OpenID Connect (SaaS)

Sysdig supports OpenID Connect (OIDC) for authenticated login through your organization's Identity Provider (IdP). This page describes how to set up and enable OpenID authentication for Sysdig Monitor and Sysdig Secure.

Prerequisites

This topic is specific to cloud-based (SaaS) Sysdig environments. To configure an On-Premises Sysdig environment, see OpenID Connect (On-Prem).

If you want to set up OpenID for both Sysdig Monitor and Sysdig Secure, you need to complete the setup process twice. Setting up OpenID on one will not automatically set it up on the other.

To configure OpenID Single Sign-On (SSO), you need:

Overview

Using OpenID with Sysdig

The Sysdig platform ordinarily maintains its own user database holding a username and a password hash. With OpenID, Sysdig instead redirects the browser to your organization's IdP, which validates the user's credentials and applies any other policies needed to grant access to Sysdig applications. On successful authentication via OpenID, a corresponding user record is created automatically in the Sysdig user database; the password the user sent to the IdP is never seen or stored by the Sysdig platform.

Enable OpenID

1. Know which IdP your company uses and will be configuring

These are the OpenID Providers for which Sysdig has performed detailed interoperability testing and confirmed how to integrate using their standard docs. If your OpenID Provider is not listed (including ones that do not support OpenID Connect Discovery), it may still work with the Sysdig platform. Contact Sysdig Support for help.

  1. Okta (OpenID)
  2. Google Cloud Authentication (OpenID)
  3. OneLogin (OpenID)
  4. Keycloak (OpenID)
  5. Azure (OpenID)

2. Decide the login flow you want users to experience

Contact Sysdig for the Company Name associated with your account.

  1. Sysdig SaaS URL - On the main Sysdig login page select the OpenID button and enter your company name.

  2. Direct URL - Access the URL directly from a browser:

    1. Monitor: <Monitor Region URL>/api/oauth/openid/COMPANY_NAME
    2. Secure: <Secure Region URL>/api/oauth/openid/COMPANY_NAME?product=SDS

Replace the <Monitor Region URL> and <Secure Region URL> with a valid URL from SaaS Regions and IP Ranges.

  3. IdP-Initiated Login - Log in from an IdP interface.

    The individual IdP integration pages describe how to add Sysdig to the IdP interface. You will need your Company Name on hand.

3. Configure your IdP and collect the resulting configuration attributes

Collect the metadata (discovery) URL and test it. Register the Redirect URI in your IdP exactly as listed under Redirect URI; the IdP-initiated login flow in particular depends on it.

4. Configure Sysdig

  1. Log in to Sysdig Monitor or Sysdig Secure and configure authentication.
    • Log in to Sysdig Monitor Settings (as super admin) and enter the necessary configuration information in the UI. Save and Enable OpenID as your SSO.
    • Log in to Sysdig Secure Settings (as super admin) and enter the necessary configuration information in the UI. Save and Enable OpenID as your SSO.
  2. Repeat the process for the other Sysdig product if you are using both Monitor and Secure. Enter a separate Redirect URI in your IdP for each product; otherwise, the integration process is the same.

Configure IdP in Sysdig

Choose Your IdP

Select the appropriate IdP link below, and follow the instructions:

  1. Okta (OpenID)
  2. Google Cloud Authentication (OpenID)
  3. OneLogin (OpenID)
  4. Keycloak (OpenID)
  5. Azure (OpenID)

To enable baseline OpenID Connect functionality:

Create a New OpenID SSO Configuration

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator.

  2. Select Settings from the User Profile button in the left navigation.

  3. Select Authentication (SSO).

  4. In the SSO Configuration section, select New Configuration.

  5. Select type OpenID and click Add.

  6. Enter the relevant parameters in the configuration:

    Connection Setting: Description

    Integration Name: Required if you have more than one SSO configuration of the same type.
    Client ID: The unique ID provided by your IdP.
    Client Secret: The secret provided by your IdP.
    Issuer URL: The URL provided by your IdP. For example: https://YOUR-ONELOGIN-DOMAIN.onelogin.com/oidc. Use the entire domain path for OpenID Connect, including any trailing /.
    Create User on login: Enable to allow creating users on login. Otherwise only existing users can log in. Default: Enabled. With this enabled, anyone your IdP lets into the Sysdig application gets a Sysdig user, so restrict the application assignment on the IdP side.
    Metadata Discovery: The IdP supports Metadata Discovery. Default: Enabled.
    Disable username and password login: Prevent users from logging in with a username and password (require IdP login).
    Enable OpenID single logout: Toggle to enable single logout. See Configure OpenID Single Logout.
    Use External ID: Require the customer-specific External ID in the Redirect URI. See Use External ID in Redirect URI.
    Group Mapping: Use Group Mapping. See Group Mappings.
    Group Attribute Name: For use with Group Mapping. See Group Mappings.
    Additional Scopes: Any scopes required for logging in beyond the mandatory openid, profile, and email. The three mandatory scopes are always requested and must not be entered here.
  7. Select Save.

Okta, OneLogin, and Keycloak support metadata auto-discovery; so these settings should be sufficient for these IdPs.

Enable or Disable a SSO Integration

Make sure at least one integration is enabled to be able to use it for logging users in.

  1. Find the integration that you want to control.

  2. Select the toggle on the left side of the integration and slide it to the right to enable or left to disable.

  3. If you want to manage multiple integrations, repeat the process for each one.

Edit an Existing SSO Integration
  1. Log in to Sysdig Monitor or Sysdig Secure as administrator.

  2. Select Settings from the User Profile button in the left navigation.

  3. Select Authentication (SSO).

  4. Select the pen icon on the right-hand side of the window to edit the existing integration.

(Optional) Enter OpenID Additional Settings

In some cases, an OpenID IdP may not support metadata auto-discovery, and additional configuration settings must be entered manually.

In this case:

  1. In the OpenID tab, toggle the Metadata Discovery button to off to display additional entries on the page.

  2. Enter the relevant parameters derived from your IdP and click Save.

    Connection Setting: Description

    Issuer URL: Required. Case-sensitive URL that uniquely identifies the OpenID Provider.
    Authorization Endpoint: Required. Authorization request endpoint.
    Token Endpoint: Required. Token exchange endpoint.
    JSON Web Key Set Endpoint: Required. The endpoint that serves the keys used to verify token signatures.
    End session endpoint: Optional. The URL at the IdP to which a Relying Party (RP) can redirect to request that the end user be logged out at the IdP. Required if the single-logout toggle is enabled.
    Token Auth Method: Authentication method for the token endpoint. Supported values: client_secret_basic or client_secret_post (case insensitive).

The Issuer URL is often the same for every tenant of a provider, but it can differ for providers that have a general domain and a user-specific domain. For example, OneLogin has the general domain https://openid-connect.onelogin.com/oidc and a user-specific domain such as https://sysdig-phil-dev.onelogin.com/oidc.

Enter the URL your IdP provides, for example https://YOUR-ONELOGIN-DOMAIN.onelogin.com/oidc, using the entire domain path for OpenID Connect, including any trailing slash (/). The value is case-sensitive and must be identical to the issuer value in the IdP's discovery document, or token validation fails.
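The "test it" step for the metadata URL, and the manual settings above, both come down to reading the IdP's discovery document correctly. The following is an added example, not Sysdig's own code: it checks a discovery document the way a practitioner should before pasting its values into the form, in particular the exact issuer match (trailing slash included) and whether the IdP's token endpoint accepts one of the two Token Auth Method values. The sample document and its idp.example.com hostname are constructed for the example.

```python
"""Check an OpenID Provider's discovery document before copying its values
into the Sysdig OpenID settings. Added example, not Sysdig's own code; the
IdP hostname in the sample document is hypothetical."""
import json
from urllib.parse import urlparse

MANDATORY_SCOPES = {"openid", "profile", "email"}
# Token Auth Method values Sysdig accepts (case-insensitive in the UI).
SYSDIG_AUTH_METHODS = {"client_secret_basic", "client_secret_post"}

# Constructed sample of what <Issuer URL>/.well-known/openid-configuration returns.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com/oidc",
    "authorization_endpoint": "https://idp.example.com/oidc/auth",
    "token_endpoint": "https://idp.example.com/oidc/token",
    "jwks_uri": "https://idp.example.com/oidc/certs",
    "end_session_endpoint": "https://idp.example.com/oidc/logout",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
})


def discovery_url(issuer):
    """Where the discovery document lives for a given Issuer URL."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(configured_issuer, document, want_slo=False):
    """Return (settings, problems): the values for Sysdig's manual OpenID
    settings, and every reason the integration would fail as configured."""
    doc = json.loads(document)
    problems = []

    # OIDC Discovery requires the issuer in the document to be identical to
    # the Issuer URL used to fetch it: the comparison is case-sensitive and
    # a missing or extra trailing slash is a mismatch.
    issuer = doc.get("issuer", "")
    if issuer != configured_issuer:
        problems.append(f"issuer mismatch: document says {issuer!r}, Sysdig has {configured_issuer!r}")

    required = ["issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"]
    if want_slo:  # end_session_endpoint is only mandatory with single logout on
        required.append("end_session_endpoint")
    for key in required:
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlparse(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")

    # Default per the Discovery spec when the list is absent.
    offered = set(doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"]))
    usable = sorted(offered & SYSDIG_AUTH_METHODS)
    if not usable:
        problems.append(f"IdP token endpoint offers {sorted(offered)}, none usable by Sysdig")

    # scopes_supported is optional; if published it must cover the mandatory three.
    scopes = set(doc.get("scopes_supported", MANDATORY_SCOPES))
    if not MANDATORY_SCOPES <= scopes:
        problems.append(f"IdP does not advertise {sorted(MANDATORY_SCOPES - scopes)}")

    settings = {
        "Issuer URL": issuer,
        "Authorization Endpoint": doc.get("authorization_endpoint"),
        "Token Endpoint": doc.get("token_endpoint"),
        "JSON Web Key Set Endpoint": doc.get("jwks_uri"),
        "End session endpoint": doc.get("end_session_endpoint"),
        "Token Auth Method": usable[0] if usable else None,
        "Extra scopes the IdP offers": sorted(scopes - MANDATORY_SCOPES),
    }
    return settings, problems


if __name__ == "__main__":
    settings, problems = validate_discovery("https://idp.example.com/oidc", SAMPLE_DISCOVERY, want_slo=True)
    print(problems or "discovery document is usable")
    for name, value in settings.items():
        print(f"  {name}: {value}")
    # The same document fetched under an issuer with a trailing slash is rejected.
    _, problems = validate_discovery("https://idp.example.com/oidc/", SAMPLE_DISCOVERY)
    print(problems)
```

To run this against a real provider, fetch discovery_url(issuer) over HTTPS and pass the response body as document. The "Extra scopes the IdP offers" entry lists candidates for Additional Scopes (for example a groups scope when using Group Mapping); it is not something to copy wholesale.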

Redirect URI

Identify the correct Redirect URI associated with your Sysdig application and region.

    Region  App      Sign-In Redirect URI
    us      Monitor  https://app.sysdigcloud.com/api/oauth/openid/auth
    us      Secure   https://secure.sysdig.com/api/oauth/openid/secureAuth
    us2     Monitor  https://us2.app.sysdig.com/api/oauth/openid/auth
    us2     Secure   https://us2.app.sysdig.com/api/oauth/openid/secureAuth
    us4     Monitor  https://app.us4.sysdig.com/api/oauth/openid/auth
    us4     Secure   https://app.us4.sysdig.com/api/oauth/openid/secureAuth
    au1     Monitor  https://app.au1.sysdig.com/api/oauth/openid/auth
    au1     Secure   https://app.au1.sysdig.com/api/oauth/openid/secureAuth
    eu1     Monitor  https://eu1.app.sysdig.com/api/oauth/openid/auth
    eu1     Secure   https://eu1.app.sysdig.com/api/oauth/openid/secureAuth
    me2     Monitor  https://app.me2.sysdig.com/api/oauth/openid/auth
    me2     Secure   https://app.me2.sysdig.com/api/oauth/openid/secureAuth

For more information on regions, see SaaS Regions and IP Ranges.

Use External ID in Redirect URI

To improve security, Sysdig introduced the option to require a customer-specific External ID in the Redirect URI. The ID is generated automatically for each customer and cannot be modified. It is a UUID of the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.

When Use External ID is enabled, the External ID must be appended to the Redirect URI registered at your IdP. The format is <REDIRECT_URI>/<EXTERNAL_ID>: replace <REDIRECT_URI> with the Redirect URI for your region and product from the table above and <EXTERNAL_ID> with your actual External ID. IdPs match the redirect URI exactly, so the IdP entry must be updated before the toggle is turned on, or logins fail.

See Main Authentication Settings to retrieve your External ID.

Use of the External ID will be required after July 1st 2024. After this date it will no longer be possible to disable the toggle, and the toggle will be removed from the UI. Switch your IdP to the Redirect URI with External ID as soon as possible.
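When switching an IdP over to the Redirect URI with External ID, the quickest check is to copy the authorization request Sysdig redirects the browser to (from the address bar or DevTools) and compare its redirect_uri with the string registered at the IdP. The following is an added example, not Sysdig's own code. The region entries are a subset of the table above, the External ID is a made-up UUID, and the expectation that the request carries response_type=code and a state parameter is an assumption about Sysdig's authorization request, not something this page states.

```python
"""Verify the authorization request Sysdig sends to the IdP against the
Redirect URI registered there, with and without External ID.
Added example, not Sysdig's own code."""
import re
from urllib.parse import urlparse, parse_qs

MANDATORY_SCOPES = {"openid", "profile", "email"}
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# Sign-in Redirect URIs from the table on this page (subset), by (region, app).
REDIRECT_URIS = {
    ("us", "monitor"): "https://app.sysdigcloud.com/api/oauth/openid/auth",
    ("us", "secure"): "https://secure.sysdig.com/api/oauth/openid/secureAuth",
    ("eu1", "monitor"): "https://eu1.app.sysdig.com/api/oauth/openid/auth",
    ("eu1", "secure"): "https://eu1.app.sysdig.com/api/oauth/openid/secureAuth",
}


def expected_redirect_uri(region, app, external_id=None):
    """The exact string to register at the IdP: <REDIRECT_URI>/<EXTERNAL_ID> when
    Use External ID is on, the bare Redirect URI otherwise."""
    base = REDIRECT_URIS[(region, app)]
    if external_id is None:
        return base
    if not UUID_RE.match(external_id):
        raise ValueError(f"External ID is not a UUID: {external_id!r}")
    return f"{base}/{external_id}"


def check_authorization_request(url, region, app, external_id=None):
    """Return the mismatches between the observed request and what the IdP
    registration expects; an empty list means the request should be accepted."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    problems = []
    want = expected_redirect_uri(region, app, external_id)
    got = query.get("redirect_uri")
    if got != want:  # IdPs compare redirect_uri byte-for-byte; no prefix matching
        problems.append(f"redirect_uri is {got!r}, IdP registration expects {want!r}")
    # Assumed: Sysdig uses the authorization code flow (it has a token endpoint
    # and a client secret) and sends a state value for CSRF protection.
    if query.get("response_type") != "code":
        problems.append("not an authorization code request")
    scopes = set(query.get("scope", "").split())
    if not MANDATORY_SCOPES <= scopes:
        problems.append(f"scope lacks {sorted(MANDATORY_SCOPES - scopes)}")
    if not query.get("state"):
        problems.append("no state parameter (CSRF protection on the callback)")
    return problems


# Constructed request as it would appear after enabling Use External ID;
# the External ID and IdP hostname are made up.
EXTERNAL_ID = "0f9c2e7a-5b1d-4c3e-9a8b-7d6e5f4a3b2c"
SAMPLE_REQUEST = (
    "https://idp.example.com/oidc/auth?client_id=sysdig&response_type=code"
    "&scope=openid+profile+email&state=xyz"
    "&redirect_uri=https%3A%2F%2Feu1.app.sysdig.com%2Fapi%2Foauth%2Fopenid%2FsecureAuth%2F" + EXTERNAL_ID
)

if __name__ == "__main__":
    print(check_authorization_request(SAMPLE_REQUEST, "eu1", "secure", EXTERNAL_ID))  # []
    # An IdP still registered with the pre-External-ID URI rejects the same request.
    print(check_authorization_request(SAMPLE_REQUEST, "eu1", "secure"))
```

The second call models the migration failure mode: the toggle is on in Sysdig but the IdP still has the bare Redirect URI, so the IdP returns a redirect_uri mismatch error instead of signing the user in.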

Configure OpenID Single Logout

With Single Logout (SLO), users sign out once and all active sessions are terminated without further effort. Beyond the convenience, SLO also ends the session at the IdP, so a later visit to Sysdig from the same browser cannot silently reuse it.

SLO Process

Sysdig requests that the IdP logs the end user out by redirecting the user’s User Agent to the IdP’s Logout Endpoint. The IdP’s endpoint can be retrieved via the end_session_endpoint element of the IdP’s Discovery response (metadata). After a logout has been performed, the User Agent associated with the user will be redirected to the Sysdig login page.
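The exchange above from the Relying Party's side, as an added example that is not Sysdig's own code: the RP builds a redirect to the IdP's end_session_endpoint, and the IdP will only send the user on to a post-logout URI that is registered under its Sign-out redirect URIs. This page does not say which parameters Sysdig includes, so the parameter set below is the one from the OpenID Connect RP-Initiated Logout specification and is an assumption; the IdP hostname and the exact Sysdig login-page URI used as the post-logout target are also assumptions.

```python
"""Single Logout from the relying-party side: redirect the browser to the
IdP's end_session_endpoint, then let the IdP decide where the user may be
sent afterwards. Added example, not Sysdig's own code."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed discovery excerpt with a hypothetical IdP hostname.
DISCOVERY = {"end_session_endpoint": "https://idp.example.com/oidc/logout"}

# Where the user lands after the IdP logs them out: the Sysdig login page.
# The exact URI Sysdig registers for this is an assumption.
SYSDIG_LOGIN_PAGE = "https://app.sysdigcloud.com/"

# Sign-out redirect URIs registered at the IdP; it must accept exact matches only.
REGISTERED_SIGN_OUT_URIS = {SYSDIG_LOGIN_PAGE}


def supports_slo(discovery):
    """Single logout can only be toggled on if the IdP publishes this endpoint."""
    return bool(discovery.get("end_session_endpoint"))


def build_logout_redirect(discovery, id_token, post_logout_redirect_uri, state=None):
    """The URL the RP sends the user agent to. id_token_hint tells the IdP which
    session to end; state is echoed back so the RP can tie the return to a request."""
    if not supports_slo(discovery):
        raise ValueError("IdP publishes no end_session_endpoint; single logout unavailable")
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state or secrets.token_urlsafe(16),
    }
    return discovery["end_session_endpoint"] + "?" + urlencode(params)


def idp_accepts_logout(logout_url, registered):
    """What a correctly configured IdP does with the request: only redirect to a
    post_logout_redirect_uri that is string-identical to a registered one.
    Prefix or wildcard matching would turn the logout link into an open redirect."""
    query = parse_qs(urlparse(logout_url).query)
    target = query.get("post_logout_redirect_uri", [""])[0]
    return target in registered


if __name__ == "__main__":
    url = build_logout_redirect(DISCOVERY, "<id_token>", SYSDIG_LOGIN_PAGE, state="abc")
    print(url)
    print(idp_accepts_logout(url, REGISTERED_SIGN_OUT_URIS))
    # A look-alike host is rejected because it is not registered verbatim.
    evil = build_logout_redirect(DISCOVERY, "<id_token>", "https://app.sysdigcloud.com.evil.example/", state="abc")
    print(idp_accepts_logout(evil, REGISTERED_SIGN_OUT_URIS))
```

The practical consequence for the Configure IdP step that follows: the Sign-out redirect URI entered at the IdP has to be the exact string Sysdig sends, the same way the Sign-in Redirect URI does.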

Configure IdP

Configure Sign-out redirect URIs:

Configure Sysdig

  1. Log in to Sysdig Monitor or Sysdig Secure as an administrator.

    For on-prem deployments, log in as the super admin.

  2. Navigate to Settings > Authentication(SSO), and select OpenID under Connection Settings.

  3. Enter the OpenID configuration.

  4. Ensure that Enable OpenID single logout is toggled on.

  5. Click Save Settings.

  6. Select OpenID from the Enable Single Sign On drop-down, and click Set Authentication.

Login Experience

As noted in the enablement workflow above, you can offer users three ways to log in with an OpenID configuration:

Sysdig SaaS URL

Users can begin at the Sysdig SaaS URL and click the OpenID button.

See SaaS Regions and IP Ranges and identify the correct SaaS URL associated with your Sysdig application and region. For example, the URLs of Monitor and Secure for US East are:

Monitor: https://app.sysdigcloud.com

Secure: https://secure.sysdig.com

For other regions the host differs by region; use the URL listed for your region in SaaS Regions and IP Ranges. For example, Sysdig Monitor in the EU is https://eu1.app.sysdig.com.

They will be prompted to enter a Company Name, so the Sysdig platform can redirect the browser to your IdP for authentication.

Direct URL

You can provide an alternative URL to avoid the user having to enter a company name, in the format:

  • Monitor: https://app.sysdigcloud.com/api/oauth/openid/<COMPANY_NAME>

  • Secure: https://secure.sysdig.com/api/oauth/openid/<COMPANY_NAME>?product=SDS

If multiple integrations are used or you specified the integration name, this parameter must be included as well:

  • Monitor: https://app.sysdigcloud.com/api/oauth/openid/<COMPANY_NAME>?integrationName=<INTEGRATION_NAME>

  • Secure: https://secure.sysdig.com/api/oauth/openid/<COMPANY_NAME>?product=SDS&integrationName=<INTEGRATION_NAME>

IdP-Initiated Login

You can configure an IdP-initiated login flow when configuring your IdP. The users then select the Sysdig application from your IdP’s app directory and do not need to browse directly to a Sysdig application URL.

See User and Team Administration for information on creating users.