SAML Authentication with Duo Security

Duo security provides a great way of authenticating your users for your self-hosted Humio installation.

Prerequisites

Before configuring SAML authentication, a few things needs to be in place:

  • Duo Access Gateway (DAG) installed and configured with at least one Authentication Source.
  • Familiarize yourself with Humio’s configuration.
  • Make sure you have one root account added, typically by adding your email address in the administration section of Humio’s Web UI.

Steps:

  1. Open your DAG and take note of the following parameters from the Applications page

    • SSO URL
    • Entity ID

    Save the certificate to a known location on your Humio host.

  2. Change the following configuration properties in Humio

    • AUTHENTICATION_METHOD=saml
    • PUBLIC_URL (See explanation in configuration properties))
    • SAML_IDP_SIGN_ON_URL to the value of “SSO URL” from the DAG
    • SAML_IDP_ENTITY_ID to the value of “Entity ID” from the DAG
    • SAML_IDP_CERTIFICATE with the location of your DAG certificate. If running the Docker image, please make sure you have mounted a certs volume by adding the following volume -v /certs:/certs:ro
  3. Restart Humio

  4. Read the output of http://$YOUR_HUMIO_URL:$PORT/api/v1/saml/metadata and take notes of the following values

    • md:EntityDescriptor#entityID, which should be a url starting with your PUBLIC_URL followed by /api/v1/saml/metadata
    • md:AssertionConsumerService#Location, which should be a url starting with your PUBLIC_URL followed by /api/v1/saml/acs
  5. Log into your Duo account and add a new “Generic SAML Service Provider”, where

    • “Entity ID” is the value of md:EntityDescriptor#entityID
    • “Assertion Consumer Service” is the value of md:AssertionConsumerService#Location
    • “NameID attribute” should be set to email
  6. Save the configuration file and upload it to your DAG.