Authentication with Azure AD using SAML

Log in with Azure AD using SAML

The following example works with Azure AD.

These settings enable plain sign-in using SAML; membership of repositories is still managed within Humio by default (see Using SAML groups below if you want AAD to drive group membership).

# You'll get this from the SAML screen in AAD
SAML_IDP_SIGN_ON_URL=https://login.microsoftonline.com/<YOUR_AAD_GUID>/saml2

# You'll get this from the SAML screen in AAD
SAML_IDP_ENTITY_ID=https://sts.windows.net/<YOUR_AAD_GUID>/

# The signing certificate of your Enterprise App in AAD, downloaded in PEM format
# (see the steps below). Humio uses it to verify the signature on assertions from
# AAD, so it must be the IdP's certificate, not your own TLS certificate.
SAML_IDP_CERTIFICATE=/certs/humio-AAD-SSO.pem

Using SAML groups

See Authorization for details on mapping groups.

You need to add this claim in your AAD Enterprise App and map it to user.assignedroles (see step 5 below). The attribute name configured here must match the claim name exactly as it appears in the SAML assertion, or Humio will not find any groups.

SAML_GROUP_MEMBERSHIP_ATTRIBUTE=http://schemas.microsoft.com/ws/2008/06/identity/claims/group

AUTO_UPDATE_GROUP_MEMBERSHIPS_ON_SUCCESSFUL_LOGIN=true

Creating the app in Azure Active Directory

  1. Sign in to the Azure portal and open Enterprise Applications.
  2. Create a new app.
  3. Under Single Sign-on, select SAML.
  4. Edit the basic SAML configuration:
    • Identifier (Entity ID): <YOUR_SITE_URL>/api/v1/saml/metadata
    • Reply URL (Assertion Consumer Service URL): <YOUR_SITE_URL>/api/v1/saml/acs
    • Leave Sign-on URL and Relay State blank.
  5. Edit User Attributes and Claims and add a new claim:
    • Name = group
    • Source attribute = user.assignedroles
    • Leave Namespace blank
  6. Edit the SAML signing certificate and choose Import certificate.
  7. Upload your PFX certificate. AAD only accepts a password-protected PFX, so you will be asked for its password.
  8. Click the three dots next to your new certificate and set it to active.
  9. Click the three dots again and download the certificate in PEM format. You can delete the old certificate here if you want.
  10. Copy the PEM certificate to your Humio server and place it where you keep the rest of your certificates.
  11. Set up Humio by copying values into humio.conf:
    • SAML_IDP_CERTIFICATE: the path to the PEM certificate
    • SAML_IDP_SIGN_ON_URL: the value from the Login URL box
    • SAML_IDP_ENTITY_ID: the value from the Azure AD Identifier box

Optionally create appRoles in manifest

  1. In AAD, go to App Registrations and open the app you just created.
  2. Edit the manifest.
  3. Under "appRoles": [ ... ], add the following entries at the bottom of the array, just above the closing ]. If the array already contains roles, separate the last existing entry from these with a comma.

      {
        "allowedMemberTypes": [
          "User"
        ],
        "displayName": "HumioAdministrator",
        "id": "30f71b1a-74db-4a0f-bae6-dcdd4bc8a57d",
        "isEnabled": true,
        "description": "Administrators can access all Repos",
        "value": "HumioAdministrator"
      },
      {
        "allowedMemberTypes": [
          "User"
        ],
        "displayName": "HumioUser",
        "id": "4722356f-1b76-4a8c-8c1e-91282e21affe",
        "isEnabled": true,
        "description": "Users can access all Repos",
        "value": "HumioUser"
      }

  4. Check that the manifest is still valid JSON (each role's "id" must be a unique GUID, and "value" is the string that will be sent in the claim), then Save.

Each appRole you create should have a corresponding group in Humio with the same name. E.g. if you have an appRole named ‘HumioAdministrator’ you should have a group in Humio named ‘HumioAdministrator’. On login, Humio makes the user a member of the Humio groups named by the appRole values carried in the group claim; role values that do not match an existing Humio group have no effect.
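The following is an added, illustrative example (not Humio's code) of what a service provider has to check in an Azure AD SAML Response before acting on the group claim, using the configuration values from this page: the Issuer must equal SAML_IDP_ENTITY_ID, the Audience must be your Identifier/Entity ID (<YOUR_SITE_URL>/api/v1/saml/metadata), the Recipient must be your Reply URL (<YOUR_SITE_URL>/api/v1/saml/acs), and only role values that name an existing Humio group are synchronised. The site URL, tenant GUID, user, group names and the sample response are all constructed. The example deliberately does not verify the XML signature; a real deployment must do that with the certificate in SAML_IDP_CERTIFICATE before trusting anything in the response.

```python
"""Illustrative checks on an Azure AD SAML Response against the humio.conf
settings on this page. Added example, not Humio's code. Signature verification
is deliberately omitted: a real service provider must verify the XML signature
with the IdP certificate from SAML_IDP_CERTIFICATE before trusting anything here.
"""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed values standing in for the placeholders used on this page.
SITE_URL = "https://humio.example.com"                 # hypothetical <YOUR_SITE_URL>
AAD_GUID = "11111111-2222-3333-4444-555555555555"      # hypothetical <YOUR_AAD_GUID>
CONFIG = {
    "SAML_IDP_SIGN_ON_URL": f"https://login.microsoftonline.com/{AAD_GUID}/saml2",
    "SAML_IDP_ENTITY_ID": f"https://sts.windows.net/{AAD_GUID}/",
    "SAML_GROUP_MEMBERSHIP_ATTRIBUTE":
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/group",
}
SP_ENTITY_ID = f"{SITE_URL}/api/v1/saml/metadata"   # Identifier / Entity ID
SP_ACS_URL = f"{SITE_URL}/api/v1/saml/acs"          # Reply URL
HUMIO_GROUPS = {"HumioAdministrator", "HumioUser"}  # constructed: groups that exist in Humio


def build_response(issuer=CONFIG["SAML_IDP_ENTITY_ID"], audience=SP_ENTITY_ID,
                   recipient=SP_ACS_URL, groups=("HumioUser", "Finance")):
    """Constructed, unsigned sample response in the shape Azure AD sends."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="{recipient}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CONFIG['SAML_GROUP_MEMBERSHIP_ATTRIBUTE']}">{values}</saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text):
    """Pull out the fields a service provider must check before trusting the login."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion; encrypted assertions are out of scope here")
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        # Both the Response and the Assertion carry an Issuer; all must equal the IdP entity ID.
        "issuers": {e.text for e in root.findall("saml:Issuer", NS) + assertion.findall("saml:Issuer", NS)},
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "recipient": conf.get("Recipient") if conf is not None else None,
        "audiences": [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "attributes": attrs,
    }


def validate(parsed, config, sp_entity_id, sp_acs_url):
    """Return a list of problems; an empty list means the response was issued for this Humio site."""
    problems = []
    if parsed["status"] != SUCCESS:
        problems.append(f"Status {parsed['status']} is not Success")
    if parsed["issuers"] != {config["SAML_IDP_ENTITY_ID"]}:
        problems.append(f"Issuer {sorted(parsed['issuers'])} != SAML_IDP_ENTITY_ID")
    if sp_entity_id not in parsed["audiences"]:
        problems.append(f"Audience {parsed['audiences']} does not include {sp_entity_id}")
    if parsed["recipient"] != sp_acs_url:
        problems.append(f"Recipient {parsed['recipient']} != {sp_acs_url}")
    return problems


def groups_to_sync(parsed, config, humio_groups):
    """Role values from the group claim that name an existing Humio group; anything else is ignored."""
    claimed = set(parsed["attributes"].get(config["SAML_GROUP_MEMBERSHIP_ATTRIBUTE"], []))
    return claimed & set(humio_groups)


if __name__ == "__main__":
    parsed = parse_response(build_response())
    print("problems:", validate(parsed, CONFIG, SP_ENTITY_ID, SP_ACS_URL))
    print(parsed["name_id"], "->", groups_to_sync(parsed, CONFIG, HUMIO_GROUPS))
```

With the constructed sample, validation passes and the user is synchronised into HumioUser only; the claimed "Finance" role is dropped because no Humio group of that name exists. Swapping in an Audience for another site, or an Issuer for another tenant, is reported as a problem, which is the check that stops an assertion issued for a different service provider or by a different tenant from logging a user into Humio.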

Optionally assign users

Open your app under Enterprise Applications

  • Select Users and Groups
  • Assign users (or groups) to your application
  • If using appRoles, assign the user (or group) to one of the roles you just created

Rebuild your instance

If using Docker, recreate the Humio container at this point so that the new configuration and the certificate file are picked up.

Test

Give it a test drive! Users should be created automatically on first login and placed in the Humio groups corresponding to the roles assigned to them in AAD.

Contributors

Thanks to Paul for contributing to this page.