Setting up the FlowLogViewer with OneLogin SSO
Several PiaSoft customers have asked us to add SSO support, and in v1.11 we have added it. We also have instructions to set up with Okta.
The Single Sign On workflow to view Flow Logs looks like:
- User logs into your SSO Identity Provider.
- User follows a link to a FlowLogsViewer instance.
- After authentication with the IDP completes successfully, user is redirected to the base login page. Credentials are no longer required here.
- If access to the app is denied through the SSO IDP, users are redirected to an access denied page on the SSO provider page.
Setup
Once your instance is set up (don't forget our free 30-day trial), you will need to:
- SSH to the instance
- Add some configuration to /home/ubuntu/flowlogviewer/current/config/application.rb
For OneLogin to work, you will need a connector set up. You can use the SAML Test Connector (IdP w/ attr) that OneLogin helps you set up here: https://developers.onelogin.com/saml/python#Task2
1. Modify application.rb
SSH to the instance and open this file with your favorite editor:
/home/ubuntu/flowlogviewer/current/config/application.rb
Modify this section:
# SSO Configuration. Please see www.piasoftware.net/setup for help setting up SSO
config.sso_enabled = false
config.idp_sso_target_url = "URL_TO_YOUR_SSO_PROVIDER_GOES_HERE"
config.idp_cert_fingerprint = "SHA256 fingerprint of your SSO Provider's key goes here"
# Change this line if you're creating a fingerprint with an algorithm besides sha256
config.idp_cert_fingerprint_algorithm = "http://www.w3.org/2000/09/xmldsig#sha256"
1a. Set "config.sso_enabled = true"
1b. Visit the OneLogin Console -> Apps. You should have an app that uses SAML 2.0 like this after having created the SAML Test Connector:
Click it.
1c. For the config.idp_sso_target_url parameter, go to the SSO page and copy the value from: "SAML 2.0 Endpoint (HTTP)"
1d. For the config.idp_cert_fingerprint parameter, under "X.509 Certificate", click "View Details". Change the SHA Fingerprint algorithm from SHA1 -> SHA256 and copy the fingerprint to application.rb.
The file should look like:
# SSO Configuration. Please see www.piasoftware.net/setup for help setting up SSO
config.sso_enabled = true
config.idp_sso_target_url = "https://pia-software-dev.onelogin.com/trust/saml2/http-post/sso/1111111111"
config.idp_cert_fingerprint = "00:7A:E8:61:18:AB:43:3F:10:7E:78:02:FA:6F:07:7C:91:20:A7:D5:33:74:DB:74:A8:75:B7:E2:B1:DE:40:DF"
config.idp_cert_fingerprint_algorithm = "http://www.w3.org/2000/09/xmldsig#sha256"
Save and exit.
2. Restart the flowlogviewer:
$ sudo systemctl restart flowlogviewer.target
Now, when you hit the IP for your Flow Logs Viewer instance, you should be redirected to the SSO provider.
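To confirm that the fingerprint pasted into application.rb really belongs to the IdP certificate, you can recompute it from the certificate's PEM file. The Ruby below is an added example, not FlowLogViewer code: the helper names, the way the algorithm is read from the URI fragment, and the throwaway self-signed certificate used as sample input are all assumptions.

```ruby
require "openssl"

# Digest names accepted from the URI fragment (assumption: the two options the
# IdP console offers; how FlowLogViewer parses this URI is not shown on the page).
ALLOWED = %w[sha1 sha256].freeze

# Colon-separated upper-case hex fingerprint over the certificate's DER bytes.
def cert_fingerprint(pem, algorithm_uri)
  name = algorithm_uri[/#(sha\d+)\z/i, 1].to_s.downcase
  raise ArgumentError, "unsupported algorithm: #{algorithm_uri}" unless ALLOWED.include?(name)
  der = OpenSSL::X509::Certificate.new(pem).to_der
  OpenSSL::Digest.new(name).hexdigest(der).upcase.scan(/../).join(":")
end

# Strip colons, spaces and case differences from a pasted fingerprint.
def normalize(fingerprint)
  fingerprint.gsub(/\H/, "").upcase
end

# Returns :match, :mismatch, or :algorithm_mismatch when the configured value has
# the wrong length for the configured algorithm (e.g. a SHA1 value left in place).
def check_fingerprint(pem, configured, algorithm_uri)
  actual = normalize(cert_fingerprint(pem, algorithm_uri))
  expected = normalize(configured)
  return :algorithm_mismatch unless expected.length == actual.length
  expected == actual ? :match : :mismatch
end

# Constructed sample input: a throwaway self-signed certificate standing in for
# the certificate downloaded from the IdP's "X.509 Certificate" page.
def sample_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=idp.example.test")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  pem = sample_pem
  uri = "http://www.w3.org/2000/09/xmldsig#sha256" # value from the config above
  puts check_fingerprint(pem, cert_fingerprint(pem, uri), uri)
end
```

In practice, replace sample_pem with File.read of the certificate you downloaded from the IdP, and pass the two config values exactly as they appear in application.rb.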