Using Single Sign-On (SSO) for Authentication Only


If you have already created accounts for users in SL1, you can use SSO to authenticate one or more of those users. Each time an SSO user tries to access SL1, SL1 will use SSO to authenticate that user.

  1. Each user logs in to SL1 by entering the URL for the All-In-One Appliance, Administration Portal, or Database Server.
  2. SL1 examines the URL from which the request originates and applies the appropriate Authentication Profile (and the appropriate Authentication Resource).
  3. If the user is not yet logged in to the SAML IdP:
  • The user will be directed to the login page for the SAML IdP.
  • After successfully logging in to the SAML IdP, the SAML IdP will send a message to SL1 via the user's browser (a SAML assertion), informing SL1 that the user is authenticated.
  4. If the user is already logged in to the SAML IdP:
  • The SAML IdP will send a message to SL1 via the user's browser (a SAML assertion), informing SL1 that the user is authenticated.
  5. SL1 displays the user's default page.

Required Tasks

To configure SL1 to use SSO to authenticate existing users without creating new accounts, you must perform the following steps:

  1. Create a user account in SL1. You can either create the account manually or you can use a user policy to create the account.
  2. Define the SSO Authentication Resource.
  • Specify how SL1 should communicate with the SSO IdP and exchange information with the SSO IdP.
  • In the Type field, specify the following: Do not import new users or sync user policies. SL1 will use SSO only to authenticate users and will not create a new user each time an SSO user attempts to connect to SL1.
  3. Define one or more Authentication Profiles that tell SL1 how to recognize SSO users and which Authentication Resource to use with those users.
  4. After completing these steps:
  • SSO users can attempt to connect to SL1 by entering an SL1 URL.
  • SL1 will examine the hostname or IP address in the incoming URL request to align the user with an Authentication Profile.
  • The Authentication Profile tells SL1 which SSO Authentication Resource(s) to use to authenticate the user.
  • The SSO Authentication Resource tells SL1 the settings to use to communicate with the SSO IdP. The SSO IdP will then attempt to authenticate each user.

Creating a User Account that Will Be Authenticated with SSO

User accounts allow users to log in to SL1 and access pages and features in SL1. If you have already created a user account for a user in SSO, you can create a separate user account for that user in SL1 and then ask SSO to authenticate the user account.

There are two ways to create a user account in SL1:

  • Manually create a user account and define all account settings.
  • Manually create a user account and then apply a user policy to define additional account settings. User policies allow you to define a custom set of account properties and privileges and then save them as a policy.

Both options are described in this section.

Manually Creating a User Account and Manually Defining Account Settings

You can manually create a user account in SL1.

If you want to use SSO to authenticate the user when he/she logs in to SL1, you must:

  • Manually create a user account in SL1.

NOTE: The value in the Account Login Name must match the value of the SAML attribute uid.

To manually create a user account and manually define its settings:

  1. Go to the User Accounts page (Registry > Accounts > User Accounts).
  2. In the User Accounts page, click the Create button.
  3. The page appears.
  4. In the page, enter values in each of the following fields:
  • First Name. User's first name. This value can be up to 24 characters in length.
  • Last Name. User's last name. This value can be up to 24 characters in length.
  • Generate a unique name based on first and last name. Do not select this option.
  • Account Login Name. The same value as is stored in the SAML attribute uid.
  • Primary Email. User's email address. This field can be up to 64 characters in length.
  • Password. You can enter any password that meets the minimum security requirements. The password must be at least four characters in length and can be up to 64 characters in length.

NOTE: During authentication, SSO will ignore the value in the Password field and instead use the password stored in the IdP.

  • Confirm Password. The user's password again. This value must be at least four characters in length and can be up to 64 characters in length. This password will be overwritten with the SSO password on first login.
  • Password Strength. Required strength of the user's password. Must be set to Strong. The password will not be able to be changed through SL1.
  • Password Expiration. Set this field to Disabled. The password will not be able to be changed through SL1.
  • Password Shadowing. Set this field to Default. The password cannot be changed through SL1.
  • Require Password Reset. Do not select this option. The password cannot be changed through SL1.
  • Multi-Factor Auth (MFA) User. If this user requires a different user name for Multi-factor authentication, enter the MFA user name in this field.

NOTE: Best practice for SSO includes multi-factor authentication when connecting to the Identity Provider, not when logging in to SL1. For details on configuring multi-factor authentication, see the section on using multi-factor authentication.

  • Organization. The organization of which the new user account will be a member. Users can select from among all organizations in SL1.
  • Account Type. Specifies whether the user is a member of a user policy. Choices are:
  • Individual. User account is not a member of a user policy.
  • Policy Membership. Select this option. User will be defined with a user policy. When selected, the Policy Membership field becomes active.
  • Login State. Default login state for the user account. The choices are:
  • Suspended. Account is not active. User cannot log in to SL1.
  • Active. Account is active. User can log in to SL1.
  • Authentication Method. Specifies how the user's username and password will be authenticated. Select one of the following:
  • EM7 Session. User's username and password are authenticated by SL1.
  • LDAP/Active Directory. User's username and password are authenticated by an LDAP server or Active Directory server.

NOTE: For users who are authenticated with SSO, you must set the Authentication Method field to LDAP/Active Directory to support automatic user policy alignment updates in case attributes change.

  • Restrict to IP. The user will be allowed to access SL1 only from the specified IP. Specify the IP address in standard dotted-decimal notation.
  • Time Zone. Select the appropriate time zone to associate with the user account.
  5. Click the Save button to save the new user.

Manually Creating a User Account and Using a User Policy to Define Account Settings

You can manually create a user account and then apply a user template to that user account.

If you want to use SSO to authenticate the user when he/she logs in to SL1, you must:

  • Define a user policy before creating the user account. For SSO authentication, there are no requirements for the user policy. You can define the user policy as you wish. For details on creating a user policy, see the Organizations and Users section.
  • Define the user account in SL1.

NOTE: The value in the Account Login Name must match the value of the SAML attribute uid.

To manually create a user account and apply a user policy to that account:

  1. Go to the User Accounts page (Registry > Accounts > User Accounts).
  2. In the User Accounts page, click the Create button.
  3. The page appears.
  4. In the page, enter values in each of the following fields:
  • First Name. User's first name. This value can be up to 24 characters in length.
  • Last Name. User's last name. This value can be up to 24 characters in length.
  • Generate name based on first and last name. Do not select this option.
  • Account Login Name. The same value as is stored in the SAML attribute uid.
  • Primary Email. User's email address. This field can be up to 64 characters in length.
  • Password. You can enter any password that meets the minimum security requirements. The password must be at least four characters in length and can be up to 64 characters in length.

NOTE: During authentication, SSO will ignore the value in the Password field and instead use the password stored in the IdP.

  • Confirm Password. The user's password again. This value must be at least four characters in length and can be up to 64 characters in length. This password will be overwritten with the SSO password on first login.
  • Password Strength. Required strength of the user's password. Must be set to Strong. The password will not be able to be changed through SL1.
  • Password Expiration. Set this field to Disabled. The password will not be able to be changed through SL1.
  • Password Shadowing. Set this field to Default. The password cannot be changed through SL1.
  • Require Password Reset. Do not select this option. The password cannot be changed through SL1.
  • Multi-Factor Auth (MFA) User. If this user requires a different user name for Multi-factor authentication, enter the MFA user name in this field.

NOTE: Best practice for SSO includes multi-factor authentication when connecting to the Identity Provider, not when logging in to SL1. For details on configuring multi-factor authentication, see the section on using multi-factor authentication.

  • Organization. The organization of which the new user account will be a member. Users can select from among all organizations in SL1.
  • Account Type. Specifies whether the user is a member of a user policy. Choices are:
  • Individual. User account is not a member of a user policy.
  • Policy Membership. Select this option. User will be defined with a user policy. When selected, the Policy Membership field becomes active.

After you select Policy Membership, all remaining fields except Account Templates are disabled. This is because those fields are defined in the user policy.

  • Policy Membership. If you selected Policy Membership in the Account Type field, the Policy Membership field is activated. In this field, you can select a user policy to apply to the new user account.
  • When a user policy is applied to a user's account, the user inherits the Access Keys specified in the user policy. Administrators cannot add additional Access Keys or delete Access Keys from the user's account unless they edit the user policy.
  • When a user policy is edited, each user account that is a member of that template will be dynamically updated.
  5. Click the Save button to save the new user.

Creating an SSO Authentication Resource for Authenticating Users

An Authentication Resource is a configuration policy that describes how SL1 should communicate with a user store. In this section, the user store is an SSO IdP.

The SSO Auth Resource Editor page allows you to define an Authentication Resource for use with an SSO user store. An SSO Authentication Resource specifies the connector (communication software) to use to communicate with the SAML IdP and the URLs to use to send and retrieve information from the SAML IdP. An SSO Authentication Resource can also map attributes from the user's SSO account to fields in the user account on SL1.

SL1 supports SAML version 2.0.

In the SSO Auth Resource Editor page (System > Settings > Authentication > create/edit SSO Resource), you can:

  • Specify how SL1 should communicate with the SAML IdP and exchange information with the SAML IdP.

Additionally, Authentication Profiles are policies that align user accounts with one or more Authentication Resources. Authentication Profiles are described later in this section.

To create an SSO authentication resource that authenticates existing users in SL1:

  1. Go to the Authentication Resource Manager page (System > Settings > Authentication > Resources).
  2. Click the Actions menu and then select Create SSO Resource. The SSO Auth Resource Editor page appears.
  3. Enter values in the following fields:

Basic Settings

  • Name. Name of the SSO authentication resource.
  • IdP Entity ID. Globally unique name used as a SAML identifier configured on the IdP, usually in the format of an absolute URL.
  • IdP Cert Fingerprint. The SHA1 certificate fingerprint, provided by the identity provider or service provider. Note that this field is not the serial number of the certificate.

    If you supply the IdP certificate when you configure the SSO Authentication Resource, the IdP certificate fingerprint is not required and will not be used for IdP response validation. Instead, the full certificate that you provide in the IdP Certificate field will be used.

  • IdP Certificate. To ensure that communication between the IdP and EM7 is signed, type the full, PEM-encoded certificate from the IdP.
  • User Name Suffix. Optional field. If you don't supply a value in this field, SL1 retrieves the SAML NameID attribute and uses that value as the ScienceLogic username.
  • You can supply the variable %u in this field, and the SL1 retrieves the SAML NameID attribute and uses that value as the ScienceLogic user name.
  • You can supply the value %attribute_name%, where attribute name is a SAML attribute other than NameID. SL1 will use the value of the attribute as the ScienceLogic user name.
  • Because a user can authenticate against multiple SSO servers, there is a risk of collision among user names. In this field, you can enter a string to append to the ScienceLogic user name to minimize risk of collision. For example:
    • You can enter a string, with no SAML attribute specified. When you don't specify a SAML attribute in this field, SL1 will retrieve the SAML NameID attribute and append the string you specify in this field.

    Suppose we entered @sciencelogic.local in this field.

    Suppose the next SSO user logs in to SL1 with the SAML NameID of bishopbrennan.

    SL1 will log in that user as bishopbrennan@sciencelogic.local.

    • You can enter one or more SAML attribute names, surrounded by percent signs (%), with text preceding it and/or text appended. SL1 will retrieve the value of the SAML attribute and use that value plus any preceding text or appended text as the ScienceLogic user name.

    Suppose we entered %sn%-external in this field.

    Suppose the next SSO user logs in to SL1 with their SAML sn (last name) attribute of krilly.

    SL1 will log in that user as krilly-external.

A best practice to avoid collisions is to use email addresses as user names.

  • IdP SSO URL. The URL to which SL1 will send login requests to the IdP. This field must contain an absolute URL.
  • IdP SLS URL. Optional field. If you want each user to be automatically logged out of the IdP when that user logs out of SL1, enter the URL to which SL1 will post the logout request to the IdP. If you leave this field blank, a user can log out of SL1 without automatically logging out of the IdP.
  • Sync directory values to EM7 on login. If an SSO administrator makes changes to an SSO account, SL1 will automatically retrieve those updates and apply them to the user's account in the Account Properties page the next time the user logs in to SL1. (For more information about user account properties, see the section on Creating and Editing User Accounts.)
  • Signing Options. Specifies whether digital signing is required for communication between the IdP and SL1. Choices are:
  • Disable. No digital signature is required.
  • IdP Response. Messages from the IdP to SL1 must be signed. SL1 will use the value in the IdP Certificate field to validate the signature.
  • SP Request and IdP Response. Messages from the IdP to SL1 must be signed. SL1 will use the value in the IdP Certificate field to validate the signature. Messages from SL1 to the IdP must also be signed.
  • Strict Mode. If you selected IdP Response or SP Request and IdP Response in the Signing Options field, this field is automatically set to Enable. This field enforces validation of the SAML response and its attributes. As a best practice, disable this field while initially configuring SL1 and the IdP, and enable it for production use.
  • Integrated Windows Auth. If you are using Active Directory Federation Services (ADFS) as your IdP, select Enable in this field.
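The User Name Suffix rules above, together with the authentication-only rule from the Required Tasks section (the resolved name must already exist as an Account Login Name; SL1 creates nothing), are easier to reason about as code. The following Python is an added example written for this page, not SL1's own implementation: the SAML assertion, the table of existing accounts, the function names and the handling of %u combined with surrounding text are all assumptions.

```python
import re
from typing import Dict, Optional

# Constructed sample SAML assertion (not a real IdP response): "NameID" stands
# in for the SAML <NameID> element, the remaining keys are SAML attributes.
SAMPLE_ASSERTION = {
    "NameID": "bishopbrennan",
    "uid": "bishopbrennan",
    "sn": "brennan",
    "mail": "bishop.brennan@example.test",
}

# Constructed table of accounts that already exist in SL1:
# Account Login Name -> Login State.
EXISTING_ACCOUNTS = {
    "bishopbrennan@sciencelogic.local": "Active",
    "krilly-external": "Active",
    "dougal-external": "Suspended",
}

# %attribute_name% tokens; the page requires SAML attribute names in lowercase.
ATTR_TOKEN = re.compile(r"%([A-Za-z0-9_]+)%")


def resolve_user_name(assertion: Dict[str, str], suffix: str) -> str:
    """Apply the User Name Suffix rules to one assertion.

    - empty field: the NameID is the user name
    - "%u": the NameID (combining %u with surrounding text is an assumption)
    - "%attr%" plus optional text: the value of SAML attribute attr, with the
      text kept, e.g. "%sn%-external" -> "krilly-external"
    - plain text: the NameID with the text appended
    """
    name_id = assertion["NameID"]
    if suffix == "":
        return name_id
    if ATTR_TOKEN.search(suffix) is None and "%u" not in suffix:
        return name_id + suffix

    def lookup(match: re.Match) -> str:
        attr = match.group(1)
        if attr != attr.lower():
            raise ValueError(f"SAML attribute name must be lowercase: {attr!r}")
        if attr not in assertion:
            raise KeyError(f"SAML attribute {attr!r} is not in the assertion")
        return assertion[attr]

    resolved = ATTR_TOKEN.sub(lookup, suffix)
    return resolved.replace("%u", name_id)


def authenticate_existing_user(assertion: Dict[str, str], suffix: str,
                               accounts: Dict[str, str]) -> Optional[str]:
    """Authentication-only mode ("Do not import new users").

    Returns the Account Login Name when it already exists and is Active.
    Returns None otherwise: the IdP vouched for the user, but SL1 creates no
    account, and a Suspended account stays locked out.
    """
    login_name = resolve_user_name(assertion, suffix)
    if accounts.get(login_name) != "Active":
        return None
    return login_name


if __name__ == "__main__":
    for suffix in ("", "%u", "@sciencelogic.local", "%sn%-external", "%mail%"):
        print(f"{suffix or '<empty>':22} -> {resolve_user_name(SAMPLE_ASSERTION, suffix)}")
    print(authenticate_existing_user(SAMPLE_ASSERTION, "@sciencelogic.local", EXISTING_ACCOUNTS))
    print(authenticate_existing_user(SAMPLE_ASSERTION, "", EXISTING_ACCOUNTS))
```

The second authenticate call returns None: with an empty suffix the resolved name is bishopbrennan, which is not an Account Login Name in the table, so the login is refused rather than provisioned. That mismatch (suffix configured differently from the login names you created) is the most common reason an SSO user who authenticates fine at the IdP still cannot enter SL1 in authentication-only mode.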

Attribute Mapping

These fields can be left blank or with their default values.

SL1 requires that the SAML attribute name that you specify in each field uses all lowercase characters.

User Policy Alignment

  • Type. Select Do not import new users or sync user profiles.

  4. Click the Save button to save your changes to the new authentication resource.
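The IdP Cert Fingerprint field trips people up because the fingerprint is the SHA1 digest of the certificate's DER bytes (not its serial number), IdPs publish it in varying case and with or without colons, and the page states that a supplied IdP Certificate takes precedence over the fingerprint. The Python below is an added example for this page, not SL1 code; the certificate bytes are constructed sample data rather than a real X.509 structure, which is enough because the digest is computed over the raw DER without parsing it, so a real PEM from IdP metadata drops in unchanged.

```python
import base64
import hashlib
import re

# Constructed stand-in for an IdP certificate: these bytes are NOT a real
# X.509 DER structure, just sample data so the example runs offline.
_SAMPLE_DER = b"constructed sample bytes standing in for an X.509 DER certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(_SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)
# The same certificate as IdP metadata usually carries it: bare base64, no markers.
SAMPLE_BASE64_ONLY = base64.b64encode(_SAMPLE_DER).decode()


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and whitespace, then decode; accepts bare base64 too."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    body = re.sub(r"\s+", "", body)
    if not body:
        raise ValueError("no certificate data found")
    return base64.b64decode(body, validate=True)


def idp_cert_fingerprint(pem: str) -> str:
    """SHA1 over the DER bytes, rendered as 20 colon-separated uppercase pairs."""
    digest = hashlib.sha1(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def normalize_fingerprint(fingerprint: str) -> str:
    """Drop colons, spaces and case so differently formatted fingerprints compare equal."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", fingerprint).upper()
    if len(cleaned) != 40:
        raise ValueError(f"a SHA1 fingerprint has 40 hex digits, got {len(cleaned)}")
    return cleaned


def fingerprint_matches(configured: str, pem: str) -> bool:
    """True when the value typed into IdP Cert Fingerprint belongs to this certificate."""
    return normalize_fingerprint(configured) == normalize_fingerprint(idp_cert_fingerprint(pem))


def validation_material(idp_certificate: str, idp_cert_fingerprint_field: str) -> str:
    """Which field SL1 validates IdP responses with, per the page: a supplied
    certificate wins; the fingerprint is only used when the certificate is empty."""
    if idp_certificate.strip():
        return "certificate"
    if idp_cert_fingerprint_field.strip():
        return "fingerprint"
    raise ValueError("configure either the IdP Certificate or the IdP Cert Fingerprint")


if __name__ == "__main__":
    fp = idp_cert_fingerprint(SAMPLE_PEM)
    print("fingerprint:", fp)
    print("metadata form matches:", idp_cert_fingerprint(SAMPLE_BASE64_ONLY) == fp)
    print("validated with:", validation_material(SAMPLE_PEM, fp))
```

Running it against the PEM exported from your IdP gives the exact string to paste into IdP Cert Fingerprint, and a False from fingerprint_matches during a rollover tells you the IdP rotated its signing certificate before the SL1 resource was updated.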

Creating an Authentication Profile

An Authentication Profile is a policy for user authentication. Authentication Profiles align user accounts with one or more Authentication Resources.

  • Alignment by pattern matching. SL1 uses the URL or IP address that a user enters in a browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL or IP address matches the criteria specified in an authentication profile, SL1 will automatically use the matching profile to perform user authentication.
  • Credential Source. Specifies from where SL1 should extract the username and password or certificate to be authenticated. These credentials are passed to SL1 via HTTP. SL1 then passes the credentials to each Authentication Resource specified in the Authentication Profile. The Authentication Resources authenticate the credentials with user stores.
  • Authentication Resource. Specifies the connector to use to communicate with the user store and the URLs to examine during authentication. Also maps attributes from the user's account in the user store to fields in the SL1 user account.

The Authentication Profiles page allows you to create a new authentication profile. To do so:

  1. Go to the Authentication Profiles page (System > Settings > Authentication > Profiles).
  2. In the Authentication Profiles page, click the Create button.
  3. The Authentication Profile Editor modal page appears. In this page, you can define the new authentication profile.
  • Name. Name of the Authentication Profile.
  • Priority Order. If SL1 includes multiple Authentication Profiles, SL1 evaluates the Authentication Profiles in priority order, ascending. SL1 will apply the first Authentication Profile that matches the Hostname or IP in the current URL AND has the lowest value in the Priority Order field.
  • Pattern Type. Specifies how SL1 will evaluate the value in the AP Hostname Pattern field. Choices are:
  • Wildcard. SL1 will perform a text match, with wildcard characters (asterisks).
  • Regex. SL1 will use regular expressions to compare the AP Hostname Pattern to the current session information.
  • AP Hostname Pattern. This field is used to match the URL or IP address that a user enters in a browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL or IP address matches the value in this field, SL1 applies the Authentication Profile to the user for the current session.
  • For example, if you specify "*" (asterisk), any IP address or URL will match. SL1 will then apply this Authentication Profile to every session on an Administration Portal, Database Server, or All-In-One Appliance.
  • If you enter "192.168.38.235", SL1 will apply the Authentication Profile to each session on an Administration Portal, Database Server, or All-In-One Appliance where the user enters "192.168.38.235" into the browser.
  • If you enter “*.sciencelogic.local”, SL1 will apply the Authentication Profile to each session on an Administration Portal, Database Server, or All-In-One Appliance where the user enters a URL ending with ".sciencelogic.local" into the browser.

    Do not include underscores ( _ ) in the AP Hostname Pattern field. URLs with underscores are not considered valid in SL1 authentication profiles.

  • Available Credential Sources. This field tells SL1 how to retrieve the user's credentials from the HTTP request to SL1. To align a credential source with the Authentication Profile, highlight the credential source and click the right-arrow button. You can select zero, one, or multiple credential sources for the Authentication Profile. Initially, this pane displays a list of all the credential sources:
  • CAC/Client Cert. SL1 will retrieve a certificate from the HTTP request.
  • EM7 Login Page. SL1 will retrieve a username and password from the SL1 login page fields.
  • HTTP Auth. SL1 will retrieve a username and password from the HTTP request.
  • Aligned Credentials Sources. This field displays the list of credential sources that have been aligned with the Authentication Profile. The Authentication Profile will examine each credential source in the order in which it appears in this list. When the Authentication Profile finds the user's credential, the Authentication Profile stops examining any remaining credential sources in the list.
  • Available Authentication Resources. This field tells SL1 which Authentication Resources to use to authenticate the retrieved credentials. To align an Authentication Resource with the Authentication Profile, highlight the Authentication Resource and click the right-arrow button. You must select at least one Authentication Resource and can select more than one.
  • Aligned Authentication Resources. This field displays the list of Authentication Resources that have been aligned with the Authentication Profile. The Authentication Profile will examine each Authentication Resource in the order in which it appears in this list. When an Authentication Resource successfully authenticates the user, the Authentication Profile stops executing any remaining Authentication Resources in the list.
  • Available Multi-factor Resources. This field tells EM7 which Multi-factor Resources to use to perform multi-factor authentication. To align a Multi-factor Resource with the Authentication Profile, highlight the Multi-factor Resource and select the right-arrow button. For details on creating a Multi-factor Resource, see the guide for the Multi-factor Resource Editor.
  • Aligned Multi-factor Resources. This field displays the list of Multi-factor Resources that have been aligned with the Authentication Profile. The Authentication Profile will examine each Multi-factor Resource in the order in which it appears in this list. When a Multi-factor Resource successfully authenticates the user, the Authentication Profile stops executing any remaining Multi-factor Resources in the list.

NOTE: Best practice for SSO includes multi-factor authentication when connecting to the Identity Provider, not when logging in to SL1. For details on configuring multi-factor authentication, see the section on using multi-factor authentication.

  4. Click the Save button to save your changes to the new authentication profile.
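The alignment rules in this procedure (ascending Priority Order, Wildcard versus Regex pattern types, the asterisk as the only wildcard, and the ban on underscores) decide which Authentication Resources a session is sent to, so it is worth checking a proposed set of profiles before saving them. The Python below is an added example written for this page, not SL1's matching code; the profile set, resource names and the assumption that SL1's regex comparison is unanchored are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AuthProfile:
    """The subset of Authentication Profile fields that drive alignment."""
    name: str
    priority_order: int                  # lower value is evaluated first
    pattern_type: str                    # "Wildcard" or "Regex"
    ap_hostname_pattern: str
    aligned_resources: Tuple[str, ...]   # Authentication Resources, in order


# Constructed profiles; the resource names are placeholders, not real SL1 resources.
SAMPLE_PROFILES = (
    AuthProfile("Catch-all (local accounts)", 100, "Wildcard", "*", ("LocalSL1Auth",)),
    AuthProfile("Corporate SSO", 10, "Wildcard", "*.sciencelogic.local", ("CorpSamlResource",)),
    AuthProfile("Break-glass by IP", 5, "Wildcard", "192.168.38.235", ("LocalSL1Auth",)),
    AuthProfile("Lab regex", 20, "Regex", r"^lab[0-9]+\.example\.test$", ("LabSamlResource",)),
)


def validate_profile(profile: AuthProfile) -> None:
    """Reject what the page says SL1 will not accept: underscores, unknown types, bad regexes."""
    if "_" in profile.ap_hostname_pattern:
        raise ValueError(f"{profile.name}: underscores are not valid in an AP Hostname Pattern")
    if profile.pattern_type == "Regex":
        re.compile(profile.ap_hostname_pattern)   # raises re.error on a malformed pattern
    elif profile.pattern_type != "Wildcard":
        raise ValueError(f"{profile.name}: unknown Pattern Type {profile.pattern_type!r}")


def wildcard_to_regex(pattern: str) -> str:
    """Only '*' is special in Wildcard mode; '.' and everything else stay literal."""
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


def hostname_matches(profile: AuthProfile, host: str) -> bool:
    if profile.pattern_type == "Wildcard":
        return re.match(wildcard_to_regex(profile.ap_hostname_pattern), host, re.IGNORECASE) is not None
    # Assumption: the Regex comparison is unanchored, so anchor inside the pattern when needed.
    return re.search(profile.ap_hostname_pattern, host, re.IGNORECASE) is not None


def host_from_url(url: str) -> str:
    """The hostname or IP the user typed, as SL1 sees it in the incoming request."""
    return (urlsplit(url).hostname or "").lower()


def select_profile(profiles: Sequence[AuthProfile], url: str) -> Optional[AuthProfile]:
    """First profile, in ascending Priority Order, whose pattern matches the host."""
    host = host_from_url(url)
    for profile in sorted(profiles, key=lambda p: p.priority_order):
        validate_profile(profile)
        if hostname_matches(profile, host):
            return profile
    return None


if __name__ == "__main__":
    for url in ("https://sl1.sciencelogic.local/em7/", "https://192.168.38.235/",
                "https://lab42.example.test/", "https://10.0.0.7/"):
        chosen = select_profile(SAMPLE_PROFILES, url)
        label = f"{chosen.name}: {chosen.aligned_resources}" if chosen else "no profile"
        print(f"{url:40} -> {label}")
```

Two points the run makes visible: the catch-all "*" profile only wins because its Priority Order value is the largest, and a Wildcard pattern such as *.sciencelogic.local does not match sl1.sciencelogicxlocal because the dot is literal in Wildcard mode, which is the difference from a Regex pattern where an unescaped dot matches any character.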

Viewing Metadata

To view the metadata for OneLogin SAML (the EM7 implementation of SSO), enter the following URL in a browser:

https://hostname_or_ip_of_EM7_appliance/samlsp.em7?action=metadata

Using Your Own SSL Certificate

By default, SL1 uses a self-signed certificate generated by SL1 during installation from ISO. SL1 uses the default SSL certificate from nginx as the certificate for communication with the Identity Provider.

If you want to use your own certificate for communication between SL1 and the Identity Provider, perform the following:

  1. Go to the console of the Administration Portal or start an SSH session to the Administration Portal.
  2. Either generate a self-signed SSL certificate of type .pem and an SSL key or acquire these files from a certificate authority. Save the certificate files with names that will not conflict with the default files silossl.pem and silossl.key.
  3. Copy the certificate files to the /etc/nginx directory.
  4. Using vi or another text editor, edit the file /etc/nginx/conf.d/em7ngx_web_ui.conf.
  5. Edit the following lines:

    ssl_certificate /etc/nginx/silossl.pem;
    ssl_certificate_key /etc/nginx/silossl.key;

  • Replace silossl.pem with the .pem file for your new certificate.
  • Replace silossl.key with the .key file for your new certificate.
  6. Save and quit the file.