SAML (SaaS)

Sysdig supports SAML authentication for your Identity Provider (IdP) of choice. Ordinarily, the Sysdig platform maintains a database to hold username and password hash data. When SAML is enabled, users can instead be redirected to your organization’s IdP to validate username, password and other policies necessary to grant access to the Sysdig platform. Upon successful authentication via SAML, a corresponding user record in the Sysdig platform’s user database is automatically created, though the password that was sent to the IdP is never seen nor stored by the Sysdig platform.

Prerequisites

This topic is specific to cloud-based (SaaS) Sysdig environments. To configure an On-Premises Sysdig environment, see SAML (On-Prem).

If you want to set up SAML for both Sysdig Monitor and Sysdig Secure, you need to complete the setup process twice. Setting up SAML on one will not automatically set it up on the other.

To configure SAML Single Sign-On (SSO), you need:

Sysdig does not support signed AuthnRequests, that is, IdPs that require the AuthnRequest to carry an embedded signature (HTTP-POST binding). For a possible alternative, see OpenID Connect.

Redirect URLs for Authentication

Region  App      Single Sign-on URL                               Service Provider Entity ID
au1     Monitor  https://app.au1.sysdig.com/api/saml/auth         https://app.au1.sysdig.com
au1     Secure   https://app.au1.sysdig.com/api/saml/secureAuth   https://app.au1.sysdig.com
eu1     Monitor  https://eu1.app.sysdig.com/api/saml/auth         https://eu1.app.sysdig.com
eu1     Secure   https://eu1.app.sysdig.com/api/saml/secureAuth   https://eu1.app.sysdig.com/secure/
in1     Monitor  https://app.in1.sysdig.com/api/saml/auth         https://app.in1.sysdig.com
in1     Secure   https://app.in1.sysdig.com/api/saml/secureAuth   https://app.in1.sysdig.com/secure/
me2     Monitor  https://app.me2.sysdig.com/api/saml/auth         https://app.me2.sysdig.com
me2     Secure   https://app.me2.sysdig.com/api/saml/secureAuth   https://app.me2.sysdig.com/secure/
us      Monitor  https://app.sysdigcloud.com/api/saml/auth        https://app.sysdigcloud.com
us      Secure   https://secure.sysdig.com/api/saml/secureAuth    https://secure.sysdig.com
us2     Monitor  https://us2.app.sysdig.com/api/saml/auth         https://us2.app.sysdig.com
us2     Secure   https://us2.app.sysdig.com/api/saml/secureAuth   https://us2.app.sysdig.com/secure/
us4     Monitor  https://app.us4.sysdig.com/api/saml/auth         https://app.us4.sysdig.com
us4     Secure   https://app.us4.sysdig.com/api/saml/secureAuth   https://app.us4.sysdig.com/secure/

If multiple integrations are used with the same IdP, make sure to enable Unique Entity ID. It appends a hash to the Entity ID that is unique for each integration.

Examples for EU1:

To learn more about SaaS regions, see SaaS Regions and IP Ranges

Basic Enablement Workflow

Contact Sysdig Support to set your company name on the account. This applies to all supported IdPs. To obtain your Company Name, see Find Your Customer ID, Name, and External ID.

Which IdP to Use?

Determine which IdP your company uses and will be configuring. The following IdPs have been tested:

Unlisted IdPs might work with the Sysdig platform. For help, contact Sysdig Support.

Which Login Flow to Use?

Decide which login flow you want users to experience from the following options:

Login From the Sysdig Login Page

Click the SAML button on the login page and enter Company Name.

Open the domain URL corresponding to your Sysdig application and region and enter your company name.

For example, domain URLs of Monitor and Secure for US East are app.sysdigcloud.com and secure.sysdig.com respectively.

For other regions, see Redirect URLs for Authentication.

Type or Bookmark a URL

Type or bookmark a URL in the browser.

Examples (with no integration name):

  • US East

    • Monitor: https://app.sysdigcloud.com/api/saml/COMPANY_NAME?redirectRoute=%2F&companyName=<COMPANY_NAME>

    • Secure: https://secure.sysdig.com/api/saml/COMPANY_NAME?product=SDS&redirectRoute=%2F&companyName=<COMPANY_NAME>

  • EU

    • Monitor: https://eu1.app.sysdig.com/api/saml/COMPANY_NAME?redirectRoute=%2F&companyName=<COMPANY_NAME>

    • Secure: https://eu1.app.sysdig.com/api/saml/COMPANY_NAME?product=SDS&redirectRoute=%2F&companyName=<COMPANY_NAME>

If multiple integrations are used, the integration name must be appended.

Examples (WITH integration name):

  • US East

    • Monitor: https://app.sysdigcloud.com/api/saml/COMPANY_NAME?redirectRoute=%2F&companyName=<COMPANY_NAME>&integrationName=<INTEGRATION_NAME>

    • Secure: https://secure.sysdig.com/api/saml/COMPANY_NAME?product=SDS&redirectRoute=%2F&companyName=<COMPANY_NAME>&integrationName=<INTEGRATION_NAME>

  • EU

    • Monitor: https://eu1.app.sysdig.com/api/saml/COMPANY_NAME?redirectRoute=%2F&companyName=<COMPANY_NAME>&integrationName=<INTEGRATION_NAME>

    • Secure: https://eu1.app.sysdig.com/api/saml/COMPANY_NAME?product=SDS&redirectRoute=%2F&companyName=<COMPANY_NAME>&integrationName=<INTEGRATION_NAME>
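The bookmarkable URLs above follow one pattern, but the host differs per region (and, for the us region, per product), the company name appears both as a path segment and as a query parameter, and the integration name is optional. The following helper is an added example, not Sysdig code; it builds the login URL for any region in the table from this page, percent-encodes the company name, and can emit the whole bookmark list for a tenant. The region/host table is copied from the "Redirect URLs for Authentication" section; "Acme Corp" and "okta-prod" are constructed sample values.

```python
from urllib.parse import quote, urlencode

# Per-region hosts, copied from the "Redirect URLs for Authentication" table on this page.
# The us region serves Monitor and Secure from different hosts, and the host pattern
# differs between regions (app.<region>.sysdig.com vs <region>.app.sysdig.com), so a
# lookup table is safer than string templating.
REGION_HOSTS = {
    "au1": {"Monitor": "app.au1.sysdig.com", "Secure": "app.au1.sysdig.com"},
    "eu1": {"Monitor": "eu1.app.sysdig.com", "Secure": "eu1.app.sysdig.com"},
    "in1": {"Monitor": "app.in1.sysdig.com", "Secure": "app.in1.sysdig.com"},
    "me2": {"Monitor": "app.me2.sysdig.com", "Secure": "app.me2.sysdig.com"},
    "us":  {"Monitor": "app.sysdigcloud.com", "Secure": "secure.sysdig.com"},
    "us2": {"Monitor": "us2.app.sysdig.com", "Secure": "us2.app.sysdig.com"},
    "us4": {"Monitor": "app.us4.sysdig.com", "Secure": "app.us4.sysdig.com"},
}


def saml_login_url(region, product, company_name, integration_name=None, redirect_route="/"):
    """Build the SP-initiated SAML login URL for one region and product.

    Shape, following the examples on this page:
      https://<host>/api/saml/<company>?[product=SDS&]redirectRoute=<route>&companyName=<company>[&integrationName=<name>]
    """
    if region not in REGION_HOSTS:
        raise ValueError(f"unknown Sysdig SaaS region: {region!r}")
    if product not in ("Monitor", "Secure"):
        raise ValueError(f"product must be 'Monitor' or 'Secure', got {product!r}")
    if not company_name:
        raise ValueError("company_name is required (Sysdig Support sets it on the account)")

    params = []
    if product == "Secure":
        params.append(("product", "SDS"))  # selects Sysdig Secure on a shared host
    params.append(("redirectRoute", redirect_route))
    params.append(("companyName", company_name))
    if integration_name:  # only needed when several SAML integrations exist
        params.append(("integrationName", integration_name))

    # The company name appears twice: as a path segment (percent-encoded, no '/' allowed)
    # and as a query parameter (form-encoded by urlencode, which turns '/' into %2F).
    path = "/api/saml/" + quote(company_name, safe="")
    return f"https://{REGION_HOSTS[region][product]}{path}?{urlencode(params)}"


def all_login_urls(company_name, integration_name=None):
    """Return {(region, product): url} for every region in the table, useful for handing
    a complete bookmark list to users or for cross-checking what was configured at the IdP."""
    return {
        (region, product): saml_login_url(region, product, company_name, integration_name)
        for region, hosts in REGION_HOSTS.items()
        for product in hosts
    }


if __name__ == "__main__":
    # Constructed sample values, not a real account.
    for key, url in sorted(all_login_urls("Acme Corp", "okta-prod").items()):
        print(f"{key[0]:>4} {key[1]:<8} {url}")
```

The query string is form-encoded, so a space in the company name becomes `+` there and `%20` in the path; both decode to the same value server-side.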

Access from IdP interface

Log in from an IdP interface. The individual IdP integration pages describe how to add Sysdig to the IdP interface.

You need your Customer ID.

Configure IdP

Perform the configuration steps in your IdP interface and collect the resulting configuration attributes.

Collect metadata URL (or XML) and test it. If you intend to configure IdP-initiated login flow, have your Customer ID ready (see Prerequisites).

Select your IdP from the list below, and follow the instructions:

Configure Sysdig

Log in to Sysdig Monitor or Sysdig Secure Settings as Admin, enter the necessary configuration information in the UI and enable the integration.

Ensure that you enter a separate redirect URL in your IdP for each product; otherwise, the integration processes are the same.

Adding or managing existing SAML SSO configuration

To enable baseline SAML functionality:

Create New SAML SSO Configuration

If you are a Platform customer, make sure to repeat the process in both Sysdig Monitor and Sysdig Secure.

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator.

  2. Select Settings from the User Profile button in the left navigation.

  3. Select Authentication (SSO).

  4. Select New Configuration.

  5. Select type SAML and click Add.

  6. (Optional) Integration Name - Integration name must be provided if more than one SSO configuration of the same type is required.

  7. Enter the relevant parameters (see the connection settings below) and click Save Settings.

    Connection settings (option values in parentheses):

    • Metadata Discovery (URL or XML): URL is the metadata URL provided at the end of the IdP configuration steps. XML is the option to use for an IdP that doesn’t support extracting metadata XML via URL.
    • Unique Entity ID (off/on): When enabled, the Entity ID becomes unique for each integration, allowing multiple SAML integrations with the same IdP.
    • Verify Signed Assertion (off/on): Specify whether Sysdig should check that the assertions in responses are signed (to assist in validating the correct IdP). We strongly recommend you toggle this on to increase security.
    • Email Parameter (email): The parameter for the user email in the SAML response. Sysdig uses this to extract the user’s email from the response.
    • Validate Signature (off/on): Specify whether the Sysdig backend should verify that the response is signed. We strongly recommend you toggle this on to increase security.
    • Verify Destination Field (off/on): Specify whether Sysdig should check the “destination” field in the SAMLResponse. We recommend you toggle this on to increase security. You may toggle it off in special cases, such as when there is a proxy in front of the Sysdig back end.
    • Create User on Login (off/on): Specify whether a user record should be created in the Sysdig database after the first successful SAML login.
    • SAML Single Logout (off/on): Specify whether to use SAML single logout. See Configure SAML Single Logout.
    • SAML Encryption (off/on): Specify whether to enable encrypted SAML response. See Encrypted SAML response.
    • Username and Password Login (off/on): Specify whether to enable user name and password login.
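To make the Validate Signature, Verify Signed Assertion, Verify Destination Field and Email Parameter settings concrete, here is an added example (not Sysdig's code) of the checks a service provider performs on an incoming SAMLResponse, each gated by the corresponding toggle. It parses a constructed sample response addressed to the eu1 Secure endpoint from the table on this page, rejects a response whose Destination does not match the ACS URL, whose audience is not our Entity ID, or whose validity window has passed, and extracts the email from the configured attribute name. The ds:Signature elements in the sample are empty placeholders: the example checks that a signature is present where the toggle demands one; cryptographic verification against the IdP's metadata certificate is done by an XML Signature library and is out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Values a Sysdig Secure tenant in eu1 would configure (from the redirect URL table on this page).
ACS_URL = "https://eu1.app.sysdig.com/api/saml/secureAuth"
SP_ENTITY_ID = "https://eu1.app.sysdig.com/secure/"

# Constructed sample SAMLResponse, not a capture. Signature elements are placeholders.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{ACS_URL}">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <ds:Signature><ds:SignedInfo/></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# A fixed "now" inside the assertion's validity window, so the example is reproducible.
SAMPLE_NOW = datetime(2024, 1, 1, 0, 2, tzinfo=timezone.utc)


def _utc(ts):
    """Parse a SAML xs:dateTime such as 2024-01-01T00:00:00Z (fractional seconds allowed)."""
    return datetime.fromisoformat(ts.rstrip("Z")).replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, acs_url, sp_entity_id, email_attr="email", now=None,
                        validate_signature=True, verify_signed_assertion=True,
                        verify_destination=True, skew=timedelta(minutes=3)):
    """Return (email, problems). An empty problems list means every enabled check passed."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []

    # Validate Signature: the Response element itself must carry a signature.
    if validate_signature and root.find("ds:Signature", NS) is None:
        problems.append("response is not signed")

    # Verify Destination Field: the IdP must have addressed this response to our ACS URL.
    # With this off (e.g. behind a proxy), a response minted for another endpoint passes here.
    if verify_destination and root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != {acs_url!r}")

    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        problems.append("no assertion in response")

    email = None
    for a in assertions:
        # Verify Signed Assertion: each assertion must carry its own signature.
        if verify_signed_assertion and a.find("ds:Signature", NS) is None:
            problems.append(f"assertion {a.get('ID')} is not signed")

        cond = a.find("saml:Conditions", NS)
        if cond is None:
            problems.append(f"assertion {a.get('ID')} has no Conditions")
        else:
            nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
            if nb and now < _utc(nb) - skew:
                problems.append("assertion not yet valid")
            if na and now >= _utc(na) + skew:
                problems.append("assertion expired")
            audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
            if audiences and sp_entity_id not in audiences:
                problems.append(f"audience {audiences} does not include {sp_entity_id!r}")

        # Email Parameter: pull the user's email from the configured attribute name.
        for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == email_attr:
                value = attr.find("saml:AttributeValue", NS)
                email = value.text.strip() if value is not None and value.text else None

    if email is None:
        problems.append(f"no {email_attr!r} attribute found")
    return email, problems


if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE, ACS_URL, SP_ENTITY_ID, now=SAMPLE_NOW))
    # Same response but addressed to the Monitor endpoint: rejected unless Verify Destination is off.
    redirected = SAMPLE_RESPONSE.replace("api/saml/secureAuth", "api/saml/auth")
    print(check_saml_response(redirected, ACS_URL, SP_ENTITY_ID, now=SAMPLE_NOW))
```

Running it shows why the page recommends keeping the toggles on: the second call fails only on the Destination check, and passing `verify_destination=False` (the proxy special case) makes that same response acceptable, so anything in front of the back end must then guarantee the endpoint itself.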

Control if SSO Integration is in Use

Make sure at least one integration is enabled to be able to use it for logging users in.

  1. Find the integration that you want to control.

  2. Select the toggle on the left side of the integration and slide it to the right to enable or left to disable.

  3. If you want to manage multiple integrations, repeat the process.

Editing existing SSO Integration

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator.

  2. Select Settings from the User Profile button in the left navigation.

  3. Select Authentication (SSO).

  4. Select the pen icon on the right-hand side of the window to edit the existing integration.

Configure SAML Single Logout

Sysdig supports SAML Single Logout (SLO).

SLO is a feature in federated authentication where Sysdig users can sign out of both their Sysdig session (Service Provider) and associated IdP (Identity Provider) simultaneously. SLO lets you terminate all sessions established via SAML SSO with a single logout process. This prevents unauthorized users from gaining access to Sysdig resources.

SLO Process

When you initiate a logout, Sysdig sends a digitally signed logout request to the IdP. The IdP validates the request and terminates the current login session, then redirects you back to the Sysdig login page.

Configure IdP

  1. Configure logout URLs:

    • Monitor: <base_URL>/api/saml/slo/logout

    • Secure: <base_URL>/api/saml/slo/secureLogout

  2. Choose HTTP Redirect as the binding method.

    This option is an alternative to the HTTP POST method, which Sysdig does not support.

  3. If your IdP mandates, upload the signing certificate for Sysdig. For more information, see Retrieving the Public Keys.

    Certain IdPs, such as Microsoft Entra ID, don’t require you to upload the public key.

Encrypted SAML response

Enable encryption of SAML assertions to add an extra layer of security to your SSO authentication.

To enable encrypted SAML response:

  1. Obtain the encryption certificate. For information on obtaining the key, see Retrieving the Public Keys.

  2. Upload the certificate to your IdP.

  3. Enable encryption on IdP.

Some IdPs require the certificate in .crt format. You need to convert the X509Certificate from metadata to .crt format before uploading.

Retrieving the Public Keys

You can retrieve the public key from metadata.

You can obtain the metadata as follows:

  • Monitor: <base_URL>/api/saml/metadata/{customerName}

  • Secure: <base_URL>/api/saml/secureMetadata/{customerName}

If you provided an integration name or multiple integrations are used, you can obtain the metadata as follows:

  • Monitor: <base_URL>/api/saml/metadata/{customerName}?integrationName=<INTEGRATION_NAME>

  • Secure: <base_URL>/api/saml/secureMetadata/{customerName}?integrationName=<INTEGRATION_NAME>

{customerName} must be URL encoded.

Follow these instructions to find your {customerName}.

Two types of KeyDescriptor <md:KeyDescriptor> are provided:

  • Signing certificate: <md:KeyDescriptor use="signing"> - Used to sign the SLO request.
  • Encryption certificate: <md:KeyDescriptor use="encryption"> - Used to decrypt the encrypted assertions that we receive from the IdP.

If you are having issues retrieving the key, contact Sysdig Support to retrieve the public key associated with your deployment.
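The following added example (not Sysdig code) ties together the metadata URL rules and the KeyDescriptor extraction described in this section and the .crt conversion mentioned under Encrypted SAML response: it builds the URL-encoded metadata URL, pulls the base64 X509Certificate out of each <md:KeyDescriptor use="..."> in the SP metadata, checks that the base64 is intact, and wraps it into the PEM form that IdPs expecting a .crt file accept. The metadata document is a constructed sample whose "certificates" are placeholder bytes, not real X.509 DER; the entity ID and ACS location are taken from the eu1 Secure row of this page's table.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def sp_metadata_url(base_url, product, customer_name, integration_name=None):
    """Build the SP metadata URL from this page: /api/saml/metadata/{customerName} for
    Monitor, /api/saml/secureMetadata/{customerName} for Secure, with customerName
    URL-encoded and the optional integrationName query parameter appended."""
    endpoint = {"Monitor": "metadata", "Secure": "secureMetadata"}[product]
    url = f"{base_url.rstrip('/')}/api/saml/{endpoint}/{quote(customer_name, safe='')}"
    if integration_name:
        url += "?" + urlencode({"integrationName": integration_name})
    return url


def extract_certificates(metadata_xml):
    """Return {use: base64_der} for each <md:KeyDescriptor use="..."> in SP metadata.

    The base64 text is whitespace-stripped and checked to decode cleanly, so a truncated
    copy-paste is caught here rather than as an opaque upload error at the IdP.
    """
    root = ET.fromstring(metadata_xml)
    certs = {}
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        # Per the SAML metadata spec, a KeyDescriptor without 'use' serves both purposes.
        use = kd.get("use", "signing+encryption")
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is None or not node.text:
            raise ValueError(f"KeyDescriptor use={use!r} carries no X509Certificate")
        b64 = "".join(node.text.split())
        base64.b64decode(b64, validate=True)  # raises binascii.Error on corrupt input
        certs[use] = b64
    return certs


def to_pem(b64_der):
    """Wrap the bare base64 from metadata into the .crt (PEM) form some IdPs require."""
    body = "\n".join(b64_der[i:i + 64] for i in range(0, len(b64_der), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample metadata. These are placeholder bytes, not real X.509 certificates.
FAKE_SIGNING_B64 = base64.b64encode(b"constructed placeholder signing cert, not a real certificate").decode()
FAKE_ENCRYPTION_B64 = base64.b64encode(b"constructed placeholder encryption cert, not a real certificate").decode()

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://eu1.app.sysdig.com/secure/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_SIGNING_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_ENCRYPTION_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://eu1.app.sysdig.com/api/saml/secureAuth" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    print(sp_metadata_url("https://eu1.app.sysdig.com", "Secure", "Acme Corp", "okta-prod"))
    for use, b64 in extract_certificates(SAMPLE_METADATA).items():
        print(f"# {use} certificate")
        print(to_pem(b64))
```

In practice you would fetch the real metadata from the URL the first function returns and hand the `encryption` PEM to the IdP for the Encrypted SAML response step and the `signing` PEM to IdPs that require the SLO signing certificate; checking the base64 before upload avoids a silent mismatch between the two.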

End User Login to Sysdig

You can offer users three ways to log in with a SAML configuration:

  • They can begin at the Sysdig SaaS URL and click the SAML button.

    See SaaS Regions and IP Ranges and identify the correct Sysdig SaaS URL associated with your Sysdig application and region. For example, URLs of Monitor and Secure for US East are:

    Monitor: app.sysdigcloud.com

    Secure: secure.sysdig.com

    They will be prompted to enter a Company Name, so the Sysdig platform can redirect the browser to your IdP for authentication.

Contact Sysdig Support to set your company name on the account.

  • You can provide an alternative URL to avoid the user having to enter a company name, in the format:

    Sysdig Monitor: https://us2.app.sysdig.com/api/saml/<COMPANY_NAME>

    Sysdig Secure: https://us2.app.sysdig.com/api/saml/<COMPANY_NAME>?product=SDS

    Replace <COMPANY_NAME> with your company name.

    If you are using multiple integrations and/or the integration name is not null, the integration name should be included in this information:

    Sysdig Monitor: https://us2.app.sysdig.com/api/saml/<COMPANY_NAME>?integrationName=<INTEGRATION_NAME>

    Sysdig Secure: https://us2.app.sysdig.com/api/saml/<COMPANY_NAME>?integrationName=<INTEGRATION_NAME>&product=SDS

    For other regions, the format is https://<region>.app.sysdig.com/api/saml/. Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Secure in the EU, you use https://eu1.app.sysdig.com/api/saml/secureAuth.

  • You can configure an IdP-initiated login flow when configuring your IdP. The users then select the Sysdig application from your IdP’s app directory and do not browse directly to a Sysdig application URL at all.

Users that complete their first successful SAML login to Sysdig Secure may receive the error message “User doesn’t have permission to log in to Sysdig Secure”. This is because only members of the Secure Operations team are permitted access to Sysdig Secure, and newly-created logins are not in this team by default. Such a user should contact an Administrator for the Sysdig environment to be added to the Secure Operations team.

Environments that wish to have all the users access Sysdig Secure by default could use this sample Python script to frequently “sync” the team memberships.

See Developer Documentation for tips on using the sample Python scripts provided by Sysdig.

See User and Team Administration for information on creating users.