Single Sign On
LogSentinel SIEM supports LDAP, Active Directory, SAML 2.0 and RADIUS providers for authentication. The steps required to configure each integration are described below.
LDAP configuration
In order to authenticate against an LDAP server (not Windows AD), the following steps must be done:
- in `/var/logsentinel/app.properties` set `ldap.auth.enabled=true` and `ad.auth.enabled=false`
- set `ldap.url` to point to your LDAP server. Let's assume the following LDAP tree:
```ldif
dn: dc=yourOrganization,dc=org
objectclass: top
objectclass: domain
objectclass: extensibleObject
dc: yourOrganization

dn: ou=groups,dc=yourOrganization,dc=org
objectclass: top
objectclass: organizationalUnit
ou: groups

dn: ou=people,dc=yourOrganization,dc=org
objectclass: top
objectclass: organizationalUnit
ou: people

dn: uid=ben@yourOrganization.org,ou=people,dc=yourOrganization,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Ben Alexx
sn: Alex
organizationId: ba2cbc90-5424-11e8-b88d-6f2c1b6625e8
uid: ben@yourOrganization.org
userPassword: {SHA}nFCebWjxfaLbHHG1Qk5UU4trbvQ=

dn: cn=logsentinel_manager,ou=groups,dc=yourOrganization,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: logsentinel_manager
ou: logsentinel_manager
uniqueMember: uid=ben@yourOrganization.org,ou=people,dc=yourOrganization,dc=org
```
- if the LDAP server does not grant read access to anonymous users, `ldap.manager.DN` and `ldap.manager.password` should be set
- the user is searched with `ldap.userDN.pattern=uid={0},ou=people`, where `{0}` is replaced by the login name, e.g. `ben@yourOrganization.org`
- groups are searched with `ldap.group.searchbase=ou=groups`
- the attribute holding the user's hashed password is set with `ldap.password.attribute=userPassword`
- the names of the user are extracted from the attribute given by `ldap.names.param=cn`
- the organization id of the user (in LogSentinel SIEM) can be assigned with the default value `ldap.default.organizationId`. It can also be retrieved from LDAP if it is stored on the user as an additional attribute: `ldap.organizationId.param=organizationId`
- the user role is derived from the groups the user is a member of. Only groups whose names start with `logsentinel_` are taken into account. For example, here `ben@yourOrganization.org` is a member of the group `logsentinel_manager`, so the retrieved role will be MANAGER.
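The following is an added example, not LogSentinel's own code, that models the lookup described above against a constructed LDIF copy of the tree: resolving the DN from `ldap.userDN.pattern`, checking a `{SHA}` `userPassword` value, and mapping `logsentinel_*` groups to roles. The role name being the upper-cased group suffix is an assumption drawn from the `logsentinel_manager` -> MANAGER example.

```python
import base64
import hashlib

# Constructed LDIF entries modelled on the tree above (not a LogSentinel artifact).
# The "auditors" group has no logsentinel_ prefix and must be ignored.
SAMPLE_LDIF = """\
dn: uid=ben@yourOrganization.org,ou=people,dc=yourOrganization,dc=org
uid: ben@yourOrganization.org
organizationId: ba2cbc90-5424-11e8-b88d-6f2c1b6625e8
userPassword: {SHA}nFCebWjxfaLbHHG1Qk5UU4trbvQ=

dn: cn=logsentinel_manager,ou=groups,dc=yourOrganization,dc=org
cn: logsentinel_manager
uniqueMember: uid=ben@yourOrganization.org,ou=people,dc=yourOrganization,dc=org

dn: cn=auditors,ou=groups,dc=yourOrganization,dc=org
cn: auditors
uniqueMember: uid=ben@yourOrganization.org,ou=people,dc=yourOrganization,dc=org
"""

def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr_lowercase: [values]}}; no folding or base64."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def user_dn(username, pattern="uid={0},ou=people", base="dc=yourOrganization,dc=org"):
    """ldap.userDN.pattern with {0} replaced by the login name, relative to the base DN."""
    return pattern.format(username) + "," + base

def sha_password(password):
    """Encode a password the way the {SHA} scheme does: base64(sha1(pw)), unsalted."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def check_sha_password(entry, password, attribute="userpassword"):
    """Compare a candidate against the stored {SHA} value (ldap.password.attribute).
    Unsalted SHA-1 is weak; prefer salted schemes such as {SSHA} on the directory side."""
    stored = entry[attribute][0]
    if not stored.startswith("{SHA}"):
        raise ValueError("only the {SHA} scheme is handled in this example")
    return stored == sha_password(password)

def roles_for(entries, dn, searchbase="ou=groups", prefix="logsentinel_"):
    """Roles = upper-cased suffix of every logsentinel_* group under the search base
    whose uniqueMember lists the user's DN; other groups are ignored."""
    roles = []
    for group_dn, attrs in entries.items():
        if f",{searchbase}," not in group_dn or dn not in attrs.get("uniquemember", []):
            continue
        name = attrs["cn"][0]
        if name.startswith(prefix):
            roles.append(name[len(prefix):].upper())
    return sorted(roles)
```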
Active Directory configuration
In order to authenticate with Windows Active Directory:
- set `ad.auth.enabled=true` and `ldap.auth.enabled=false` in `/var/logsentinel/app.properties`
- set `ldap.url` to the URL of the Active Directory (without the dc parts), e.g. `ldaps://dc1server`
- set `ad.auth.domain` to the domain the users belong to in AD
- set `ad.trust.self.signed=true` if the AD is using a self-signed certificate (or a self-signed root)
- roles are retrieved from the `memberOf` attributes of the user in AD. The same role restrictions as in LDAP apply (only groups starting with `logsentinel_` are taken into account).
SAML 2.0
For SAML 2.0 to work, the proper configuration settings should be set on the "User management" screen. See the User management page for details.
Then the "SSO Login" button on the login page allows users to use the SAML 2.0 flow. Note that internal, passwordless accounts are still created after the first authentication in order to keep user preferences.
RADIUS authentication
RADIUS authentication should be enabled via `radius.enabled=true`.
For RADIUS authentication, the RADIUS server IP, port and shared secret should be specified, as well as the NAS properties (LogSentinel SIEM acts as a NAS). Set the following in `app.properties`: `radius.server.ip`, `radius.server.port`, `radius.server.secret`, `radius.nas.port` and `radius.nas.ip` (optional; if not specified, the local IP is used).
The `radius.default.organizationId` property should also be set to designate which organizationId is used for users authenticating via RADIUS.