How to connect to SAML / Microsoft Entra

This guide explains how to configure TeskaLabs LogMan.io to use SAML-based Single Sign-On (SSO) with Microsoft Entra (formerly Azure AD).

Configure LogMan.io in Microsoft Entra

Create a new Enterprise Application

  1. In Microsoft Entra, go to Entra ID > Enterprise applications and Create a new application.

  2. Select Create your own application.

  3. Name the application TeskaLabs LogMan.io, select Integrate any other application you don't find in the gallery (Non-gallery), and click Create.

Configure SAML-based Single Sign-On

  1. After the application is created, go to the Single sign-on section and select the SAML method.

  2. Click on the Edit icon in the Basic SAML Configuration section to configure the following settings:

    Note: If you do not see the Edit icon, you may need to first select Set up [your application name].
    • Identifier (Entity ID): https://your-logman-domain.com/auth/saml/metadata (replace with your public LogMan.io domain)
    • Reply URL (Assertion Consumer Service URL): https://your-logman-domain.com/auth/api/seacat-auth/public/ext-login/callback (replace with your public LogMan.io domain)

    Click Save to apply the changes.

Configure User Attributes & Claims

  1. In the User Attributes & Claims section, click on the Edit icon.
  2. Configure the Unique User Identifier (Name ID) claim as follows:

    • Name identifier format: emailAddress
    • Source attribute: user.mail
  3. Ensure that the following claim is present:

    • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    • Source attribute: user.mail

    If the claim is not present, click on Add new claim to create it.

    Click Save to apply the changes.

Save the Federation Metadata URL

  1. In the SAML Signing Certificate section, find the Federation Metadata XML link.

  2. Copy the URL of the Federation Metadata XML. You will need this URL for configuring LogMan.io.

SeaCat Auth Configuration

To enable SAML authentication with Microsoft Entra in TeskaLabs LogMan.io, you need to configure the LogMan.io authorization service, TeskaLabs SeaCat Auth, in the site model.

/Site/model.yaml
services:
  seacat-auth:
    ...

    # Add the following configuration
    asab:
      config:
        seacatauth:saml:msentra:  # (1)
          idp_metadata_url: https://login.microsoftonline.com/..../federationmetadata.xml?appid=....  # (2)
          entity_id: https://your-logman-domain.com/auth/saml/metadata  # (3)
          label: MS Entra  # (4)
  1. SAML login provider identifier.
  2. Paste the Federation Metadata URL copied from Microsoft Entra into the idp_metadata_url field.
  3. Entity ID URL pointing to the SeaCat Auth SAML metadata (replace with your public LogMan.io domain).
  4. Label of your SAML provider shown on the login page. You may want to include your organization name here.

Save the changes and apply them using the Apply button in the /Site folder of the Library or via command line on the host server:

./gov.sh up
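The Entra side (Identifier and Reply URL) and the SeaCat Auth side (entity_id, idp_metadata_url) have to agree exactly, and a typo or a leftover placeholder domain only surfaces as a failed login later. The following added example, which is not part of the LogMan.io documentation or of SeaCat Auth itself, checks the seacatauth:saml:msentra values before you run ./gov.sh up: it derives the Identifier and Reply URL that must be entered in Entra from entity_id, and flags the most common mistakes in idp_metadata_url. The configuration dictionary and the placeholder tenant and app ids are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample mirroring the seacatauth:saml:msentra section of /Site/model.yaml.
# TENANT-ID-PLACEHOLDER / APP-ID-PLACEHOLDER stand in for the values Entra gives you.
SAMPLE_CONFIG = {
    "idp_metadata_url": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER"
                        "/federationmetadata/2007-06/federationmetadata.xml?appid=APP-ID-PLACEHOLDER",
    "entity_id": "https://logman.example.com/auth/saml/metadata",
    "label": "MS Entra",
}

# Path suffixes fixed by the guide above: the SeaCat Auth SAML metadata endpoint
# (Identifier / Entity ID) and the Assertion Consumer Service endpoint (Reply URL).
METADATA_SUFFIX = "/auth/saml/metadata"
ACS_SUFFIX = "/auth/api/seacat-auth/public/ext-login/callback"


def expected_entra_urls(entity_id: str) -> dict:
    """Derive the two values that must be entered in Entra's Basic SAML Configuration
    from the entity_id in model.yaml, so both sides can be compared side by side."""
    if not entity_id.endswith(METADATA_SUFFIX):
        raise ValueError("entity_id must end with " + METADATA_SUFFIX)
    base = entity_id[: -len(METADATA_SUFFIX)]          # https://<public LogMan.io domain>
    return {"identifier": entity_id, "reply_url": base + ACS_SUFFIX}


def check_saml_config(cfg: dict) -> list:
    """Return a list of problems found in the SAML provider section; an empty list means OK."""
    problems = []
    for key in ("idp_metadata_url", "entity_id", "label"):
        if not cfg.get(key):
            problems.append(f"missing {key}")
    if problems:
        return problems

    ent = urlsplit(cfg["entity_id"])
    if ent.scheme != "https":
        problems.append("entity_id must use https (public LogMan.io domain)")
    if "your-logman-domain.com" in ent.netloc:
        problems.append("entity_id still contains the placeholder domain from the guide")
    if not ent.path.endswith(METADATA_SUFFIX):
        problems.append("entity_id path must end with " + METADATA_SUFFIX)

    meta = urlsplit(cfg["idp_metadata_url"])
    if meta.scheme != "https":
        problems.append("idp_metadata_url must use https")
    if meta.netloc != "login.microsoftonline.com":
        problems.append("idp_metadata_url host is not login.microsoftonline.com")
    if not meta.path.endswith("federationmetadata.xml"):
        problems.append("idp_metadata_url does not point to federationmetadata.xml")
    if "appid" not in parse_qs(meta.query):
        problems.append("idp_metadata_url lacks the appid query parameter "
                        "(copy the complete Federation Metadata XML link)")
    return problems


if __name__ == "__main__":
    for name, value in expected_entra_urls(SAMPLE_CONFIG["entity_id"]).items():
        print(f"Entra {name}: {value}")
    print("problems:", check_saml_config(SAMPLE_CONFIG) or "none")
```

Run it against the values you intend to put in model.yaml and compare the printed Identifier and Reply URL character by character with what is saved in Entra; the appid check matters because the Federation Metadata XML link without it describes the tenant rather than this application.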

Enabling SAML Login

To allow users to sign in with their MS Entra account, each user must pair their MS Entra identity with their LogMan.io account. This can be done manually by the user in Account Settings.

Alternatively, you can enable automatic user provisioning and pairing in the SeaCat Auth configuration. This allows new users to be registered and paired automatically when they log in via SAML, based on their email address. To enable these options, update your configuration as follows:

/Site/model.yaml
services:
  seacat-auth:
    ...
    asab:
      config:
        seacatauth:saml:msentra:
          ...
          register_unknown_at_login: true  # (1)
          pair_unknown_at_login: true      # (2)
          tenant: mycompany               # (3)
  1. register_unknown_at_login: Automatically register users who do not exist in LogMan.io when they first log in via SAML.
  2. pair_unknown_at_login: Automatically pair SAML users with existing LogMan.io accounts upon first login by matching their email address (case-sensitive).
  3. tenant: Assign new users to this tenant (organization) upon registration or pairing.
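Because pair_unknown_at_login matches email addresses case-sensitively, an account stored in LogMan.io as bob.smith@example.com will not be paired with a user whose Entra user.mail is Bob.Smith@example.com, and depending on register_unknown_at_login the login will either create a separate account or require manual pairing. The following added example, not part of the LogMan.io documentation or of SeaCat Auth, previews that outcome for a list of IdP email addresses against the local accounts before you enable the options; the email lists are constructed sample data.

```python
def pairing_preview(idp_emails, local_emails, register_unknown: bool) -> dict:
    """Classify each IdP email the way an exact, case-sensitive match would:
    'paired'          - an identical local account exists and will be paired
    'case_mismatch'   - a local account differs only in letter case, so it will
                        NOT be paired; fix the case on one side first
    'registered'      - no local account; created if register_unknown_at_login is true
    'manual_pairing'  - no local account and registration is off; the user must
                        pair the identity in Account Settings
    """
    local_exact = set(local_emails)
    local_folded = {e.casefold(): e for e in local_emails}
    result = {"paired": [], "case_mismatch": [], "registered": [], "manual_pairing": []}
    for email in idp_emails:
        if email in local_exact:
            result["paired"].append(email)
        elif email.casefold() in local_folded:
            result["case_mismatch"].append((email, local_folded[email.casefold()]))
        elif register_unknown:
            result["registered"].append(email)
        else:
            result["manual_pairing"].append(email)
    return result


# Constructed sample data: user.mail values as Entra would send them, and the
# email addresses of existing LogMan.io accounts (made-up, not from a real deployment).
IDP_EMAILS = ["alice@example.com", "Bob.Smith@example.com", "carol@example.com"]
LOCAL_ACCOUNTS = ["alice@example.com", "bob.smith@example.com", "dave@example.com"]

if __name__ == "__main__":
    preview = pairing_preview(IDP_EMAILS, LOCAL_ACCOUNTS, register_unknown=True)
    for outcome, entries in preview.items():
        for entry in entries:
            print(f"{outcome:15} {entry}")
```

Feed it the user.mail values exported from Entra and the email addresses of the existing LogMan.io accounts; every entry under case_mismatch is an account that would silently end up duplicated or unpaired once the options above are switched on.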

After making these changes, apply them using the Apply button in the /Site folder of the Library, or by running the following command on the host server:

./gov.sh up