Single Sign-On in Graylog

Single sign-on (SSO) is a common method of authentication, particularly in larger organizations, that allows you to use a third-party provider to manage access to multiple systems across your network with a single set of login credentials. Graylog supports SSO for users to access the web interface.

This article explains the benefits of SSO and describes what you need to implement SSO in Graylog.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • You must be a Graylog administrator to set up SSO.

  • You must have access credentials for your organization's identity source.

What Is SSO?

Single sign-on (SSO) is a method of authentication that uses the same credentials for multiple applications or websites across your network. Typically, SSO is managed by your IT department with a tool or application intended for that purpose. Users authenticate once to the SSO provider, and the provider then handles authentication to the websites or applications the user needs to access, so the user does not have to re-enter their credentials.

Using SSO allows the organization to provide both better security and a better user experience. You can require strong, complex passwords and periodic password changes as a security best practice, and you manage these requirements through your SSO provider. Having such measures in place may also be required for regulatory compliance in some industries.

With SSO, users do not experience password fatigue from constantly signing on to different systems, thinking up new passwords, and remembering multiple passwords for different applications. Both IT and users benefit from fewer support tickets for password resets, and security improves when users no longer need to write passwords down on sticky notes or elsewhere.

Hint: Graylog recommends the use of strong passwords and password best practices for improved security. However, note that Graylog itself cannot enforce these policies. If your organization has password policies in place that you need to enforce, you must do so through a third-party identity management solution.

SSO with Graylog

Graylog supports SSO to authenticate users with the Graylog web interface. You can also take advantage of this integration for user management, relying on your organization’s authoritative identity source to provide users and user information to Graylog. In addition, Graylog Enterprise users can sync groups from their provider into Graylog teams for easier permission management.

Both Active Directory and LDAP are available out of the box as identity sources for Graylog Open. Graylog Enterprise adds support for Okta as well as generic OpenID Connect (OIDC) authentication so you can manage your Graylog login with a variety of OIDC-compliant identity providers.

You can find complete information about each identity provider type in the following topics:

Only one external authentication provider can be active at a time. Make sure you have appropriate access credentials for your third-party provider that allow you to make changes to users and groups, and be sure to keep these credentials secure.