
Configuring Single Sign-On (SSO)

SignalFx lets your users log in through various SSO providers. Both Identity Provider Initiated SSO and SignalFx Initiated SSO are supported. The latter makes it easy for your users to log in to SignalFx from your organization’s custom URL.

SignalFx supports the SSO integrations described in the sections below.

Setting up a custom URL for accessing SignalFx

Your users can access SignalFx with a custom URL (e.g. yourorgname.signalfx.com) that you can set up for your organization by emailing support@signalfx.com. When you configure any of the integrations on this page and select “Show on login page”, that integration will be available on your organization’s login page. Multiple SSO options can be available at the same time.

Naming an SSO integration

If you will be displaying an SSO integration on your organization’s custom SignalFx login page as shown above, we suggest naming it so that it will be meaningful to your users; the name you give an integration appears as the text on the button a user clicks to sign in. For example, you might want to use “Log in with Okta” as the name for an Okta integration, instead of simply “Okta”.

Configure SSO using ADFS

To use this integration, you must be using Active Directory with Active Directory Federation Services (ADFS). SignalFx requires the following fields to be present for each user in Active Directory:

  • First Name
  • Last Name
  • Email

Connecting ADFS to SignalFx requires five tasks:

  1. Start a new ADFS integration in SignalFx
  2. Add SignalFx to ADFS
  3. Obtain ADFS certificate to upload to SignalFx
  4. Obtain Federation Metadata file to upload to SignalFx
  5. Upload files to SignalFx

Please review this suggestion about naming your integrations before you proceed.

Start a new ADFS integration in SignalFx

  1. In SignalFx, click Integrations to open the Integrations page, then click the ADFS tile. A details page appears.
  2. Click New Integration.
  3. Locate the field called Integration ID, and copy the value to your clipboard.

Leave this browser tab open. You will return to it at the end of this procedure.

Add SignalFx to ADFS

  1. Log into the ADFS server and open the management console.
  2. Right-click ‘Relying Party Trusts’. Select Add Relying Party Trust and click Start to proceed.
  3. Select Enter data about the relying party manually and click Next.
  4. Enter ‘SignalFx’ in the field labeled Display name and click Next.
  5. Select ‘AD FS Profile’ and click Next.
  6. On the next screen, leave the certificate settings at their defaults.
  7. On the ‘Configure URL’ page, leave both checkboxes unchecked.
  8. Add ‘https://api.signalfx.com/v1/saml/metadata’ to ‘Relying party trust identifiers’.
  9. The next step in the wizard concerns multi-factor authentication, which is not necessary for SignalFx and is beyond the scope of this guide. Click Next.
  10. Select Permit all users. You may optionally choose Deny all users access and later add authorization rules, but this is beyond the scope of this guide. Click Next.
  11. Click Next, then Finish.
  12. Right-click the newly created relying party trust called SignalFx and select Properties.
  13. In the Advanced tab, select SHA-1 as the value for Secure Hash Algorithm.
  14. In the Endpoints tab, click Add SAML...
  15. In the modal, select:
  • Endpoint type: SAML Assertion Consumer
  • Binding: POST
  • Set the trusted URL as default: check
  • Trusted URL (replace <INTEGRATION ID> with the ID you copied from SignalFx’s Integrations page): https://api.signalfx.com/v1/saml/acs/<INTEGRATION ID>
  16. Click OK, then OK again to close the properties modal.
  17. Right-click the ‘SignalFx’ relying party trust and select Edit Claim Rules...
  18. Click Add Rule...
  19. Select Send LDAP Attributes as Claims and click Next.
  20. Give the claim rule a name, like “LDAP”, and select ‘Active Directory’ as the Attribute store. Enter the mapping of LDAP attributes as follows:
  • E-Mail-Addresses (or your email address LDAP attribute) → User.email
  • Given-Name (or your First Name LDAP attribute) → User.FirstName
  • Surname (or your Last Name LDAP attribute) → User.LastName
  • SAM-Account-Name (or your unique user identifier LDAP attribute) → PersonImmutableID
  21. Click Add Rule again and choose Transform an Incoming Claim.
  22. Give the rule a name like ‘Email to name ID’.
  23. Pass the Name ID through (unless your ADFS or SAML implementation already provides it). SignalFx requires the Name ID in the Persistent Identifier format; in this example, the email address is used as the Name ID. Click OK.
  24. Click Finish.

ADFS now knows how to communicate with SignalFx.

Obtain ADFS certificate to upload to SignalFx

  1. In ADFS, go to ‘AD FS Management’.
  2. Browse to ‘Certificates’, right-click the Token-signing certificate, and select View Certificate.
  3. Select the Details tab.
  4. Click Copy to File. The certificate export wizard opens.
  5. Click Next and choose DER encoded binary X.509.
  6. Choose a file name and click Finish.
  7. Convert the certificate from .cer format to .pem format. Options for converting include using the openssl tool, as follows, or using some other tool such as https://www.sslshopper.com/ssl-converter.html:

     openssl x509 -inform der -in certificate.cer -out certificate.pem

Obtain Federation Metadata file to upload to SignalFx

In AD FS Management, go to Endpoints and look up the endpoint called Federation Metadata. Open that URL in a browser and save the file FederationMetadata.xml locally. You will upload this file to SignalFx in the next task.

Upload files to SignalFx

  1. Return to the SignalFx integrations page, on the ADFS integration configuration that you initiated at the beginning of this procedure.
  2. Click Upload certificate and upload the certificate.pem file.
  3. Click Upload metadata and upload the FederationMetadata.xml file.
  4. Click Save.

Your users are now able to log into SignalFx through your ADFS portal. ADFS users must access SignalFx through their ADFS portal, instead of logging in directly on app.signalfx.com.

Configure SSO using Azure Active Directory

Please review this suggestion about naming your integrations before you proceed.

For instructions on connecting Azure Active Directory to SignalFx, see the tutorial developed by Microsoft. You must be an administrator of your SignalFx organization to use this procedure.

Configure SSO using Bitium

Follow these instructions to connect Bitium to SignalFx using SAML. You must be an administrator of both your Bitium organization and your SignalFx organization to use this procedure.

Please review this suggestion about naming your integrations before you proceed.

  1. Open two tabs. In the first, log into Bitium. In the second, log into SignalFx.
  2. In the Bitium tab, from the Apps menu, click Manage next to your organization name.
  3. Click Apps, then Add App. In the search box that appears, search for “SignalFx”. Click the SignalFx entry to add it to your Bitium organization.
  4. In the Bitium tab, from the dropdown menu under Single Sign-On, choose SAML Authentication. Click Install App, then click Configure Single Sign-On.
  5. Switch to the SignalFx tab. Click Integrations to open the Integrations page, then click the Bitium tile. A set of fields appears.
  6. In the SignalFx tab, copy the value next to Integration ID. Switch to the Bitium tab, and paste the value into the field called Integration ID.
  7. In the Bitium tab, copy the value Entity ID. Switch to the SignalFx tab, and paste the value into the field called Issuer URL.
  8. In the Bitium tab, copy the value Metadata URL. Switch to the SignalFx tab, and paste the value into the field called Metadata URL.
  9. In the Bitium tab, copy the value X.509 Certificate. Switch to the SignalFx tab, and paste the value into the field called Public Key.
  10. In the Bitium tab, click Save Changes, then assign users from your organization and make any other configuration changes you wish.
  11. In the SignalFx tab, click Save. A message appears that says “Validated!”. If an error appears instead, double-check the values that you copied and pasted. Please contact support@signalfx.com for help resolving errors.

Your SignalFx integration is now available to users in your Bitium organization. When a user signs in to SignalFx from Bitium for the first time, SignalFx will send them an email containing a link that they must click through to authenticate. This will only happen the first time the user signs in; subsequent login attempts will not require email validation.

Note that SAML authentication and SignalFx’s native user/password mechanisms are independent. Any existing SignalFx user created before enabling the integration will still be able to use their credentials to log in directly, in addition to using SAML SSO. Any user created solely through SAML will have a password generated for them. If Bitium is unavailable, users can use the reset password link on the SignalFx login page to get native SignalFx credentials.

Configure SSO using Google

Follow these instructions to enable users in your Google domain to log into SignalFx using their Google credentials. You must be a SignalFx administrator to use this procedure.

Note

When a domain is added, anyone within that domain will have access to this SignalFx organization, even if they have not yet been added as a SignalFx user within SignalFx.

  1. In SignalFx, click Integrations to open the Integrations page, then click the Google tile in the Login Services section of the page.

  2. To enable Google Sign-In for a new domain, click Add Domain.

  3. A Google pop-up opens. In the pop-up, select the email address associated with the Google domain for which you want to enable sign-in to SignalFx. For example, if you select the Google account myAddress@myGoogleDomain.com, you will be adding myGoogleDomain.com as the authenticated domain for logging in to SignalFx.

  4. That’s it! You will return to the Google Sign-In page at SignalFx and see that the domain has been added. Now all of the users in that Google domain will be able to use their Google credentials to log into SignalFx.


If at least one Google domain has access to SignalFx, the option to sign in with Google will be shown on the login screen at app.signalfx.com and on your custom login page (if your organization has a custom URL).

To remove a Google domain’s access to SignalFx, click on the Google tile on the Integrations page, then click the x to the right of the domain’s name.

Configure SSO using Google Cloud Identity (IDP)

For instructions on connecting Google Cloud Identity to SignalFx, see the G Suite Administrator Help document developed by Google. You must be a super-administrator of your Google domain and an administrator of your SignalFx organization to use this procedure.

Configure SSO using Okta

Follow these instructions to allow your users to log into SignalFx through Okta via SAML authentication. You must be an administrator of both your Okta organization and your SignalFx organization to use this procedure.

Please review this suggestion about naming your integrations before you proceed.

  1. Open two browser tabs. In the first, log into Okta. In the second, log into your SignalFx organization.
  2. In the Okta tab, add the SignalFx app by clicking Admin, then Applications, then Add Application. In the directory that appears, search for “SignalFx”, then add it by clicking Add.
  3. Switch to the SignalFx tab. Click Integrations to open the Integrations page, then click the Okta tile, then click New Integration. Give the new integration a name like “My Okta Integration”.
  4. In the SignalFx tab, copy the value Integration ID. Switch to Okta and paste it into the field called “Integration ID”. Click Next.
  5. In the Okta tab, assign the SignalFx application to users in your Okta organization, then click Next.
  6. In the Okta tab, click Sign on, then click View Setup instructions.
  7. In the Okta tab, copy the Public Key from the instructions document. Switch to SignalFx and paste it into the field called “Public key”.
  8. In the Okta tab, copy the Issuer URL from the instructions document. Switch to SignalFx and paste it into the field called “Issuer URL”.
  9. In the Okta tab, copy the Metadata URL from the instructions document. Switch to SignalFx and paste it into the field called “Metadata URL”. Click Save.
  10. In the SignalFx tab, click Save. A message appears that says “Validated!”. If an error appears instead, double-check the values that you copied and pasted. Please contact support@signalfx.com for help resolving errors.

Your SignalFx integration is now available to users in your Okta organization. When a user signs in to SignalFx from Okta for the first time, SignalFx will send them an email containing a link that they must click through to authenticate. This will only happen the first time the user signs in; subsequent login attempts will not require email validation.

Note that SAML authentication and SignalFx’s native user/password mechanisms are independent. Any existing SignalFx user created before enabling the integration will still be able to use their credentials to log in directly, in addition to using SAML SSO. Any user created solely through SAML will have a password generated for them. If the Okta application portal is unavailable, users can use the reset password link on the SignalFx login page to get native SignalFx credentials.

Configure SSO using OneLogin

Follow these instructions to connect OneLogin to SignalFx. You must be an administrator of both your OneLogin organization and your SignalFx organization to use this procedure.

Please review this suggestion about naming your integrations before you proceed.

  1. Open two browser tabs. In the first, log into OneLogin. In the second, log into your SignalFx organization.
  2. In the OneLogin tab, add the SignalFx app by selecting Apps ‣ Add Apps and searching for “SignalFx”. Make any changes you wish and click Save. Click the SSO heading to open the SSO configuration page.
  3. Switch to the SignalFx tab. Click Integrations to open the Integrations page, then click the OneLogin tile, then click New Integration. Give the new integration a name like “My OneLogin Integration”.
  4. In the SignalFx tab, copy the value Integration ID. Switch to OneLogin, go to the Configuration tab, then paste it into the field called SignalFx ID.
  5. Copy the contents of OneLogin’s X.509 certificate. Switch to SignalFx, and paste it into the field called Public key.
  6. In the OneLogin tab, copy the value Issuer URL. Switch to SignalFx, and paste it into the field called Issuer URL.
  7. In the SignalFx tab, click Save. A message appears that says “Validated!”. If an error appears instead, double-check the values that you copied and pasted. Please contact support@signalfx.com for help resolving errors.

Your SignalFx integration is now available in your OneLogin App portal. When a user clicks on it for the first time, SignalFx will send them an email containing a link that they must click through to authenticate. This will only happen the first time the user signs in; subsequent login attempts will not require email validation.

Note that SAML authentication and SignalFx’s native user/password mechanisms are independent. Any existing SignalFx user created before enabling the integration will still be able to use their credentials to log in directly, in addition to using SAML SSO. Any user created solely through SAML will have a password generated for them. If the OneLogin application portal is unavailable, users can use the reset password link on the SignalFx login page to get native SignalFx credentials.

Configure SSO using PingOne

Please review this suggestion about naming your integrations before you proceed.

Follow these instructions to connect PingOne to SignalFx using SAML. You must be an administrator of both your PingOne organization and your SignalFx organization to use this procedure.

  1. In SignalFx, click Integrations to open the Integrations page, then click the PingOne tile. A details page appears.
  2. Click New Integration. A set of fields appears.
  3. In the field labeled Name give the new integration a name, like “PingOne SSO”.
  4. Copy to your clipboard the value next to the label Integration ID.
  5. In a new browser tab, open PingOne. Click on the Applications link in the top nav. Your installed applications list opens.
  6. Click Add Application and select Search Application Catalog.
  7. In the search field, search for “SignalFx”. Click on the application called SignalFx, and click Setup. A setup screen appears.
  8. The field labelled ACS URL contains a URL like https://api.signalfx.com/v1/saml/acs/${Integration ID}. In this field, replace the string ${Integration ID} with the value that you copied to your clipboard in step 4. Click Continue to Next Step.
  9. An attribute mapping appears. Fill in the attribute map as follows:
    • SAML_SUBJECT: Click Advanced. In the field labelled Name ID Format to send to SP, choose the value urn:oasis:names:tc:SAML:2.0:nameid-format:persistent. Click Save.
    • Other attributes: Choose the appropriate attribute.
  10. Click Continue to Next Step. A customization screen appears.
  11. Customize the SignalFx application as you wish, then click Save and Publish. A review screen appears.
  12. Locate the field called Certificate and click the link that says Download. A file called pingone-signing.crt downloads to your computer.
  13. Locate the field called SAML Metadata and click the link that says Download. A file called saml2-metadata-idp.xml downloads to your computer.
  14. Click Finish. The PingOne Applications list appears and shows the application called SignalFx as Active.
  15. Switch browser tabs back to the SignalFx integration in progress.
  16. In the SignalFx tab, locate the field called Certificate and click the link that says Upload Certificate. A filesystem dialog opens.
  17. Locate the file pingone-signing.crt that you downloaded in step 12, and select it for upload. The text next to Certificate changes to the filename that you uploaded.
  18. Locate the field called Metadata, click the link that says Upload Metadata, and upload the file saml2-metadata-idp.xml that you downloaded in step 13. The text next to Metadata changes to the filename that you uploaded.
  19. Click Save. The page displays a message Validated!

Users can now log into SignalFx using the PingOne application.

When a user signs in to SignalFx from PingOne for the first time, SignalFx will send them an email containing a link that they must click through to authenticate. This will only happen the first time the user signs in; subsequent login attempts will not require email validation.

Note that SAML authentication and SignalFx’s native user/password mechanisms are independent. Any existing SignalFx user created before enabling the integration will still be able to use their credentials to log in directly, in addition to using SAML SSO. Any user created solely through SAML will have a password generated for them. If PingOne is unavailable, users can use the reset password link on the SignalFx login page to get native SignalFx credentials.

Configure SSO using a generic SAML SSO integration

If you are using an SSO option other than the ones listed above, you can use the information below to create a SAML SSO integration for use by your organization. (If a SAML SSO integration has already been built for your organization, follow the steps in Installing your organization’s SAML integration to install it in SignalFx.)

Information for SAML SSO integration creators

SignalFx provides supported integrations to certain SAML SSO providers. If your SAML SSO provider is not on our list of supported integrations, SignalFx can make available (upon administrator request) a generic integration for testing and development of your new SAML SSO connection. Using this generic SAML SSO integration, administrators in your account can direct SignalFx to use any publicly-available SSO endpoint to authenticate users to your account.

To ask SignalFx to enable the generic SAML SSO integration for your account, an account administrator should contact the Support team at support@signalfx.com. Please include the domain of the user IDs that will sign in using this integration (in other words, the part of your user ID/email address after the “@”).

SignalFx provides this integration primarily for the testing and development of new SAML SSO connections that ultimately will become supported by SignalFx (see Contributing an SSO integration to SignalFx).

  • SAML field mapping

    SignalFx expects the following fields in each SSO request.

    • Either:

      • User.FirstName and User.LastName (user’s first and last name)

        OR

      • User.FullName (name of user who uses only one name)

    • User.email (user’s email address)

    • PersonImmutableID (a unique identifier for this user)

  • ACS URL

    SignalFx’s ACS URL is unique per integration, according to the following format:

    https://api.signalfx.com/v1/saml/acs/{{integration ID}}

    The Integration ID will be provided by the SignalFx Integrations setup page.

  • Entity Id

    SignalFx’s EntityId is:

    https://api.signalfx.com/v1/saml/metadata

  • Assertion Signature

    SignalFx expects a signature in the assertion message, not in the request itself.

  • RelayState

    SignalFx sends a dynamic RelayState, so the provider must be able to handle and pass back a dynamic RelayState.
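The following pre-flight check is an added example, not code from SignalFx or its documentation. An integration developer can run it over a SAML response captured from their own IdP before pointing the IdP at SignalFx: it checks the requirements listed above (the attribute names, which are the same ones the ADFS claim rules earlier on this page map to; the per-integration ACS URL; the Entity ID as audience; a signature inside the assertion; a persistent-format NameID). The integration ID, the sample response and its element layout are constructed assumptions, and the check does not verify the XML signature cryptographically.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# XML namespaces used in SAML 2.0 responses.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SIGNALFX_ENTITY_ID = "https://api.signalfx.com/v1/saml/metadata"
ACS_URL_PREFIX = "https://api.signalfx.com/v1/saml/acs/"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def check_saml_response(xml_text: str, integration_id: str) -> List[str]:
    """Return the list of requirements the response fails; an empty list means it passes."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)

    # The response must target this integration's own ACS URL.
    expected_acs = ACS_URL_PREFIX + integration_id
    if root.get("Destination") != expected_acs:
        problems.append("Destination is not the integration's ACS URL " + expected_acs)

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element in response"]

    # The signature must be inside the Assertion, not only on the outer message.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed (signature must be inside the Assertion)")

    # The audience must be SignalFx's Entity ID.
    audiences = [a.text for a in assertion.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if SIGNALFX_ENTITY_ID not in audiences:
        problems.append("AudienceRestriction does not name " + SIGNALFX_ENTITY_ID)

    # The NameID must use the persistent format.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID missing or its Format is not " + PERSISTENT)

    # Collect the attribute statement and check the field mapping SignalFx expects.
    attrs: Dict[str, List[str]] = {}
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name", "")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    split_name = all(k in attrs for k in ("User.FirstName", "User.LastName"))
    if not split_name and "User.FullName" not in attrs:
        problems.append("need User.FirstName and User.LastName, or User.FullName")
    for required in ("User.email", "PersonImmutableID"):
        if not any(v.strip() for v in attrs.get(required, [])):
            problems.append("missing or empty attribute " + required)
    return problems


# Constructed sample response (not real IdP output); the signature value is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://api.signalfx.com/v1/saml/acs/EXAMPLE-INTEGRATION-ID">
  <saml:Assertion>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://api.signalfx.com/v1/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="User.FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="PersonImmutableID"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for problem in check_saml_response(SAMPLE_RESPONSE, "EXAMPLE-INTEGRATION-ID") or ["OK"]:
        print(problem)
```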

Installing your organization’s SAML integration

Use these instructions to install a SAML integration that has been implemented for your organization.

  1. To install a SAML integration, you need the following information:
    • The name of the integration, as it will appear in SignalFx
    • The SAML provider’s public key
    • The issuer URL provided by the SAML provider
    • Either a publicly accessible metadata URL provided by the SAML provider or the provider’s metadata in XML format. The entity ID you send in as part of the metadata must match the issuer URL.
  2. In SignalFx, click Integrations to open the Integrations page, then click the tile that displays the name of the integration. A details page appears.
  3. Click New Integration. A set of fields on an Install tab appears.
  4. In the field labeled Name, give the new integration a name. If your organization has a custom URL, the name appears as the text on the button a user clicks to sign in (see Naming an SSO integration).
  5. In the remaining fields, enter the information you gathered in step 1.
  6. Click Save. The page displays a message Validated!

Users can now log into SignalFx using the SAML SSO.

When a user signs in to SignalFx from the SAML SSO for the first time, SignalFx will send them an email containing a link that they must click through to authenticate. This will only happen the first time the user signs in; subsequent login attempts will not require email validation.

Note that SAML authentication and SignalFx’s native user/password mechanisms are independent. Any existing SignalFx user created before enabling the integration will still be able to use their credentials to log in directly, in addition to using SAML SSO. Any user created solely through SAML will have a password generated for them. If SAML SSO is unavailable, users can use the reset password link on the SignalFx login page to get native SignalFx credentials.

Important

Because this integration can send credential information to unverified destinations, SignalFx does not support using this integration as the primary means by which users authenticate to SignalFx. However, you are not prevented from using it in this way. Using the generic SAML SSO integration as your users’ primary means of authentication to SignalFx means that SignalFx will not be able to help you diagnose or repair any problems with your users’ authentication to our product, aside from ensuring the correct operation of the integration itself.

Contributing an SSO integration to SignalFx

If you want to contribute a completed SAML SSO integration to SignalFx for possible inclusion in a future product release, please provide the following items.

  • Logo for the integration: This will appear on the Integrations page in the SignalFx web UI.
  • An account for SignalFx with the SSO provider: SignalFx will use this account for regular automated regression testing. Please verify with the provider that the account will not expire.
  • Contact information for the SSO provider: SignalFx will use this to communicate any changes on our side and to request support if necessary.
  • A domain that will be included in all URL endpoints for this provider: SignalFx will validate user input against this domain.
  • Documentation for the end user on how to configure the integration in SignalFx: See the notes below.

When SignalFx has tested and verified your integration, it will be added to our list of supported SSO providers in SignalFx, and it will be documented here. Therefore, we need you to provide all the information that a user needs in order to integrate with the SSO provider, including:

  • How the user can enable SignalFx from the SSO provider’s management console.
  • Where to find required information from the SSO provider, including public key, issuer URL, and metadata URL.

You can review the instructions for our other supported integrations (on this page) to get a better idea of the level of documentation you need to provide.

If you are a SignalFx customer and have questions about this process, please contact Support. If you represent an SSO vendor, please get in touch with us at community@signalfx.com.