Single Sign-on Authentication
Single Sign-on Settings can be configured through Settings > Organization Settings > Authenticated Domains (section)
. You can use SSO settings to let your team log in through an Identity Providers (like Google Workspace, Okta, etc) instead of using passwords.
Google Workspaceβ
Google Workspace single sign-on (SSO) provides password-free access to the invited members of your workspace to SigNoz.
Who can use this feature?β
- Google Workspace Owners and Org Owners
- Available in
Enterprise
andTeams
plan.
Steps to configure Google OAuth 2.0β
Google Workspace single sign-on (SSO) lets all members of your workspace sign in to SigNoz using their Google accounts. If they donβt have a account in SigNoz yet, they will have to be invited by Admin from Settings > Organization Settings > Invite Members
.
Register your signoz instance with your Google org by visiting the cloud console. You must create a developers project if you have not already. Then follow the Create Credentials flow.
Set the Authorized Redirect URL(s) to http(s)://${SIGNOZ_BASEURL}/api/v1/complete/google
During the setup you will obtain a client id and a client secret. Note it down as you will need them while setting up google auth in SigNoz.
Go to
Settings > Organization Settings > Authenticated Domains
. ClickAdd a Domain
. Enter your domain name (e.g. [email protected]).After domain is created, click on
Configure SSO
. ChooseGoogle Authentication
from the list.Now, enter the client id and secret you obtained in step 3. Click
Save Settings
.Click on
Enforce SSO
(next to your domain in Authenticated Domains) to enable google SSO login. When you enforce SSO, all users with user name format<username>@your-email-domain.com
will be forced to log in through Google.To test your setup, we recommend you to log in from a new browser window in Incognito mode.
If you face issue signining in, review the query service logs. To log into SigNoz for correcting SSO settings, admins may use this special URL to use password based login: http(s)://${SIGNOZ_BASEURL}/login?password=Y
SAML based Authenticationβ
Integrating SAML with SigNoz lets your users access SigNoz without re-authenticating. Configuring SAML is a two step process. First, you would have to configure your IdP (Identity Provider like Okta, Azure AD) with details of your SigNoz app. When the first step is complete, you would need to enter the information (like Entity ID, etc) available in your IdP into SigNoz settings (Settings >> Organization Settings >> Authentication Domains
)
Who can use this feature?β
- Available in
Enterprise
andTeams
plan.
SAML authentication with Azure AD (Active Directory)β
Steps to be performed in Azure ADβ
- Go to the
Azure Active Directory (AD)
and click onEnterprise Applications
. - Click on
+ New Application
in the top bar of the All Applications page. - In the next page, click on
+Create your own application
. Enter your application name as SigNoz, Select Integrate with other Applications (Non-Gallery) option and create. - Once the application is created, go to
Single Sign-On
from left side bar and click onSAML
card option - When the next page appears, you will see an card for
Basic SAML Configuration
. Click on edit icon button in this card - Fill out the following details and click
Save
:- Entity Identifier (Entity ID): Set Base URL (host and port - if any) of your SigNoz app. e.g. http(s)://${SIGNOZ_BASEURL}
- Reply URL(Assertion Consumer Service URL): Set the reply URL using this format - http(s)://${SIGNOZ_BASEURL}/api/v1/complete/saml
- Now we need to capture SSO information required to configure SAML in SigNoz. In the page, locate App Federation Metadata URL. Preferably, open this metadata page in a new tab. Once there, locate and copy these two field values from XML into a separate notepad:
- At the top of page, locate XML tag
EntityDescriptor
and copy theentityID
value
<EntityDescriptor ID="_2d8d...a006" entityID="https://sts.windows.net/00d562...816c79/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
- Locate
X509Data
tag and copy the entity content (value). This is certificate that SigNoz needs to validate response from IdP. - Locate
Location
at the bottom of the page and copy its value.
- At the top of page, locate XML tag
For more details on the metadata page, click here
Steps to be performed in SigNozβ
- Go to
Settings
. Click onOrganization Settings
tab and locateAuthenticated Domains
in the page - Click
Add Domain
- Enter the domain that your users would login with. For example, if your user names or emails are in format such as [email protected] then you would have to enter example.com here.
- After domain is added, Click on
Configure SSO
and chooseSAML Authentication
option - Enter values of tags
entity ID
,Certificate Data
andLocation(ACS URL)
that you acquired from the metadata page (step 7 above) - Save the settings and log in from an incognito tab to test the setup. If you face difficulties signing in, review the query service logs. Also if you are admin and are unable to login because of faulty setup, then you may login with password using this URL: http(s)://${SIGNOZ_BASEURL}/login?password=Y