last Name. Specifies the LDAP or AD attribute value that will be automatically inserted into the Last Name field in each user's Account Properties page. By default, Skylar One inserts the value of the LDAP/AD attribute "sn" into this field.
  • Title. Specifies the LDAP or AD attribute value that will be automatically inserted into the Title field in each user's Account Properties page.
  • Department. Specifies the LDAP or AD attribute value that will be automatically inserted into the Department field in each user's Account Properties page.
  • Phone. Specifies the LDAP or AD attribute value that will be automatically inserted into the Phone field in each user's Account Properties page. By default, Skylar One inserts the value of the LDAP/AD attribute "telephonenumber" into this field.
  • Fax. Specifies the LDAP or AD attribute value that will be automatically inserted into the Fax field in each user's Account Properties page.
  • Mobile. Specifies the LDAP or AD attribute value that will be automatically inserted into the Mobile field in each user's Account Properties page. By default, Skylar One inserts the value of the LDAP/AD attribute "mobile" into this field.
  • Pager. Specifies the LDAP or AD attribute value that will be automatically inserted into the Pager field in each user's Account Properties page.
  • Primary Email. Specifies the LDAP or AD attribute value that will be automatically inserted into the Primary Email field in each user's Account Properties page. By default, Skylar One inserts the value of the LDAP/AD attribute "mail" into this field.
  • Secondary Email. Specifies the LDAP or AD attribute value that will be automatically inserted into the Secondary Email field in each user's Account Properties page.
  • Street Address. Specifies the LDAP or AD attribute value that will be automatically inserted into the Street Address field in each user's Account Properties page. By default, Skylar One inserts the value of the LDAP/AD attribute "streetaddress" into this field.
  • Suite/Building. Specifies the LDAP or AD attribute value that will be automatically inserted into the Suite/Building field in each user's Account Properties page.
  • City. Specifies the LDAP or AD attribute value that will be automatically inserted into the City field in each user's Account Properties page. By default, Skylar One inserts the value of the LDAP/AD attribute "l" into this field.
  • State. Specifies the LDAP or AD attribute value that will be automatically inserted into the State field in each user's Account Properties page. By default, Skylar One inserts the value of the LDAP/AD attribute "st" into this field.
  • Postal Code. Specifies the LDAP or AD attribute value that will be automatically inserted into the Postal Code field in each user's Account Properties page. By default, Skylar One inserts the value of the LDAP/AD attribute "postalcode" into this field.
  • Country. Specifies the LDAP or AD attribute value that will be automatically inserted into the Country field in each user's Account Properties page.
  • Organization. Specifies the LDAP or AD attribute value that will be used to automatically define the Primary Organization field in each user's Account Permissions page. You must also specify one of the following:
    • directory attribute specifies organization ID. If selected, the attribute in the Organization field specifies an organization ID.
    • directory attribute specifies organization name. If selected, the attribute in the Organization field specifies an organization name.
    • directory attribute specifies organization CRM ID. If selected, the attribute in the Organization field specifies the CRM ID of an organization.

To use Attribute Mapping for Organization, your LDAP/AD schema must include an attribute that maps to ScienceLogic Organization names, Organization IDs, or Organization CRM IDs.

When you create a new LDAP/AD user, you must align a user policy with that user. If the aligned user policy specifies an organization for the user, the value from the user policy will overwrite the value from Attribute Mapping.

User Policy Alignment

  • Type. Specifies whether Skylar One should automatically create ScienceLogic accounts for each LDAP or Active Directory user in the search base (which is specified in the credential), whether Skylar One should simply use LDAP or Active Directory to authenticate one or more users, or whether Skylar One will refuse to authenticate specific users. Choices are:
    • Do not authenticate new users from directory. Only those users who have an account already created in Skylar One can log in to Skylar One. However, if one or more users' Account Permissions page specifies LDAP /Active Directory in the Authentication Method field, Skylar One will authenticate those users with either LDAP or Active Directory, using the settings and credentials specified in this page.
    • Static policy alignment. If an LDAP or AD user logs in to Skylar One using the LDAP or AD attribute specified in the Search Filter field, Skylar One will automatically create an account for that user. Skylar One will use one user policy (specified in the Policy field) to create all imported LDAP or AD user accounts. Skylar One will also use the settings and credentials specified in this page when creating the account.
    • Dynamic policy alignment. If an LDAP or AD user logs in to Skylar One using the LDAP or AD attribute specified in the Search Filter field, Skylar One will automatically create an account for that user. Skylar One will choose from among multiple user policies to create imported LDAP or AD user accounts. For example, some imported user accounts might use "user policy A"; other imported user accounts might use "user policy B". Skylar One will also use the settings and credentials specified in this page when creating the account.

If you selected Static policy alignment in the Type field, you must supply a value in the Policy field:

  • Policy. Specifies the user policy to use to automatically create a ScienceLogic account for each LDAP or AD user. Select from a list of all user policies that specify LDAP /Active Directory in the Authentication Method field.

If you selected Dynamic policy alignment in the Type field, you must supply values in the Attribute, Value, and Policy fields.

  • Attribute. Specifies the LDAP or AD attribute you want to use to differentiate imported user accounts. For example, you could select the attribute "department" and then assign different user policies to import user accounts from different departments. You can also use this field to exclude LDAP or AD accounts for which you do not want to create a ScienceLogic account.
  • Value. Specifies the LDAP or AD attribute value. That is, you specify one of the possible values for the attribute (specified in the Attribute field). Skylar One will compare the value in this field to the retrieved value for the Attribute.
  • Policy. Choose one of the following:
    • Do Not Authenticate. If selected, if the retrieved value of the specified Attribute matches the value in the Value field, the user is not authenticated. This setting applies to new users for whom LDAP or Active Directory would have to create a new account in Skylar One and for users who already have an account in Skylar One.
    • the policy you want to associate with that value. Select from a list of all user policies that specify LDAP /Active Directory in the Authentication Method field.

    For example:
    • Suppose you specified "department" in the Attribute field. Suppose that the "department" attribute could have two possible values: "Sales" or "NOC".
    • Suppose you created two user policies. One user policy, called "Sales User Policy", includes the appropriate ticket queues and access keys for Sales personnel. Another user policy, called "NOC User Policy", includes the appropriate ticket queues and access keys for NOC personnel.
    • In one of the Value fields, you could specify "Sales". In the corresponding Policy field, you could then specify "Sales User Policy".
    • In the next Value field, you could specify "NOC". In the corresponding Policy field, you could specify "NOC User Policy".
    • After defining these two Value fields and corresponding Policy fields, user accounts from the Sales department would be imported into Skylar One using the Sales User Policy. User accounts from the NOC department would be imported into Skylar One using the NOC User Policy.
  • To define additional Value and Policy fields, click on the plus-sign icon ().
  4. Click the Save button to save your changes to the new authentication resource.
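The Attribute Mapping and User Policy Alignment behaviour described above (lower-case attribute names, default mappings such as "sn" to Last Name, the three alignment types, Do Not Authenticate applying to new and existing users, and a user policy's organization overriding the Organization mapping) is modelled in the following added Python example, not Skylar One code. The classes, the constructed directory entry, the "o" attribute used for Organization, and the rule that a directory value with no matching Value/Policy row results in no account are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

DO_NOT_AUTHENTICATE = "Do Not Authenticate"   # the special Policy choice from the page


@dataclass(frozen=True)
class UserPolicy:
    name: str
    organization: Optional[str] = None   # if set, overrides the Organization attribute mapping


@dataclass
class LdapResource:
    alignment_type: str                  # "none" (do not authenticate new users), "static" or "dynamic"
    attribute_map: dict                  # account field -> directory attribute name (lower-case)
    static_policy: Optional[UserPolicy] = None
    dynamic_attribute: str = ""          # e.g. "department"
    dynamic_rules: dict = field(default_factory=dict)   # value -> UserPolicy or DO_NOT_AUTHENTICATE


@dataclass(frozen=True)
class Decision:
    allowed: bool
    policy: Optional[str]      # user policy used to create a new account, if one was created
    account: Optional[dict]    # Account Properties values for a newly created account


def invalid_attribute_names(attribute_map: dict) -> list:
    """The page requires all-lower-case directory attribute names; return any that are not."""
    return [attr for attr in attribute_map.values() if attr != attr.lower()]


def map_attributes(entry: dict, attribute_map: dict) -> dict:
    """Copy directory attribute values into the account fields they are mapped to."""
    return {fld: entry.get(attr, "") for fld, attr in attribute_map.items()}


def evaluate_login(resource: LdapResource, login: str, entry: dict, existing_logins: set) -> Decision:
    """Decide whether a directory user may log in and, for a new user, which policy creates the account."""
    bad = invalid_attribute_names(resource.attribute_map)
    if bad:
        raise ValueError(f"attribute names must be lower-case: {bad}")

    rule = None
    if resource.alignment_type == "dynamic":
        rule = resource.dynamic_rules.get(entry.get(resource.dynamic_attribute))
        if rule == DO_NOT_AUTHENTICATE:
            return Decision(False, None, None)   # applies to new and to existing users alike

    if login in existing_logins:
        return Decision(True, None, None)        # existing account: authenticate only, create nothing

    if resource.alignment_type == "none":
        return Decision(False, None, None)       # only pre-existing accounts may log in
    if resource.alignment_type == "static":
        policy = resource.static_policy
    elif isinstance(rule, UserPolicy):
        policy = rule
    else:
        # Assumption of this example: a value with no Value/Policy row gets no account.
        return Decision(False, None, None)

    account = map_attributes(entry, resource.attribute_map)
    if policy.organization is not None:
        account["Organization"] = policy.organization   # the user policy wins over the directory attribute
    return Decision(True, policy.name, account)


# Constructed sample data: the page's default mappings plus the Sales/NOC example.
ATTRIBUTE_MAP = {
    "First Name": "givenname", "Last Name": "sn", "Primary Email": "mail",
    "Department": "department", "City": "l", "Organization": "o",
}
SALES = UserPolicy("Sales User Policy")
NOC = UserPolicy("NOC User Policy", organization="Network Operations")
RESOURCE = LdapResource(
    alignment_type="dynamic", attribute_map=ATTRIBUTE_MAP, dynamic_attribute="department",
    dynamic_rules={"Sales": SALES, "NOC": NOC, "Contractors": DO_NOT_AUTHENTICATE},
)
ENTRY = {"givenname": "Ted", "sn": "Crilly", "mail": "tcrilly@ad.local",
         "department": "Sales", "l": "Craggy Island", "o": "Parochial House"}

if __name__ == "__main__":
    for dept in ("Sales", "NOC", "Contractors", "Finance"):
        print(dept, "->", evaluate_login(RESOURCE, "tcrilly", dict(ENTRY, department=dept), set()))
```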

Creating an SSO Authentication Resource

The SSO Auth Resource Editor page allows you to define an authentication resource for use with a SAML IdP. An SSO authentication resource specifies the connector (communication software) to use to communicate with the SAML IdP and the URLs to use to send and retrieve information from the SAML IdP. An SSO authentication resource can also map attributes from the user's SSO account to fields in the ScienceLogic user account.

ScienceLogic administrators can use SSO to authenticate ScienceLogic users. There are two ways to use SSO authentication with Skylar One:

  • You can configure Skylar One to automatically create user accounts for existing SSO users and then always use SSO to authenticate those users when they log in to Skylar One.
  • You can use SSO to authenticate one or more ScienceLogic users when they log in to Skylar One.

To create an SSO authentication resource:

  1. Go to the Authentication Resource Manager page (System > Settings > Authentication > Resources).
  2. Click the Actions menu and then select Create SSO Resource. The SSO Auth Resource Editor page appears.
  3. Enter values in the following fields:

Basic Settings

  • Name. Name of the SSO authentication resource.
  • IdP Entity ID. Globally unique name used as a SAML identifier configured on the IdP, usually in the format of an absolute URL.
  • IdP Cert Fingerprint. The SHA1 certificate fingerprint, provided by the identity provider or service provider. Note that this field is not the serial number of the certificate.

    If you supply the IdP certificate when you configure the SSO Authentication Resource, the IdP certificate fingerprint is not required and will not be used for IdP response validation. Instead, the full certificate that you provide in the IdP Certificate field will be used.

  • IdP Certificate. To ensure that communication between the IdP and Skylar One is signed, type the full, PEM-encoded certificate from the IdP.
  • Sharing Permission. Indicates if the authentication resource is shared or private. Choices are:
    • Shared with all organizations. The authentication resource is shared with users across all organizations.
    • Private (visible to System organization only). The authentication resource is private to only user accounts assigned to the System organization.

    The Sharing Permission field displays only for Administrator user accounts and user accounts assigned to the System organization.

  • User Name Suffix. Optional field. If you don't supply a value in this field, Skylar One retrieves the SAML NameID attribute and uses that value as the ScienceLogic username.
    • You can supply the variable %u in this field, and Skylar One retrieves the SAML NameID attribute and uses that value as the ScienceLogic user name.
    • You can supply the value %attribute_name%, where attribute_name is a SAML attribute other than NameID. Skylar One will use the value of the attribute as the ScienceLogic user name.
    • Because a user can authenticate against multiple SSO servers, there is a risk of collision among user names. In this field, you can enter a string to append to the ScienceLogic user name to minimize the risk of collision. For example:
    • You can enter a string, with no SAML attribute specified. When you don't specify a SAML attribute in this field, Skylar One will retrieve the SAML NameID attribute and append the string you specify in this field.

    Suppose we entered @sciencelogic.local in this field.

    Suppose the next SSO user logs in to Skylar One with the SAML NameID of bishopbrennan.

    Skylar One will log in that user as bishopbrennan@sciencelogic.local.

    • You can enter one or more SAML attribute names, surrounded by percent signs (%), with text preceding it and/or text appended. Skylar One will retrieve the value of the SAML attribute and use that value plus any preceding text or appended text as the ScienceLogic user name.

    Suppose we entered %sn%-external in this field.

    Suppose the next SSO user logs in to Skylar One with their SAML sn (last name) attribute of krilly.

    Skylar One will log in that user as krilly-external.

    A best practice to avoid collisions is to use email addresses as user names.

  • IdP SSO URL. The URL to which Skylar One will send login requests to the IdP. This field must contain an absolute URL.
  • IdP SLS URL. Optional field. If you want each user to be automatically logged out of the IdP when that user logs out of Skylar One, enter the URL to which Skylar One will post the logout request to the IdP. If you leave this field blank, a user can log out of Skylar One without automatically logging out of the IdP.
  • Sync directory values on login. If an SSO administrator makes changes to an SSO account, Skylar One will automatically retrieve those updates and apply them to the user's account in the Account Properties page the next time the user logs in to Skylar One. (For more information about user account properties, see the section on Creating and Editing User Accounts.)
  • Signing Options. Specifies whether digital signing is required for communication between the IdP and Skylar One. Choices are:
    • Disable. No digital signature is required.
    • IdP Response. Messages from the IdP to Skylar One must be signed. Skylar One will use the value in the IdP Certificate field to validate the signature.
    • SP Request and IdP Response. Messages from the IdP to Skylar One must be signed. Skylar One will use the value in the IdP Certificate field to validate the signature. Messages from Skylar One to the IdP must also be signed.
  • Strict Mode. If you selected IdP Response or SP Request and IdP Response in the Signing Options field, this field is automatically set to Enable. This field enforces validation of the SAML response and its attributes. As a best practice, disable this field while initially configuring Skylar One and the IdP, and enable it for production use.
  • Integrated Windows Auth. If you are using Active Directory Federation Services (ADFS) as your IdP, select Enable in this field.
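The User Name Suffix rules above, worked through in code. This is an added example, not ScienceLogic's implementation: the template syntax (%u, %attribute_name%, literal suffix) follows the field description, and the function names, the collision check and the sample logins are constructed for illustration.

```python
# Added example (not ScienceLogic's code): derive the ScienceLogic user name
# from a SAML assertion according to the User Name Suffix field, and show why
# a suffix is needed when several IdPs can produce the same NameID.
import re
from typing import Dict, Iterable, Set, Tuple

# %u is the NameID variable; %name% is any other SAML attribute.
# "%u\b" keeps "%uid%" from being misread as %u followed by "id%".
TOKEN = re.compile(r"%u\b|%([A-Za-z0-9_]+)%")


def resolve_username(template: str, name_id: str, attributes: Dict[str, str]) -> str:
    """Apply the User Name Suffix template to one assertion's NameID/attributes."""
    if not name_id:
        raise ValueError("SAML NameID is required")
    if not template:
        return name_id                      # empty field: NameID as-is
    if not TOKEN.search(template):
        return name_id + template           # plain string: appended to the NameID

    def substitute(match: "re.Match[str]") -> str:
        attr = match.group(1)
        if attr is None:                    # the %u variable
            return name_id
        value = attributes.get(attr)
        if not value:
            # Refuse to mint a user name from a missing attribute rather than
            # silently producing "-external" or an empty name.
            raise LookupError(f"SAML attribute {attr!r} missing from assertion")
        return value

    return TOKEN.sub(substitute, template)


def detect_collisions(
    logins: Iterable[Tuple[str, str, str, Dict[str, str]]]
) -> Dict[str, Set[Tuple[str, str]]]:
    """Given (resource, template, NameID, attributes) per login, return the
    derived user names that two or more distinct identities would share."""
    seen: Dict[str, Set[Tuple[str, str]]] = {}
    for resource, template, name_id, attrs in logins:
        user = resolve_username(template, name_id, attrs)
        seen.setdefault(user, set()).add((resource, name_id))
    return {user: ids for user, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    # Constructed sample logins: the same NameID issued by two different IdPs.
    print(detect_collisions([("idp-a", "", "jdoe", {}), ("idp-b", "", "jdoe", {})]))
    print(detect_collisions([("idp-a", "@corp-a", "jdoe", {}), ("idp-b", "@corp-b", "jdoe", {})]))
```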

Attribute Mapping

If you have configured Skylar One to automatically create ScienceLogic accounts for SSO users, these fields specify the SAML attribute value that will be automatically inserted into each field in each user's Account Properties page. (For more information about user account properties, see the section on Creating and Editing User Accounts.)

Skylar One automatically populates as many of these fields as possible. You can edit or delete the default values provided by Skylar One. For example, Skylar One automatically inserts the value of the SAML attribute "sn" (surname) into the Last Name field in each user's Account Properties page.

Skylar One requires that the SAML attribute name that you specify in each field uses all lowercase characters.

  • First Name. Specifies the SAML attribute value that will be automatically inserted into the First Name field in each user's Account Properties page. By default, Skylar One inserts the value of the SAML attribute "givenname" into this field.
  • Last Name. Specifies the SAML attribute value that will be automatically inserted into the Last Name field in each user's Account Properties page. By default, Skylar One inserts the value of the SAML attribute "sn" into this field.
  • Title. Specifies the SAML attribute value that will be automatically inserted into the Title field in each user's Account Properties page.
  • Department. Specifies the SAML attribute value that will be automatically inserted into the Department field in each user's Account Properties page.
  • Phone. Specifies the SAML attribute value that will be automatically inserted into the Phone field in each user's Account Properties page. By default, Skylar One inserts the value of the SAML attribute "telephonenumber" into this field.
  • Fax. Specifies the SAML attribute value that will be automatically inserted into the Fax field in each user's Account Properties page.
  • Mobile. Specifies the SAML attribute value that will be automatically inserted into the Mobile field in each user's Account Properties page. By default, Skylar One inserts the value of the SAML attribute "mobile" into this field.
  • Pager. Specifies the SAML attribute value that will be automatically inserted into the Pager field in each user's Account Properties page.
  • Primary Email. Specifies the SAML attribute value that will be automatically inserted into the Primary Email field in each user's Account Properties page. By default, Skylar One inserts the value of the SAML attribute "mail" into this field.
  • Secondary Email. Specifies the SAML attribute value that will be automatically inserted into the Secondary Email field in each user's Account Properties page.
  • Street Address. Specifies the SAML attribute value that will be automatically inserted into the Street Address field in each user's Account Properties page. By default, Skylar One inserts the value of the SAML attribute "streetaddress" into this field.
  • Suite/Building. Specifies the SAML attribute value that will be automatically inserted into the Suite/Building field in each user's Account Properties page.
  • City. Specifies the SAML attribute value that will be automatically inserted into the City field in each user's Account Properties page. By default, Skylar One inserts the value of the SAML attribute "l" into this field.
  • State. Specifies the SAML attribute value that will be automatically inserted into the State field in each user's Account Properties page. By default, Skylar One inserts the value of the SAML attribute "st" into this field.
  • Postal Code. Specifies the SAML attribute value that will be automatically inserted into the Postal Code field in each user's Account Properties page. By default, Skylar One inserts the value of the SAML attribute "postalcode" into this field.
  • Country. Specifies the SAML attribute value that will be automatically inserted into the Country field in each user's Account Properties page.
  • Organization. Specifies the SAML attribute value that will be used to automatically define the Primary Organization field in each user's Account Permissions page. You must also specify one of the following:
    • directory attribute specifies organization ID. The attribute in the Organization field specifies an organization ID.
    • directory attribute specifies organization name. The attribute in the Organization field specifies an organization name.
    • directory attribute specifies organization CRM ID. The attribute in the Organization field specifies the CRM ID of an organization.

To use Attribute Mapping for Organization, your SAML schema must include an attribute that maps to All-In-One Appliance Organization names, Organization IDs, or Organization CRM IDs.

When you create a new SSO user, you must align a user policy with that user. If the aligned user policy specifies an organization for the user, the value from the user policy will overwrite the value from Attribute Mapping.
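The Attribute Mapping rules above applied to a constructed SAML assertion: the default attribute names, the all-lowercase requirement, the three ways the Organization attribute can be interpreted, and the user-policy override. This is an added example, not ScienceLogic's code; the function names, the organization records and the sample attributes are constructed.

```python
# Added example (not ScienceLogic's code): populate Account Properties from a
# SAML assertion using an Attribute Mapping, then resolve the Primary Organization.
from typing import Dict, Iterable, Optional

# Defaults named on this page; the other account fields have no default attribute.
DEFAULT_ATTRIBUTE_MAPPING = {
    "First Name": "givenname", "Last Name": "sn", "Phone": "telephonenumber",
    "Mobile": "mobile", "Primary Email": "mail", "Street Address": "streetaddress",
    "City": "l", "State": "st", "Postal Code": "postalcode",
}


def validate_mapping(mapping: Dict[str, str]) -> None:
    """Skylar One requires every mapped SAML attribute name to be all lowercase."""
    bad = [attr for attr in mapping.values() if attr != attr.lower()]
    if bad:
        raise ValueError(f"SAML attribute names must be lowercase: {bad}")


def account_properties(mapping: Dict[str, str], attributes: Dict[str, str]) -> Dict[str, str]:
    """Return the Account Properties fields the assertion can fill in."""
    validate_mapping(mapping)
    return {field: attributes[attr] for field, attr in mapping.items() if attributes.get(attr)}


def resolve_organization(attributes: Dict[str, str], org_attribute: str, key: str,
                         organizations: Iterable[Dict[str, object]],
                         policy_org: Optional[str] = None) -> Optional[str]:
    """Pick the Primary Organization name.

    key is "id", "name" or "crm_id", matching the three "directory attribute
    specifies ..." options.  An organization set by the aligned user policy
    overwrites whatever the mapped attribute would have chosen."""
    if policy_org is not None:
        return policy_org
    wanted = attributes.get(org_attribute)
    if wanted is None:
        return None
    for org in organizations:
        if str(org.get(key)) == str(wanted):
            return str(org["name"])
    return None  # no organization matched: leave the field for the administrator


# Constructed sample assertion attributes and organization records.
SAMPLE_ATTRIBUTES = {"givenname": "Ted", "sn": "Crilly", "mail": "ted@example.com",
                     "l": "Craggy Island", "department": "42"}
SAMPLE_ORGANIZATIONS = [{"id": 42, "name": "NOC", "crm_id": "CRM-7"},
                        {"id": 1, "name": "System", "crm_id": "CRM-1"}]
```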

User Policy Alignment

  • Type. Specifies whether Skylar One should automatically create ScienceLogic accounts for each SSO user, whether Skylar One should simply use SSO to authenticate one or more users, or whether Skylar One will refuse to authenticate specific users. Choices are:
    • Do not authenticate new users. Only those users who have an account already created in Skylar One can log in to Skylar One, which will authenticate those users with SSO using the settings specified in this page.
    • Static policy alignment. If an SSO user tries to access Skylar One, Skylar One will automatically create an account for that user. Skylar One will use one user policy (specified in the Policy field) to create the imported SSO user accounts for this authentication resource. Skylar One will also use the settings specified in this page when creating the account.
    • Dynamic policy alignment. If an SSO user tries to access Skylar One, Skylar One will automatically create an account for that user. Skylar One will choose from among multiple user policies to create imported SSO user accounts for this authentication resource. For example, some imported user accounts might use "user policy A"; other imported user accounts might use "user policy B". Skylar One will also use the settings specified in this page when creating the account.

If you selected Static policy alignment in the Type field, you must supply a value in the Policy field.

  • Policy. Specifies the user policy to use to automatically create a ScienceLogic account for each SSO user. Select from a list of all user policies.

If you selected Dynamic policy alignment in the Type field, you must supply values in the Attribute, Value, and Policy fields.

  • Attribute. Specifies the SAML attribute you want to use to differentiate imported user accounts. For example, you could select the attribute department and then assign different user policies to import user accounts from different departments. You can also use this field to exclude SSO accounts for which you do not want to allow authentication.
  • Value. Specifies the SAML attribute value. That is, you specify one of the possible values for the attribute (specified in the Attribute field). Skylar One will compare the value in this field to the retrieved value for the Attribute.
  • Policy. Choose one of the following:
    • Do Not Authenticate. If the retrieved value of the specified Attribute matches the value in the Value field, the user is not authenticated. This setting applies to new users for whom SSO would have to create a new account in Skylar One and for users who already have an account in Skylar One.
    • The policy you want to associate with that value. Select from a list of all user policies that specify SSO in the Authentication Method field.
      • For example, suppose you specified department in the Attribute field. Suppose that the department attribute could have two possible values: Sales or NOC.
      • Suppose you created two user policies. One user policy, called Sales User Policy, includes the appropriate ticket queues and access keys for Sales personnel. Another user policy, called NOC User Policy, includes the appropriate ticket queues and access keys for NOC personnel.
      • In one of the Value fields, you could specify Sales. In the corresponding Policy field, you could then specify Sales User Policy.
      • You could then click on the plus-sign icon () and add another Value field and another Policy field.
      • In the next Value field, you could specify NOC. In the corresponding Policy field, you could specify NOC User Policy.
      • After defining these two Value fields and the corresponding Policy fields, user accounts from the Sales department would be imported into Skylar One using the Sales User Policy.
      • User accounts from the NOC department would be imported into Skylar One using the NOC User Policy.
  • To define additional Value and Policy fields, click on the plus-sign icon ().
  4. Click the Save button to save your changes to the new authentication resource.
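The login decision that the User Policy Alignment settings above describe, as an added example (not ScienceLogic's code): the three Type choices, the Static Policy field, and the Dynamic Attribute/Value/Policy rows including Do Not Authenticate. The class and function names are constructed, and the handling of a Dynamic login whose attribute value matches no Value row is an assumption, since the page does not state it.

```python
# Added example (not ScienceLogic's code): decide what happens to one SSO login
# under a User Policy Alignment configuration, using the page's own labels.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

DENY_NEW = "Do not authenticate new users"
STATIC = "Static policy alignment"
DYNAMIC = "Dynamic policy alignment"
DO_NOT_AUTHENTICATE = "Do Not Authenticate"   # the special Policy choice


@dataclass
class PolicyAlignment:
    type: str                                  # one of the three Type choices
    policy: Optional[str] = None               # Policy field (Static alignment)
    attribute: Optional[str] = None            # Attribute field (Dynamic alignment)
    rows: Dict[str, str] = field(default_factory=dict)   # Value -> Policy rows


@dataclass
class Decision:
    allowed: bool
    reason: str
    create_with_policy: Optional[str] = None   # set only when a new account is created


def align(cfg: PolicyAlignment, username: str, attributes: Dict[str, str],
          existing_users: Set[str]) -> Decision:
    """Return the authentication decision for one login on this resource."""
    is_new = username not in existing_users
    existing_ok = Decision(True, "existing account authenticated via SSO")
    if cfg.type == DENY_NEW:
        return Decision(False, "no account exists and new accounts are not created") if is_new else existing_ok
    if cfg.type == STATIC:
        if not cfg.policy:
            raise ValueError("Static policy alignment requires a Policy")
        return Decision(True, f"account created with {cfg.policy!r}", cfg.policy) if is_new else existing_ok
    if cfg.type == DYNAMIC:
        if not (cfg.attribute and cfg.rows):
            raise ValueError("Dynamic policy alignment requires Attribute, Value and Policy")
        observed = attributes.get(cfg.attribute)
        policy = cfg.rows.get(observed) if observed is not None else None
        if policy == DO_NOT_AUTHENTICATE:
            # Applies to new and existing accounts alike, as the page states.
            return Decision(False, f"{cfg.attribute}={observed!r} is marked Do Not Authenticate")
        if policy is None:
            # Assumption (the page does not say what happens when no Value row
            # matches): fail closed rather than pick a policy nobody assigned.
            return Decision(False, f"no Value row matches {cfg.attribute}={observed!r}")
        return Decision(True, f"account created with {policy!r}", policy) if is_new else existing_ok
    raise ValueError(f"unknown Type {cfg.type!r}")
```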

Editing an Authentication Resource

The Authentication Resource Manager page allows you to edit an existing authentication resource. To do so:

  1. Go to the Authentication Resource Manager page (System > Settings > Authentication > Resources).
  2. Find the authentication resource that you want to edit. Click its wrench icon ().
  • For LDAP/AD Resources, the LDAP/AD Auth Resource Editor page appears. In this page, you can edit the values for one or more fields. For more information, see the Creating an LDAP/AD Authentication Resource section.
  • For SSO Resources, the SSO Auth Resource Editor page appears. In this page, you can edit the values for one or more fields. For more information, see the Creating an SSO Authentication Resource section.
  3. Click the Save button to save your changes to the authentication resource.

Deleting an Authentication Resource

The Authentication Resource Manager page allows you to delete one or more authentication resources from Skylar One. To do so:

  1. Go to the Authentication Resource Manager page (System > Settings > Authentication > Resources).
  2. Select the checkbox of each authentication resource that you want to delete.
  3. Click the Select Actions menu (in the lower right), select DELETE Authentication Resource, and then click the Go button. The selected authentication resources will be deleted.

You cannot delete the Internal authentication resource.