Azure (OpenID On-Prem)

OpenID Connect is a security-token based extension of the OAuth 2.0 authorization protocol that provides single sign-on. Azure Active Directory provides an implementation of the OpenID Connect (OIDC) protocol, and Sysdig supports it for single sign-on and API access to the Sysdig application.

Enabling Azure OpenID Connect for single sign-on to Sysdig applications includes configuration in Microsoft Azure Active Directory as well as in the Sysdig application.

Prerequisites

Administrator privileges on Sysdig and Azure Active Directory (AD).

Configuring Sysdig Application in Azure AD

  1. Log in to the Azure AD portal.

  2. Select your Azure Active Directory service or create a new one.

  3. Click App registration > New registration.

  4. In the Register an application page, specify the following:

    • Name: Display name to identify your Sysdig application. For example, Sysdig Secure.

    • Supported account types: Choose an account type that is appropriate for your deployment. If you choose single-tenant, all user and guest accounts created in your Active Directory can use the Sysdig application and API. If you choose multi-tenant, all users with a work or school account from Microsoft can use the Sysdig application and API.

    • Redirect URI: Authenticated Sysdig users are redirected to this URI.

      For Login redirect URIs, enter one of the following values, replacing HOSTNAME with the hostname through which your users access the Sysdig applications and PORT with the TCP port number, typically 443:

      For Sysdig Monitor: https://HOSTNAME:PORT/api/oauth/openid/auth

      For Sysdig Secure: https://HOSTNAME:PORT/api/oauth/openid/secureAuth

      You can add only a single redirect URI on this page. Use the Authentication page associated with your application to add additional redirect URIs.

  5. Click Register.

  6. Add additional redirect URIs.

    1. Select your application from App registration.

    2. Click Authentication from the left navigation.

    3. Add the redirect URIs corresponding to Monitor and Secure.

  7. Create a Secret for the Sysdig application.

    It is a string that the Sysdig application uses to prove its identity when requesting a token.

    1. Click Certificates & secrets.

    2. Under Client Secrets, click New client secret.

    3. Enter a description that identifies the secret and choose an expiration period.

    4. Click Add.

    5. Copy the client secret. You will need the client secret while configuring OpenID Connect SSO on the Sysdig application.

  8. Copy the Client ID and OpenID Connect endpoints corresponding to the application that you have created.

    1. Select your application from App registration.

    2. Copy the Application (client) ID.

      You will need the client ID while configuring OpenID Connect SSO on the Sysdig application.

    3. Click Endpoints.

    4. Copy the URL of the OpenID Connect metadata document and open it in a browser.

    5. Copy the OpenID Connect URI (Issuer URI).

      For example, https://login.microsoftonline.com/5a4b56fc-dceb-4a64-94ff-21e08e5892f5/v2.0
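The following script is an added example and is not Sysdig's or Microsoft's own code. It builds the two Sysdig redirect URIs from step 4, derives the metadata document location from an issuer URI as in step 8, and checks that the document's issuer field equals the issuer URI you are about to paste into Sysdig, which is the value that decides whose tokens the application will trust. HOSTNAME, PORT and TENANT_ID are placeholders, and SAMPLE_METADATA is a constructed document shaped like the Azure AD v2.0 metadata, not one fetched from Azure.

```python
# Added example, not Sysdig's or Microsoft's own code. HOSTNAME, PORT and
# TENANT_ID are placeholders; SAMPLE_METADATA is a constructed document.
import json
from urllib.parse import urlsplit


def sysdig_redirect_uris(hostname: str, port: int = 443) -> dict:
    """Redirect URIs to register in Azure AD, one for Monitor and one for Secure."""
    base = f"https://{hostname}:{port}"
    return {
        "monitor": f"{base}/api/oauth/openid/auth",
        "secure": f"{base}/api/oauth/openid/secureAuth",
    }


def metadata_url(issuer: str) -> str:
    """OIDC Discovery location of the metadata document for an issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_metadata(doc_text: str, expected_issuer: str) -> list:
    """Return a list of problems; an empty list means the document is usable.

    The issuer inside the document must equal the issuer URI configured in
    Sysdig; a mismatch means tokens would come from a different authority
    than the one you intend to trust.
    """
    doc = json.loads(doc_text)
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(
            f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{key} is not served over https: {value}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not advertised")
    return problems


# Constructed sample with a placeholder tenant id.
EXPECTED_ISSUER = "https://login.microsoftonline.com/TENANT_ID/v2.0"
SAMPLE_METADATA = json.dumps({
    "issuer": EXPECTED_ISSUER,
    "authorization_endpoint":
        "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize",
    "token_endpoint":
        "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token",
    "jwks_uri":
        "https://login.microsoftonline.com/TENANT_ID/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})
# The same document but issued for another tenant: the check must reject it.
OTHER_TENANT_METADATA = SAMPLE_METADATA.replace("TENANT_ID/v2.0", "OTHER_TENANT/v2.0")

if __name__ == "__main__":
    print(sysdig_redirect_uris("HOSTNAME", 443))
    print(metadata_url(EXPECTED_ISSUER))
    print("expected tenant:", validate_metadata(SAMPLE_METADATA, EXPECTED_ISSUER))
    print("other tenant:", validate_metadata(OTHER_TENANT_METADATA, EXPECTED_ISSUER))
```

Run it with the issuer URI copied in step 8.5 in place of EXPECTED_ISSUER and the body of the metadata document in place of SAMPLE_METADATA; an empty problem list confirms the issuer, endpoints and signing algorithm match before the value is entered in the Sysdig settings.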

Configure Sysdig Settings

To enable Azure OpenID functionality on the Sysdig application, you need the following:

  • Client ID

  • Client Secret

  • Issuer URL

See OpenID Connect (On-Prem) to learn how to complete your configuration.