Identity Providers

One of the preferred methods for handling authentication is the Security Assertion Markup Language (SAML) 2.0 protocol. To use it with Humio, you’ll first have to set up an authentication provider. However, user authentication for an organization is only available for enterprise customers. To upgrade, contact the Humio Sales Dept.

Assuming your organization is already an enterprise customer of Humio, you may use one of the following identity providers:

For more information on any of these providers or all of them, see the Authenticating with SAML documentation page.

Identity Provider Configuration

Figure 1, Account Menu

You have to be an Organization Owner to set up authentication. If you’re not, ask whoever is to promote you. As a prerequisite, you’ll need an authentication provider already set up — these are listed above, with links for information on them.

Once you’re ready, from any screen of the Humio User Interface, click on the menu below your avatar in the top right corner to open the Account Menu (see Figure 1 here). Select Organization Settings — it’s highlighted in the screenshot. Then click on the tab on the left labeled Identity Providers. When you do so, you’ll see a screen similar to the one shown in Figure 2 below. At this point you’re ready to choose and configure a specific identity provider. Below is an explanation for using SAML, but the steps in Humio Cloud are fairly similar regardless of which provider you use.

SAML Cloud Configuration

Figure 2, Adding an Identity Provider

To configure your organization to use SAML 2.0 for authentication, from the Identity Providers tab, click on the Add IDP Configuration pull-down menu and select SAML 2.0. You can see how this will look in the screenshot in Figure 2 here. If you still only have a free or trial account, you won’t be able to add an identity provider or see this pull-down menu.

Figure 3, Adding an Identity Provider

Once you choose SAML as your identity provider, the screen will change. It’ll look like the one in Figure 3 here. You’ll need to add a domain. This will be the one that your users will be able to use to log into Humio. Click the purple button labeled Add a Domain to do this. A small dialog box will appear for you to enter the domain. Enter only the domain name, without any leading or trailing text or slashes. For example, you’d enter example.com and not https://example.com/login. You’ll enter more details in a bit. When you’re finished, hit Confirm to save it.

Figure 4, Identity Provider Details

Now you’ll need to provide details related to the identity provider and your domain. You should see a form similar to the one in the screenshot shown in Figure 4 here. Fill in the form with the required values. If you want Humio to synchronize groups from the single sign-on provider, enable Let identity provider handle group membership in Humio, and give it a value that matches the value in the single sign-on provider. When you’re finished, click Save.

If the configuration was saved successfully, the Integration URL will be displayed at the top of the page. You will need this to set the Default Relay State in the identity provider. Read the section Setting Relay State in the relevant documentation page — see the links in the bullet list at the top of this document.

OIDC Cloud Configuration

Figure 5, Adding an OIDC Identity Provider

To configure your organization to use OpenID for authentication, from the Identity Providers tab, click on the Add IDP Configuration pull-down menu and select OIDC. You can see how this will look in the screenshot in Figure 5 here. If you still only have a free or trial account, you won’t be able to add an identity provider or see this pull-down menu.

Figure 6, Adding an OIDC Identity Provider

Once you choose OIDC as your identity provider, the screen will change. It’ll look like the one in Figure 6 here. You’ll need to add a domain. This will be the one that your users will be able to use to log into Humio. Click the blue button labeled Add domain to do this. A small dialog box will appear for you to enter the domain. Enter only the domain name, without any leading or trailing text or slashes. For example, you’d enter example.com and not https://example.com/login. You’ll enter more details in a bit. When you’re finished, hit Confirm to save it.

Now you’ll need to provide details related to the identity provider and your domain. You should see a form similar to the one in the screenshot shown in Figure 7 here. Fill in the form with the required values. This information can be found with your identity provider. The information needed for configuration of an OIDC provider is the following:

Figure 7, Identity Provider Details
  • Name — Name of the OpenID provider.
  • Client ID — Client ID of your OpenID application.
  • Client Secret — Client secret of your OpenID application.
  • OIDC Well Known Endpoint — Returns the OpenID Connect configuration values from the provider’s Well-Known Configuration Endpoint.
  • Issuer — URL to the OpenID provider. The provider URL must match the issuer reported by the OpenID provider exactly.
  • User Claim — The name of the claim to interpret as username in Humio. The value in the claim must be a string. Defaults to humio-user. Can be set to email if using emails as usernames.
  • Authorization Endpoint — A URL to the endpoint a user should be redirected to when authorizing.
  • Token Endpoint Authorization Method — The authentication method used to authenticate Humio against the token endpoint. Can either be client_secret_basic or client_secret_post for placing the client id and secret in either basic auth or post data, respectively. Defaults to client_secret_basic, or client_secret_post if client_secret_basic is not supported as per the discovery endpoint.
  • Scopes — List of scopes to add in addition to the default requested scopes (openid, email, and profile).
  • User Info Endpoint — A URL to the user info endpoint used to retrieve user information from an access token.
  • Registration Endpoint — Protected Resource through which you can be registered at an Authorization Server.
  • Token Endpoint — A URL to the token endpoint used to exchange an authentication code for an access token.
  • JWKs Endpoint — A URL to the JWKS endpoint for retrieving keys for validating tokens.

If you use Humio to synchronize groups from the single sign-on provider, enable Let identity provider handle group membership in Humio, and give it a value that matches the value in the single sign-on provider. When you’re finished, click Save.
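The field list above can be checked against the provider's well-known document before saving. The following is an added example, not Humio's code: the discovery document is constructed, and the form-field keys (`user_info_endpoint`, `jwks_endpoint`, `token_auth_method`, and so on) are hypothetical names for the form values. It applies the exact issuer match and the token endpoint authorization method default described above.

```python
import json

# Constructed discovery document in the shape of an OpenID Connect
# /.well-known/openid-configuration response (not from a real provider).
DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com/realms/acme",
  "authorization_endpoint": "https://idp.example.com/realms/acme/auth",
  "token_endpoint": "https://idp.example.com/realms/acme/token",
  "userinfo_endpoint": "https://idp.example.com/realms/acme/userinfo",
  "jwks_uri": "https://idp.example.com/realms/acme/certs",
  "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt"],
  "scopes_supported": ["openid", "email", "profile", "groups"]
}""")

DEFAULT_SCOPES = ["openid", "email", "profile"]  # defaults listed on the page
# Hypothetical form-field key -> discovery key that holds the same URL.
ENDPOINTS = {"authorization_endpoint": "authorization_endpoint",
             "token_endpoint": "token_endpoint",
             "user_info_endpoint": "userinfo_endpoint",
             "jwks_endpoint": "jwks_uri"}


def pick_token_auth_method(discovery):
    """client_secret_basic, or client_secret_post if basic is not advertised."""
    # Per OIDC Discovery, an absent list means client_secret_basic.
    supported = discovery.get("token_endpoint_auth_methods_supported",
                              ["client_secret_basic"])
    for method in ("client_secret_basic", "client_secret_post"):
        if method in supported:
            return method
    return None  # provider advertises neither method the form offers


def check_form(form, discovery):
    """Return the names of form fields that disagree with discovery."""
    problems = []
    # Exact string comparison: no trailing-slash or case normalisation.
    if form["issuer"] != discovery["issuer"]:
        problems.append("issuer")
    for field, key in ENDPOINTS.items():
        if form[field] != discovery.get(key) or not form[field].startswith("https://"):
            problems.append(field)
    advertised = discovery.get("scopes_supported")
    requested = DEFAULT_SCOPES + form["scopes"]
    if advertised is not None and not set(requested) <= set(advertised):
        problems.append("scopes")
    if form["token_auth_method"] != pick_token_auth_method(discovery):
        problems.append("token_auth_method")
    return problems
```

An empty list from `check_form` means the entered values agree with what the provider publishes; a trailing slash added to the issuer is enough to be reported.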