Authentication Profiles and Resources


This section describes the following topics:

  • Authentication Profiles. Policies that align user accounts with one or more types of authentication.
  • Authentication Resources. Configuration policies that describe how SL1 should communicate with a user store.

Use the following menu options to navigate the SL1 user interface:

  • To view a pop-out list of menu options, click the menu icon.
  • To view a page containing all of the menu options, click the Advanced menu icon.

Authentication Profiles

Authentication profiles are policies that align user accounts with one or more types of authentication:

  • Alignment by pattern matching. SL1 examines the URL or IP address that a user enters in a browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL or IP address matches the criteria specified in an authentication profile, SL1 will automatically use the matching profile to perform user authentication.
  • Credential Source. Specifies from where SL1 should extract the username and password or certificate to be authenticated. These credentials are passed to SL1 through HTTP. SL1 then passes the credentials to each authentication resource specified in the authentication profile (for example, CAC/Client Cert). The authentication resources communicate with user stores that can authenticate the credentials entered by a user.
  • Authentication Resource. Specifies the connector to use to communicate with the user store, the credential to use to connect to the user store (if applicable), such as your Active Directory server, and the URLs to examine during authentication. Authentication Resource also maps attributes from the user's account in the user store to fields in the ScienceLogic user account. For details on creating an authentication resource, see the section on Authentication Resources.

If you will be using Single Sign-On (SSO) as your method of authentication, your SSO resource must be placed in its own Authentication Profile, since it will take priority over any other authentication method defined. If you have multiple SSO resources, each must be in its own profile.

Viewing the List of Authentication Profiles

To view a list of all authentication profiles in SL1:

  1. Go to the Authentication Profiles page (System > Settings > Authentication > Profiles).
  2. The following information is displayed about each authentication profile:
  • Profile Name. Name of the authentication profile.
  • ID. Unique numeric ID, automatically assigned by SL1 to each authentication profile.
  • Hostname Pattern. This field is used to match the URL or IP address that a user enters in a browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL or IP address matches the value in this field, SL1 applies the authentication profile to the user for the current session.
  • Priority Order. If your SL1 System includes multiple authentication profiles, SL1 evaluates the authentication profiles in priority order, ascending. This column displays the priority order value for the authentication profiles, where 0 (zero) is the highest priority.
  • Edited By. The user who created or last edited the authentication profile.
  • Last Edited. Date and time the authentication profile was created or last edited.

To sort the list of authentication profiles, click on a column heading. The list will be sorted by the column value, in ascending order. To sort by descending order, click the column heading again. The Last Edited column sorts by descending order on the first click; to sort by ascending order, click the column heading again.

Filtering the List of Authentication Profiles

You can filter the list of authentication profiles on the Authentication Profiles page by one or more of the following parameters: Profile Name, ID, Hostname Pattern, Priority Order, Edited By, and Last Edited. The list of authentication profiles is dynamically updated as you select each filter.

For each filter, except Last Edited, you must enter text to match against. SL1 will search for authentication profiles that match the text, including partial matches, and will filter while you type. Text matches are not case-sensitive. You can use the following special characters in each filter except Last Edited:

  • , (comma). Specifies an "or" operation. For example:

"dell, micro" would match all values that contain the string "dell" OR the string "micro".

  • & (ampersand). Specifies an "and" operation. For example:

"dell & micro" would match all values that contain the string "dell" AND the string "micro".

  • ! (exclamation mark). Specifies a "not" operation. For example:

"!dell" would match all values that do not contain the string "dell".

  • ^ (caret mark). Specifies "starts with". For example:

"^micro" would match all strings that start with "micro", like "microsoft".

"^" will include all rows that have a value in the column.

"!^" will include all rows that have no value in the column.

  • $ (dollar sign). Specifies "ends with". For example:

"$ware" would match all strings that end with "ware", like "VMware".

"$" will include all rows that have a value in the column.

"!$" will include all rows that have no value in the column.

By default, the cursor is placed in the first Filter-While-You-Type field. You can use the <Tab> key or your mouse to move your cursor through the fields.

Only authentication profiles that meet all the following filter criteria will be displayed in the Authentication Profiles page:

  • Profile Name. Name of the authentication profile. You can enter text to match, including special characters, and the Authentication Profiles page will display only authentication profiles that have a matching name.
  • ID. Unique numeric ID, automatically assigned by SL1 to each authentication profile. You can enter text to match, including special characters, and the Authentication Profiles page will display only authentication profiles that have a matching ID.
  • Hostname Pattern. This field is used to match the URL or IP address that a user enters in a browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL or IP address matches the value in this field, SL1 applies the authentication profile to the user for the current session. You can enter text to match, including special characters, and the Authentication Profiles page will display only authentication profiles that have a matching hostname pattern.
  • Priority Order. You can enter text to match, including special characters, and the Authentication Profiles page will display only authentication profiles that have a matching priority number.
  • Edited By. The user who created or last edited the authentication profile. You can enter text to match, including special characters, and the Authentication Profiles page will display only authentication profiles that have been created or edited by a matching username.
  • Last Edited. Date and time the authentication profile was created or last edited. You can select from a list of time periods. The Authentication Profiles page will display only authentication profiles that have been created or edited within that time period.

The "default" Authentication Profile

SL1 includes a default authentication profile, for which the following rules apply:

  • You cannot delete the default profile.
  • If the URL or IP address that the user entered does not match the AP Hostname Pattern of any other authentication profile, SL1 applies the default authentication profile.
  • For users running version 7.7 or earlier of SL1 who apply one or more patches to upgrade to version 7.8, the default profile allows ScienceLogic authentication to perform as it did prior to version 7.8.
  • On patched systems, the default profile is included in the patch.
  • On patched systems, the default profile is pre-configured to allow ScienceLogic administrators to log in via the ScienceLogic login page and the authentication resource EM7 Internal.
  • On patched systems, the default profile is pre-configured to allow credentials via CAC/Client Certificate, HTTP Auth, or the EM7 Login Page.
  • On patched systems, the default profile is pre-configured to use all legacy authentication resources: SSO (legacy), LDAP/AD (legacy), and EM7 Internal.

Administrators can edit the default profile and use the new, non-legacy authentication resources but are not required to do so.

  • For users who installed version 7.8 or later of SL1 using an ISO, initially the default profile is pre-configured to allow ScienceLogic administrators to log in via CAC/Client Certificate, HTTP Auth, or the EM7 Login Page and the authentication resource EM7 Internal. This allows administrators to log in and perform initial configuration on the SL1 system.
  • On ISO systems, the default profile is included in the patch.
  • On ISO systems, the default profile is pre-configured to allow credentials via CAC/Client Certificate, HTTP Auth, or the EM7 Login Page.
  • On ISO systems, the default profile is pre-configured to use only the authentication resource EM7 Internal.

After initial configuration, administrators can edit the default profile as best fits their organization.

Creating an Authentication Profile

To create a new authentication profile:

  1. Go to the Authentication Profiles page (System > Settings > Authentication > Profiles).
  2. Click the Create button. The Authentication Profile Editor modal appears.
  3. Enter values in the following fields:
  • Name. Name of the authentication profile.
  • Priority Order. If your SL1 System includes multiple authentication profiles, SL1 evaluates the authentication profiles in ascending priority order. SL1 will apply the authentication profile that matches the hostname or IP in the current URL AND has the lowest value in the Priority Order field.
  • Pattern Type. Specifies how SL1 will evaluate the value in the AP Hostname Pattern field. Choices are:
  • Wildcard. SL1 will perform a text match, with wildcard characters (asterisks).
  • Regex. SL1 will use regular expressions to compare the AP Hostname Pattern to the current session information.
  • AP Hostname Pattern. This field is used to match the URL or IP address that a user enters in a browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL or IP address matches the value in this field, SL1 applies the authentication profile to the user for the current session.
  • For example, if you specify "*" (asterisk), any IP address or URL will match. SL1 will then apply this authentication profile to every session on an Administration Portal, Database Server, or All-In-One Appliance.
  • If you enter "192.168.38.235", SL1 will apply the authentication profile to each session on an Administration Portal, Database Server, or All-In-One Appliance where the user enters "192.168.38.235" into the browser.
  • If you enter "*.sciencelogic.local", SL1 will apply the authentication profile to each session on an Administration Portal, Database Server, or All-In-One Appliance where the user enters a URL ending with ".sciencelogic.local" into the browser.

    Do not include underscores ( _ ) in the AP Hostname Pattern field. URLs with underscores are not considered valid in SL1 authentication profiles.

  • Available Credential Sources. This field tells SL1 how to retrieve the user's credentials from the HTTP request to SL1. To align a credential source with the authentication profile, highlight the credential source and click the right-arrow button. You can select zero, one, or multiple credential sources for the authentication profile. Initially, this pane displays a list of all the credential sources:
  • CAC/Client Cert. SL1 will retrieve a certificate from the HTTP request.
  • EM7 Login Page. SL1 will retrieve a user name and password from the ScienceLogic login page fields.
  • HTTP Auth. SL1 will retrieve a user name and password from the HTTP request.

    If you will be using CAC authentication, align the CAC/Client Cert credential source. If this is your primary method of logging in to SL1, align CAC/Client Cert as the number one credential source. ScienceLogic recommends having EM7 Login Page aligned, as well, for administrator or maintenance access.

If you are using Single Sign-On (SSO) authentication, the Available Credential Sources field is ignored. You do not have to align a credential source because credentials are submitted directly to an Identity Provider (IdP) instead of SL1.

  • Aligned Credentials Sources. This field displays the list of credential sources that have been aligned with the authentication profile. The authentication profile will examine each credential source in the order in which it appears in this list. When the authentication profile finds the user's credential, the authentication profile stops examining any remaining credential sources in the list.
  • Available Authentication Resources. This field tells SL1 which authentication resources to use to authenticate the retrieved credentials. To align an authentication resource with the authentication profile, highlight the authentication resource and click the right-arrow button. You must select at least one authentication resource (but can select more than one). For details on creating an authentication resource, see the section on Authentication Resources.
  • Aligned Authentication Resources. This field displays the list of authentication resources that have been aligned with the authentication profile. The authentication profile will examine each authentication resource in the order in which it appears in this list. When an authentication resource successfully authenticates the user, the authentication profile stops executing any remaining authentication resources in the list.
  4. Click the Save button to save your changes to the new authentication profile.
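The evaluation rules described in steps 3 and 4 (profiles tried in ascending Priority Order, first pattern match wins, the default profile as fallback, no underscores in the pattern, first credential source that yields a credential wins, first authentication resource that authenticates wins) are modelled below as an added Python example. This code is not part of SL1; the profile names, hosts, credentials and the in-memory stand-ins for user stores are constructed, and the wildcard semantics (only "*" is special), anchoring of a regex to the whole host and case-insensitive comparison are assumptions rather than documented behaviour.

```python
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class AuthProfile:
    name: str
    priority: int              # ascending evaluation order; 0 is the highest priority
    pattern_type: str          # "wildcard" or "regex"
    hostname_pattern: str      # AP Hostname Pattern
    credential_sources: list   # aligned credential sources, in order
    auth_resources: list       # aligned authentication resources, in order


def pattern_problems(profile: AuthProfile) -> list:
    """Checks worth running when the profile is saved rather than at login time.
    The underscore rule is from the page; the regex compile check is an addition."""
    problems = []
    if "_" in profile.hostname_pattern:
        problems.append(f"{profile.name}: underscores are not valid in the AP Hostname Pattern")
    if profile.pattern_type == "regex":
        try:
            re.compile(profile.hostname_pattern)
        except re.error as exc:
            problems.append(f"{profile.name}: bad regex ({exc})")
    return problems


def pattern_matches(profile: AuthProfile, host: str) -> bool:
    """Compare the host part of the URL the user typed against the profile's pattern."""
    host = host.lower()
    if profile.pattern_type == "wildcard":
        # Assumption: "*" is the only wildcard and matching is case-insensitive.
        return fnmatch.fnmatchcase(host, profile.hostname_pattern.lower())
    # Assumption: the regex must match the whole host, so "lab" cannot match "lab.example.net".
    return re.fullmatch(profile.hostname_pattern, host, re.IGNORECASE) is not None


def select_profile(profiles: list, host: str, default: AuthProfile) -> AuthProfile:
    """Evaluate profiles in ascending Priority Order and return the first whose pattern
    matches; fall back to the default profile when none does."""
    for profile in sorted(profiles, key=lambda p: p.priority):
        if pattern_matches(profile, host):
            return profile
    return default


def authenticate(profile: AuthProfile, request: dict, resources: dict) -> tuple:
    """Take the credential from the first aligned source that supplies one, then try the
    aligned resources in order and stop at the first that authenticates.
    `request` is a dict standing in for the HTTP request (credential source -> credential);
    `resources` maps a resource name to a callable(credential) -> bool."""
    credential = next((request[s] for s in profile.credential_sources if s in request), None)
    if credential is None:
        return (None, "no credential found")
    for name in profile.auth_resources:
        if resources[name](credential):
            return (name, "authenticated")
    return (None, "rejected by every aligned resource")


# Constructed sample data, not taken from any real deployment.
DEFAULT = AuthProfile("default", 999, "wildcard", "*", ["EM7 Login Page"], ["EM7 Internal"])
PROFILES = [
    AuthProfile("corp-cac", 0, "wildcard", "*.sciencelogic.local",
                ["CAC/Client Cert", "EM7 Login Page"], ["LDAP/AD", "EM7 Internal"]),
    AuthProfile("lab-ip", 5, "wildcard", "192.168.38.235", ["EM7 Login Page"], ["EM7 Internal"]),
]
# Stand-ins for user stores: each accepts only constructed credentials.
RESOURCES = {
    "LDAP/AD": lambda cred: cred in {"cert:alice", "alice:ldap-password"},
    "EM7 Internal": lambda cred: cred == "em7admin:local-password",
}

if __name__ == "__main__":
    profile = select_profile(PROFILES, "portal.sciencelogic.local", DEFAULT)
    print(profile.name, authenticate(profile, {"CAC/Client Cert": "cert:alice"}, RESOURCES))
```

Because evaluation stops at the first matching pattern, a catch-all pattern such as "*" with a low Priority Order value would shadow every more specific profile; that is why the catch-all belongs on the default profile, which is only reached when nothing else matches.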

Editing an Authentication Profile

The Authentication Profiles page allows you to edit an existing authentication profile. To do so:

  1. Go to the Authentication Profiles page (System > Settings > Authentication > Profiles).
  2. Find the authentication profile that you want to edit. Click its wrench icon.
  3. The Authentication Profile Editor modal page appears. In this page, you can edit the value of one or more fields.
  4. Click the Save button to save your changes to the authentication profile.

Deleting One or More Authentication Profiles

The Authentication Profiles page allows you to delete one or more authentication profiles from SL1. To do so:

  1. Go to the Authentication Profiles page (System > Settings > Authentication > Profiles).
  2. Select the checkbox of each authentication profile that you want to delete.
  3. Click the Select Actions menu (in the lower right), select DELETE Authentication Profile, and then click the Go button. The selected authentication profiles will be deleted.

You cannot delete the default authentication profile.

Authentication Resources

An authentication resource is a configuration policy that describes how SL1 should communicate with a user store. An authentication resource specifies the connector to use to communicate with the user store, the credential to use to connect to the user store (if applicable), and the URLs to examine during authentication. An authentication resource also maps attributes from the user's account in the user store to fields in the ScienceLogic user account.

Viewing the List of Authentication Resources

The Authentication Resource Manager page displays a list of all authentication resources in the SL1 System.

To view the list of authentication resources:

  1. Go to the Authentication Resource Manager page (System > Settings > Authentication > Resources).
  2. The following information is displayed about each authentication resource:
  • Resource Name. Name of the authentication resource.
  • ID. Unique numeric ID, automatically assigned by SL1 to each authentication resource.
  • Type. Specifies the user store that is associated with the resource. Possible types are:
  • EM7 Internal. The authentication resource communicates and passes information to and from the ScienceLogic Database.
  • LDAP/AD. The authentication resource communicates and passes information to and from an LDAP server or Active Directory server.
  • SSO. The authentication resource communicates and passes information to and from a SAML Identity Provider (IdP) or Service Provider (SP).
  • Connector. The software that allows communication between the authentication resource and the user store. Possible connectors are:
  • EM7 Internal. Software that communicates with the ScienceLogic Database.
  • LDAP/AD. Software that communicates with an LDAP server or Active Directory server.
  • LDAP/AD - Legacy. Software that communicates with an LDAP server or Active Directory server for ScienceLogic servers that were configured prior to version 7.8 of SL1. SL1 Systems that were upgraded to version 7.8 using patches can continue to use the same authentication methods without making changes to user accounts or the LDAP server or Active Directory server.
  • OneLogin. Software that communicates with a SAML Identity Provider (IdP).
  • SimpleSAML - Legacy. Software that communicates with a SAML Identity Provider (IdP) and Service Provider (SP) for ScienceLogic servers that were configured prior to version 7.8 of SL1. SL1 Systems that were upgraded to version 7.8 using patches can continue to use the same authentication methods without making changes to user accounts, the SAML configuration, or the SSO provider.
  • Edited By. The user who created or last edited the authentication resource.
  • Last Edited. Date and time the authentication resource was created or last edited.

To sort the list of authentication resources, click on a column heading. The list will be sorted by the column value, in ascending order. To sort by descending order, click the column heading again. The Last Edited column sorts by descending order on the first click; to sort by ascending order, click the column heading again.

Filtering the List of Authentication Resources

You can filter the list of authentication resources on the Authentication Resource Manager page by one or more of the following parameters: Resource Name, ID, Type, Connector, Edited By, and Last Edited. The list of authentication resources is dynamically updated as you select each filter. For each filter except Last Edited, you must enter text to match against. SL1 will search for authentication resources that match the text, including partial matches. Text matches are not case-sensitive. You can use the following special characters in each filter except Last Edited:

  • , (comma). Specifies an "or" operation. For example:

"dell, micro" would match all values that contain the string "dell" OR the string "micro".

  • & (ampersand). Specifies an "and" operation. For example:

"dell & micro" would match all values that contain the string "dell" AND the string "micro".

  • ! (exclamation mark). Specifies a "not" operation. For example:

"!dell" would match all values that do not contain the string "dell".

  • ^ (caret mark). Specifies "starts with". For example:

"^micro" would match all strings that start with "micro", like "microsoft".

"^" will include all rows that have a value in the column.

"!^" will include all rows that have no value in the column.

  • $ (dollar sign). Specifies "ends with". For example:

"$ware" would match all strings that end with "ware", like "VMware".

"$" will include all rows that have a value in the column.

"!$" will include all rows that have no value in the column.

By default, the cursor is placed in the first Filter-While-You-Type field. You can use the <Tab> key or your mouse to move your cursor through the fields.
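The filter syntax described above for the Authentication Resource Manager page, and identically in Filtering the List of Authentication Profiles earlier in this section, can be implemented as a small matcher. The Python below is an added example, not SL1 code; the sample rows are constructed, and the precedence of "," over "&" is an assumption because the page does not state it.

```python
def _matches_term(term: str, value: str) -> bool:
    """Evaluate one atomic term against one cell value.

    Term syntax from the page: a leading "!" negates; "^" means starts-with and
    "$" means ends-with; anything else is a case-insensitive substring match.
    A bare "^" or "$" matches any non-empty cell, so "!^" and "!$" match empty cells.
    """
    term = term.strip()
    negate = term.startswith("!")
    if negate:
        term = term[1:].strip()
    cell = value.lower()
    if term.startswith("^"):
        hit = cell != "" and cell.startswith(term[1:].lower())
    elif term.startswith("$"):
        hit = cell != "" and cell.endswith(term[1:].lower())
    else:
        hit = term.lower() in cell        # "" matches every cell: an empty filter is no filter
    return not hit if negate else hit


def matches_filter(expression: str, value: str) -> bool:
    """Evaluate a whole filter expression against one cell value.

    Assumption (the page does not state precedence): "," binds loosest, so
    "a & b, c" reads as (a AND b) OR c.
    """
    if expression.strip() == "":
        return True
    for alternative in expression.split(","):
        conjuncts = [t for t in alternative.split("&") if t.strip() != ""]
        if conjuncts and all(_matches_term(t, value) for t in conjuncts):
            return True
    return False


def filter_rows(rows: list, filters: dict) -> list:
    """Keep only rows that satisfy every per-column filter, as the page says the
    list does ("meet all the following filter criteria")."""
    return [row for row in rows
            if all(matches_filter(expr, str(row.get(column, "")))
                   for column, expr in filters.items())]


# Constructed sample rows shaped like the Authentication Profiles list; not real data.
SAMPLE_PROFILES = [
    {"Profile Name": "default", "ID": "1", "Hostname Pattern": "*",
     "Priority Order": "999", "Edited By": "em7admin"},
    {"Profile Name": "Dell Lab SSO", "ID": "2", "Hostname Pattern": "*.lab.example",
     "Priority Order": "0", "Edited By": "jsmith"},
    {"Profile Name": "Microsoft AD", "ID": "3", "Hostname Pattern": "",
     "Priority Order": "10", "Edited By": "jsmith"},
]


def matching_names(rows: list, filters: dict) -> list:
    """Convenience wrapper: the Profile Name of every row that passes the filters."""
    return [row["Profile Name"] for row in filter_rows(rows, filters)]


if __name__ == "__main__":
    print(matching_names(SAMPLE_PROFILES, {"Profile Name": "dell, micro", "Edited By": "jsmith"}))
    print(matching_names(SAMPLE_PROFILES, {"Hostname Pattern": "!^"}))
```

The "!^" filter on Hostname Pattern is the quickest way to find profiles with an empty pattern, which can never match a session and are usually a configuration leftover.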

Only authentication resources that meet all the following filter criteria will be displayed in the Authentication Resource Manager page:

  • Resource Name. Name of the authentication resource. You can enter text to match, including special characters, and the Authentication Resource Manager page will display only authentication resources that have a matching name.
  • ID. Unique numeric ID, automatically assigned by SL1 to each authentication resource. You can enter text to match, including special characters, and the Authentication Resource Manager page will display only authentication resources that have a matching ID.
  • Type. Specifies the user store that is associated with the resource. You can enter text to match, including special characters, and the Authentication Resource Manager page will display only authentication resources that have a matching type.
  • Connector. The specific software that allows communication between the authentication resource and the user store. You can enter text to match, including special characters, and the Authentication Resource Manager page will display only authentication resources that have a matching connector.
  • Last Edited. Date and time the authentication resources was created or last edited. You can select from a list of time periods. The Authentication Resource Manager page will display only authentication resources that have been created or edited within that time period.
  • Edited By. ScienceLogic user who created or last edited the authentication resource. You can enter text to match, including special characters, and the Authentication Resource Manager page will display only authentication resources that have been created or edited by a matching username.

The "EM7 Internal" Resource

The EM7 Internal resource allows you to access the user store in the ScienceLogic database.

  • By default, each SL1 System, whether upgraded to version 7.8 or built from a 7.8 ISO, includes the EM7 Internal authentication resource.
  • You cannot create an EM7 Internal authentication resource.
  • You cannot edit or delete the EM7 Internal authentication resource included with your SL1 System.
  • Each SL1 System can include only one EM7 Internal authentication resource.

Creating an LDAP/AD Authentication Resource

The LDAP/AD Auth Resource Editor page allows you to define an authentication resource for use with an LDAP/AD user store. An LDAP/AD authentication resource specifies the connector (communication software) to use to communicate with the LDAP/AD user store and the credential to use to connect to the user store. An LDAP/AD authentication resource can also map attributes from the user's LDAP/AD account to fields in the ScienceLogic user account.

ScienceLogic administrators can use LDAP or Active Directory to authenticate ScienceLogic users. There are two ways to use LDAP or Active Directory authentication with SL1:

  • You can configure SL1 to automatically create user accounts for existing LDAP or Active Directory users and then always use LDAP or Active Directory to authenticate those users when they log in to SL1.
  • You can use LDAP or Active Directory to authenticate one or more ScienceLogic users when they log in to SL1.

To create an LDAP/AD authentication resource:

  1. Go to the Authentication Resource Manager page (System > Settings > Authentication > Resources).
  2. Click the Actions menu and then select Create LDAP/AD Resource. The LDAP/AD Auth Resource Editor modal page appears.
  3. Enter values in the following fields:

Basic Settings

  • Name. Name of the LDAP/AD authentication resource.
  • User Display Name. Select what name to display from the following options:
  • disable. Uses the current default behavior, which displays the user's username in the SL1 user interface and logs.
  • email address. Displays the user's email address in the SL1 user interface and logs.
  • user principal name. Displays the value from the UPN field on this page in the SL1 user interface and logs.
  • UPN. "User principal name." If you select user principal name in the User Display Name field, then the value from this field displays in the SL1 user interface and audit logs. This field is blank by default for all existing (pre-11.2.1) authentication resources, but can be manually updated. For new authentication resources, enter one of the following:
  • email address. Displays the user's email address in the SL1 user interface and audit logs.
  • user principal name. Displays the value from the UPN field on this page in the SL1 user interface and audit logs.
  • Read Credential. Credential that allows SL1 to read data from an LDAP or Active Directory server. Select from a list of all LDAP and Active Directory credentials to which you have access. If this field has been set to a credential to which you do not have access, this field will display the value Restricted Credential. If you set this field to a different credential, the entry for Restricted Credential will be removed from the field; you will not be able to re-align the field with the Restricted Credential.
  • Write Credential. Credential that allows SL1 to write data to an LDAP or Active Directory server. Select from a list of all LDAP and Active Directory credentials to which you have access. If this field has been set to a credential to which you do not have access, this field will display the value Restricted Credential. If you set this field to a different credential, the entry for Restricted Credential will be removed from the field; you will not be able to re-align the field with the Restricted Credential.

Your organization membership(s) might affect the list of credentials you can see in the Read Credential field and the Write Credential field. For details, see the section on Credentials.

  • User Name Suffix. Optional field. Because SL1 can authenticate against multiple LDAP or Active Directory servers, there is a risk of collision among user names. In this field, you can enter a string to append to the user name to minimize the risk of collision. For example:
  • Suppose we entered @ad.local in this field.
  • Suppose the next LDAP/AD user logs in to SL1 with the user name bishopbrennan.
  • SL1 will log that user in as bishopbrennan@ad.local.

A best practice to avoid collisions is to use email addresses as user names.

  • Search Filter. Specifies where to find the user's account information in LDAP or Active Directory. You must tell SL1 where to find the LDAP or AD attribute that maps to the user's account name in SL1.

For example, an LDAP user might use his/her uid value to log in to SL1. In the ScienceLogic account, that uid value will then become the user's Account Login Name.

You can use the following variables in the search filter:

  • %u. ScienceLogic login name.
  • %e. Email address.
  • An example search filter for LDAP might be:

(&(objectClass=person)(uid=%u))

This says to search in the object class called "person" for the uid that matches the ScienceLogic login name (entered when the user logs in to SL1 and then stored in the variable %u).

  • An example search filter for Active Directory might be:

(sAMAccountName=%u)

This says to search for the samaccountname attribute that matches the ScienceLogic login name (entered when the user logs in to SL1 and then stored in the variable %u).

  • For more information on the syntax of LDAP and AD search filters, see RFC 4515.
  • Sync directory values to EM7 on login. If an LDAP or AD administrator makes changes to an LDAP or AD account, SL1 will automatically retrieve those updates and apply them to the user's account in SL1 (in the Account Properties page) the next time the user logs in to SL1. (For more information about user account properties, see the section on Creating and Editing User Accounts.)
  • Sync EM7 values to directory on save. If a ScienceLogic administrator made changes to the ScienceLogic account, SL1 will automatically write those changes to the user's account in LDAP or Active Directory.

The Sync EM7 values to directory on save option requires a write credential.
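An added example (not SL1 code) of rendering the Search Filter templates shown above: %u and %e are substituted, the values are escaped as RFC 4515 section 3 requires, and the result is checked for balanced parentheses before it would be sent to the directory. MAIL_TEMPLATE, lookup_filter and filter_is_well_formed are constructed here; whether SL1 escapes %u and %e itself is not stated on this page, so treat escaping as something to verify against your own resource rather than assume.

```python
# RFC 4515 section 3: these characters in an assertion value are written as "\" + two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so the directory matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_search_filter(template: str, login: str, email: str = "") -> str:
    """Substitute %u (ScienceLogic login name) and %e (email address) into a filter template.

    Values are escaped before substitution so that characters typed into the login form
    cannot change the structure of the filter; only the attribute value is user-controlled."""
    return (template.replace("%u", escape_filter_value(login))
                    .replace("%e", escape_filter_value(email)))


def filter_is_well_formed(search_filter: str) -> bool:
    """Cheap structural check: one parenthesised expression with balanced parentheses.
    Escaped parentheses are "\\28" / "\\29" in the rendered string, so they are not counted.
    (A full RFC 4515 parser is out of scope here.)"""
    if not (search_filter.startswith("(") and search_filter.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(search_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(search_filter) - 1:
                return False          # more than one top-level expression, e.g. "(a=1)(b=2)"
    return depth == 0


def lookup_filter(template: str, login: str, email: str = "") -> str:
    """Render a template and refuse to return anything that is not structurally sound."""
    rendered = render_search_filter(template, login, email)
    if not filter_is_well_formed(rendered):
        raise ValueError(f"rendered filter is not well formed: {rendered}")
    return rendered


LDAP_TEMPLATE = "(&(objectClass=person)(uid=%u))"   # the LDAP example from the page
AD_TEMPLATE = "(sAMAccountName=%u)"                  # the Active Directory example from the page
MAIL_TEMPLATE = "(&(objectClass=person)(mail=%e))"   # constructed: looks the user up by %e instead

if __name__ == "__main__":
    print(lookup_filter(LDAP_TEMPLATE, "bishopbrennan"))
    print(lookup_filter(AD_TEMPLATE, "a*b"))                  # the "*" is escaped, not a wildcard
    print(lookup_filter(MAIL_TEMPLATE, "bishopbrennan", "bishopbrennan@ad.local"))
```

Escaping matters even with well-behaved users: a login name that legitimately contains a parenthesis or backslash would otherwise produce a filter the directory rejects, so the user could never log in.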

Attribute Mapping

If you have configured SL1 to automatically create ScienceLogic accounts for LDAP or AD users, these fields specify the LDAP or AD attribute value that will be automatically inserted into each field in each user's Account Properties page. (For more information about user account properties, see the section on Creating and Editing User Accounts.)

SL1 automatically populates as many of these fields as possible. You can edit or delete the default values provided by SL1. For example, SL1 automatically inserts the value of the LDAP/AD attribute "sn" (surname) into the Last Name field in each user's Account Properties page.

SL1 requires that the LDAP or AD attribute name that you specify in each field uses all lower-case characters.

  • First Name. Specifies the LDAP or AD attribute value that will be automatically inserted into the First Name field in each user's Account Properties page. By default, SL1 inserts the value of the LDAP/AD attribute "givenname" into this field.
  • Last Name. Specifies the LDAP or AD attribute value that will be automatically inserted into the Last Name field in each user's Account Properties page. By default, SL1 inserts the value of the LDAP/AD attribute "sn" into this field.
  • Title. Specifies the LDAP or AD attribute value that will be automatically inserted into the Title field in each user's Account Properties page.
  • Department. Specifies the LDAP or AD attribute value that will be automatically inserted into the Department field in each user's Account Properties page.
  • Phone. Specifies the LDAP or AD attribute value that will be automatically inserted into the Phone field in each user's Account Properties page. By default, SL1 inserts the value of the LDAP/AD attribute "telephonenumber" into this field.
  • Fax. Specifies the LDAP or AD attribute value that will be automatically inserted into the Fax field in each user's Account Properties page.
  • Mobile. Specifies the LDAP or AD attribute value that will be automatically inserted into the Mobile field in each user's Account Properties page. By default, SL1 inserts the value of the LDAP/AD attribute "mobile" into this field.
  • Pager. Specifies the LDAP or AD attribute value that will be automatically inserted into the Pager field in each user's Account Properties page.
  • Primary Email. Specifies the LDAP or AD attribute value that will be automatically inserted into the Primary Email field in each user's Account Properties page. By default, SL1 inserts the value of the LDAP/AD attribute "mail" into this field.
  • Secondary Email. Specifies the LDAP or AD attribute value that will be automatically inserted into the Secondary Email field in each user's Account Properties page.
  • Street Address. Specifies the LDAP or AD attribute value that will be automatically inserted into the Street Address field in each user's Account Properties page. By default, SL1 inserts the value of the LDAP/AD attribute "streetaddress" into this field.
  • Suite/Building. Specifies the LDAP or AD attribute value that will be automatically inserted into the Suite/Building field in each user's Account Properties page.
  • City. Specifies the LDAP or AD attribute value that will be automatically inserted into the City field in each user's Account Properties page. By default, SL1 inserts the value of the LDAP/AD attribute "l" into this field.
  • State. Specifies the LDAP or AD attribute value that will be automatically inserted into the State field in each user's Account Properties page. By default, SL1 inserts the value of the LDAP/AD attribute "st" into this field.
  • Postal Code. Specifies the LDAP or AD attribute value that will be automatically inserted into the Postal Code field in each user's Account Properties page. By default, SL1 inserts the value of the LDAP/AD attribute "postalcode" into this field.
  • Country. Specifies the LDAP or AD attribute value that will be automatically inserted into the Country field in each user's Account Properties page.
  • Organization. Specifies the LDAP or AD attribute value that will be used to automatically define the Primary Organization field in each user's Account Permissions page. You must also specify one of the following:
    • directory attribute specifies organization ID. If selected, the attribute in the Organization field specifies an organization ID.
    • directory attribute specifies organization name. If selected, the attribute in the Organization field specifies an organization name.
    • directory attribute specifies organization CRM ID. If selected, the attribute in the Organization field specifies the CRM ID of an organization.

To use Attribute Mapping for Organization, your LDAP/AD schema must include an attribute that maps to ScienceLogic Organization names, Organization IDs, or Organization CRM IDs.

When you create a new LDAP/AD user, you must align a user policy with that user. If the aligned user policy specifies an organization for the user, the value from the user policy will overwrite the value from Attribute Mapping.

User Policy Alignment

  • Type. Specifies whether SL1 should automatically create ScienceLogic accounts for each LDAP or Active Directory user in the search base (which is specified in the credential), whether SL1 should simply use LDAP or Active Directory to authenticate one or more users, or whether SL1 will refuse to authenticate specific users. Choices are:
    • Do not authenticate new users from directory. Only those users who have an account already created in SL1 can log in to SL1. However, if one or more users' Account Permissions page specifies LDAP/Active Directory in the Authentication Method field, SL1 will authenticate those users with either LDAP or Active Directory, using the settings and credentials specified in this page.
    • Static policy alignment. If an LDAP or AD user logs in to SL1 using the LDAP or AD attribute specified in the Search Filter field, SL1 will automatically create an account for that user. SL1 will use one user policy (specified in the Policy field) to create all imported LDAP or AD user accounts. SL1 will also use the settings and credentials specified in this page when creating the account.
    • Dynamic policy alignment. If an LDAP or AD user logs in to SL1 using the LDAP or AD attribute specified in the Search Filter field, SL1 will automatically create an account for that user. SL1 will choose from among multiple user policies to create imported LDAP or AD user accounts. For example, some imported user accounts might use "user policy A"; other imported user accounts might use "user policy B". SL1 will also use the settings and credentials specified in this page when creating the account.

If you selected Static policy alignment in the Type field, you must supply a value in the Policy field:

  • Policy. Specifies the user policy to use to automatically create a ScienceLogic account for each LDAP or AD user. Select from a list of all user policies that specify LDAP/Active Directory in the Authentication Method field.

If you selected Dynamic policy alignment in the Type field, you must supply values in the Attribute, Value, and Policy fields.

  • Attribute. Specifies the LDAP or AD attribute you want to use to differentiate imported user accounts. For example, you could select the attribute "department" and then assign different user policies to import user accounts from different departments. You can also use this field to exclude LDAP or AD accounts for which you do not want to create a ScienceLogic account.
  • Value. Specifies the LDAP or AD attribute value. That is, you specify one of the possible values for the attribute (specified in the Attribute field). SL1 will compare the value in this field to the retrieved value for the Attribute.
  • Policy. Choose one of the following:
    • Do Not Authenticate. If selected, and the retrieved value of the specified Attribute matches the value in the Value field, the user is not authenticated. This setting applies to new users for whom LDAP or Active Directory would have to create a new account in SL1 and to users who already have an account in SL1.
    • the policy you want to associate with that value. Select from a list of all user policies that specify LDAP/Active Directory in the Authentication Method field.
      • For example, suppose you specified "department" in the Attribute field. Suppose that the "department" attribute could have two possible values: "Sales" or "NOC".
      • Suppose you created two user policies. One user policy, called "Sales User Policy", includes the appropriate ticket queues and access keys for Sales personnel. Another user policy, called "NOC User Policy", includes the appropriate ticket queues and access keys for NOC personnel.
      • In one of the Value fields, you could specify "Sales". In the corresponding Policy field, you could then specify "Sales User Policy".
      • In the next Value field, you could specify "NOC". In the corresponding Policy field, you could specify "NOC User Policy".
      • After defining these two Value fields and corresponding Policy fields, user accounts from the Sales department would be imported into SL1 using the Sales User Policy. User accounts from the NOC department would be imported into SL1 using the NOC User Policy.
  • To define additional Value and Policy fields, click on the green plus-sign () icon.
  1. Click the Save button to save your changes to the new authentication resource.

Creating an SSO Authentication Resource

The SSO Auth Resource Editor page allows you to define an authentication resource for use with a SAML IdP. An SSO authentication resource specifies the connector (communication software) to use to communicate with the SAML IdP and the URLs to use to send and retrieve information from the SAML IdP. An SSO authentication resource can also map attributes from the user's SSO account to fields in the ScienceLogic user account.

ScienceLogic administrators can use SSO to authenticate ScienceLogic users. There are two ways to use SSO authentication with SL1:

  • You can configure SL1 to automatically create user accounts for existing SSO users and then always use SSO to authenticate those users when they log in to SL1.
  • You can use SSO to authenticate one or more ScienceLogic users when they log in to SL1.

To create an SSO authentication resource:

  1. Go to the Authentication Resource Manager page (System > Settings > Authentication > Resources).
  2. Click the Actions menu and then select Create SSO Resource. The SSO Auth Resource Editor page appears.
  3. Enter values in the following fields:

Basic Settings

  • Name. Name of the SSO authentication resource.
  • IdP Entity ID. Globally unique name for the identity provider or service provider, in the format of an absolute URL.
  • IdP Cert Fingerprint. The SHA1 certificate fingerprint, provided by the identity provider or service provider.
  • User Name Suffix. Optional field. Because a user can authenticate against multiple SSO servers, there is a risk of collision among user names. In this field, you can enter a string to append to the ScienceLogic user name to minimize risk of collision. For example:
    • Suppose we entered @ad.local in this field.
    • Suppose the next LDAP/AD user logs in to SL1 with the user name bishopbrennan.
    • SL1 will log in that user as bishopbrennan@ad.local.

A best practice to avoid collisions is to use email addresses as user names.

  • IdP SSO URL. The URL to which SL1 will send login requests to the IdP. This field must contain an absolute URL.
  • IdP SLS URL. Optional field. If you want each user to be automatically logged out of the IdP when that user logs out of SL1, enter the URL to which SL1 will post the logout request to the IdP. If you leave this field blank, a user can log out of SL1 without automatically logging out of the IdP.
  • Sync directory values to EM7 on login. If an SSO administrator makes changes to an SSO account, SL1 will automatically retrieve those updates and apply them to the user's account in SL1 (in the Account Properties page) the next time the user logs in to SL1. (For more information about user account properties, see the section on Creating and Editing User Accounts.)

Attribute Mapping

If you have configured SL1 to automatically create ScienceLogic accounts for SSO users, these fields specify the SAML attribute value that will be automatically inserted into each field in each user's Account Properties page. (For more information about user account properties, see the section on Creating and Editing User Accounts.)

SL1 automatically populates as many of these fields as possible. You can edit or delete the default values provided by SL1. For example, SL1 automatically inserts the value of the SAML attribute "sn" (surname) into the Last Name field in each user's Account Properties page.

SL1 requires that the SAML attribute name that you specify in each field uses all lowercase characters.

  • First Name. Specifies the SAML attribute value that will be automatically inserted into the First Name field in each user's Account Properties page. By default, SL1 inserts the value of the SAML attribute "givenname" into this field.
  • Last Name. Specifies the SAML attribute value that will be automatically inserted into the Last Name field in each user's Account Properties page. By default, SL1 inserts the value of the SAML attribute "sn" into this field.
  • Title. Specifies the SAML attribute value that will be automatically inserted into the Title field in each user's Account Properties page.
  • Department. Specifies the SAML attribute value that will be automatically inserted into the Department field in each user's Account Properties page.
  • Phone. Specifies the SAML attribute value that will be automatically inserted into the Phone field in each user's Account Properties page. By default, SL1 inserts the value of the SAML attribute "telephonenumber" into this field.
  • Fax. Specifies the SAML attribute value that will be automatically inserted into the Fax field in each user's Account Properties page.
  • Mobile. Specifies the SAML attribute value that will be automatically inserted into the Mobile field in each user's Account Properties page. By default, SL1 inserts the value of the SAML attribute "mobile" into this field.
  • Pager. Specifies the SAML attribute value that will be automatically inserted into the Pager field in each user's Account Properties page.
  • Primary Email. Specifies the SAML attribute value that will be automatically inserted into the Primary Email field in each user's Account Properties page. By default, SL1 inserts the value of the SAML attribute "mail" into this field.
  • Secondary Email. Specifies the SAML attribute value that will be automatically inserted into the Secondary Email field in each user's Account Properties page.
  • Street Address. Specifies the SAML attribute value that will be automatically inserted into the Street Address field in each user's Account Properties page. By default, SL1 inserts the value of the SAML attribute "streetaddress" into this field.
  • Suite/Building. Specifies the SAML attribute value that will be automatically inserted into the Suite/Building field in each user's Account Properties page.
  • City. Specifies the SAML attribute value that will be automatically inserted into the City field in each user's Account Properties page. By default, SL1 inserts the value of the SAML attribute "l" into this field.
  • State. Specifies the SAML attribute value that will be automatically inserted into the State field in each user's Account Properties page. By default, SL1 inserts the value of the SAML attribute "st" into this field.
  • Postal Code. Specifies the SAML attribute value that will be automatically inserted into the Postal Code field in each user's Account Properties page. By default, SL1 inserts the value of the SAML attribute "postalcode" into this field.
  • Country. Specifies the SAML attribute value that will be automatically inserted into the Country field in each user's Account Properties page.
  • Organization. Specifies the SAML attribute value that will be used to automatically define the Primary Organization field in each user's Account Permissions page. You must also specify one of the following:
    • directory attribute specifies organization ID. The attribute in the Organization field specifies an organization ID.
    • directory attribute specifies organization name. The attribute in the Organization field specifies an organization name.
    • directory attribute specifies organization CRM ID. The attribute in the Organization field specifies the CRM ID of an organization.

To use Attribute Mapping for Organization, your SAML schema must include an attribute that maps to All-In-One Appliance Organization names, Organization IDs, or Organization CRM IDs.

When you create a new SSO user, you must align a user policy with that user. If the aligned user policy specifies an organization for the user, the value from the user policy will overwrite the value from Attribute Mapping.

User Policy Alignment

  • Type. Specifies whether SL1 should automatically create ScienceLogic accounts for each SSO user, whether SL1 should simply use SSO to authenticate one or more users, or whether SL1 will refuse to authenticate specific users. Choices are:
    • Do not authenticate new users. Only those users who have an account already created in SL1 can log in to SL1, which will authenticate those users with SSO using the settings specified in this page.
    • Static policy alignment. If an SSO user tries to access SL1, SL1 will automatically create an account for that user. SL1 will use one user policy (specified in the Policy field) to create the imported SSO user accounts for this authentication resource. SL1 will also use the settings specified in this page when creating the account.
    • Dynamic policy alignment. If an SSO user tries to access SL1, SL1 will automatically create an account for that user. SL1 will choose from among multiple user policies to create imported SSO user accounts for this authentication resource. For example, some imported user accounts might use "user policy A"; other imported user accounts might use "user policy B". SL1 will also use the settings specified in this page when creating the account.

If you selected Static policy alignment in the Type field, you must supply a value in the Policy field.

  • Policy. Specifies the user policy to use to automatically create a ScienceLogic account for each SSO user. Select from a list of all user policies.

If you selected Dynamic policy alignment in the Type field, you must supply values in the Attribute, Value, and Policy fields.

  • Attribute. Specifies the SAML attribute you want to use to differentiate imported user accounts. For example, you could select the attribute department and then assign different user policies to import user accounts from different departments. You can also use this field to exclude SSO accounts for which you do not want to allow authentication.
  • Value. Specifies the SAML attribute value. That is, you specify one of the possible values for the attribute (specified in the Attribute field). SL1 will compare the value in this field to the retrieved value for the Attribute.
  • Policy. Choose one of the following:
    • Do Not Authenticate. If the retrieved value of the specified Attribute matches the value in the Value field, the user is not authenticated. This setting applies to new users for whom SSO would have to create a new account in SL1 and to users who already have an account in SL1.
    • the policy you want to associate with that value. Select from a list of all user policies that specify SSO in the Authentication Method field.
      • For example, suppose you specified department in the Attribute field. Suppose that the department attribute could have two possible values: Sales or NOC.
      • Suppose you created two user policies. One user policy, called Sales User Policy, includes the appropriate ticket queues and access keys for Sales personnel. Another user policy, called NOC User Policy, includes the appropriate ticket queues and access keys for NOC personnel.
      • In one of the Value fields, you could specify Sales. In the corresponding Policy field, you could then specify Sales User Policy.
      • You could then click on the plus-sign icon () and add another Value field and another Policy field.
      • In the next Value field, you could specify NOC. In the corresponding Policy field, you could specify NOC User Policy.
      • After defining these two Value fields and the corresponding Policy fields, user accounts from the Sales department would be imported into SL1 using the Sales User Policy.
      • User accounts from the NOC department would be imported into SL1 using the NOC User Policy.
  • To define additional Value and Policy fields, click on the green plus-sign icon ().
  4. Click the Save button to save your changes to the new authentication resource.
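The attribute mapping and user policy alignment rules described above for both the LDAP/AD and the SSO resource, worked through as an added example (not ScienceLogic code): the Resource, UserPolicy and login names, the in-order evaluation of dynamic rules, and the refusal of a new user whom no dynamic rule matches are assumptions, and all directory attributes fed in are constructed.

```python
# Added example (not ScienceLogic code) of the account-creation rules this page describes.
from dataclasses import dataclass, field
from typing import Optional

DO_NOT_AUTHENTICATE = "Do Not Authenticate"
# Default attribute-to-field mapping listed on the page (names are lowercase).
DEFAULT_ATTRIBUTE_MAP = {
    "First Name": "givenname", "Last Name": "sn", "Phone": "telephonenumber",
    "Mobile": "mobile", "Primary Email": "mail", "Street Address": "streetaddress",
    "City": "l", "State": "st", "Postal Code": "postalcode",
}

@dataclass
class UserPolicy:
    name: str
    organization: Optional[str] = None  # if set, overwrites the mapped value

@dataclass
class Resource:                         # assumed shape, not SL1's data model
    alignment: str                      # "none", "static" or "dynamic"
    static_policy: Optional[UserPolicy] = None
    dynamic_rules: list = field(default_factory=list)  # (attribute, value, policy)
    org_attribute: Optional[str] = None
    username_suffix: str = ""
    attribute_map: dict = field(default_factory=lambda: dict(DEFAULT_ATTRIBUTE_MAP))

def choose_policy(res, attrs, has_account):
    """Policy for a new account, None to keep an existing one, or a refusal."""
    if res.alignment == "dynamic":
        for attribute, value, policy in res.dynamic_rules:  # checked in order
            if attrs.get(attribute) == value:
                if policy == DO_NOT_AUTHENTICATE:  # new and existing users alike
                    return DO_NOT_AUTHENTICATE
                return None if has_account else policy
    if has_account:
        return None
    if res.alignment == "static":
        return res.static_policy
    # "none" creates no accounts; an unmatched dynamic rule set is assumed here
    # (the page does not say) to create none either.
    return DO_NOT_AUTHENTICATE

def login(res, username, attrs, accounts):
    """Authenticate one user; returns the account dict, or None when refused."""
    key = username + res.username_suffix       # e.g. bishopbrennan@ad.local
    policy = choose_policy(res, attrs, key in accounts)
    if policy == DO_NOT_AUTHENTICATE:
        return None
    if key in accounts:
        return accounts[key]
    account = {fld: attrs.get(attr) for fld, attr in res.attribute_map.items()}
    account["User Name"] = key
    mapped_org = attrs.get(res.org_attribute) if res.org_attribute else None
    # A user policy that names an organization overwrites the mapped one.
    account["Primary Organization"] = policy.organization or mapped_org
    account["User Policy"] = policy.name
    accounts[key] = account
    return account
```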

Editing an Authentication Resource

The Authentication Resource Manager page allows you to edit an existing authentication resource. To do so:

  1. Go to the Authentication Resource Manager page (System > Settings > Authentication > Resources).
  2. Find the authentication resource that you want to edit. Click its wrench icon ().
    • For LDAP/AD Resources, the LDAP/AD Auth Resource Editor page appears. In this page, you can edit the values for one or more fields. For more information, see the Creating an LDAP/AD Authentication Resource section.
    • For SSO Resources, the SSO Auth Resource Editor page appears. In this page, you can edit the values for one or more fields. For more information, see the Creating an SSO Authentication Resource section.
  3. Click the Save button to save your changes to the authentication resource.

Deleting an Authentication Resource

The Authentication Resource Manager page allows you to delete one or more authentication resources from SL1. To do so:

  1. Go to the Authentication Resource Manager page (System > Settings > Authentication > Resources).
  2. Select the checkbox () of each authentication resource that you want to delete.
  3. Click the Select Actions menu (in the lower right), select DELETE Authentication Resource, and then click the Go button. The selected authentication resources will be deleted.

You cannot delete the EM7 Internal authentication resource.