Breadcrumbs

Configure SSO with Azure AD

This section explains how to configure Web Console Single Sign-On using your Azure AD SAML app.

The Azure AD admin UI changes periodically, and the official Azure AD SAML 2.0 setup documentation is found here:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-saml-single-sign-on

Create the SAML App in Azure AD

  1. Log in to the Azure AD Admin Portal. 

    Make sure you are administering the correct tenant for integration with LogRhythm Web Console.


  2. In the left-side navigation bar, click Enterprise applications.
    The applications window appears.

  3. At the top of the applications window, click New application, then click the Non-gallery application tile.

  4. Enter your App Name (for example, LogRhythm Web Console - LRXM01 or LogRhythm WC - Boulder).

  5. Click Add.

  6. In the left-side navigation bar in the Manage section, click Single sign-on, then click the SAML tile.
    The Set up Single Sign-On with SAML page appears.

  7. In the Basic SAML Configuration section, click the Edit icon-edit-button.png  icon. 
    The Basic SAML Configuration page appears. Enter the following parameters:

    Name

    Example Format

    Required

    Identifier (Entity ID)

    https://<FQDN_or_Hostname_or_IP_of_WebConsole>

    Yes

    Reply URL (Assertion Consumer Service URL)

    https://<FQDN_or_Hostname_or_IP_of_WebConsole>:8443/saml

    If your Web Console uses a port other than the default of 8443, enter your customized port number instead of 8443. For more information, see LogRhythm Web UI.

    Yes

    Sign On URL

    Leave blank.

    No

    Relay State

    Leave blank.

    No

    Logout URL

    Leave blank.

    No


  8. Click Save, then click Close.

  9. When prompted to test single sign-on, click No, I'll do it later.

  10. In the User Attributes & Claims section, click the Edit icon-edit-button.png  icon. 
    The User Attributes & Claims page appears. 

  11. Click Save.

  12. Click Add new claim. Enter the following parameters:

    Name

    Namespace

    Source

    Source Attribute

    firstName

    Leave blank

    Attribute

    user.givenname


  13. Click Save.

  14. Click Add new claim. Enter the following parameters:

    Name

    Namespace

    Source

    Source Attribute

    lastName

    Leave blank

    Attribute

    user.surname


  15. Click Save, then click Close.

  16. In the left-side navigation bar in the Manage section, click Users and groups.
    The Users and Groups page appears.

  17. Click Add user.
    The Add Assignment page appears.

  18. Click Users and groups.

  19. Select the users you want to have access to the LogRhythm Web Console.

    When you click on a user, the name appears under Selected members.


  20. When you are finished selecting users, click Select at the bottom of the page.

  21. At the bottom of the Add Assignment page, click Assign.

  22. You are done creating the SAML app in Azure AD.


Gather IdP SSO Configuration Data

  1. Log in to the Azure AD Admin Portal.

  2. In the left-side navigation bar, click Enterprise applications.
    The applications window appears.

  3. Click the SAML app you created for LogRhythm SSO.

  4. In the left-side navigation bar in the Manage section, click Single sign-on.

  5. From this summary page, locate the values for the Certificate (Base64) and Login URL fields. Copy and paste the values to a temporary location:Certificate (Base64): Download and open the certificate with a text editor, then copy the text.Login URL

Enable Single-Sign On in the LogRhythm Web Console (Admins Only)

  1. Log in to the Web Console with an administrator account or with an account that has SSO Management permissions.

  2. In the upper-right corner, click the Administration drop-down icon, then click Single Sign-On.
    The Single Sign-On Configuration menu appears.

  3. Click the Single Sign-On Enabled button. The menu expands to reveal configuration fields.

  4. Enter the following parameters:

    If you want to choose a User Profile that is specific to newly-created SSO users, consider creating the desired User Profile in the SIEM before this step.


    Name

    Example Format

    Web Console Callback URL

    https://<FQDN_or_Hostname_or_IP_of_WebConsole>:8443/saml

    Web Console Identifier (Entity ID)

    https://<FQDN_or_Hostname_or_IP_of_WebConsole>

    IdP Entry Point

    Login URL copied from Azure AD.

    IdP Certificate

    Certificate (Base64) copied from Azure AD.

    Default User Profile

    The User Profile to be assigned via User Auto-Provisioning to new SSO users.


    If you do not see all of the expected User Profiles in the drop down menu, contact your SIEM administrator to make sure they have enabled your Manage User Profiles and Single Sign-On Management (Web Console) permissions.


  5. Click Save

    While saving, your Web Console will temporarily disconnect and you will see either Reconnecting or Disconnected status in the upper-right corner.

    Refresh your browser if prompted to do so.

  6. After your Web Console refreshes and the status shows Connected, your SSO for the Web Console is enabled.

  7. In the upper-right corner, click the User drop-down icon, and then click Logout