OpenID Connect (SaaS)

Instructions in this section are specific to cloud-based (SaaS) Sysdig environments. If you are configuring an on-premises Sysdig environment, refer to OpenID Connect (On-Prem) instead.

OpenID support in the Sysdig platform allows authentication via your choice of Identity Provider (IdP). This section describes how to integrate and enable OpenID Connect with both Sysdig Monitor and Sysdig Secure.

Overview

Using OpenID with Sysdig

The Sysdig platform ordinarily maintains its own user database to hold a username and password hash. OpenID instead allows for redirection to your organization’s IdP to validate user credentials and other policies necessary to grant access to Sysdig applications. Upon successful authentication via OpenID, a corresponding user record in the Sysdig platform’s user database is automatically created, though the password that was sent to the IdP is never seen nor stored by the Sysdig platform.

Enable OpenID

Step 1. Know which IdP your company uses and will be configuring.

  Notes: The IdPs listed under Choose Your IdP below are the OpenID Providers for which Sysdig has performed detailed interoperability testing and confirmed how to integrate using their standard docs. If your OpenID Provider is not listed (including ones that do not support OpenID Connect Discovery), it may still work with the Sysdig platform. Contact Sysdig Support for help.

Step 2. Decide the login flow you want users to experience.

  • Click the OpenID button and enter a company name.

    Notes: From the app.sysdigcloud.com or secure.sysdig.com page, enter the company name.

  • Enter a URL in a browser.

    Notes: Contact Sysdig for the Company Name associated with your account.

  • Log in from an IdP interface.

    Notes: The individual IdP integration pages describe how to add Sysdig to the IdP interface. You will need your Company Name on hand.

Step 3. Configure your IdP and collect the resulting config attributes.

  • Collect the metadata URL (or XML) and test it.

    Notes: If you intend to configure an IdP-initiated login flow, you need the following:

    • Redirect URLs

      See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, the domain URLs of Monitor and Secure for US East are:

      • Monitor: https://app.sysdigcloud.com/api/oauth/openid/auth

      • Secure: https://secure.sysdig.com/api/oauth/openid/secureAuth

      For other regions, the format is https://<region>.app.sysdig.com.

      Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor you use https://eu1.app.sysdig.com/api/oauth/openid/auth.

Step 4a. Log in to Sysdig Monitor or Sysdig Secure and configure authentication.

Step 4b. Repeat the process for the other Sysdig product, if you are using both Monitor and Secure.

  • Log in to Sysdig Monitor Settings (as super admin) and enter the necessary configuration information in the UI. Save and Enable OpenID as your SSO.

  • Log in to Sysdig Secure Settings (as super admin) and enter the necessary configuration information in the UI. Save and Enable OpenID as your SSO.

  Notes: You will enter a separate redirect URL in your IdP for each product; otherwise, the integration processes are the same.

Configure IdP in Sysdig

Choose Your IdP

Select the appropriate IdP link below, and follow the instructions:

Enable OpenID

This section helps you enable baseline OpenID functionality.

Enter OpenID Basic Connection Settings

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings from the user menu.

  2. Select Authentication(SSO) > OpenID.

  3. Enter the relevant parameters and click Save Settings.

Connection Setting

Description

Client ID

The unique ID provided by your IdP.

Client Secret

The secret provided by your IdP.

Issuer URL

The URL provided by your IdP. For example: https://YOUR-ONELOGIN-DOMAIN.onelogin.com/oidc. Use the entire domain path for OpenID Connect, including any trailing /.

Okta, OneLogin, and Keycloak support metadata auto-discovery, so these settings are sufficient for those IdPs.
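What metadata auto-discovery actually does, as an added example that is not Sysdig's code: it derives the discovery URL from the Issuer URL, checks that the issuer the IdP publishes is the exact string you configured (the trailing-slash caveat above is why this comparison is strict), and pulls out the endpoints that you would otherwise type into the Additional Settings table below. The discovery document is constructed inline with the placeholder hostname from the table; the token_issuer parameter is an assumption added to model providers with a general domain in tokens and a user-specific domain for discovery.

```python
import json

# Constructed sample discovery document for illustration. The hostname is the
# placeholder from the settings table, not a real IdP.
SAMPLE_ISSUER = "https://YOUR-ONELOGIN-DOMAIN.onelogin.com/oidc/"
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "auth",
    "token_endpoint": SAMPLE_ISSUER + "token",
    "jwks_uri": SAMPLE_ISSUER + "certs",
    "end_session_endpoint": SAMPLE_ISSUER + "logout",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})

# Discovery keys that map onto the required manual settings.
REQUIRED_ENDPOINTS = {
    "authorization_endpoint": "Authorization Endpoint",
    "token_endpoint": "Token Endpoint",
    "jwks_uri": "JSON Web Key Set Endpoint",
}


def discovery_url(issuer_url: str) -> str:
    """Build the discovery URL: issuer + /.well-known/openid-configuration.

    A single trailing slash on the issuer is tolerated here so both forms
    fetch the same document; the issuer *string* you configure still has to
    match what the IdP publishes (see parse_discovery)."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def parse_discovery(configured_issuer, document, *, token_issuer=None, single_logout=False):
    """Validate a discovery document and return the settings it yields.

    configured_issuer: the Issuer URL entered in the basic settings.
    token_issuer: expected published issuer when the IdP uses a general
        domain in tokens but a user-specific domain for discovery
        (assumed parameter); defaults to configured_issuer.
    single_logout: whether single logout will be switched on, in which
        case end_session_endpoint becomes mandatory.
    """
    doc = json.loads(document)
    expected = token_issuer or configured_issuer
    # Exact comparison on purpose: a missing or extra trailing '/' is a
    # different issuer, which is why the table says to copy the full path.
    published = doc.get("issuer")
    if published != expected:
        raise ValueError(f"issuer mismatch: IdP publishes {published!r}, expected {expected!r}")
    settings = {"Issuer URL": configured_issuer}
    for key, label in REQUIRED_ENDPOINTS.items():
        value = doc.get(key)
        if not value:
            raise ValueError(f"discovery document lacks required field {key}")
        if not value.startswith("https://"):
            raise ValueError(f"{key} must be an https URL, got {value!r}")
        settings[label] = value
    end_session = doc.get("end_session_endpoint")
    if single_logout and not end_session:
        raise ValueError("single logout requested but the IdP publishes no end_session_endpoint")
    settings["End session endpoint"] = end_session
    # Per the discovery spec, client_secret_basic is assumed when this list is absent.
    settings["Token Auth Methods"] = doc.get(
        "token_endpoint_auth_methods_supported", ["client_secret_basic"])
    return settings


if __name__ == "__main__":
    print(discovery_url(SAMPLE_ISSUER))
    for name, value in parse_discovery(SAMPLE_ISSUER, SAMPLE_DISCOVERY_JSON, single_logout=True).items():
        print(f"{name}: {value}")
```

Running this against a real IdP means fetching discovery_url(issuer) over HTTPS and passing the response body to parse_discovery; an issuer mismatch there is the usual symptom of a trailing slash copied differently in the IdP and in Sysdig.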

(Optional) Enter OpenID Additional Settings

In some cases, an OpenID IdP may not support metadata auto-discovery, and additional configuration settings must be entered manually.

In this case:

  1. In the OpenID tab, toggle the Metadata Discovery button to off to display additional entries on the page.

  2. Enter the relevant parameters derived from your IdP and click Save.

Connection Setting

Description

Issuer URL

Required. This is usually the same value as the Issuer URL entered in the basic connection settings, but it can differ for providers that have a separate general domain and user-specific domain. For example, general domain: https://openid-connect.onelogin.com/oidc; user-specific domain: https://sysdig-phil-dev.onelogin.com/oidc.

The URL is provided by your IdP, for example https://YOUR-ONELOGIN-DOMAIN.onelogin.com/oidc. Ensure that you use the entire domain path for OpenID Connect, including any trailing /.

Authorization Endpoint

Required. Authorization request endpoint.

Token Endpoint

Required. Token exchange endpoint.

JSON Web Key Set Endpoint

Required. The endpoint that contains key credentials for token signature verification.

End session endpoint

Optional. The URL at the IdP to which a Relying Party (RP) can perform a redirect to request that the end user be logged out at the IdP.

This option is required if the single-logout toggle is enabled.

Token Auth Method

Authentication method.

Supported values (case insensitive):

  • client_secret_basic

  • client_secret_post
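How the two Token Auth Method values change the token request, as an added example (not Sysdig's code): it builds the authorization-code exchange for client_secret_basic (credentials in an HTTP Basic header) and client_secret_post (credentials in the form body), and accepts the setting case-insensitively as the table states. The token endpoint, client ID, secret and code used in the usage section are constructed placeholders.

```python
import base64
from urllib.parse import quote_plus, unquote_plus, urlencode

SUPPORTED_AUTH_METHODS = ("client_secret_basic", "client_secret_post")


def normalise_auth_method(value: str) -> str:
    """Accept the setting case-insensitively and reject anything else."""
    method = value.strip().lower()
    if method not in SUPPORTED_AUTH_METHODS:
        raise ValueError(
            f"unsupported Token Auth Method {value!r}; use one of {SUPPORTED_AUTH_METHODS}")
    return method


def build_token_request(token_endpoint, client_id, client_secret, code, redirect_uri, auth_method):
    """Return (url, headers, body) for the authorization-code exchange.

    client_secret_basic: credentials go in an HTTP Basic Authorization header
        (RFC 6749 section 2.3.1: each part is form-urlencoded before joining).
    client_secret_post: credentials go in the form body alongside the code.
    """
    method = normalise_auth_method(auth_method)
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        raw = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode("ascii")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    else:
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    return token_endpoint, headers, urlencode(form)


def parse_basic_header(header: str):
    """Inverse of the Basic header construction, for checking what was sent."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic" or not encoded:
        raise ValueError("not an HTTP Basic Authorization header")
    user, _, secret = base64.b64decode(encoded).decode("ascii").partition(":")
    return unquote_plus(user), unquote_plus(secret)


if __name__ == "__main__":
    # Constructed placeholders, not real credentials.
    for method in ("CLIENT_SECRET_BASIC", "client_secret_post"):
        url, headers, body = build_token_request(
            "https://idp.example/oidc/token", "sysdig-client", "s3cret",
            "abc123", "https://app.sysdigcloud.com/api/oauth/openid/auth", method)
        print(method, "->", url, headers, body)
```

The difference matters when the IdP logs request bodies or when a proxy between Sysdig and the IdP strips Authorization headers: with client_secret_post the secret travels in the body, with client_secret_basic in the header, and an IdP that supports only one of them rejects the other with an invalid_client error.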

Select OpenID for SSO

  1. Select OpenID from the Enabled Single Sign-On dropdown.

  2. Click Set Authentication.

  3. Repeat the entire enablement process for Sysdig Monitor or Sysdig Secure, if you want to enable both applications.

Configure OpenID Single Logout

With Single Logout (SLO), users sign out of one service provider and all of their active sessions are terminated without any additional effort, which is a significant usability convenience.

SLO Process

Sysdig requests that the IdP log the end user out by redirecting the user’s User Agent to the IdP’s Logout Endpoint. The IdP’s endpoint can be retrieved via the end_session_endpoint element of the IdP’s Discovery response (metadata). After the logout has been performed, the user’s User Agent is redirected to the Sysdig login page.
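The SLO redirect described above, as an added example that is not Sysdig's code: it assembles the RP-initiated logout URL from the IdP's end_session_endpoint with id_token_hint, post_logout_redirect_uri and state, refuses any post-logout URI that is not one of the sign-out redirect URIs registered at the IdP, and checks the state echoed back when the browser lands on the login page. The endpoint, registered URI and token value are constructed placeholders; the login page URL stands in for the Sysdig login page.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed values: a hypothetical IdP end_session_endpoint and the sign-out
# redirect URI registered for the relying party (placeholder for the login page).
SAMPLE_END_SESSION_ENDPOINT = "https://idp.example.com/oidc/logout"
REGISTERED_SIGNOUT_REDIRECT_URIS = frozenset({"https://rp.example.com/login"})


def build_logout_redirect(end_session_endpoint, id_token_hint, post_logout_redirect_uri,
                          state, registered_uris):
    """Build the RP-initiated logout URL the user agent is redirected to.

    The post-logout URI must exactly match one registered at the IdP (the
    "Sign-out redirect URIs" step); this mirrors the check the IdP makes and
    keeps a crafted link from bouncing users to an unrelated site.
    """
    parts = urlsplit(end_session_endpoint)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("end_session_endpoint must be an absolute https URL")
    if post_logout_redirect_uri not in registered_uris:
        raise ValueError(f"{post_logout_redirect_uri!r} is not a registered sign-out redirect URI")
    # Preserve any query the IdP already put on the endpoint, then append ours.
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [
        ("id_token_hint", id_token_hint),
        ("post_logout_redirect_uri", post_logout_redirect_uri),
        ("state", state),
    ]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def verify_logout_return(returned_url, expected_state):
    """True if the state the IdP echoed back matches the one we sent."""
    got = dict(parse_qsl(urlsplit(returned_url).query))
    return got.get("state") == expected_state


if __name__ == "__main__":
    # "eyJ.fake.idtoken" is a constructed placeholder, not a real ID token.
    print(build_logout_redirect(SAMPLE_END_SESSION_ENDPOINT, "eyJ.fake.idtoken",
                                "https://rp.example.com/login", "xyz",
                                REGISTERED_SIGNOUT_REDIRECT_URIS))
```

If the IdP publishes no end_session_endpoint, there is nothing to redirect to, which is why the End session endpoint setting becomes required once the single-logout toggle is on.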

Configure IdP

Configure Sign-out redirect URIs:

Configure Sysdig

  1. Log in to Sysdig Monitor or Sysdig Secure as an administrator.

    For on-prem deployments, log in as the super admin.

  2. Navigate to Settings > Authentication(SSO), and select OpenID under Connection Settings.

  3. Enter the OpenID configuration.

  4. Ensure that Enable OpenID single logout is toggled on.

  5. Click Save Settings.

  6. Select OpenID from the Enable Single Sign On drop-down, and click Set Authentication.

Login Experience

As noted in the enablement workflow above, you can offer users three ways to log in with an OpenID configuration:

Sysdig SaaS URL

Users can begin at the Sysdig SaaS URL and click the OpenID button.

See SaaS Regions and IP Ranges and identify the correct SaaS URL associated with your Sysdig application and region. For example, the URLs of Monitor and Secure for US East are:

Monitor: app.sysdigcloud.com

Secure: secure.sysdig.com

For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com.

They will be prompted to enter a Company Name, so the Sysdig platform can redirect the browser to your IdP for authentication.

Direct URL

You can provide an alternative URL to avoid the user having to enter a company name, in the format:

IdP-Initiated Login

You can configure an IdP-initiated login flow when configuring your IdP. The users then select the Sysdig application from your IdP’s app directory and do not need to browse directly to a Sysdig application URL.

See User and Team Administration for information on creating users.

Topics in This Section
Configure Google Cloud Authentication for OIDC

You can configure Google Cloud Authentication as an OpenID authentication mechanism in Sysdig. You may need to adjust the procedures based on the specifics of your environment.

Configure Okta for OIDC

You can configure Okta as an OpenID Connect (OIDC) authentication mechanism in Sysdig.

Configure OneLogin for OIDC

You can configure OneLogin as an OpenID authentication mechanism in Sysdig.

Configure Keycloak for OIDC

You can configure Keycloak as an OpenID authentication mechanism in Sysdig.

Configure Azure Active Directory for OIDC

OpenID Connect (OIDC) is a security-token-based extension of the OAuth 2.0 authorization protocol that provides single sign-on. Azure Active Directory (AD) provides an implementation of the OIDC protocol, and Sysdig supports it for single sign-on and API access to the Sysdig application.