Authentication using Azure AD using SAML

Login with Azure AD using SAML and prefixes based on roles

The following example works with Azure AD.

This set of settings allows plain login using SAML without managing repository membership from SAML; membership stays managed within Humio, as is the default.

# You'll get this from the SAML screen in AAD
SAML_IDP_SIGN_ON_URL=https://login.microsoftonline.com/<YOUR_AAD_GUID>/saml2

# You'll get this from the SAML screen in AAD
SAML_IDP_ENTITY_ID=https://sts.windows.net/<YOUR_AAD_GUID>/

# Once you upload your cert to your Enterprise App in AAD, you'll download this response file
SAML_IDP_CERTIFICATE=/certs/humio-AAD-SSO.pem

Mapping SAML roles to prefix queries (If using role-based authorization)

To also apply prefixes and repo memberships based on roles in AAD, these additional settings are required. See role-based authorization for details on how mapping roles to prefixes works and the format of the configuration files.

# You'll need to create this attribute in your AAD Enterprise App and map it to user.assignedroles
SAML_GROUP_MEMBERSHIP_ATTRIBUTE=http://schemas.microsoft.com/ws/2008/06/identity/claims/role

AUTO_UPDATE_GROUP_MEMBERSHIPS_ON_SUCCESSFUL_LOGIN=true
PREFIX_AUTHORIZATION_ENABLED=true
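The setting SAML_GROUP_MEMBERSHIP_ATTRIBUTE names the SAML attribute whose values Humio treats as the user's groups; with the claim configured as described below, that attribute carries the AAD app-role values. The following is an added example (not Humio code and not part of this page's original content) that parses a constructed SAML response, checks that the issuer matches SAML_IDP_ENTITY_ID and that the assertion is addressed to the Humio entity ID, and pulls out the role values under that attribute name. The tenant GUID, hostname and user are placeholders; signature and validity-window verification are deliberately left out, since Humio performs those using SAML_IDP_CERTIFICATE.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values that would come from humio.conf; placeholders, not a real tenant.
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
SP_ENTITY_ID = "https://humio.example.com/api/v1/saml/metadata"
ROLE_ATTRIBUTE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample response (not captured from AAD); the Signature element
# is omitted on purpose, as this example does not verify it.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="https://humio.example.com/api/v1/saml/acs">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_ATTRIBUTE}">
        <saml:AttributeValue>HumioUser</saml:AttributeValue>
        <saml:AttributeValue>HumioAdministrator</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def extract_roles(response_xml, idp_entity_id, sp_entity_id, role_attribute):
    """Return (subject, roles) after checking issuer and audience.

    Signature and NotBefore/NotOnOrAfter checks are intentionally not done
    here; the SP does them with the IdP certificate (SAML_IDP_CERTIFICATE).
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")

    # The assertion issuer must be the tenant configured as SAML_IDP_ENTITY_ID.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp_entity_id:
        raise ValueError(f"issuer {issuer!r} does not match SAML_IDP_ENTITY_ID")

    # The assertion must be addressed to this SP (the Humio metadata URL).
    audiences = [
        a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    if sp_entity_id not in audiences:
        raise ValueError("assertion is not addressed to this SP entity ID")

    subject = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)

    # Collect every value of the attribute named by SAML_GROUP_MEMBERSHIP_ATTRIBUTE.
    roles = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == role_attribute:
            roles.extend(v.text for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return subject, roles


def rejection_reason(response_xml, idp_entity_id, sp_entity_id, role_attribute):
    """Return the error message if the assertion is rejected, else None."""
    try:
        extract_roles(response_xml, idp_entity_id, sp_entity_id, role_attribute)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    subject, roles = extract_roles(SAMPLE_RESPONSE, IDP_ENTITY_ID, SP_ENTITY_ID, ROLE_ATTRIBUTE)
    print(subject, roles)
```

A user whose assertion carries no attribute with the configured Name ends up with an empty role list, which is the usual reason a login succeeds but no repositories are visible: check that the claim name in AAD matches SAML_GROUP_MEMBERSHIP_ATTRIBUTE character for character.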

Creating the app in Azure Active Directory

  1. Log in to https://portal.azure.com
  2. Open Enterprise Applications
  3. Create a new app
  4. Single Sign-on > select SAML
  5. Edit Basic SAML Configuration
  6. Your Identifier / Entity ID will be <YOUR_SITE_URL>/api/v1/saml/metadata
  7. Your Reply URL will be <YOUR_SITE_URL>/api/v1/saml/acs
  8. Leave Sign-on URL and Relay State blank
  9. Edit User Attributes and Claims
  10. Add a new claim
  11. Name = role
  12. Source attribute = user.assignedroles
  13. Leave Namespace blank
  14. Edit SAML signing certificate
  15. Import certificate
  16. Upload your PFX certificate > it needs to be protected with a password to be added
  17. Click the three dots next to your new cert and set it to active
  18. Click the three dots next to your new cert and download a PEM cert
  19. You can delete the old cert here if you want
  20. Download the PEM cert to your Humio server and place it where you keep the rest of your certs
  21. Edit your humio.conf file to include the path to this cert in SAML_IDP_CERTIFICATE
  22. Set up Humio by copying values to humio.conf
  23. Copy the value from the Login URL box to SAML_IDP_SIGN_ON_URL
  24. Copy the value from the Azure AD Identifier to SAML_IDP_ENTITY_ID

Create Roles (If using role-based authorization)

  1. In AAD, go to App Registrations
  2. Open the app you just created
  3. Edit the manifest
  4. Under "appRoles": [ add the following, at the bottom, just above the closing ]

    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "HumioAdministrator",
      "id": "30f71b1a-74db-4a0f-bae6-dcdd4bc8a57d",
      "isEnabled": true,
      "description": "Administrators can access all Repos",
      "value": "HumioAdministrator"
    },
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "HumioUser",
      "id": "4722356f-1b76-4a8c-8c1e-91282e21affe",
      "isEnabled": true,
      "description": "Users can access all Repos",
      "value": "HumioUser"
    }

Ensure your indentation is correct and the JSON stays valid (a comma between entries, none after the last one), then save.
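The manifest editor rejects the whole save when the JSON is malformed, and AAD also requires each role to have a unique GUID id and a unique value. As an added example (not part of this page or of Humio), the following script checks an "appRoles" fragment before you paste it: it catches a stray trailing comma, a non-UUID or duplicated id, a duplicated or space-containing value, and unknown member types. The embedded manifest fragment is constructed around the two roles from this page; the checks on value format reflect AAD's documented rules for appRole values.

```python
import json
import uuid

# Constructed manifest fragment: the two roles from this page inside a minimal
# "appRoles" array (a real manifest has many more keys around it).
GOOD_MANIFEST = """{
  "appRoles": [
    {
      "allowedMemberTypes": ["User"],
      "displayName": "HumioAdministrator",
      "id": "30f71b1a-74db-4a0f-bae6-dcdd4bc8a57d",
      "isEnabled": true,
      "description": "Administrators can access all Repos",
      "value": "HumioAdministrator"
    },
    {
      "allowedMemberTypes": ["User"],
      "displayName": "HumioUser",
      "id": "4722356f-1b76-4a8c-8c1e-91282e21affe",
      "isEnabled": true,
      "description": "Users can access all Repos",
      "value": "HumioUser"
    }
  ]
}
"""

# Same content with a comma after the last entry, which is not valid JSON.
TRAILING_COMMA_MANIFEST = GOOD_MANIFEST.replace(
    '"value": "HumioUser"\n    }\n  ]', '"value": "HumioUser"\n    },\n  ]')

REQUIRED_KEYS = {"allowedMemberTypes", "displayName", "id", "isEnabled", "description", "value"}
ALLOWED_MEMBER_TYPES = {"User", "Application"}


def validate_app_roles(manifest_text):
    """Return a list of problems found in the appRoles array; empty means OK."""
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        return [f"manifest is not valid JSON: {exc}"]

    roles = manifest.get("appRoles")
    if not isinstance(roles, list):
        return ['manifest has no "appRoles" array']

    problems = []
    seen_ids, seen_values = set(), set()
    for idx, role in enumerate(roles):
        where = f"appRoles[{idx}]"
        missing = REQUIRED_KEYS - set(role)
        if missing:
            problems.append(f"{where}: missing keys {sorted(missing)}")
            continue
        # id must be a GUID, unique within the app.
        try:
            role_id = str(uuid.UUID(role["id"]))
        except ValueError:
            problems.append(f"{where}: id {role['id']!r} is not a UUID")
            continue
        if role_id in seen_ids:
            problems.append(f"{where}: duplicate id {role_id}")
        seen_ids.add(role_id)
        # value is what appears in the role claim; it must be unique and free of spaces.
        value = role["value"]
        if value in seen_values:
            problems.append(f"{where}: duplicate value {value!r}")
        seen_values.add(value)
        if not value or any(ch.isspace() for ch in value):
            problems.append(f"{where}: value must be non-empty and contain no whitespace")
        if not isinstance(role["isEnabled"], bool):
            problems.append(f"{where}: isEnabled must be true or false")
        bad_types = set(role["allowedMemberTypes"]) - ALLOWED_MEMBER_TYPES
        if bad_types:
            problems.append(f"{where}: unknown allowedMemberTypes {sorted(bad_types)}")
    return problems


if __name__ == "__main__":
    for name, text in [("good", GOOD_MANIFEST), ("trailing comma", TRAILING_COMMA_MANIFEST)]:
        print(name, validate_app_roles(text) or "OK")
```

Run it against the manifest text you are about to paste; an empty result means the fragment is well-formed, and each reported problem names the offending array index.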

Assign Users

  1. Open your app under Enterprise Applications
  2. Select Users and Groups
  3. Assign users (or groups) to your app
  4. If using roles, assign the user (or group) to one of the roles you just created

Create authorizations for your roles (If using role-based authorization)

Save the sample 'view-role-prefix-auth.json' file from the top of this page to your Humio data directory (usually /data/humio-data).

Rebuild your instance

If using Docker, make sure to recreate the Humio instance at this point so that the new configuration files are included.

Test

Give it a test drive! Users should be automatically created and assigned the roles specified in AAD.

Contributors

Thanks to Paul for contributing to this page.