LogRhythm Web Console Single Sign-On (SSO) uses industry-standard Security Assertion Markup Language (SAML) and supported third-party Identity Providers (IdP) to authenticate and authorize Web Console users. With SSO, customers can manage their users' logons via supported Identity Providers, including Okta, PingOne, and Azure AD.
SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a security principal (usually an end user) between a SAML authority, named an Identity Provider (IdP), and a SAML consumer, named a Service Provider (SP).
Existing Web Console users can implement SSO with their previously-created credentials. New Web Console users can be auto-provisioned, resulting in new Person records (with an associated Login record and User Profile) in the Client Console.
Requirements and Assumptions
- You must access the Web Console via a browser within a corporate network or with a correctly-configured VPN if your browser is outside the primary corporate network. This is important because you must be able to resolve and establish a connection to the internal FQDN, hostname, or IP address of the Web Console Server. Publicly-accessible configurations are possible but require additional setup of firewalls, routers, and publicly-trusted certificates.
- If you want multiple Web Consoles to support SSO, they must be in a load-balanced configuration. This is required because the configuration is part of the Authentication Service that is common to all Web Consoles. If you have multiple Web Consoles in a non-load-balanced configuration, you must choose one to use with SSO. You must specify which Web Console to use in the SSO configuration parameter Web Console Callback URL.
- In the LogRhythm Configuration Manager, ensure the following values are selected:
- Open the LogRhythm Configuration Manager.
- In the bottom-left next to Advanced View, click Show.
- Scroll down to the Authentication API section.
Ensure the parameters are set as follows:
- Parameter: Web Console Multi-factor Authentication Type
  Setting: Off if you are not currently using Web Console MFA; On if you have local logins and/or AD logins that do not use SSO.
  This setting applies only to local (SQL) or Active Directory logins. Web Console MFA is not used for SSO logins. If you want to use multi-factor authentication in conjunction with Web Console SSO, you must enable it in the same Identity Provider that you use for Web Console SSO, so that all of your SSO authentication functions are housed in your preferred IdP.
- Parameter: Web Console SQL Authentication
  Setting: Enabled
- Parameter: Web Console Active Directory Authentication
  Setting: This setting may be turned off later to allow only SQL and SSO logins.