Configure Microsoft Entra ID for SAML

This topic helps you configure SAML Single Sign On (SSO) with Microsoft Entra ID (formerly Azure Active Directory) and set up Sysdig to allow users to access Sysdig application by using SSO.

Prerequisites

Configure the Sysdig Application in Microsoft Entra ID

  1. Log in to the Microsoft Entra ID portal.

  2. Select Enterprise Applications.

    The Enterprise applications - All application screen is displayed.

  3. Click New Application.

  4. On the Add an Application screen, select Non-gallery application.

  5. Give your application a name, and click Add at the bottom of the page.

  6. On the menu, select Single sign-on.

  7. Choose SAML as the sign-on method.

  8. Edit the Basic SAML Configuration as follows:

    1. In the configuration page, click the edit icon.

    1. Specify the following:

      • Identifier (Entity ID): Uniquely identifies the Sysdig application. Entra ID sends the identifier to the Sysdig application as the audience parameter of the SAML token. Sysdig validates this as part of the SSO process.

        Find the entity ID for your SaaS region in Redirect URLs for Authentication. For example, the identifier for Sysdig Monitor for the EU Central region is https://eu1.app.sysdig.com and for Sysdig Secure is https://eu1.app.sysdig.com/secure/.

        If you are using multiple integrations, or are integrating with multiple tenants from the same Microsoft Entra ID, enable the option Unique Entity ID later when you Configure Sysdig.

      • Reply URL: Specifies where Sysdig expects to receive the SAML token.

        Find the appropriate URL for your SaaS region in Redirect URLs for Authentication. For example, the identifier for Sysdig Monitor for the EU region is https://eu1.app.sysdig.com/api/saml/auth and for Sysdig Secure is https://eu1.app.sysdig.com/api/saml/secureAuth.

      • Relay State: Specifies to the application where to redirect the user after authentication is completed. Typically, the value is a valid URL for Sysdig. If you are configuring SSO for SaaS, change the relay state to reflect the customer number associated with your Sysdig application.

        The format is:

        #/&customer=1234

        If you use multiple integrations, add the integration name to the Relay State parameter in the format:

        &integrationName=<INTEGRATION_NAME>

        This combines to result in:

        #/&customer=1234&integrationName=<INTEGRATION_NAME>

      For more information on configuration parameters, see the Microsoft documentation page Configure SAML-based single sign-on to non-gallery applications.

  9. To enable Signed Assertion and Validate Signature, select Edit on SAML Certificates. In the Signing Option drop-down, select Sign SAML response and assertion.

  10. Select Save.

Configure Sysdig

To configure Sysdig for Microsoft Entra ID, ensure you have the correct parameters to hand, then proceed to the steps below.

ParametersDescription
MetadataUnder SAML Signing Certificate, copy the App Federation Metadata URL.

Email ParameterCopy the Full claim URL, including the Name and Namespace.
For example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email

Once you have the necessary parameters, proceed with configuration in the Sysdig UI:

  1. Log in to Sysdig Monitor or Secure.

  2. Navigate to Settings via the user menu icon at the bottom of the left navigation bar.

  3. Under Access & Secrets, select Authentication (SSO).

  4. Edit existing or create a new SSO configuration (type: SAML).

  5. In Metadata Enter the App Federation Metadata URL you copied.

  6. In Email Parameter Set the value to the full claim URL. Ensure that the claim fully matches the Email parameter used in Sysdig UI.

    The rest of the fields and toggles can be left as default.

  7. If using multiple tenants or multiple integrations from the same Microsoft Entra ID, enable Unique Entity ID option and copy the Entity ID value.

  8. Select Save Settings.

  9. Enable the integration by selecting the option from the Enabled column in the integration

Create a User in Microsoft Entra ID Domain

  1. Log in to the Microsoft Microsoft Azure portal.

  2. Click Entra ID, and note down the domain name.

  3. Select Entra ID, then Users.

    The Users - All Users screen is displayed.

  4. Select New Users .

    You can either create a new user or invite an existing one.

  5. Enter name, username, and other details, then click Create.

  6. In the Profile page, add the Email and Alternate Email parameters.

    The values can match.

Assign the User to the Sysdig Application

  1. Navigate to the Sysdig application.

  2. Click Users and Group, then click the Add user button.

  3. Select the Users and Groups checkbox, then choose the newly created user to add to the application.

  4. Click Select, then Assign at the bottom of the screen.

Enable Authentication Settings in the Sysdig Instance

Ensure the flag to enable/disable create user on login is enabled. Typically this setting is enabled by default.

If you are using both Sysdig Monitor and Secure, ensure that the user accounts are created on both the products. A user that is created only on one Sysdig application will not be able to log in to another through SAML SSO.

If you are on Sysdig Platform versions 2.4.1 or prior, contact Sysdig Support to help with user creation.

(Optional) Configure Sysdig as a New Application

If Microsoft Entra ID does not allow you to create Sysdig as a Non-Gallery application, perform the following:

  1. In Entra ID, click Enterprise Applications > New Application.

  2. Select Application you’re developing.

    You will be taken to the app registration page:

  3. Select New Registration:

  4. Provide a name for the application you are registering.

  5. Enter the redirect URI. Find the redirect URL in Redirect URLs for Authentication. For example, the redirect URI for Sysdig Monitor for the EU region is https://eu1.app.sysdig.com/api/saml/auth and for Sysdig Secure is https://eu1.app.sysdig.com/api/saml/secureAuth.

  6. Click Register to complete the registration.

  7. In the Overview tab click Add an Application ID URI:

  8. Click Add a scope.

  9. Add the application ID URI as follows:

    https://<your_sysdig_url>:443

    Replace <your_sysdig_url> with the URL appropriate to your application and region. You can find the correct URL in SaaS Regions and IP Ranges.

  10. In the Overview tab, click Endpoints, and copy the Federation Metadata URL.

  11. Log in to Sysdig, navigate to SAML Authentication screen, and enter the Federation Metadata URL.

    You will still need to ensure that the user creation on the login option is enabled.

  12. Save the settings.