User Authentication
All users accessing your Graylog environment must be properly authenticated. Graylog provides both manual user management, performed by an administrator within the Graylog interface, and integration with your organization’s authoritative identity source to allow you to establish single sign-on (SSO).
Your Graylog environment and organizational factors determine which method of user authentication you use. The biggest distinguishing factor is whether you set up an on-premises installation of Graylog or if you use Graylog Cloud. This article explains some of the key differentiators between the two as well as important considerations for each method.
Prerequisites
Before proceeding, ensure that the following prerequisites are met:
- You must be a Graylog administrator to enable user authentication.
- You generally must also be an administrator of the application being set up and/or hold access credentials for any third-party components in your environment, as required.
Highlights
The following highlights provide a summary of the key takeaways from this article:
- Every user must be properly authenticated to access Graylog.
- Choose between manual administrator-managed accounts or SSO integration.
- Graylog Open supports Active Directory/LDAP for SSO; Graylog Enterprise adds Okta and OIDC support.
- Trusted header authentication allows for proxy-based external authentication.
On-Premises Authentication
When you install Graylog for the first time, you create your administrator account and password. Later, you can create additional users with the Admin role as necessary. Be sure to keep these credentials secure and accessible. Even if you set up SSO, you will still require a local administrator account and password to sign on to Graylog if you have any issues with your identity provider.
For information about creating users and assigning permissions manually, see the following topics:
SSO
Graylog’s ability to integrate with your organizational identity source allows you to use single sign-on (SSO) to authenticate users with the Graylog web interface. Graylog Open supports Active Directory and LDAP integration. Graylog Enterprise adds support for Okta as well as generic OpenID Connect (OIDC) authentication so you can manage your Graylog login with a variety of OIDC-compliant identity providers.
You can find complete information about each identity provider type in the following topics:
Make sure you have appropriate access credentials to your third-party provider that allow you to make changes to users and groups, and be sure to keep these credentials secure!
Trusted Header Authentication
Graylog may also be configured to support trusted header authentication via a configured HTTP header. This allows you to use a proxy server in front of Graylog to perform the authentication using an external system—like a keycard system, Kerberos, or another method that Graylog may not natively support.
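The two halves of that arrangement, as an added illustration rather than Graylog's own code or configuration: the proxy discards any copy of the trusted header a client sends before setting it from its own authentication result, and the application behind it only honours the header when the request arrives from a trusted proxy address. The header name and the proxy address range are constructed for the example, not Graylog defaults.

```python
import ipaddress
from typing import Dict, Optional

# Constructed values for this example (not Graylog settings): the header name the
# proxy is configured to send, and the address range the proxy connects from.
TRUSTED_HEADER = "Remote-User"
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def proxy_forward(client_headers: Dict[str, str], authenticated_user: str) -> Dict[str, str]:
    """Model of the reverse proxy. It has already authenticated the client
    externally (keycard, Kerberos, ...). Any copy of the trusted header the client
    supplied is dropped, so a user cannot pick their own identity, and the proxy
    then sets the header from its own authentication result."""
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() != TRUSTED_HEADER.lower()}
    forwarded[TRUSTED_HEADER] = authenticated_user
    return forwarded


def resolve_user(headers: Dict[str, str], remote_addr: str) -> Optional[str]:
    """Model of the application side. The header is only honoured when the TCP
    peer is one of the trusted proxies; a request that reaches the service
    directly (proxy bypassed) is treated as unauthenticated."""
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None
    for name, value in headers.items():
        if name.lower() == TRUSTED_HEADER.lower() and value.strip():
            return value.strip()
    return None


if __name__ == "__main__":
    # Constructed request: the client sends its own identity header along.
    client = {"Host": "graylog.example.test", "Remote-User": "admin"}
    via_proxy = proxy_forward(client, "alice")
    print(resolve_user(via_proxy, "10.0.0.5"))   # alice: header set by a trusted proxy
    print(resolve_user(client, "192.0.2.10"))    # None: header from an untrusted peer is ignored
```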
Graylog Cloud Authentication
If you use Graylog Cloud, the Graylog Cloud team works with you during setup to provision your cloud instance and provide you with secure login credentials. It is also possible to establish SSO for Graylog Cloud, but this setup uses SAML and must be completed with support from the Graylog Cloud team.