
How to connect to SAML / Microsoft Entra

This guide explains how to configure TeskaLabs LogMan.io to use SAML-based Single Sign-On (SSO) with Microsoft Entra (formerly Azure AD).

Configure LogMan.io in Microsoft Entra

Create a new Enterprise Application

  1. In Microsoft Entra, go to Entra ID > Enterprise applications and Create a new application.

  2. Select Create your own application.

  3. Name the application TeskaLabs LogMan.io, select Integrate any other application you don't find in the gallery (Non-gallery), and click Create.

Configure SAML-based Single Sign-On

  1. After the application is created, go to the Single sign-on section and select the SAML method.

  2. Click on the Edit icon in the Basic SAML Configuration section to configure the following settings:

    Note: If you do not see the Edit icon, you may need to first select Set up [your application name].
    • Identifier (Entity ID): https://your-logman-domain.com/auth/saml/metadata (replace with your public LogMan.io domain)
    • Reply URL (Assertion Consumer Service URL): https://your-logman-domain.com/auth/api/seacat-auth/public/ext-login/callback (replace with your public LogMan.io domain)

    Click Save to apply the changes.

Configure User Attributes & Claims

  1. In the User Attributes & Claims section, click on the Edit icon.
  2. Configure the Unique User Identifier (Name ID) claim as follows:

    • Name identifier format: emailAddress
    • Source attribute: user.mail
  3. Ensure that the following claim is present:

    • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    • Source attribute: user.mail

    If the claim is not present, click on Add new claim to create it.

    Click Save to apply the changes.

Save the Federation Metadata URL

  1. In the SAML Signing Certificate section, find the Federation Metadata XML link.

  2. Copy the URL of the Federation Metadata XML. You will need this URL for configuring LogMan.io.

SeaCat Auth Configuration

To enable SAML authentication with Microsoft Entra in TeskaLabs LogMan.io, you need to configure the LogMan.io authorization service, TeskaLabs SeaCat Auth, in the model.

/Site/model.yaml
services:
  seacat-auth:
    ...

    # Add the following configuration
    asab:
      config:
        seacatauth:saml:msentra:  # (1)
          idp_metadata_url: https://login.microsoftonline.com/..../federationmetadata.xml?appid=....  # (2)
          entity_id: https://your-logman-domain.com/auth/saml/metadata  # (3)
          label: MS Entra  # (4)

  1. SAML login provider identifier.
  2. Paste the Federation Metadata URL copied from Microsoft Entra into the idp_metadata_url field.
  3. Entity ID URL pointing to the SeaCat Auth SAML metadata (replace with your public LogMan.io domain).
  4. Label of your SAML provider shown on the login page. You may want to include your organization name here.

Save the changes and apply them using the Apply button in the /Site folder of the Library or via command line on the host server:

./gov.sh up

Enabling SAML Login for your user account

To be able to log in using SAML, you need to link your LogMan.io user account with your Microsoft Entra account.

  1. Log in to LogMan.io using your existing credentials.
  2. Click your username in the top-right corner and select Account Settings.
  3. In the Social & enterprise logins section, click Add a new account.
  4. Select MS Entra (or your configured label) from the list of available providers.
  5. You will be redirected to the Microsoft Entra login page. If prompted, enter your credentials to authenticate.
  6. After successful authentication, your LogMan.io account will be linked to your Microsoft Entra account.