This the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

  • 1:
    • 2:
      • 2.1:
        • 2.2:
          • 2.3:
            • 2.4:
            • 3:
              • 3.1:
                • 3.2:
                  • 3.3:
                    • 3.4:
                    • 4:
                      • 5:

                        Authentication and Authorization (SaaS)

                        Sysdig Monitor and Sysdig Secure are designed to work with several user authentication/authorization methods:

                        TypeEnabled by DefaultIntegration Steps Required
                        User email/passwordYesNo
                        Google OAuthNoNo
                        SAMLNoYes
                        OpenID ConnectNoYes

                        The user’s view:

                        The pages in this section describe the integration and enablement steps required for SAML or OpenID Connect, and the Identity Provider (IdP) services that support these protocols, such as Okta, OneLogin, Keycloak.

                        In the SaaS environment, Google login can be enabled with a simple drop-down selection; the integration has already been performed.

                        See SaaS Regions and IP Ranges before proceeding to configure authentication.

                        To integrate SAML or OpenID Connect with both Sysdig Monitor and Sysdig Secure, you must go through the integration steps twice, once for each Sysdig product.

                        Workflow

                        With the new Authorization UI, the basic process of enabling a Single Sign-On (SSO) option is:

                        1. Determine which SSO option (GoogleOAuth, SAML, OpenID) your enterprise uses, and which IdP service (Okta, OneLogin, etc.) is used, if any.

                        2. Enter the required connection settings for the chosen SSO on the appropriate Authentication tab. (Note: for Google, the settings are already entered.)

                        3. Configure any associated IdP settings on the IdP side.

                        4. Select the SSO option from the Enabled Single Sign-On drop-down and click Save Authentication.

                        5. If enabling for both Sysdig Monitor and Sysdig Secure, repeat the process on the second application.

                        View of the Authentication page for Google OAuth in the SaaS environment.

                        1 -

                        Google OAuth (SaaS)

                        This guide is specific to cloud-based (SaaS) Sysdig environments. If you are configuring an On-Premises Sysdig environment, refer to Google OAuth (On-Prem) instead.

                        In the SaaS environment, Google users have the option to log in via Google OAuth.

                        As the SaaS platform is preconfigured to permit such logins, environments that already use Google services (such as G Suite) may find this the most convenient approach for simplified login.

                        Enable Google OAuth

                        Since Google OAuth is pre-configured by Sysdig, the administrator needs only select it as the chosen Authentication option to enable it.

                        1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.

                        2. Select Authentication.

                          (Select the Google OAuth tab if you want to see the preconfigured (un-editable) settings. )

                        3. Select Google OAuth from the Enabled Single Sign-On dropdown and click Save Authentication.

                        4. Repeat for Sysdig Monitor or Sysdig Secure, if you want to enable on both applications.

                        User Experience

                        Note the following requirements for successful Google OAuth login:

                        • The user must have already logged in successfully at least once to your environment (such as via email-based Invitation and having set an initial password)

                        • The user’s login username in the Sysdig platform must precisely match the user’s Google email address (that is, it cannot be a shortened/altered Google email alias)

                        For such a user to log in via Google OAuth, click the Log in with Google button.

                        If the user’s browser has not already successfully authenticated via Google and/or has multiple Google profiles known by their browser, they will be presented a Google page to select a profile and enter a password (if necessary) before being redirected back to your Sysdig environment.

                        See also User and Team Administration for information on creating users.

                        2 -

                        SAML (SaaS)

                        This guide is specific to cloud-based (SaaS) Sysdig environments. If you are configuring an On-Premises Sysdig environment, refer to SAML (On-Prem) instead.

                        SAML support in the Sysdig platform allows authentication via your choice of Identity Provider (IdP).

                        The Sysdig platform ordinarily maintains its own user database to hold a username and password hash. SAML instead allows for redirection to your organization’s IdP to validate username/password and other policies necessary to grant access to Sysdig application(s). Upon successful authentication via SAML, a corresponding user record in the Sysdig platform’s user database is automatically created, though the password that was sent to the IdP is never seen nor stored by the Sysdig platform.

                        This section describes how to integrate and enable SAML with both Sysdig Monitor and Sysdig Secure.

                        For specific IdP integration information, refer to:

                        See also Caveats

                        Basic Enablement Workflow

                        Step

                        Options

                        Notes

                        1. Know which IdP your company uses and will be configuring.

                        These are the IdPs for which Sysdig has performed detailed interoperability testing and confirmed how to integrate using their standard docs.

                        If your IDP is not listed, it may still work with the Sysdig platform. Contact Sysdig Support for help.

                        2. Decide the login flow you want users to experience (choose from three options):

                        Click SAML button and enter a company name

                        Open the domain URL corresponding to your Sysdig application and region and enter your company name.

                        For example, domain URLs of Monitor and Secure for US East are app.sysdigcloud.com and secure.sysdig.com respectively.

                        Contact the Sysdig Support to set your company name on the account. This is applicable to all supported IdPs.

                        Type/bookmark a URL in browser

                        For example, the URLs for the US East are:

                        Monitor: https://app.sysdigcloud.com/api/saml/COMPANY_NAME?redirectRoute=%2F&companyName=COMPANY_NAME

                        Secure: https://secure.sysdig.com/api/saml/COMPANY_NAME?product=SDS&redirectRoute=%2F&companyName=COMPANY_NAME

                        For example, for the EU region:

                        Monitor: https://eu1.app.sysdig.com/api/saml/COMPANY_NAME?product=SDS&redirectRoute=%2F&companyName=COMPANY_NAME>

                        Secure: https://eu1.app.sysdig.com/api/saml/COMPANY_NAME?product=SDS&redirectRoute=%2F&companyName=COMPANY_NAME

                        For URLs corresponding to other regions, see SaaS Regions and IP Ranges.

                        Log in from an IdP interface

                        The individual IdP integration pages describe how to add Sysdig to the IdP interface.

                        You will need your Sysdig customer number on hand.

                        3. Perform the configuration steps in your IdP interface and collect the resulting config attributes.

                        Collect metadata URL (or XML) and test it.

                        If you intend to configure IDP-initiated login flow, have your Sysdig customer number on hand. It will be referenced in later configuration steps as CUSTOMER_ID_NUMBER.

                        4 a. Log in to Sysdig Monitor or Sysdig Secure Settings (as admin) and enter the necessary configuration information in the UI. Enable SAML as your SSO.

                        4 b. Repeat process for the other Sysdig product, if you are using both Monitor and Secure.

                        You will enter a separate redirect URL in your IdP for each product; otherwise the integration processes are the same.

                        Administrator Steps

                        Configure IdP

                        Select the appropriate IdP from the list below, and follow the instructions:

                        Enable SAML in Settings

                        To enable baseline SAML functionality:

                        Enter SAML Connection Settings

                        1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings from the User Profile button in the left navigation.

                        2. Select Authentication.

                        3. Select the SAML tab.

                        4. Enter the relevant parameters (see table below) and click Save.

                          It is strongly recommended that “Signed Assertion” and “Validate Signature” are enabled to ensure that the SAML SSO process is as secure as possible.

                        Connection SettingOptionsDescriptionSample Entry
                        MetadataURLThe URL provided at the end of the IdP configuration steps.
                        XMLAn option that can be used for an IdP that doesn’t support extracting metadata XML via URL.
                        Signed Assertionoff/onShould Sysdig check for assertions signed in responses (to assist in validating correct IdP).ON
                        Email ParameteremailName of parameter in the SAML response for user email ID. Sysdig uses this to extract the user’s email from the response.email
                        Validate Signatureoff/onSysdig backend should verify that the response is signed.ON
                        Verify Destinationoff/onFlag to control whether Sysdig should check the “destination” field in the SAMLResponse. Recommend ON, as a security measure. May be OFF in special cases, such as a proxy in front of the Sysdig back end.ON
                        Create user on loginoff/onFlag to control whether a user record should be created in the Sysdig database after first successful SAML log in.
                        Disable username and password loginoff/onSwitch “on” to disallow user name and password log in. (Useful with SAML OpenID.)

                        Select SAML for SSO

                        1. Select SAML from the Enabled Single Sign-On dropdown

                        2. Click Save Authentication.

                        3. Repeat entire enablement process for Sysdig Monitor or Sysdig Secure, if you want to enable on both applications.

                        Configure SAML Single Logout

                        Sysdig supports SAML Single Logout (SLO).

                        SLO is a feature in federated authentication where Sysdig users can sign out of both their Sysdig session (Service Provider) and associated IdP (Identity Provider) simultaneously. SLO allows you to terminate all sessions established via SAML SSO by initiating a single logout process. Closing all user sessions prevents unauthorized users from gaining access to Sysdig resources.

                        SLO Process

                        When a user initiates a logout, Sysdig sends a digitally-signed logout request to the IdP. The IdP validates the request and terminates the current login session, then redirects the user back to the Sysdig login page.

                        Caveats

                        • SLO is currently supported only in US-West and EU-Central regions.

                        • Sysdig does not support HTTP Post binding for single logout, and therefore, SLO with Okta is not functional at this point.

                        Configure IdP

                        1. Configure logout URLs:

                          • Monitor: <base_URL>/api/saml/slo/logout

                          • Secure: <base_URL>/api/saml/slo/secureLogout

                        2. Choose HTTP Redirect as the binding method.

                          This option is an alternative to the HTTP POST method, which Sysdig does not support currently.

                        3. If your IdP mandates, upload the public key for Sysdig.

                          Contact Sysdig Support to retrieve the public key associated with your deployment.

                          Certain IDPs, such as Azure, don’t require uploading the public key.

                        Configure Sysdig

                        1. Log in to Sysdig Monitor or Sysdig Secure as an administrator and select Settings.

                          For on-prem deployments, log in as the super admin.

                        2. Navigate to Settings > Authentication, and select SAML under Connection Settings.

                        3. Enter the SAML configuration.

                        4. Ensure that Enable SAML single logout is toggled on.

                        5. Click Save.

                        6. Ensure that you select SAML from the Enable Single Sign On drop-down.

                        User Experience

                        As noted in the Basic Enablement Workflow above, you can offer users three ways to log in with a SAML configuration:

                        • They can begin at the Sysdig SaaS URL and click the SAML button.

                          See SaaS Regions and IP Ranges and identify the correct Sysdig SaaS URL associated with your Sysdig application and region. For example, URLs of Monitor and Secure for US East are:

                          Monitor: app.sysdigcloud.com

                          Secure: secure.sysdig.com

                          They will be prompted to enter a Company Name, so the Sysdig platform can redirect the browser to your IdP for authentication.

                          Contact Sysdig Support to set your company name on the account.

                        • You can provide an alternative URL to avoid the user having to enter a company name, in the format:

                          Sysdig Monitor: https://app.sysdigcloud.com/api/saml/ COMPANY_NAME

                          Sysdig Secure: https://secure.sysdig.com/api/saml/ COMPANY_NAME?product=SDS

                          For other regions, the format is https://<region>.app.sysdig.com/api/saml/auth. Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Secure in the EU, you use https://eu1.app.sysdig.com/api/saml/secureAuth.

                        • You can configure an IdP-initiated login flow when configuring your IdP. The users then select the Sysdig application from your IDP’s app directory and do not browse directly to a Sysdig application URL at all.

                        Users that complete their first successful SAML login to Sysdig Secure may receive the error message “User doesn’t have permission to login in Sysdig Secure”. This is because only members of the Secure Operations team are permitted access to Sysdig Secure, and newly-created logins are not in this team by default. Such a user should contact an Administrator for the Sysdig environment to be added to the Secure Operations team.

                        Environments that wish to have all users access Secure by default could use this sample Python script to frequently “sync” the team memberships.

                        See Developer Documentation for tips on using the sample Python scripts provided by Sysdig.

                        See also User and Team Administration for information on creating users.

                        Caveats

                        • SAML Assertion Encryption/Decryption is not currently supported.

                        2.1 -

                        Okta (SAML)

                        Review SAML (SaaS) before you begin.

                        Configure Sysdig Monitor and/or Sysdig Secure as a SAML application using Okta’s documentation for Setting Up a SAML Application in Okta. The notes below call out specific steps that require additional action.

                        Sysdig-Specific Steps for Okta Configuration

                        IDP-initiated Login Flow

                        If you don’t intend to configure IDP-initiated login flow, check the boxes for “Do not display application icon to users” and “Do not display application icon in the Okta Mobile app”.

                        URL, URI and RelayState Values

                        Enter the values shown in the table below. If you wish to configure IDP-initiated login flow, replace CUSTOMER-ID-NUMBER with the number retrieved as described in Find Your Customer Number.

                        See SaaS Regions and IP Ranges and identify the correct URLs associated with your Sysdig application and region. For example, in US East, the endpoints are:

                        Setting

                        Value for Sysdig Monitor

                        Value for Sysdig Secure

                        Single sign on URL

                        https://app.sysdigcloud.com/api/saml/auth

                        https://secure.sysdig.com/api/saml/secureAuth

                        Audience URI (SP Entity ID)

                        https://app.sysdigcloud.com/api/saml/metadata

                        https://app.sysdigcloud.com/api/saml/metadata

                        Default RelayState

                        (optional - only configure if you intend to use IDP-initiated login flow)

                        #/&customer=CUSTOMER-ID-NUMBER

                        #/&customer=CUSTOMER-ID-NUMBER

                        For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com/api/saml/auth.

                        Email and Name Values

                        Instead of the values shown in the Okta example, add the values:

                        NameValue
                        emailuser.email
                        first nameuser.firstName
                        last nameuser.lastName

                        Note that the attributes are case sensitive, so use caution when entering them.

                        Only email is required. However, including first/last name is recommended, since these values will now be included in the records created in the Sysdig platform’s database when new users successfully login via SAML for the first time.

                        SAML Configuration Metadata Value

                        Copy the URL and paste in the Metadata entry on the SAML Configuration page in the SAML connection settings.

                        Test Metadata (Optional)

                        To ensure the metadata URL you copy at the end of the IDP configuration procedure is correct, you can test it by directly accessing it via your browser.

                        When accessing the URL, your browser should immediately download an XML file that begins similarly to the example shown below. No entry of credentials or other security measures should be required to successfully download it. If this is not the case, revisit the IDP configuration steps.

                        <?xml version= "1.0" ?> <EntityDescriptor xmlns= "urn:oasis:names:tc:SAML:2.0:metadata" entityID= "https://app.onelogin.com/saml/metadata/680358" > `<IDPSSODescriptor xmlns:ds=` `"http://www.w3.org/2000/09/xmldsig#" ` `protocolSupportEnumeration=` `"urn:oasis:names:tc:SAML:2.0:protocol"` `>names:tc:SAML:` `2.0` `:metadata` `" entityID="` ` https://app.onelogin.com/saml/metadata/ ` `680358` `">` ...

                        2.2 -

                        OneLogin (SAML)

                        Review SAML (SaaS) before you begin.

                        Configure Sysdig Monitor and/or Sysdig Secure as a SAML application using OneLogin’s article titled Use the OneLogin SAML Test Connector. The notes below call out specific steps that require additional action.

                        Sysdig-Specific Steps for OneLogin Configuration

                        Adding the SAML Test Connector

                        At the step for “Adding the SAML Test Connector”, select SAML Test Connector (IdP w/ attr w/ sign response). If you don’t intend to configure IDP-initiated login flow, uncheck the slider so it will no longer be “Visible in portal”.

                        Test Connector Configuration Page Settings

                        At the “Test Connector Configuration Page”, enter the values shown in the table below. If you wish to configure IDP-initiated login flow, replace CUSTOMER-ID-NUMBER with the number retrieved as described in the Find Your Customer Number article.

                        See SaaS Regions and IP Ranges and identify the correct URLs associated with your Sysdig application and region. For example, given below are the URLs for the US East region.

                        Field

                        Value for Sysdig Monitor

                        Value for Sysdig Secure

                        RelayState

                        (optional - only configure if you intend to use IDP-initiated login flow)

                        #/&customer=CUSTOMER-ID-NUMBER

                        #/&customer=CUSTOMER-ID-NUMBER

                        Recipient

                        https://app.sysdigcloud.com/api/saml/auth

                        https://secure.sysdig.com/api/saml/secureAuth

                        ACS (Consumer) URL Validator

                        https://app.sysdigcloud.com

                        https://secure.sysdig.com

                        ACS (Consumer) URL

                        https://app.sysdigcloud.com/api/saml/auth

                        https://secure.sysdig.com/api/saml/secureAuth

                        For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com/api/saml/auth.

                        (Optional) If you want the user’s First Name and Last Name to be included in the records created in the Sysdig platform’s database when new users successfully login via SAML for the first time, click to the Parameters tab. Click Add parameter and create each of two New Fields, checking the box each time to Include in SAML assertion. Then click to Edit each field and select the Value shown from the drop-down menu before clicking Save.

                        Field NameValue
                        first nameFirst Name
                        last nameLast Name

                        Note that the Field Names are case sensitive, so be careful to enter them as all lowercase.

                        The following shows an example of a correctly-configured field for First Name:

                        Issuer URL

                        Click to the SSO tab, copy the Issuer URL, and paste in the Metadata entry on the SAML Configuration page in the SAML connection settings.

                        Test Metadata (Optional)

                        To ensure the metadata URL you copy at the end of the IDP configuration procedure is correct, you can test it by directly accessing it via your browser.

                        When accessing the URL, your browser should immediately download an XML file that begins similarly to the example shown below. No entry of credentials or other security measures should be required to successfully download it. If this is not the case, revisit the IDP configuration steps.

                        <?xml version= "1.0" ?> <EntityDescriptor xmlns= "urn:oasis:names:tc:SAML:2.0:metadata" entityID= "https://app.onelogin.com/saml/metadata/680358" > `<IDPSSODescriptor xmlns:ds=` `"http://www.w3.org/2000/09/xmldsig#" ` `protocolSupportEnumeration=` `"urn:oasis:names:tc:SAML:2.0:protocol"` `>names:tc:SAML:` `2.0` `:metadata` `" entityID="` ` https://app.onelogin.com/saml/metadata/ ` `680358` `">` ...

                        2.3 -

                        ADFS (SAML)

                        Review SAML (SaaS) before you begin.

                        These instructions assume you already have a working, Internet-accessible ADFS ( Active Directory Federation Service) server. Interoperability testing has been performed specifically with ADFS on Windows Server 2012 R2.

                        Follow the instructions below to configure ADFS with the ADFS Management tool in the Windows Server Manager.

                        For Service-Provider-Initiated Login Flow

                        1. Right-click to Service > Edit Federation Service Properties. Note the hostname in the Federation Service Identifier, as this will be used in the metadata URL that you paste in the Metadata entry on the SAML Configuration page in the Sysdig authentication settings. Specifically, the metadata URL will be of the format https://HOSTNAME/FederationMetadata/2007-06/FederationMetadata.xml. Also, so that the Sysdig platform can access this URL directly, this host must resolve in DNS and have a valid (not self-signed) SSL/TLS certificate.

                        2. Add a Relying Party Trust configuration for the Sysdig application.

                          1. Right-click to Relying Party Trusts > Add Relying Party Trust and click Start to begin the wizard.

                          2. In the Select Data Source step, click the button to Enter data about the relying party manually, then click Next

                          3. Enter a Display name of your choosing (e.g. “Sysdig Monitor” or “Sysdig Secure”), then click Next

                          4. Click Next to accept the default option to use AD FS profile

                          5. Click Next to skip the selection of an optional token encryption certificate (Sysdig does not support this option)

                          6. Check the box to Enable support for the SAML 2.0 Web SSO protocol, then enter one of the following values for Relying party SAML 2.0 SSO service URL:

                            If configuring Sysdig Monitor, enter: https://app.sysdigcloud.com/api/saml/auth

                            If configuring Sysdig Secure, enter: https://secure.sysdig.com/api/saml/secureAuth

                            Then click Next.

                          7. For the Relying party trust identifier, enter one of the following values:

                            If configuring Sysdig Monitor, enter: https://app.sysdigcloud.com

                            If configuring Sysdig Secure, enter: https://secure.sysdig.com

                            Then click Add, then click Next

                          8. Click Next to skip configuration of multi-factor authentication

                          9. Choose a policy for whether users will be permitted to login to the Sysdig application. The default to Permit all users to access the relying party will typically be acceptable. Click Next.

                          10. Review the summary and click Next to complete the configuration of the Relying Party Trust

                          11. The next step will involve adding Claim Rules, so you can leave the box checked to Open the Edit Claim Rules dialog and click the Close button to be brought immediately into the Claim Rules editor

                        3. Ensure that the SamlResponseSignature option matches the Sysdig authentication configuration.

                          1. Use the Set-AdfsRelyingPartyTrust/Get-AdfsRelyingPartyTrust cmdlets via PowerShell to configure SamlResponseSignature .

                            -SamlResponseSignature
                            Specifies the response signatures that the relying party expects. The acceptable values for this parameter are:
                            
                            AssertionOnly
                            MessageAndAssertion
                            MessageOnly
                            

                            For more information, see Set-AdfsRelyingPartyTrust.

                          2. Navigate to Settings > Authentication on the Sysdig app and check the Sysdig authentication setting maps to the SamlResponseSignature :

                            For MessageAndAssertion, enable both the options.

                        4. Next, use the Claim Rules to ensure that login data is sent as needed to the Sysdig platform. A user’s login to the Sysdig platform is based on an email address, and a default ADFS configuration would not send the email address as required. The following configuration ensures the correct field from Active Directory is delivered in the claim.

                          1. If not already in the Claim Rules editor from the previous step, navigate to it by right-clicking on the Relying Party Trust that was just created and selecting Edit Claim Rules

                          2. Click Add Rule. At the following screen, accept the default rule template to Send LDAP Attributes as Claims and click Next.

                          3. Enter a name for the rule, select Active Directory as the Attribute store, then use the pull-down selectors to pick E-Mail Address as both the LDAP Attribute and Outgoing Claim Type, then similarly make pull-down selections for Given Name and Surname. Once these selections are made, click Finish.

                          4. Now click Add Rule again, this time selecting the template for Transform an incoming claim

                          5. Enter a name for the rule, then use the pull-downs to select an Incoming claim type of E-Mail Address, an Outgoing claim type of Name ID, and an Outgoing name ID format of Email, then click Finish.

                          6. (Optional) If you want the user’s First Name and Last Name to be included in the records created in the Sysdig platform database when new users successfully login via SAML for the first time, additional Transform rules must also be created. Only the email-based username is strictly required and we already created a rule for this, so this step is optional.

                            If you wish to do this, click Add Rule and once again select the template for Transform an incoming claim. Enter a name for the rule, then use the pull-down to select an Incoming claim type of Given Name, and for the Outgoing claim type, directly type first name into the field. After clicking Finish, click Add Rule and create a similar rule to transform the Incoming claim type of Surname to the Outgoing claim type of last name.

                          7. Having clicked Finish after creating your last rule, you will see all rules now in the editor. Click Ok, and your ADFS configuration for your Sysdig application is complete.

                        For IdP-Initiated Login Flow (Optional)

                        (Optional) The steps above represent a Service-Provider-Initiated SAML configuration. If you would prefer an IdP-initiated SAML configuration, this is also possible with ADFS, but requires the additional steps described below.

                        1. The Sysdig platform requires a specific setting of RelayState in order to accept IdP-initiated login flows. On the ADFS versions tested, we’ve found this use of RelayState is disabled by default, and a Microsoft article describes the topic in detail. To enable it, as described in a Microsoft forum thread, on your ADFS host, edit %systemroot%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config and add <useRelayStateForIdpInitiatedSignOn enabled="true" /> to the <microsoft.identityserver.web> section. Once the modification is saved, restart ADFS services for the change to take effect.

                        2. You will need to retrieve your Sysdig customer number as described in the Find Your Customer Number article.

                        3. You will then need to generate an IdP-initiated login URL.

                          In addition to having the correct settings, it must be properly URL encoded. To ease this configuration, use this ADFS RelayState Generator tool. When launched, enter the values below, then hit the Generate URL button.

                          • For the IDP URL String, enter https://YOUR_ADFS_SERVER/adfs/ls/idpinitiatedsignon.aspx

                          • For the Relying Party Identifier, enter one of the following values:

                            • If configuring Sysdig Monitor, enter https://app.sysdigcloud.com

                            • If configuring Sysdig Secure, enter https://secure.sysdig.com

                            For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com/. See SaaS Regions and IP Ranges for more information.

                          • For the Relay State/Target App, enter #/&customer=CUSTOMER-ID-NUMBER, substituting the CUSTOMER-ID-NUMBER you retrieved in the previous step

                            This Results URL will be used in the metadata URL that you paste in the Metadata entry in the SAML connection settings .

                        4. Use the Results URL from the tool to test your IdP-initiated login. Note that per this Microsoft forum thread, it is apparently not possible to configure ADFS to use such a URL when your users select the application from the pull-down menu at https://YOUR_ADFS_SERVER/adfs/ls/idpinitiatedsignon.aspx. However, you may embed the URL into a custom portal or bookmarks list.

                        5. Now you can test login using an Active Directory user that has an Email address configured.

                        Test Metadata (Optional)

                        To ensure the metadata URL you copy at the end of the IDP configuration procedure is correct, you can test it by directly accessing it via your browser.

                        When accessing the URL, your browser should immediately download an XML file that begins similarly to the example shown below. No entry of credentials or other security measures should be required to successfully download it. If this is not the case, revisit the IDP configuration steps.

                        <?xml version= "1.0" ?> <EntityDescriptor xmlns= "urn:oasis:names:tc:SAML:2.0:metadata" entityID= "https://app.onelogin.com/saml/metadata/680358" > `<IDPSSODescriptor xmlns:ds=` `"http://www.w3.org/2000/09/xmldsig#" ` `protocolSupportEnumeration=` `"urn:oasis:names:tc:SAML:2.0:protocol"` `>names:tc:SAML:` `2.0` `:metadata` `" entityID="` ` https://app.onelogin.com/saml/metadata/ ` `680358` `">` ...

                        2.4 -

                        Azure Active Directory (SAML)

                        This topic explains how to configure SAML Single Sign On (SSO) with Azure Active Directory (AD) and helps you configure Sysdig to allow users to access Sysdig application by using SSO.

                        Prerequisites

                        Administrator privileges on Sysdig and Azure.

                        Configure the Sysdig Application in Azure AD

                        1. Log in to the Azure AD portal.

                        2. Select Azure Active Directory, then click Enterprise Applications.

                          The Enterprise applications - All application screen is displayed.

                        3. Click New Application.

                        4. On the Add an Application screen, select Non-gallery application.

                        5. Give your application a name, and click Add at the bottom of the page.

                        6. On the menu, select Single sign-on.

                        7. Choose SAML as the sign-on method.

                        8. Edit the Basic SAML Configuration as follows:

                          1. In the configuration page, click the edit icon.

                          2. Specify the following:

                            • Identifier (Entity ID): Uniquely identifies the Sysdig application. Azure AD sends the identifier to the Sysdig application as the audience parameter of the SAML token. Sysdig validates this as part of the SSO process.

                              For example, the identifier for Sysdig Monitor for the EU region is https://eu1.app.sysdig.com.

                              See SaaS Regions and IP Ranges for the complete list of entity IDs for different regions.

                            • Reply URL: Specifies where Sysdig expects to receive the SAML token.

                              For example, the identifier for Sysdig Monitor for the EU region is https://eu1.app.sysdig.com/api/saml/auth.

                            • See SaaS Regions and IP Ranges for the complete list of reply URLs for different regions.

                            • Relay State: Specifies to the application where to redirect the user after authentication is completed. Typically the value is a valid URL for Sysdig. If you are configuring SSO for SaaS, change the relay state to reflect the correct customer number associated with your Sysdig application. For on-prem installations, the customer number is always 1.

                              The format is:

                              #/&customer=1234
                              
                            • Sign on URL: It is the sign-in page for the Sysdig application that will perform the service provider-initiated SSO. Leave it blank if you want to perform identity-provider-initiated SSO.

                            For more information on configuration parameters, see Configure SAML-based single sign-on to non-gallery applications.

                        Sysdig-Specific Steps for Active Directory Configuration

                        1. Under SAML Signing Certificate, copy the App Federation Metadata URL.

                        2. Log in to your Sysdig instance as an admin.

                          For on-prem deployments, log in as the super admin.

                        3. Navigate to Settings > Authentication, and select SAML under Connection Settings.

                        4. Enter the following:

                          • Metadata: Enter the App Federation Metadata URL you copied.

                          • Email Parameter: Set the value to emailaddress.

                            Azure AD claims are:

                            saml = AD
                            givenname = user.givenname
                            surname = user.surname
                            emailaddress = user.mail
                            name = user.userprincipalname
                            Unique User Identifier = user.userprincipalname
                            

                            In the Sysdig application, you need to set the email to emailaddress which is what Azure AD sends to Sysdig in the SAML assertion. Alternatively, Azure AD can be modified to send another attribute.

                        5. Click Save.

                        6. Select SAML from the Enable Single Sign On drop-down.

                        Create a User in Azure Active Directory Domain

                        1. Log in to the Azure AD portal.

                        2. Click Azure Active Directory, and note down the domain name.

                        3. Select Azure Active Directory, then Users.

                          The Users - All Users screen is displayed.

                        4. Select New Users .

                          You can either create a new user or invite an existing AD.

                        5. Enter name, username, and other details, then click Create.

                        6. In the Profile page, add the Email and Alternate Email parameters. The values can match

                        Assign the User to the Sysdig Application

                        1. Navigate to the Sysdig application.

                        2. Click Users and Group, then click the Add user button.

                        3. Select the Users and Groups checkbox, then choose the newly created user to add to the application.

                        4. Click Select, then Assign at the bottom of the screen.

                        Enable Authentication Settings in the Sysdig Instance

                        Ensure that Flag to enable/disable create user on login is enabled. Typically this setting is enabled by default.

                        If you are using both Sysdig Monitor and Secure, ensure that the user accounts are created on both the products. A user that is created only on one Sysdig application will not be able to log in to another by using SAML SSO.

                        if you are on Sysdig Platform versions 2.4.1 or prior, contact Sysdig Support to help with user creation.

                        (Optional) Configure Sysdig as a New Application

                        If Azure Active Directory does not allow you to create Sysdig as a Non- Gallery application, perform the following:

                        1. In Azure AD, click Enterprise Applications > New Application.

                        2. Select Application you’re developing.

                          You will be taken to the app registration page:

                        3. Select New Registration:

                        4. Provide a name for the application you are registering.

                        5. Enter the redirect URI.

                          For example, the redirect URI for Sysdig Monitor for the EU region is https://eu1.app.sysdig.com/api/saml/auth. See SaaS Regions and IP Ranges for the redirect URLs for other regions.

                        6. Click Register to complete the registration.

                        7. In the Overview tab click Add an Application ID URI:

                        8. Click Add a scope.

                        9. Add the application ID URI as follows:

                          https://<your_sysdig_url>:443
                          

                          Replace <*your_sysdig_*url> with the URL appropriate to your application and region. See SaaS Regions and IP Ranges for more information.

                        10. In the Overview tab, click Endpoints, and copy the Federation Metadata URL.

                        11. Log in to Sysdig, navigate to SAML Authentication screen, and enter the Federation Metadata URL.

                          You will still need to ensure that the user creation on the login option is enabled.

                        12. Save the settings.

                        3 -

                        OpenID Connect (SaaS)

                        This guide is specific to cloud-based (SaaS) Sysdig environments. If you are configuring an On-Premises Sysdig environment, refer to OpenID Connect (On-Prem) instead.

                        OpenID support in the Sysdig platform allows authentication via your choice of Identity Provider (IdP). This section describes how to integrate and enable OpenID Connect with both Sysdig Monitor and Sysdig Secure.

                        Overview

                        Summary of OpenID Functionality in Sysdig

                        The Sysdig platform ordinarily maintains its own user database to hold a username and password hash. OpenID instead allows for redirection to your organization’s IdP to validate username/password and other policies necessary to grant access to Sysdig application(s). Upon successful authentication via OpenID, a corresponding user record in the Sysdig platform’s user database is automatically created, though the password that was sent to the IdP is never seen nor stored by the Sysdig platform.

                        Basic Enablement Workflow

                        Step

                        Options

                        Notes

                        1. Know which IdP your company uses and will be configuring.

                        These are the OpenID Providers for which Sysdig has performed detailed interoperability testing and confirmed how to integrate using their standard docs. If your OpenID Provider is not listed (including ones that do not support OpenID Connect Discovery), it may still work with the Sysdig platform. Contact Sysdig Support for help.

                        2. Decide the login flow you want users to experience: 3 options

                        Click OpenID button and enter a company name

                        From app.sysdigcloud.com or secure.sysdig.com > page to enter company name.

                        Type/bookmark a URL in a browser

                        Contact Sysdig for the Company Name associated with your account.

                        Log in from an IdP interface

                        The individual IdP integration pages describe how to add Sysdig to the IdP interface.

                        You will need your Company Name on hand.

                        3. Perform the configuration steps in your IdP interface and collect the resulting config attributes.

                        Collect metadata URL (or XML) and test it.

                        If you intend to configure IDP-initiated login flow, you need the following:

                        • Redirect URLs

                          See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, domain URLs of Monitor and Secure for US East are:

                          • Monitor: https://app.sysdigcloud.com/api/oauth/openid/auth

                          • Secure: https://secure.sysdig.com/api/oauth/openid/secureAuth

                          For other regions, the format is https://<region>.app.sysdig.com.

                          Replace <region> with the region your where Sysidig application is hosted. For example, for Sysdig Monitor you use https://eu1.app.sysdig.com/api/oauth/openid/auth.

                        4 a. Log in to Sysdig Monitor or Sysdig Secure and configure authentication.

                        4 b. Repeat process for the other Sysdig product, if you are using both Monitor and Secure.

                        • Log in to Sysdig Monitor Settings (as super admin) and enter the necessary configuration information in the UI. Save and Enable OpenID as your SSO.

                        • Log in to Sysdig Monitor Settings (as super admin) and enter the necessary configuration information in the UI. Save and Enable OpenID as your SSO.

                        You will enter a separate redirect URL in your IdP for each product; otherwise the integration processes are the same.

                        Administrator Steps

                        Configure IdP

                        Select the appropriate IdP link below, and follow the instructions:

                        Enable OpenID in Settings

                        To enable baseline OpenID functionality:

                        Enter OpenID Basic Connection Settings

                        1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.

                        2. Select Authentication.

                        3. Select the OpenID tab.

                        4. Enter the relevant parameters (see table below) and click Save.

                        Connection SettingDescription
                        Client IDID provided by your IdP
                        Client SecretSecret provided by your IdP
                        Issuer URLURL provided by your IdP. Example:https://YOUR-ONELOGIN-DOMAIN.onelogin.com/oidc

                        Okta, OneLogin, and Keycloak support metadata auto-discovery, so these settings should be sufficient for those IdPs.

                        Enter OpenID Additional Settings (if needed)

                        In some cases, an OpenID IdP may not support metadata auto-discovery, and additional configuration settings must be entered manually.

                        In this case:

                        1. On the OpenID tab, toggle the Metadata Discovery button to OFF to display additional entries on the page.

                        2. Enter the relevant parameters derived from your IdP (see table below) and click Save.

                        Connection Setting

                        Description

                        Base Issuer

                        Required. Often the same Issuer URL, but can be different for providers that have a separate general domain and user-specific domain

                        (for example, general domain: https://openid-connect.onelogin.com/oidc, user-specific domain: https://sysdig-phil-dev.onelogin.com/oidc)f

                        Authorization Endpoint

                        Required. Authorization request endpoint

                        Token Endpoint

                        Required. Token exchange endpoint

                        JSON Web Key Set Endpoint

                        Required. Endpoint that contains key credentials for token signature verification

                        Token Auth Method

                        Authentication method.

                        Supported values:

                        client_secret_basic ,

                        client_secret_post . (case insensitive)

                        Select OpenID for SSO

                        1. Select OpenIDfrom the Enabled Single Sign-On dropdown.

                        2. Click Save Authentication.

                        3. Repeat entire enablement process for Sysdig Monitor or Sysdig Secure, if you want to enable on both applications.

                        User Experience

                        As noted in the Basic Enablement Workflow above, you can offer users three ways to log in with an OpenID configuration:

                        • They can begin at the Sysdig SaaS URL and click the OpenID button.

                          See SaaS Regions and IP Ranges and identify the correct SaaS URL associated with your Sysdig application and region. For example, URLs of Monitor and Secure for US East are:

                          Monitor: app.sysdigcloud.com

                          Secure: secure.sysdig.com

                          For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com.

                          They will be prompted to enter a Company Name, so the Sysdig platform can redirect the browser to your IdP for authentication.

                          =

                        • You can provide an alternative URL to avoid the user having to enter a company name, in the format:

                          Monitor: https://app.sysdigcloud.com/api/oauth/openid/ CompanyName Secure: https://secure.sysdig.com/api/oauth/openid/ CompanyName?product=SDS

                        • You can configure an IdP-initiated login flow when configuring your IdP. The users then select the Sysdig application from your IDP’s app directory and do not browse directly to a Sysdig application URL at all.

                        See also User and Team Administration for information on creating users.

                        3.1 -

                        Okta (OpenID)

                        OpenID Provider Configuration for Okta

                        Review OpenID Connect (SaaS) before you begin.

                        The notes below describe minimal steps to be taken in Okta. You may need to adjust the steps based on the specifics of your environment.

                        1. Log in to your Okta organization as a user with administrative privileges and click to the Admin dashboard

                        2. Click on the Add Applications shortcut, then click the Create New App button

                        3. Select Web as the Platform type, then click OpenID Connect as the Sign-on method, then click Create

                        4. Create a new application:

                          • Enter your choice of General Settings.

                          • For Login redirect URIs, enter one of the following values:

                            See SaaS Regions and IP Ranges and identify the correct domain URL (redirect URL) associated with your Sysdig application and region. For example, domain URLs of Monitor and Secure for US East are:

                            • Sysdig Monitor: https://app.sysdigcloud.com/api/oauth/openid/auth

                            • Sysdig Secure: https://secure.sysdig.com/api/oauth/openid/secureAuth

                            For other regions, the format is https://<region>.app.sysdig.com.

                            Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com/api/oauth/openid/auth.

                          • Click Save.

                        5. You should next be placed in a General tab. Take note of the Client ID and Client secret that are shown.

                          You will enter them on the OpenID Configuration page in the Sysdig authentication settings.

                        6. Click to the Sign On tab. Take note of the Issuer URL that is shown, as it will need to be sent to Sysdig Support.

                          You will enter it in the OpenID Configuration page in the OpenID settings.

                        3.2 -

                        OneLogin (OpenID)

                        OpenID Provider Configuration for OneLogin

                        Review OpenID Connect (SaaS) before you begin.

                        The notes below describe minimal steps to be taken in OneLogin. You may need to adjust the steps based on the specifics of your environment.

                        1. Log in to your OneLogin organization as a user with administrative privileges and click to Apps > Custom Connectors, then click the New Connector button.

                        2. Create a new Connector:

                          • Enter your choice of connector name.

                          • Select a Sign on Method of OpenID Connect.

                          • For Redirect URI, enter one of the following values:

                            See SaaS Regions and IP Ranges and identify the correct domain URL (redirect URL) associated with your Sysdig application and region. For example, domain URLs of Monitor and Secure for US East are:

                            • Sysdig Monitor: https://app.sysdigcloud.com/api/oauth/openid/auth

                            • Sysdig Secure: https://secure.sysdig.com/api/oauth/openid/secureAuth

                            For other regions, the format is https://<region>.app.sysdig.com.

                            Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Secure you use https://eu1.sysdig.com/api/oauth/openid/secureAuth.

                          • Click Save.

                        3. From the More Actions pull-down menu, select Add App to Connector

                        4. Click Save to add the app to your catalog. Once clicked, additional tabs will appear.

                        5. Click to the SSO tab. Change the setting in the Token Endpoint drop-down to POST, then click Save.

                        6. While still on the SSO tab, take note of the Client ID and Client Secret that are shown (click Show client secret to reveal it).

                          You will enter them in the OpenID settings.

                        7. Note that the Issuer URL will consist of https://YOUR-ONELOGIN-DOMAIN.onelogin.com/oidc

                          You will enter them in the OpenID settings.

                        During testing, we’ve found OneLogin sometimes does not persist changes that are made in the OpenID Provider configuration. If you make changes to your OneLogin configuration and experience issues such as HTTP 400 Bad Request when attempting logins to your Sysdig application, you may need to delete your Custom Connector and App config in OneLogin and recreate it from scratch.

                        3.3 -

                        Keycloak (OpenID)

                        Configure OpenID Provider for Keycloak

                        Review OpenID Connect (SaaS) before you begin.

                        The notes below describe minimal steps to be taken in Keycloak. You may need to adjust the steps based on the specifics of your environment.

                        1. Log in to your Keycloak server’s Administrative Console.

                        2. Select a realm or create a new one.

                        3. Click Clients, then click the **Create**button.

                        4. Enter the Client ID of your choosing (e.g. “SysdigMonitor”) and take note of it.

                          You will enter it in the OpenID Configuration page in the Sysdig Authentication Settings.

                        5. Make sure the Client Protocol drop-down has openid-connect selected. Click the Save button.

                        6. Configure OpenID Connect client:

                          • Click the toggle for Authorization Enabled to ON

                          • For Valid Redirect URI, enter one of the following values:

                            See SaaS Regions and IP Ranges and identify the correct domain URL (Redirect URI) associated with your Sysdig application and region. For example, domain URLs of Monitor and Secure for US East are:

                            • Sysdig Monitor: https://app.sysdigcloud.com/api/oauth/openid/auth

                            • Sysdig Secure: https://secure.sysdig.com/api/oauth/openid/secureAuth

                            For other regions, the format is https://<region>.app.sysdig.com.

                            Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Monitor you use https://eu1.app.sysdig.com/api/oauth/openid/auth.

                          • Click Save .

                        7. Click to the Credentials tab. Take note of the Secret that is shown.

                          You will enter it in the OpenID settings

                        8. Note that the Issuer URL will consist of https://KEYCLOAK_SERVER_ADDRESS/auth/realms/REALM_NAME, where KEYCLOAK_SERVER_ADDRESS and REALM_NAME are derived from your environment where you just created the configuration. You will enter it in the OpenID settings.

                        3.4 -

                        Azure (OpenID)

                        OpenID Connect is a security-token based extension of the OAuth 2.0 authorization protocol to do single sign-on. Azure Active Directory provides an implementation of OpenID Connect (OIDC) protocol and Sysdig supports it for single sign-on and API access to Sysdig application.

                        Enabling Azure OpenID Connect for single sign-on to Sysdig applications include configuration on the Microsoft Active Directory as well as on the Sysdig application.

                        Prerequisites

                        Administrator privileges on Sysdig and Azure Active Directory (AD).

                        Configuring Sysdig Application in Azure AD

                        1. Log in to the Azure AD portal.

                        2. Search for Azure Active Directory and do one of the following:

                          • Select your Active Directory service

                          • Create a new one.

                        3. Click App registration > New registration.

                        4. In the Register an application page, specify the following:

                          • Name: Display name to identify your Sysdig application. For example, Sysdig Secure.

                          • Supported account types: For Sysdig SaaS, choose Accounts in this organizational directory only (Default Directory only - Single tenant). All user and guest accounts created in your active directory can use Sysdig application and API.

                          • Redirect URI: Authenticated Sysdig users are redirected to this URI.

                            See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, domain URLs of Monitor and Secure for US East are:

                            For other regions, the format is:

                            https://<region>.app.sysdig.com

                            Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Monitor you use https://eu1.app.sysdig.com/api/oauth/openid/auth.

                            For on-prem installations, the redirect URI will be deployment-specific.

                            You can add only a single redirect URI on this page. Use the Authentication page associated with your application to add additional redirect URIs.

                        5. Click Register.

                        6. Add additional redirect URIs.

                          1. Select your application from App registration.

                          2. Click Authentication from the left navigation.

                          3. Add the redirect URIs corresponding to Monitor and Secure.

                        7. Create a Secret for the Sysdig application.

                          It is a string that the Sysdig application uses to prove its identity when requesting a token.

                          1. Click Certificates & secrets.

                          2. Under Client Secrets, click New client secret.

                          3. Enter a description that identifies the secret and choose an expiration period.

                          4. Click Add.

                          5. Copy the client secret. You will need the client secret while configuring OpenID Connect SSO on the Sysdig application.

                        8. Copy the Client ID and OpenID Connect endpoints corresponding to the application that you have created.

                          1. Select your application from App registration.

                          2. Copy the Application (client) ID.

                            You will need the client ID while configuring OpenID Connect SSO on the Sysdig application.

                          3. Click Endpoints.

                          4. Copy the OpenID Connect metadata document and open it in a browser.

                          5. Copy the OpenID Connect URI (Issuer URI).

                            For example, https://login.microsoftonline.com/5a4b56fc-dceb-4a64-94ff-21e08e5892f5/v2.0

                        Configure Sysdig Settings

                        To enable Azure OpenID functionality on the Sysdig application, you need the following:

                        • Client ID

                        • Client Secret

                        • Issuer URL.

                        See Enable OpenID in Settings to learn how to complete your configuration.

                        4 -

                        Disable Password Authentication (SaaS)

                        Sysdig Platform supports disabling password-based authentication on both SaaS and on-prem deployments. As an administrator (super administrator for on-prem), you can use an API to achieve it. This configuration is applicable to those who use single sign-on.

                        For On-Prem environments, see Disable Password Authentication.

                        SaaS Deployments

                        As an administrator, perform the following:

                        1. Get the Sysdig Platform settings:

                          See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, for Sysdig Monitor on US East is:

                          GET https://app.sysdigcloud.com/api/auth/settings/
                          

                          For other regions, the format is https://<region>.app.sysdig.com/api/auth/settings. Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com/api/auth/settings.

                        2. Find the ID of the active SSO setup:

                          GET https://app.sysdigcloud.com/api/auth/settings/active
                          
                        3. Retrieve the specific settings associated with the SSO setup:

                          GET https://app.sysdigcloud.com/api/auth/settings/{id}
                          

                          The setting is displayed in a JSON file.

                        4. In the JSON file, change the following from false to true:

                          settings/forbidPasswordLogin: True
                          
                        5. Update the setting with a request to the same URL with the same JSON, with the changed parameter. URL depends on the type of deployment.

                          PUT https://app.sysdigcloud.com/api/auth/settings/{id}
                          

                        Migrating from the ConfigMap Method

                        Previously, the sysdigcloud.restrict.password.login parameter in the Kubernetes ConfigMap has been used to disable password authentication. After installing 3.2.0, deployments utilizing the sysdigcloud.restrict.password.login settings will be automatically migrated to use the new settings.

                        5 -

                        Configure Customized Session Expiration

                        (For SaaS) When you want inactive sessions to deactivate after a time-out period, you can configure it on the Sysdig application. You can determine how long a user’s browser can be idle after which they will be automatically logged out from the session.

                        To do so

                        1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.

                        2. Select Authentication.

                        3. Scroll down and locate the Session Expiration settings.

                        4. Specify the Session Expiration setting:

                          1. Enable session expiration by using the Terminate session after inactivity period (in minutes) of slider.

                          2. Specify the time-out period in minutes.

                          3. Click Save.