Single Sign-On
LogRhythm Web Console Single Sign-On (SSO) uses the industry-standard Security Assertion Markup Language (SAML) and supported third-party Identity Providers (IdPs) to authenticate and authorize Web Console users. With SSO, customers manage their users' logons in a supported Identity Provider, including Okta, PingOne, and Azure AD, rather than in the Web Console itself.
SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a security principal (usually an end user) between a SAML authority, called the Identity Provider (IdP), and a SAML consumer, called the Service Provider (SP). In this setup the IdP is Okta, PingOne, or Azure AD, and the Web Console, through its Authentication Service, acts as the SP.
Existing Web Console users can implement SSO with their previously-created credentials. New Web Console users can be auto-provisioned, resulting in new Person records (with an associated Login record and User Profile) in the Client Console.
For an SSO user to log in to the Web Console successfully, the Login field of their Person record in the Client Console must match the NameID in the SAML assertion sent by the IdP. If the two differ, the login fails even though the IdP authenticated the user. For more information, see SSO User Auto-Provisioning and SSO Known Issues and Recommendations.
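The Login-to-NameID rule above is the first thing to check when an SSO login fails. The following script is an added example, not LogRhythm's code: it parses a constructed, unsigned SAML 2.0 Response, pulls out the Subject NameID, and compares it with the Login field of some constructed Person records. It does not validate the XML signature, so use it only on assertions you have already verified (for example, an IdP test assertion you captured) or purely for diagnosis. Whether the product compares Login and NameID case-insensitively is not stated on this page, so the script treats a case-only difference as a hint to fix the record, not as a match.

```python
"""Extract the NameID from a SAML 2.0 Response and compare it with the Login
field of candidate Person records (constructed troubleshooting example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned SAML Response: a minimal stand-in for what an IdP
# would POST to the Web Console callback URL. Signature and Conditions are
# omitted; a real assertion must be signature-checked before NameID is trusted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed Person records as they might appear in the Client Console.
# Only the Login field matters for the SSO match.
PERSON_RECORDS = [
    {"person_id": 101, "name": "Jane Doe", "login": "jane.doe@example.com"},
    {"person_id": 102, "name": "Bob Ray", "login": "bob.ray@example.com"},
]


def extract_name_id(response_xml: str) -> tuple[str, str]:
    """Return (NameID value, NameID Format) from a SAML Response.

    Raises ValueError when no Assertion/Subject/NameID is present, which is
    the first failure mode to rule out when an SSO login is rejected.
    """
    root = ET.fromstring(response_xml)
    name_id = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("SAML Response carries no Subject/NameID")
    fmt = name_id.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    return name_id.text.strip(), fmt


def match_person(name_id: str, records: list[dict]) -> dict:
    """Compare NameID with each record's Login field.

    'exact' is the record whose Login equals the NameID character for
    character (the relationship the documentation requires). 'case_only'
    lists records that differ only in letter case, the most common reason an
    otherwise correct mapping fails; it is a diagnostic hint, not a match.
    """
    exact = [r for r in records if r["login"] == name_id]
    case_only = [r for r in records
                 if r["login"] != name_id and r["login"].lower() == name_id.lower()]
    return {"name_id": name_id, "exact": exact[0] if exact else None, "case_only": case_only}


if __name__ == "__main__":
    value, fmt = extract_name_id(SAMPLE_RESPONSE)
    result = match_person(value, PERSON_RECORDS)
    print(f"NameID={value!r} format={fmt}")
    if result["exact"]:
        print("OK: maps to Person", result["exact"]["person_id"])
    elif result["case_only"]:
        print("MISMATCH: Login differs only by case from",
              [r["login"] for r in result["case_only"]])
    else:
        print("MISMATCH: no Person record has this Login; "
              "the user would need auto-provisioning")
```

Run against the constructed sample, the script reports a case-only mismatch: the IdP sends Jane.Doe@example.com while the Person record's Login is jane.doe@example.com. Fixing either side so the two strings are identical is the remedy the page describes.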
Requirements and Assumptions
- You must access the Web Console from a browser inside the corporate network, or through a correctly configured VPN if the browser is outside it. This matters because the browser must be able to resolve and connect to the internal FQDN, hostname, or IP address of the Web Console Server. Publicly accessible configurations are possible but require additional firewall and router setup and publicly trusted certificates.
- If multiple Web Consoles are to support SSO, they must be in a load-balanced configuration, because the SSO configuration is part of the Authentication Service that is shared by all Web Consoles. If you have multiple Web Consoles that are not load balanced, choose one to use with SSO and specify it in the SSO configuration parameter Web Console Callback URL.
- In the LogRhythm Configuration Manager, verify the Authentication API settings:
  - Open the LogRhythm Configuration Manager.
  - In the bottom-left, next to Advanced View, click Show.
  - Scroll down to the Authentication API section.
  - Ensure the parameters are set as follows:
    - Web Console Multi-factor Authentication Type: Off if you are not currently using Web Console MFA; On if you have local (SQL) and/or Active Directory logins that do not use SSO. This setting applies only to local (SQL) or Active Directory logins; Web Console MFA is not used for SSO logins.
    - Web Console SQL Authentication: Enabled.
    - Web Console Active Directory Authentication: Enabled. This setting may be turned off later to allow only SQL and SSO logins.
Web Console Multi-factor Authentication Type
If you want multi-factor authentication for Web Console SSO users, enable it in the same Identity Provider you use for Web Console SSO, so that all of your SSO authentication functions are handled by your preferred IdP. The Web Console's own MFA setting applies only to local (SQL) and Active Directory logins and is not applied to SSO logins.