Azure (OpenID)

OpenID Connect is a security-token based extension of the OAuth 2.0 authorization protocol to do single sign-on. Azure Active Directory provides an implementation of OpenID Connect (OIDC) protocol and Sysdig supports it for single sign-on and API access to Sysdig application.

Enabling Azure OpenID Connect for single sign-on to Sysdig applications include configuration on the Microsoft Active Directory as well as on the Sysdig application.

Prerequisites

Administrator privileges on Sysdig and Azure Active Directory (AD).

Configuring Sysdig Application in Azure AD

  1. Log in to the Azure AD portal.

  2. Search for Azure Active Directory and do one of the following:

    • Select your Active Directory service

    • Create a new one.

  3. Click App registration > New registration.

  4. In the Register an application page, specify the following:

    • Name: Display name to identify your Sysdig application. For example, Sysdig Secure.

    • Supported account types: For Sysdig SaaS, choose Accounts in this organizational directory only (Default Directory only - Single tenant). All user and guest accounts created in your active directory can use Sysdig application and API.

    • Redirect URI: Authenticated Sysdig users are redirected to this URI.

      See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, domain URLs of Monitor and Secure for US East are:

      • For Sysdig Secure: https://secure.sysdig.com/api/oauth/openid/secureAuth

      • For Sysdig Monitor: https://app.sysdigcloud.com/api/oauth/openid/auth

      For other regions, the format is:

      https://<region>.app.sysdig.com

      Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Monitor you use https://eu1.app.sysdig.com/api/oauth/openid/auth.

      For on-prem installations, the redirect URI will be deployment-specific.

      You can add only a single redirect URI on this page. Use the Authentication page associated with your application to add additional redirect URIs.

  5. Click Register.

  6. Add additional redirect URIs.

    1. Select your application from App registration.

    2. Click Authentication from the left navigation.

    3. Add the redirect URIs corresponding to Monitor and Secure.

      redirect-uri.png
  7. Create a Secret for the Sysdig application.

    It is a string that the Sysdig application uses to prove its identity when requesting a token.

    1. Click Certificates & secrets.

      create_secrets.png
    2. Under Client Secrets, click New client secret.

    3. Enter a description that identifies the secret and choose an expiration period.

    4. Click Add.

    5. Copy the client secret. You will need the client secret while configuring OpenID Connect SSO on the Sysdig application.

  8. Copy the Client ID and OpenID Connect endpoints corresponding to the application that you have created.

    1. Select your application from App registration.

    2. Copy the Application (client) ID.

      You will need the client ID while configuring OpenID Connect SSO on the Sysdig application.

    3. Click Endpoints.

      OIDC_enpoints.png
    4. Copy the OpenID Connect metadata document and open it in a browser.

    5. Copy the OpenID Connect URI (Issuer URI).

      For example, https://login.microsoftonline.com/5a4b56fc-dceb-4a64-94ff-21e08e5892f5/v2.0

Configure Sysdig Settings

To enable Azure OpenID functionality on the Sysdig application, you need the following:

  • Client ID

  • Client Secret

  • Issuer URL.

See Enable OpenID in Settings to learn how to complete your configuration.