Authentication and Authorization (SaaS)
You can use Sysdig Monitor and Sysdig Secure with the following user authentication and authorization methods:
Type | Enabled by Default | Integration Requirements |
---|---|---|
User Credentials | Yes | No |
Google OAuth | No | Yes |
SAML | No | Yes |
OpenID Connect | No | Yes |
Prerequisites and Guidelines
Sysdig
- See SaaS Regions and IP Ranges before proceeding to configure authentication.
- Sysdig has assigned a Customer Name, Customer ID, and External ID for your account. You can view them on the Settings > Authentication (SSO) page.
Identity Provider (IdP)
- Configure authentication separately for each Sysdig product: Sysdig Monitor and Sysdig Secure.
- Configure your Identity Provider (IdP) for the Sysdig application.
- Users must be assigned to the application in the IdP to be able to access Sysdig.
Configure Single Sign-On
- Determine the Single Sign-On (SSO) and the IdP that your enterprise uses.
- Log in to the Sysdig application as an administrator.
- Open Settings > Authentication (SSO).
- On the Authentication screen, select New Configuration or choose to edit an existing one.
- When creating a new integration, select the type: OpenID or SAML.
- Enter the required connection settings for the chosen SSO. If you are configuring only one integration, the Integration Name can be omitted.
- Configure any associated IdP settings on the IdP side.
- If enabling both Sysdig Monitor and Sysdig Secure, repeat the process on the second application.
Main Authentication Settings
The main Authentication parameters are the same for all of the authentication protocols.
Option | Description |
---|---|
Customer ID | Unique customer identifier. |
Customer Name | Unique customer name. |
External ID | Unique customer External ID used in some SSO integrations. |
Manage SSO Configurations
Sysdig allows you to manage up to 10 SSO integrations in addition to Google OAuth. You can create new integrations by selecting the New Configuration option and then selecting the type, SAML or OpenID.
You can edit an existing SSO integration either by selecting the row or by selecting the pencil icon on the right side.
To delete a configuration, select the three-dot menu on the right side and then select the Delete Configuration option. You can only delete inactive SSO configurations.
An integration is active when the slider on the left side is in the right position. Make sure at least one integration is enabled so that it can be used to log users in.
Note: The Integration Name is not required if only one integration is set. If multiple integrations are defined, the integration name must be appended to the Metadata URL, Relay State, and Bookmark URL (if used).
Disable Password Authentication
For On-Prem environments, see Disable Password Authentication.
To disable password authentication through the UI:
- Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings from the user menu at the bottom left of the screen.
- Click Authentication (SSO).
- Scroll down and locate the Username and Password Login settings.
- Use the Username and Password Login slider to turn off password authentication.
- Click Save.
For the IdP break-glass scenario when password authentication is disabled, see Break-Glass scenario.
Configure Customized Session Expiration
To configure a customized session expiration:
- Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.
- Select Authentication (SSO).
- Scroll down and locate the Session Expiration settings.
- Specify the Session Expiration setting:
  - Enable session expiration by using the Inactive Session Expiration slider.
  - Specify the time-out period in minutes.
- Click Save.
Multi-Factor Authentication
Limitations
MFA only applies to local (username and password) user accounts.
- If you need to use MFA when using an Identity Provider (IdP), look into your Single Sign-On (SSO) configuration. See Enable Single Sign-On.
Administrators cannot enable MFA on user accounts. However, they can disable it.
Enable MFA
You can enable MFA for your account from the User Profile page. Once enabled, you will be prompted to use MFA when you log in.
To enable Multi-Factor Authentication:
- Log in to Sysdig Secure or Sysdig Monitor.
- Navigate to Settings > User Profile.
- In the Multi-Factor Authentication section, toggle Authenticator App MFA on. A modal appears. The modal has a QR code and a key.
- In your authenticator app, add a new account. Consult the documentation of your chosen app for precise instructions.
- Scan the QR code with your authenticator app. Alternatively, enter the key below the QR code manually. A verification code appears in your authenticator app.
- Enter the code into the text box in the modal, and click Confirm.
Multi-factor authentication is now enabled.
Log in with MFA
Once you have enabled MFA on an account, you can log in with MFA:
- Go to the Sysdig Secure or Sysdig Monitor login page.
- Enter your username and password.
- Select Log in.
- Open your authenticator app. A code appears.
- Enter the code generated in your authenticator app.
- Select Verify.
If the code is correct, your login will be successful.
Disable MFA on your Account
To disable MFA on your own account:
- Log in to Secure or Monitor. If you cannot log in, contact your administrator.
- Navigate to Settings > User Profile.
- In the Multi-Factor Authentication section, toggle Authenticator App MFA off.
- Select Confirm.
Multi-factor authentication is now disabled. When you attempt a login, you will no longer need to use your authenticator app.
(Admin) Disable MFA for a User
Administrators can disable MFA for other users. This is useful, for example, if a user loses access to the authenticator app. To disable MFA on a user’s account as an Admin:
- Log in to Sysdig Secure or Sysdig Monitor as an Admin.
- Navigate to Settings > Users.
- Select a user from the list. The Edit User page appears.
- Toggle off Authenticator App MFA.
MFA is now disabled for that user. Remember that Admins cannot toggle MFA on.