Configuring SAML SSO with SumoLogic and PingFederate

Page created: 2 Nov 2021 |

Page updated: 14 Dec 2021

| 4 min read

Single Sign-on (SSO) Capability PingFederate Product SAML Standards, specifications, and protocols

Learn how to enable SumoLogic sign on from a PingFederate URL (IdP-initiated sign on) and direct SumoLogic sign on using PingFederate (SP-initiated sign on).

Configure PingFederate to authenticate against an identity provider (IdP) or datastore containing the users requiring application access.
PingFederate’s X.509 certificate should be exchanged to verify the signature in SAML assertions.
An email attribute is required in the assertion, either the SAML Subject or another SAML attribute per the SAML configuration. The value of the email attribute must be a valid email address. It is used to uniquely identify the user in the organization.
Populate SumoLogic with at least one user to test access.

Create a PingFederate service provider (SP) connection for SumoLogic:
1. Sign on to the PingFederate admin console.
2. Configure using Browser SSO profile SAML 2.0.
3. Set Partner’s Entity ID to https://service.eu.sumologic.com/.
4. Enable the following SAML Profiles:
  - IdP-Initiated SSO
  - SP-Initiated SSO
5. In Assertion Creation: Attribute Contract, select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
6. In Assertion Creation: Authentication Source Mapping: Authentication Source Mapping, map a new Adapter Instance > HTML Form.
7. In Assertion Creation: Authentication Source Mapping: Attribute Contract Fulfilment, map SAML_SUBJECT.
8. In Protocol Settings: Assertion Consumer Service URL, set Binding to POST and set Endpoint URL to https://service.eu.sumologic.com/sumo/saml/consume/596910108. This value is received and updated from SumoLogic.
9. In Protocol Settings: Allowable SAML Bindings, enable POST.
10. In Credentials: Digital Signature Settings, select the PingFederate Signing Certificate.
11. Save the configuration.
12. Export the signing certificate.
13. Export and then open the metadata file and copy the value of:
  - The entityID
  - The Location entry (https://<your value>/idp/SSO.saml2)
Add the PingFederate IdP Connection to SumoLogic:
1. Sign on to the SumoLogic application.
  Note:
  In this example, we have registered and logged in using trial mode.
2. Go to Administration > Security > SAML.
3. Click Add Configuration.
4. Add the following values:
  - Configuration Name: ‘pingfed’
  - Select the Debug Mode check box.
  - Issuer: The PingFederate Issuer value.
  - X.509 Certificate: Copy PingFederate’s X.509 certificate here for verifying the signature.
  - Attribute Mapping: Select Use SAML Subject.
  - Optional Settings: Leave the default settings.
  - Click Add.
  - Enable Require SAML Sign In.
5. Select the pingfed configuration you have just created and copy the Assertion Consumer Service URL.
6. To enable SP-initiated SSO, select the pingfed configuration and click the Pencil icon above the ACS URL.
7. Select the SP Initiated Login Configuration check box and enter the following values:
  - Login Path: enter a unique identifier for your organization. You can specify any alphanumeric string (with no embedded spaces), provided that it is unique to your organization. (You can't configure a Login Path that another Sumo customer has already configured).
  - Authn Request URL: enter the URL that the IdP has assigned for SumoLogic to submit SAML authentication requests to the IdP. For example, https://<idp server hostname>:9031/sso/idp/SSO.saml2
  - Select Binding Type: Post.
8. Click Save.
9. Click the saved pingfed configuration again and make note of the Authentication Request and EntityID URLs.

Configuring SAML SSO with SumoLogic and PingFederate - PingFederate

Configuration Guides