Authentication and Authorization (SaaS)
Sysdig Monitor and Sysdig Secure are designed to work with several user
authentication/authorization methods:
Type | Enabled by Default | Integration Steps Required
---|---|---
User email/password | Yes | No
Google OAuth | No | No
SAML | No | Yes
OpenID Connect | No | Yes
The user’s view:

The pages in this section describe the integration and enablement steps required for SAML or OpenID Connect, and the Identity Provider (IdP) services that support these protocols, such as Okta, OneLogin, and Keycloak.

In the SaaS environment, Google login can be enabled with a simple drop-down selection; the integration has already been performed.

See SaaS Regions and IP Ranges before proceeding to configure authentication.

To integrate SAML or OpenID Connect with both Sysdig Monitor and Sysdig Secure, you must go through the integration steps twice, once for each Sysdig product.
Workflow
With the new Authorization UI, the basic process of enabling a Single Sign-On (SSO) option is:
1. Determine which SSO option (Google OAuth, SAML, OpenID) your enterprise uses, and which IdP service (Okta, OneLogin, etc.) is used, if any.
2. Enter the required connection settings for the chosen SSO on the appropriate Authentication tab. (Note: for Google, the settings are already entered.)
3. Configure any associated IdP settings on the IdP side.
4. Select the SSO option from the Enabled Single Sign-On drop-down and click Save Authentication.
5. If enabling for both Sysdig Monitor and Sysdig Secure, repeat the process on the second application.

View of the Authentication page for Google OAuth in the SaaS
environment.
1 - Google OAuth (SaaS)
This guide is specific to cloud-based (SaaS) Sysdig environments. If you are configuring an On-Premises Sysdig environment, refer to Google OAuth (On-Prem) instead.
In the SaaS environment, Google users have the option to log in via Google OAuth. As the SaaS platform is preconfigured to permit such logins, environments that already use Google services (such as G Suite) may find this the most convenient approach for simplified login.
Enable Google OAuth
Since Google OAuth is pre-configured by Sysdig, the administrator needs only select it as the chosen Authentication option to enable it.
1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.
2. Select Authentication. (Select the Google OAuth tab if you want to see the preconfigured, un-editable settings.)

3. Select Google OAuth from the Enabled Single Sign-On dropdown and click Save Authentication.
4. Repeat for Sysdig Monitor or Sysdig Secure, if you want to enable it on both applications.
User Experience
Note the following requirements for successful Google OAuth login:
- The user must have already logged in successfully at least once to your environment (such as via email-based Invitation and having set an initial password).
- The user’s login username in the Sysdig platform must precisely match the user’s Google email address (that is, it cannot be a shortened/altered Google email alias).
For such a user to log in via Google OAuth, click the Log in with Google button.

If the user’s browser has not already successfully authenticated via Google and/or has multiple Google profiles known by their browser, they will be presented a Google page to select a profile and enter a password (if necessary) before being redirected back to your Sysdig environment.
See also User and Team Administration for information on creating users.
2 - SAML (SaaS)
This guide is specific to cloud-based (SaaS) Sysdig environments. If you
are configuring an On-Premises Sysdig environment, refer to SAML
(On-Prem) instead.
SAML support in the Sysdig platform allows authentication via your choice of Identity Provider (IdP).
The Sysdig platform ordinarily maintains its own user database to hold a username and password hash. SAML instead allows for redirection to your organization’s IdP to validate username/password and other policies necessary to grant access to Sysdig application(s). Upon successful authentication via SAML, a corresponding user record in the Sysdig platform’s user database is automatically created, though the password that was sent to the IdP is never seen nor stored by the Sysdig platform.
This section describes how to integrate and enable SAML with both Sysdig Monitor and Sysdig Secure.
For specific IdP integration information, refer to:
See also Caveats.
Basic Enablement Workflow
Administrator Steps
Select the appropriate IdP from the list below, and follow the instructions:
Enable SAML in Settings
To enable baseline SAML functionality:
Enter SAML Connection Settings
1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings from the User Profile button in the left navigation.
2. Select Authentication.
3. Select the SAML tab.
4. Enter the relevant parameters (see table below) and click Save.
It is strongly recommended that “Signed Assertion” and “Validate Signature” are enabled to ensure that the SAML SSO process is as secure as possible.
Connection Setting | Options | Description | Sample Entry
---|---|---|---
Metadata | URL | The URL provided at the end of the IdP configuration steps. |
| XML | An option that can be used for an IdP that doesn’t support extracting metadata XML via URL. |
Signed Assertion | off/on | Should Sysdig check for assertions signed in responses (to assist in validating the correct IdP). | ON
Email Parameter | email | Name of the parameter in the SAML response for the user email ID. Sysdig uses this to extract the user’s email from the response. | email
Validate Signature | off/on | The Sysdig backend should verify that the response is signed. | ON
Verify Destination | off/on | Flag to control whether Sysdig should check the “destination” field in the SAMLResponse. Recommended ON, as a security measure. May be OFF in special cases, such as a proxy in front of the Sysdig back end. | ON
Create user on login | off/on | Flag to control whether a user record should be created in the Sysdig database after the first successful SAML login. |
Disable username and password login | off/on | Switch “on” to disallow username and password login. (Useful with SAML or OpenID.) |
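The settings above decide which checks Sysdig applies to an incoming SAMLResponse. The following added Python example (not Sysdig code) shows what those checks mean on the wire: it parses a constructed SAMLResponse and reports, for a given settings combination, whether the message and the assertion carry signature elements, whether Destination matches the expected ACS URL, and which attribute the Email Parameter selects. The settings keys, the idp.example.test issuer and the example.test addresses are assumptions; the code checks only for the presence of signature elements and does not verify signatures cryptographically.

```python
"""Offline check of one SAMLResponse against the connection settings in the table above.

Added example, not Sysdig code: it shows what Signed Assertion, Validate Signature,
Verify Destination and Email Parameter mean on the wire. It checks only for the
presence and consistency of the relevant elements; a real Service Provider must
also verify each ds:Signature cryptographically against the IdP's signing certificate.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed setting names; values mirror the recommended "ON" entries of the table.
DEFAULT_SETTINGS = {
    "signed_assertion": True,    # the Assertion must carry its own ds:Signature
    "validate_signature": True,  # the Response message must be signed
    "verify_destination": True,  # Destination must equal the ACS URL we expect
    "email_parameter": "email",  # attribute holding the user's email
}

# Constructed sample: the Assertion is signed, the outer Response is not, and
# Destination is the US East Sysdig Monitor ACS URL from this page.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp-constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://app.sysdigcloud.com/api/saml/auth">
  <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assertion-constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="first name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, expected_acs_url, settings=DEFAULT_SETTINGS):
    """Return {'ok': bool, 'findings': [str], 'email': str | None} for one SAMLResponse."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return {"ok": False, "findings": ["document is not a samlp:Response"], "email": None}

    # Validate Signature: the message itself carries a ds:Signature
    if settings["validate_signature"] and root.find("ds:Signature", NS) is None:
        findings.append("Response message is not signed (Validate Signature is ON)")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("Response carries no Assertion")
        return {"ok": False, "findings": findings, "email": None}

    # Signed Assertion: the Assertion carries its own ds:Signature
    if settings["signed_assertion"] and assertion.find("ds:Signature", NS) is None:
        findings.append("Assertion is not signed (Signed Assertion is ON)")

    # Verify Destination: the IdP addressed this response to our ACS endpoint
    if settings["verify_destination"] and root.get("Destination") != expected_acs_url:
        findings.append("Destination %r does not match expected ACS URL %r"
                        % (root.get("Destination"), expected_acs_url))

    # Email Parameter: the attribute whose value becomes the Sysdig username
    email = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == settings["email_parameter"]:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                email = value.text.strip()
    if email is None:
        findings.append("no attribute named %r in the assertion" % settings["email_parameter"])

    return {"ok": not findings, "findings": findings, "email": email}


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, "https://app.sysdigcloud.com/api/saml/auth"))
```

With all four settings ON, the sample is rejected because only the assertion is signed; turning Validate Signature off accepts it, and pointing the expected ACS URL at the Sysdig Secure endpoint makes Verify Destination reject it. Setting the Email Parameter to a name the IdP does not send (for example emailaddress against an IdP that sends email) is the mismatch that leaves Sysdig without a username.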
Select SAML for SSO
1. Select SAML from the Enabled Single Sign-On dropdown.
2. Click Save Authentication.
3. Repeat the entire enablement process for Sysdig Monitor or Sysdig Secure, if you want to enable it on both applications.
Sysdig supports SAML Single Logout (SLO). SLO is a feature in federated authentication where Sysdig users can sign out of both their Sysdig session (Service Provider) and the associated IdP (Identity Provider) simultaneously. SLO allows you to terminate all sessions established via SAML SSO by initiating a single logout process. Closing all user sessions prevents unauthorized users from gaining access to Sysdig resources.
SLO Process
When a user initiates a logout, Sysdig sends a digitally-signed logout request to the IdP. The IdP validates the request and terminates the current login session, then redirects the user back to the Sysdig login page.
Configure logout URLs:
1. Choose HTTP Redirect as the binding method. This option is an alternative to the HTTP POST method, which Sysdig does not support currently.
2. If your IdP mandates it, upload the public key for Sysdig. The public key can be retrieved from metadata. Metadata is available here:
   NOTE: {customerName} must be URL encoded.
   If you are having issues retrieving the key, please contact Sysdig Support to retrieve the public key associated with your deployment. Certain IdPs, such as Azure, don’t require uploading the public key.
3. Log in to Sysdig Monitor or Sysdig Secure as an administrator and select Settings. For on-prem deployments, log in as the super admin.
4. Navigate to Settings > Authentication, and select SAML under Connection Settings.
5. Enter the SAML configuration.
6. Ensure that Enable SAML single logout is toggled on.

7. Click Save.
8. Ensure that you select SAML from the Enable Single Sign On drop-down.
End User Login to Sysdig
As noted in the Basic Enablement Workflow above, you can offer users three ways to log in with a SAML configuration:
1. They can begin at the Sysdig SaaS URL and click the SAML button. See SaaS Regions and IP Ranges and identify the correct Sysdig SaaS URL associated with your Sysdig application and region. For example, the URLs of Monitor and Secure for US East are:
   - Monitor: app.sysdigcloud.com
   - Secure: secure.sysdig.com
   They will be prompted to enter a Company Name, so the Sysdig platform can redirect the browser to your IdP for authentication. Contact Sysdig Support to set your company name on the account.

2. You can provide an alternative URL to avoid the user having to enter a company name, in the format:
   - Sysdig Monitor: https://app.sysdigcloud.com/api/saml/COMPANY_NAME
   - Sysdig Secure: https://secure.sysdig.com/api/saml/COMPANY_NAME?product=SDS
   For other regions, the format is https://<region>.app.sysdig.com/api/saml/auth. Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Secure in the EU, you use https://eu1.app.sysdig.com/api/saml/secureAuth.
3. You can configure an IdP-initiated login flow when configuring your IdP. The users then select the Sysdig application from your IdP’s app directory and do not browse directly to a Sysdig application URL at all.
Users that complete their first successful SAML login to Sysdig Secure may receive the error message “User doesn’t have permission to login in Sysdig Secure”. This is because only members of the Secure Operations team are permitted access to Sysdig Secure, and newly-created logins are not in this team by default. Such a user should contact an Administrator for the Sysdig environment to be added to the Secure Operations team.
Environments that wish to have all users access Sysdig Secure by default could use this sample Python script to frequently “sync” the team memberships. See Developer Documentation for tips on using the sample Python scripts provided by Sysdig.
See also User and Team Administration for information on creating users.
Caveats
- SAML Assertion Encryption/Decryption is not currently supported.
2.1 - Okta (SAML)
Review SAML (SaaS) before you begin.
Configure Sysdig Monitor and/or Sysdig Secure as a SAML application using Okta’s documentation for Setting Up a SAML Application in Okta. The notes below call out specific steps that require additional action.
Sysdig-Specific Steps for Okta Configuration
IdP-initiated Login Flow
If you don’t intend to configure an IdP-initiated login flow, check the boxes for “Do not display application icon to users” and “Do not display application icon in the Okta Mobile app”.
URL, URI and RelayState Values
Enter the values shown in the table below. If you wish to configure an IdP-initiated login flow, replace CUSTOMER-ID-NUMBER with the number retrieved as described in Find Your Customer Number.
See SaaS Regions and IP Ranges and identify the correct URLs associated with your Sysdig application and region. For example, in US East, the endpoints are:
Setting | Sysdig Monitor | Sysdig Secure
---|---|---
Single sign on URL | https://app.sysdigcloud.com/api/saml/auth | https://secure.sysdig.com/api/saml/secureAuth
Audience URI (SP Entity ID) | https://app.sysdigcloud.com/api/saml/metadata | https://app.sysdigcloud.com/api/saml/metadata
Default RelayState (optional - only configure if you intend to use IdP-initiated login flow) | #/&customer=CUSTOMER-ID-NUMBER | #/&customer=CUSTOMER-ID-NUMBER
For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com/api/saml/auth.
Email and Name Values
Instead of the values shown in the Okta example, add the values:
Name | Value
---|---
email | user.email
first name | user.firstName
last name | user.lastName
Note that the attributes are case sensitive, so use caution when entering them.

Only email is required. However, including first/last name is recommended, since these values will then be included in the records created in the Sysdig platform’s database when new users successfully log in via SAML for the first time.
SAML Configuration Metadata Value
Copy the URL and paste it in the Metadata entry on the SAML Configuration page in the SAML connection settings.
To ensure the metadata URL you copy at the end of the IdP configuration procedure is correct, you can test it by directly accessing it via your browser.
When accessing the URL, your browser should immediately download an XML file that begins similarly to the example shown below. No entry of credentials or other security measures should be required to successfully download it. If this is not the case, revisit the IdP configuration steps.
```xml
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/680358">
  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  ...
```
2.2 - OneLogin (SAML)
Review SAML (SaaS) before you begin.
Configure Sysdig Monitor and/or Sysdig Secure as a SAML application using OneLogin’s article titled Use the OneLogin SAML Test Connector. The notes below call out specific steps that require additional action.
Sysdig-Specific Steps for OneLogin Configuration
Adding the SAML Test Connector
At the step for “Adding the SAML Test Connector”, select SAML Test Connector (IdP w/ attr w/ sign response). If you don’t intend to configure an IdP-initiated login flow, uncheck the slider so it will no longer be “Visible in portal”.
Test Connector Configuration Page Settings
At the “Test Connector Configuration Page”, enter the values shown in the table below. If you wish to configure an IdP-initiated login flow, replace CUSTOMER-ID-NUMBER with the number retrieved as described in the Find Your Customer Number article.
See SaaS Regions and IP Ranges and identify the correct URLs associated with your Sysdig application and region. For example, given below are the URLs for the US East region.
Setting | Sysdig Monitor | Sysdig Secure
---|---|---
RelayState (optional - only configure if you intend to use IdP-initiated login flow) | #/&customer=CUSTOMER-ID-NUMBER | #/&customer=CUSTOMER-ID-NUMBER
Recipient | https://app.sysdigcloud.com/api/saml/auth | https://secure.sysdig.com/api/saml/secureAuth
ACS (Consumer) URL Validator | https://app.sysdigcloud.com | https://secure.sysdig.com
ACS (Consumer) URL | https://app.sysdigcloud.com/api/saml/auth | https://secure.sysdig.com/api/saml/secureAuth
For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com/api/saml/auth.
(Optional) If you want the user’s First Name and Last Name to be included in the records created in the Sysdig platform’s database when new users successfully log in via SAML for the first time, click to the Parameters tab. Click Add parameter and create each of two New Fields, checking the box each time to Include in SAML assertion. Then click to Edit each field and select the Value shown from the drop-down menu before clicking Save.
Field Name | Value
---|---
email | Email
first name | First Name
last name | Last Name
Note that the Field Names are case sensitive, so be careful to enter them as all lowercase.
The following shows an example of a correctly-configured field for First Name:

Issuer URL
Click to the SSO tab, copy the Issuer URL, and paste it in the Metadata entry on the SAML Configuration page in the SAML connection settings.
To ensure the metadata URL you copy at the end of the IdP configuration procedure is correct, you can test it by directly accessing it via your browser.
When accessing the URL, your browser should immediately download an XML file that begins similarly to the example shown below. No entry of credentials or other security measures should be required to successfully download it. If this is not the case, revisit the IdP configuration steps.
```xml
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/680358">
  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  ...
```
2.3 - ADFS (SAML)
Review SAML (SaaS) before
you begin.
These instructions assume you already have a working, Internet-accessible ADFS (Active Directory Federation Service) server. Interoperability testing has been performed specifically with ADFS on Windows Server 2012 R2.
Follow the instructions below to configure ADFS with the ADFS Management tool in the Windows Server Manager.
For Service-Provider-Initiated Login Flow
1. Right-click Service > Edit Federation Service Properties. Note the hostname in the Federation Service Identifier, as this will be used in the metadata URL that you paste in the Metadata entry on the SAML Configuration page in the Sysdig authentication settings. Specifically, the metadata URL will be of the format https://HOSTNAME/FederationMetadata/2007-06/FederationMetadata.xml. Also, so that the Sysdig platform can access this URL directly, this host must resolve in DNS and have a valid (not self-signed) SSL/TLS certificate.

2. Add a Relying Party Trust configuration for the Sysdig application. Right-click Relying Party Trusts > Add Relying Party Trust and click Start to begin the wizard.

3. In the Select Data Source step, click the button to Enter data about the relying party manually, then click Next.

4. Enter a Display name of your choosing (e.g. “Sysdig Monitor” or “Sysdig Secure”), then click Next.

5. Click Next to accept the default option to use AD FS profile.

6. Click Next to skip the selection of an optional token encryption certificate (Sysdig does not support this option).

7. Check the box to Enable support for the SAML 2.0 Web SSO protocol, then enter one of the following values for Relying party SAML 2.0 SSO service URL:
   - If configuring Sysdig Monitor, enter: https://app.sysdigcloud.com/api/saml/auth
   - If configuring Sysdig Secure, enter: https://secure.sysdig.com/api/saml/secureAuth
   Then click Next.

8. For the Relying party trust identifier, enter one of the following values:
   - If configuring Sysdig Monitor, enter: https://app.sysdigcloud.com
   - If configuring Sysdig Secure, enter: https://secure.sysdig.com
   Then click Add, then click Next.

9. Click Next to skip configuration of multi-factor authentication.

10. Choose a policy for whether users will be permitted to log in to the Sysdig application. The default to Permit all users to access the relying party will typically be acceptable. Click Next.

11. Review the summary and click Next to complete the configuration of the Relying Party Trust.

12. The next step will involve adding Claim Rules, so you can leave the box checked to Open the Edit Claim Rules dialog and click the Close button to be brought immediately into the Claim Rules editor.
Ensure that the SamlResponseSignature option matches the Sysdig authentication configuration. Use the Set-AdfsRelyingPartyTrust/Get-AdfsRelyingPartyTrust cmdlets via PowerShell to configure SamlResponseSignature.
-SamlResponseSignature
Specifies the response signatures that the relying party expects. The acceptable values for this parameter are:
- AssertionOnly
- MessageAndAssertion
- MessageOnly
For more information, see Set-AdfsRelyingPartyTrust.
Navigate to Settings > Authentication in the Sysdig app and check that the Sysdig authentication setting maps to the SamlResponseSignature value:

For MessageAndAssertion, enable both options (Signed Assertion and Validate Signature).
Next, use the Claim Rules to ensure that login data is sent as needed to the Sysdig platform. A user’s login to the Sysdig platform is based on an email address, and a default ADFS configuration would not send the email address as required. The following configuration ensures the correct field from Active Directory is delivered in the claim.
1. If not already in the Claim Rules editor from the previous step, navigate to it by right-clicking on the Relying Party Trust that was just created and selecting Edit Claim Rules.

2. Click Add Rule. At the following screen, accept the default rule template to Send LDAP Attributes as Claims and click Next.

3. Enter a name for the rule, select Active Directory as the Attribute store, then use the pull-down selectors to pick E-Mail as both the LDAP Attribute and Outgoing Claim Type, then similarly make pull-down selections for Given Name and Surname. Once these selections are made, click Finish.

4. Now click Add Rule again, this time selecting the template for Transform an incoming claim.

5. Enter a name for the rule, then use the pull-downs to select an Incoming claim type of E-Mail, an Outgoing claim type of Name ID, and an Outgoing name ID format of Email, then click Finish.

6. (Optional) If you want the user’s First Name and Last Name to be included in the records created in the Sysdig platform database when new users successfully log in via SAML for the first time, additional Transform rules must also be created. Only the email-based username is strictly required and we already created a rule for this, so this step is optional.
   If you wish to do this, click Add Rule and once again select the template for Transform an incoming claim. Enter a name for the rule, then use the pull-down to select an Incoming claim type of Given Name, and for the Outgoing claim type, directly type first name into the field. After clicking Finish, click Add Rule and create a similar rule to transform the Incoming claim type of Surname to the Outgoing claim type of last name.

7. Having clicked Finish after creating your last rule, you will see all rules now in the editor. Click Ok, and your ADFS configuration for your Sysdig application is complete.

For IdP-Initiated Login Flow (Optional)
(Optional) The steps above represent a Service-Provider-Initiated SAML configuration. If you would prefer an IdP-initiated SAML configuration, this is also possible with ADFS, but requires the additional steps described below.
1. The Sysdig platform requires a specific setting of RelayState in order to accept IdP-initiated login flows. On the ADFS versions tested, we’ve found this use of RelayState is disabled by default, and a Microsoft article describes the topic in detail. To enable it, as described in a Microsoft forum thread, on your ADFS host edit %systemroot%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config and add <useRelayStateForIdpInitiatedSignOn enabled="true" /> to the <microsoft.identityserver.web> section. Once the modification is saved, restart the ADFS services for the change to take effect.
2. Retrieve your Sysdig customer number as described in the Find Your Customer Number article.
3. Generate an IdP-initiated login URL. In addition to having the correct settings, it must be properly URL encoded. To ease this configuration, use this ADFS RelayState Generator tool. When launched, enter the values below, then hit the Generate URL button.
   - For the IDP URL String, enter https://YOUR_ADFS_SERVER/adfs/ls/idpinitiatedsignon.aspx
   - For the Relying Party Identifier, enter one of the following values:
     - If configuring Sysdig Monitor, enter https://app.sysdigcloud.com
     - If configuring Sysdig Secure, enter https://secure.sysdig.com
     For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com/. See SaaS Regions and IP Ranges for more information.
   - For the Relay State/Target App, enter #/&customer=CUSTOMER-ID-NUMBER, substituting the CUSTOMER-ID-NUMBER you retrieved in the previous step.

   This Results URL will be used in the metadata URL that you paste in the Metadata entry in the SAML connection settings.
4. Use the Results URL from the tool to test your IdP-initiated login. Note that per this Microsoft forum thread, it is apparently not possible to configure ADFS to use such a URL when your users select the application from the pull-down menu at https://YOUR_ADFS_SERVER/adfs/ls/idpinitiatedsignon.aspx. However, you may embed the URL into a custom portal or bookmarks list.
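For administrators who want to script what the RelayState Generator tool does (or verify a URL it produced), the following added Python example (not Sysdig's or Microsoft's code) builds and parses an ADFS IdP-initiated sign-on URL from the three values entered above. It assumes the documented ADFS RelayState convention, in which the RelayState query parameter of idpinitiatedsignon.aspx carries a URL-encoded RPID=...&RelayState=... string whose two values are themselves URL-encoded; adfs.example.test and the customer number 12345 are constructed placeholders.

```python
"""Build and parse an ADFS IdP-initiated sign-on URL for a Sysdig relying party.

Added example, not Sysdig's or Microsoft's code. It assumes the documented ADFS
RelayState convention: the idpinitiatedsignon.aspx query parameter RelayState
carries a URL-encoded string of the form RPID=<rp>&RelayState=<target>, whose
two values are themselves URL-encoded (hence the double encoding below).
"""
from urllib.parse import parse_qs, quote, urlsplit

# Relying party identifiers from this page (US East); other regions use
# https://<region>.app.sysdig.com as described above.
RP_IDENTIFIERS = {
    "monitor": "https://app.sysdigcloud.com",
    "secure": "https://secure.sysdig.com",
}


def sysdig_relay_state(customer_id):
    """Relay State/Target App value Sysdig expects: #/&customer=CUSTOMER-ID-NUMBER."""
    return "#/&customer=%s" % customer_id


def build_idp_initiated_url(idp_url, rp_identifier, target_relay_state):
    """Return the IdP-initiated login URL with the inner RPID/RelayState pair double-encoded."""
    # Inner string: each value encoded once (':' '/' '#' '&' '=' all become %XX)
    inner = "RPID=%s&RelayState=%s" % (quote(rp_identifier, safe=""),
                                       quote(target_relay_state, safe=""))
    # Outer query parameter: the whole inner string encoded again
    return "%s?RelayState=%s" % (idp_url, quote(inner, safe=""))


def parse_idp_initiated_url(url):
    """Inverse of build_idp_initiated_url: return (rp_identifier, target_relay_state)."""
    outer = parse_qs(urlsplit(url).query)["RelayState"][0]  # first level of decoding
    inner = parse_qs(outer)                                   # second level
    return inner["RPID"][0], inner["RelayState"][0]


if __name__ == "__main__":
    # Constructed placeholders: adfs.example.test is not a real host and 12345 is not a real customer number
    url = build_idp_initiated_url("https://adfs.example.test/adfs/ls/idpinitiatedsignon.aspx",
                                  RP_IDENTIFIERS["monitor"], sysdig_relay_state("12345"))
    print(url)
    print(parse_idp_initiated_url(url))
```

Run parse_idp_initiated_url on the URL the generator tool gives you: if the decoded relying party identifier and target do not come back as the exact values you entered, the URL was encoded only once and ADFS will not hand Sysdig the customer number it needs.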
Now you can test login using an Active Directory user that has an Email address configured.

To ensure the metadata URL you copy at the end of the IdP configuration procedure is correct, you can test it by directly accessing it via your browser.
When accessing the URL, your browser should immediately download an XML file that begins similarly to the example shown below. No entry of credentials or other security measures should be required to successfully download it. If this is not the case, revisit the IdP configuration steps.
```xml
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/680358">
  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  ...
```
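As an added Python example (not Sysdig code), the following check automates the metadata test described above for the Okta, OneLogin and ADFS sections: it parses the document served at the metadata URL and confirms it is IdP metadata carrying a signing certificate and the SSO/SLO endpoints Sysdig needs, and it flags the common failure where the URL returns a login page instead of XML. The idp.example.test entity and endpoints are constructed sample values; fetch_and_inspect downloads the URL without credentials, as the Sysdig backend will.

```python
"""Sanity-check IdP metadata before pasting its URL into the Sysdig Metadata field.

Added example, not Sysdig code. It parses the document an IdP serves at its
metadata URL and reports whether it is usable IdP metadata: an EntityDescriptor
with an IDPSSODescriptor, a signing certificate (the public key Sysdig needs to
validate signatures), and SSO/SLO endpoints with the bindings Sysdig uses
(HTTP-Redirect for Single Logout, per the SLO section above).
"""
import urllib.request
import xml.etree.ElementTree as ET

MD_NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of what a correct metadata URL returns (certificate is a placeholder)
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.test/saml/metadata">
  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-constructed-placeholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/saml/slo"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/saml/sso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/saml/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample of the failure case: the "metadata URL" served a sign-in page
SAMPLE_LOGIN_PAGE = "<html><body><form>Sign in</form></body></html>"


def inspect_metadata(xml_text):
    """Return a summary dict; 'ok' is True only when no finding was raised."""
    result = {"ok": False, "entity_id": None, "signing_certs": 0, "sso": {}, "slo": {}, "findings": []}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        result["findings"].append("Not well-formed XML: %s" % exc)
        return result
    if root.tag != "{%s}EntityDescriptor" % MD_NS["md"]:
        result["findings"].append("Root element is %s, not md:EntityDescriptor (login page or wrong URL?)" % root.tag)
        return result
    result["entity_id"] = root.get("entityID")

    idp = root.find("md:IDPSSODescriptor", MD_NS)
    if idp is None:
        result["findings"].append("No IDPSSODescriptor: this is not Identity Provider metadata")
        return result

    # A KeyDescriptor without 'use' serves both signing and encryption
    for kd in idp.findall("md:KeyDescriptor", MD_NS):
        has_cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD_NS) is not None
        if kd.get("use", "signing") == "signing" and has_cert:
            result["signing_certs"] += 1
    if result["signing_certs"] == 0:
        result["findings"].append("No signing certificate: Validate Signature / Signed Assertion cannot work")

    for svc in idp.findall("md:SingleSignOnService", MD_NS):
        result["sso"][svc.get("Binding")] = svc.get("Location")
    for svc in idp.findall("md:SingleLogoutService", MD_NS):
        result["slo"][svc.get("Binding")] = svc.get("Location")
    if not result["sso"]:
        result["findings"].append("No SingleSignOnService endpoint")
    if result["slo"] and HTTP_REDIRECT not in result["slo"]:
        result["findings"].append("SingleLogoutService offers no HTTP-Redirect binding (required for Sysdig SLO)")

    result["ok"] = not result["findings"]
    return result


def fetch_and_inspect(url, timeout=10):
    """Download the metadata URL with no credentials, as the Sysdig backend will, then inspect it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return inspect_metadata(resp.read().decode("utf-8"))


if __name__ == "__main__":
    print(inspect_metadata(SAMPLE_METADATA))
    print(inspect_metadata(SAMPLE_LOGIN_PAGE))
```

A result whose root element is html rather than md:EntityDescriptor is exactly the "credentials were required" case the text describes; a result with an EntityDescriptor but no IDPSSODescriptor usually means the Service Provider metadata URL was pasted instead of the IdP's.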
2.4 - Azure Active Directory (SAML)
This topic explains how to configure SAML Single Sign-On (SSO) with Azure Active Directory (AD) and helps you configure Sysdig to allow users to access the Sysdig application by using SSO.
Prerequisites
Administrator privileges on Sysdig and Azure.
1. Log in to the Azure AD portal.
2. Select Azure Active Directory, then click Enterprise Applications. The Enterprise applications - All applications screen is displayed.
3. Click New Application.
4. On the Add an Application screen, select Non-gallery application.
5. Give your application a name, and click Add at the bottom of the page.

6. On the menu, select Single sign-on.

7. Choose SAML as the sign-on method.
8. Edit the Basic SAML Configuration as follows: in the configuration page, click the edit icon and specify the following:

   - Identifier (Entity ID): Uniquely identifies the Sysdig application. Azure AD sends the identifier to the Sysdig application as the audience parameter of the SAML token. Sysdig validates this as part of the SSO process. For example, the identifier for Sysdig Monitor for the EU region is https://eu1.app.sysdig.com. See SaaS Regions and IP Ranges for the complete list of entity IDs for different regions.
   - Reply URL: Specifies where Sysdig expects to receive the SAML token. For example, the reply URL for Sysdig Monitor for the EU region is https://eu1.app.sysdig.com/api/saml/auth. See SaaS Regions and IP Ranges for the complete list of reply URLs for different regions.
   - Relay State: Specifies to the application where to redirect the user after authentication is completed. Typically the value is a valid URL for Sysdig. If you are configuring SSO for SaaS, change the relay state to reflect the correct customer number associated with your Sysdig application. For on-prem installations, the customer number is always 1. The format is:
For more information on configuration parameters, see Configure SAML-based single sign-on to non-gallery applications.
Sysdig-Specific Steps for Active Directory Configuration
1. Under SAML Signing Certificate, copy the App Federation Metadata URL.

2. Log in to your Sysdig instance as an admin. For on-prem deployments, log in as the super admin.
3. Navigate to Settings > Authentication, and select SAML under Connection Settings.
4. Enter the following:
   - Metadata: Enter the App Federation Metadata URL you copied.
   - Email Parameter: Set the value to emailaddress.
   Azure AD claims are:
   - saml = AD
   - first name = user.givenname
   - last name = user.surname
   - email = user.mail
   - name = user.userprincipalname
   - Unique User Identifier = user.userprincipalname
   In the Sysdig application, you need to set the email to email, which is what Azure AD sends to Sysdig in the SAML assertion. Alternatively, Azure AD can be modified to send another attribute.
5. Click Save.
6. Select SAML from the Enable Single Sign On drop-down.
Create a User in Azure Active Directory Domain
1. Log in to the Azure AD portal.
2. Click Azure Active Directory, and note down the domain name.
3. Select Azure Active Directory, then Users. The Users - All Users screen is displayed.
4. Select New Users. You can either create a new user or invite an existing AD.
5. Enter name, username, and other details, then click Create.
6. In the Profile page, add the Email and Alternate Email parameters. The values can match
Assign the User to the Sysdig Application
1. Navigate to the Sysdig application.
2. Click Users and Groups, then click the Add user button.
3. Select the Users and Groups checkbox, then choose the newly created user to add to the application.
4. Click Select, then Assign at the bottom of the screen.
Enable Authentication Settings in the Sysdig Instance
Ensure that Flag to enable/disable create user on login is enabled. Typically this setting is enabled by default.

If you are using both Sysdig Monitor and Secure, ensure that the user accounts are created on both products. A user that is created only on one Sysdig application will not be able to log in to the other by using SAML SSO.
If you are on Sysdig Platform versions 2.4.1 or prior, contact Sysdig Support to help with user creation.
If Azure Active Directory does not allow you to create Sysdig as a Non-Gallery application, perform the following:
1. In Azure AD, click Enterprise Applications > New Application.
2. Select Application you’re developing. You will be taken to the app registration page.

3. Select New Registration.
4. Provide a name for the application you are registering.

5. Enter the redirect URI. For example, the redirect URI for Sysdig Monitor for the EU region is https://eu1.app.sysdig.com/api/saml/auth. See SaaS Regions and IP Ranges for the redirect URLs for other regions.
6. Click Register to complete the registration.
7. In the Overview tab, click Add an Application ID URI.

8. Click Add a scope.
9. Add the application ID URI as follows: https://<your_sysdig_url>:443. Replace <your_sysdig_url> with the URL appropriate to your application and region. See SaaS Regions and IP Ranges for more information.
10. In the Overview tab, click Endpoints, and copy the Federation Metadata URL.
11. Log in to Sysdig, navigate to the SAML Authentication screen, and enter the Federation Metadata URL.
12. You will still need to ensure that the create user on login option is enabled.
13. Save the settings.
3 - OpenID Connect (SaaS)
This guide is specific to cloud-based (SaaS) Sysdig environments. If you
are configuring an On-Premises Sysdig environment, refer to OpenID
Connect (On-Prem) instead.
OpenID support in the Sysdig platform allows authentication via your choice of Identity Provider (IdP). This section describes how to integrate and enable OpenID Connect with both Sysdig Monitor and Sysdig Secure.
Overview
Summary of OpenID Functionality in Sysdig
The Sysdig platform ordinarily maintains its own user database to hold a username and password hash. OpenID instead allows for redirection to your organization’s IdP to validate username/password and other policies necessary to grant access to Sysdig application(s). Upon successful authentication via OpenID, a corresponding user record in the Sysdig platform’s user database is automatically created, though the password that was sent to the IdP is never seen nor stored by the Sysdig platform.
Basic Enablement Workflow
Step | Option | Notes
---|---|---
1. Know which IdP your company uses and will be configuring. | | These are the OpenID Providers for which Sysdig has performed detailed interoperability testing and confirmed how to integrate using their standard docs. If your OpenID Provider is not listed (including ones that do not support OpenID Connect Discovery), it may still work with the Sysdig platform. Contact Sysdig Support for help.
2. Decide the login flow you want users to experience: 3 options | Click the OpenID button and enter a company name | From app.sysdigcloud.com or secure.sysdig.com > page to enter company name.
| Type/bookmark a URL in a browser | Contact Sysdig for the Company Name associated with your account.
| Log in from an IdP interface | The individual IdP integration pages describe how to add Sysdig to the IdP interface. You will need your Company Name on hand.
3. Perform the configuration steps in your IdP interface and collect the resulting config attributes. | | Collect the metadata URL (or XML) and test it. If you intend to configure an IdP-initiated login flow, you need the following: Redirect URLs. See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, the domain URLs of Monitor and Secure for US East are: For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor in the EU you use https://eu1.app.sysdig.com/api/oauth/openid/auth.
4 a. Log in to Sysdig Monitor or Sysdig Secure and configure authentication. | | Log in to Sysdig Monitor Settings (as super admin) and enter the necessary configuration information in the UI. Save and Enable OpenID as your SSO.
4 b. Repeat the process for the other Sysdig product, if you are using both Monitor and Secure. | | You will enter a separate redirect URL in your IdP for each product; otherwise the integration processes are the same.
Administrator Steps
Select the appropriate IdP link below, and follow the instructions:
Enable OpenID in Settings
To enable baseline OpenID functionality:
Enter OpenID Basic Connection Settings
Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings.
Select Authentication.
Select the OpenID tab.
Enter the relevant parameters (see table below) and click Save.
Connection Setting | Description |
---|
Client ID | ID provided by your IdP |
Client Secret | Secret provided by your IdP |
Issuer URL | URL provided by your IdP. Example: https://YOUR-ONELOGIN-DOMAIN.onelogin.com/oidc |
Okta, OneLogin, and Keycloak support metadata auto-discovery, so these
settings should be sufficient for those IdPs.
Enter OpenID Additional Settings (if needed)
In some cases, an OpenID IdP may not support metadata auto-discovery,
and additional configuration settings must be entered manually.
In this case:
On the OpenID tab, toggle the Metadata Discovery button to OFF
to display additional entries on the page.
Enter the relevant parameters derived from your IdP (see table
below) and click Save.
Additional Setting | Description |
---|
Base Issuer | Required. Often the same as the Issuer URL, but can be different for providers that have a separate general domain and user-specific domain (for example, general domain: https://openid-connect.onelogin.com/oidc, user-specific domain: https://sysdig-phil-dev.onelogin.com/oidc) |
Authorization Endpoint | Required. Authorization request endpoint |
Token Endpoint | Required. Token exchange endpoint |
JSON Web Key Set Endpoint | Required. Endpoint that contains key credentials for token signature verification |
Token Auth Method | Authentication method. Supported values: client_secret_basic, client_secret_post (case insensitive) |
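The additional settings above are exactly the values a discovery-capable client reads from the IdP's OpenID Connect Discovery document, so when you must enter them by hand it helps to see which discovery key feeds which field and which check the automatic path performs. The following is an added example, not Sysdig's code: it maps a discovery document onto the table's fields and rejects a document whose issuer does not match the Issuer URL (the constructed sample document and its example.com endpoints are assumptions).

```python
"""Added example (not Sysdig's own code): fill the Metadata Discovery = OFF
fields from an OpenID Connect Discovery document, checking the issuer the
way a discovery-capable client must. Standard OIDC Discovery keys only; the
sample document is constructed, not a real IdP's."""

# Token-endpoint client authentication methods the Sysdig form accepts
SUPPORTED_TOKEN_AUTH = ("client_secret_basic", "client_secret_post")


def discovery_url(issuer):
    """Where a discovery-capable client fetches the document from."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def manual_settings_from_discovery(issuer, doc):
    """Map discovery keys onto the additional-settings table fields.

    A document whose 'issuer' differs from the Issuer URL it was fetched
    from is rejected (OIDC Discovery requires an exact match, which stops a
    redirected or substituted document from supplying the endpoints), as is
    any endpoint that is missing or not https.
    """
    if doc.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: document says {doc.get('issuer')!r}")
    # Base Issuer is usually the Issuer URL; OneLogin-style split domains
    # need the general domain entered by hand instead (see table above).
    settings = {"Base Issuer": issuer}
    for field, key in (("Authorization Endpoint", "authorization_endpoint"),
                       ("Token Endpoint", "token_endpoint"),
                       ("JSON Web Key Set Endpoint", "jwks_uri")):
        value = doc.get(key)
        if not isinstance(value, str) or not value.startswith("https://"):
            raise ValueError(f"{field} ({key}) missing or not https")
        settings[field] = value
    # Spec default when the key is absent is client_secret_basic; matching
    # is case-insensitive, like the Sysdig field itself.
    offered = {m.lower() for m in
               doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])}
    usable = [m for m in SUPPORTED_TOKEN_AUTH if m in offered]
    if not usable:
        raise ValueError(f"no supported token auth method in {sorted(offered)}")
    settings["Token Auth Method"] = usable[0]
    return settings


# Constructed sample discovery document (not a real provider's output)
SAMPLE_ISSUER = "https://idp.example.com/oidc"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": "https://idp.example.com/oidc/auth",
    "token_endpoint": "https://idp.example.com/oidc/token",
    "jwks_uri": "https://idp.example.com/oidc/certs",
    "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_post"],
}
```

Paste the returned fields into the form as they are; if the issuer check fails, the document you fetched is not the one for the Issuer URL you intend to trust, and the endpoints should not be used.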
Select OpenID for SSO
Select OpenID from the Enabled Single Sign-On dropdown.
Click Save Authentication.
Repeat the entire enablement process for Sysdig Monitor or Sysdig
Secure, if you want to enable it on both applications.
User Experience
As noted in the Basic Enablement Workflow above, you can offer users
three ways to log in with an OpenID configuration:
They can begin at the Sysdig SaaS URL and click the OpenID button.
See SaaS Regions and IP Ranges and identify the correct SaaS URL
associated with your Sysdig application and region. For example,
the URLs of Monitor and Secure for US East are:
Monitor: app.sysdigcloud.com
Secure: secure.sysdig.com
For other regions, the format is https://<region>.app.sysdig.com.
Replace <region> with the region where your Sysdig application is
hosted. For example, for Sysdig Monitor in the EU, you use
https://eu1.app.sysdig.com.
They will be prompted to enter a Company Name, so the Sysdig
platform can redirect the browser to your IdP for authentication.
You can provide an alternative URL to avoid the user having to enter
a company name, in the format:
Monitor: https://app.sysdigcloud.com/api/oauth/openid/CompanyName
Secure: https://secure.sysdig.com/api/oauth/openid/CompanyName?product=SDS
You can configure an IdP-initiated login flow when configuring your
IdP. The users then select the Sysdig application from your IdP’s
app directory and do not browse directly to a Sysdig application URL
at all.
3.1 - Okta (OpenID)
OpenID Provider Configuration for Okta
Review OpenID Connect
(SaaS) before you begin.
The notes below describe minimal steps to be taken in Okta. You may need
to adjust the steps based on the specifics of your environment.
Log in to your Okta organization as a user with administrative
privileges and click to the Admin dashboard.
Click on the Add Applications shortcut, then click the Create
New App button.
Select Web as the Platform type, then click OpenID Connect
as the Sign-on method, then click Create.
Create a new application:
Enter your choice of General Settings.
For Login redirect URIs, enter one of the following values:
See SaaS Regions and IP Ranges and identify the correct domain URL
(redirect URL) associated with your Sysdig application and region.
For example, domain URLs of Monitor and Secure for US East are:
For other regions, the format is https://<region>.app.sysdig.com.
Replace <region> with the region where your Sysdig application is
hosted. For example, for Sysdig Monitor in the EU, you use
https://eu1.app.sysdig.com/api/oauth/openid/auth.
Click Save.
You should next be placed in a General tab. Take note of the
Client ID and Client secret that are shown.
You will enter them on the OpenID Configuration page in the Sysdig
authentication settings.
Click to the Sign On tab. Take note of the Issuer URL that
is shown, as it will need to be sent to Sysdig Support.
You will enter it in the OpenID Configuration page in the OpenID
settings.
3.2 - OneLogin (OpenID)
OpenID Provider Configuration for OneLogin
Review OpenID Connect
(SaaS) before you begin.
The notes below describe minimal steps to be taken in OneLogin. You may
need to adjust the steps based on the specifics of your environment.
Log in to your OneLogin organization as a user with administrative
privileges and click to Apps > Custom Connectors, then
click the New Connector button.
Create a new Connector:
Enter your choice of connector name.
Select a Sign on Method of OpenID Connect.
For Redirect URI, enter one of the following values:
See SaaS Regions and IP Ranges and identify the correct domain URL
(redirect URL) associated with your Sysdig application and region.
For example, domain URLs of Monitor and Secure for US East are:
For other regions, the format is https://<region>.app.sysdig.com.
Replace <region> with the region where your Sysdig application is
hosted. For example, for Sysdig Secure you use
https://eu1.sysdig.com/api/oauth/openid/secureAuth.
Click Save.
From the More Actions pull-down menu, select Add App to
Connector.
Click Save to add the app to your catalog. Once clicked,
additional tabs will appear.
Click to the SSO tab. Change the setting in the Token
Endpoint drop-down to POST, then click Save.
While still on the SSO tab, take note of the Client ID and
Client Secret that are shown (click Show client secret to
reveal it).
You will enter them in the OpenID settings.
Note that the Issuer URL will consist of
https://YOUR-ONELOGIN-DOMAIN.onelogin.com/oidc
You will enter it in the OpenID settings.
During testing, we’ve found OneLogin sometimes does not persist changes
that are made in the OpenID Provider configuration. If you make changes
to your OneLogin configuration and experience issues such as HTTP 400
Bad Request when attempting logins to your Sysdig application, you may
need to delete your Custom Connector and App config in OneLogin and
recreate it from scratch.
3.3 - Keycloak (OpenID)
Review OpenID Connect
(SaaS) before you begin.
The notes below describe minimal steps to be taken in Keycloak. You may
need to adjust the steps based on the specifics of your environment.
Log in to your Keycloak server’s Administrative Console.
Select a realm or create a new one.
Click Clients, then click the Create button.
Enter the Client ID of your choosing (e.g. “SysdigMonitor”) and
take note of it.
You will enter it in the OpenID Configuration page in the Sysdig
Authentication Settings.
Make sure the Client Protocol drop-down has openid-connect
selected. Click the Save button.
Configure the OpenID Connect client:
Click the toggle for Authorization Enabled to ON.
For Valid Redirect URI, enter one of the following values:
See SaaS Regions and IP Ranges and identify the correct domain URL
(Redirect URI) associated with your Sysdig application and region.
For example, domain URLs of Monitor and Secure for US East are:
For other regions, the format is https://<region>.app.sysdig.com.
Replace <region> with the region where your Sysdig application is
hosted. For example, for Sysdig Monitor you use
https://eu1.app.sysdig.com/api/oauth/openid/auth.
Click Save.
Click to the Credentials tab. Take note of the Secret that is
shown.
You will enter it in the OpenID settings.
Note that the Issuer URL will consist of
https://KEYCLOAK_SERVER_ADDRESS/auth/realms/REALM_NAME,
where KEYCLOAK_SERVER_ADDRESS and REALM_NAME are derived from the
environment where you just created the configuration. You will enter
it in the OpenID settings.
3.4 - Azure (OpenID)
OpenID Connect is a security-token based extension of the OAuth
2.0 authorization protocol for single sign-on. Azure Active Directory
provides an implementation of the OpenID Connect (OIDC) protocol, and
Sysdig supports it for single sign-on and API access to the Sysdig
application.
Enabling Azure OpenID Connect for single sign-on to Sysdig applications
includes configuration on Microsoft Active Directory as well as on
the Sysdig application.
Prerequisites
Administrator privileges on Sysdig and Azure Active Directory (AD).
Configuring Sysdig Application in Azure AD
Log in to the Azure AD portal.
Search for Azure Active Directory, then click App registration > New registration.
In the Register an application page, specify the following:
Name: Display name to identify your Sysdig application. For
example, Sysdig Secure.
Supported account types: For Sysdig SaaS, choose Accounts
in this organizational directory only (Default Directory only -
Single tenant). All user and guest accounts created in your
active directory can use the Sysdig application and API.
Redirect URI: Authenticated Sysdig users are redirected to
this URI.
See SaaS Regions and IP Ranges and identify the correct domain URL
associated with your Sysdig application and region. For example,
domain URLs of Monitor and Secure for US East are:
For other regions, the format is https://<region>.app.sysdig.com.
Replace <region> with the region where your Sysdig application is
hosted. For example, for Sysdig Monitor you use
https://eu1.app.sysdig.com/api/oauth/openid/auth.
For on-prem installations, the redirect URI will be
deployment-specific.
You can add only a single redirect URI on this page. Use the
Authentication page associated with your application to add
additional redirect URIs.
Click Register.
Add additional redirect URIs.
Select your application from App registration.
Click Authentication from the left navigation.
Add the redirect URIs corresponding to Monitor and Secure.

Create a Secret for the Sysdig application.
It is a string that the Sysdig application uses to prove its
identity when requesting a token.
Click Certificates & secrets.

Under Client Secrets, click New client secret.
Enter a description that identifies the secret and choose an
expiration period.
Click Add.
Copy the client secret. You will need the client secret while
configuring OpenID Connect SSO on the Sysdig application.
Copy the Client ID and OpenID Connect endpoints corresponding to the
application that you have created.
Select your application from App registration.
Copy the Application (client) ID.
You will need the client ID while configuring OpenID Connect SSO
on the Sysdig application.
Click Endpoints.

Copy the OpenID Connect metadata document and open it in a
browser.
Copy the OpenID Connect URI (Issuer URI).
For example,
https://login.microsoftonline.com/5a4b56fc-dceb-4a64-94ff-21e08e5892f5/v2.0
To enable Azure OpenID functionality on the Sysdig application, you need
the following:
Client ID
Client Secret
Issuer URL.
See Enable OpenID in
Settings
to learn how to complete your configuration.
4 - Disable Password Authentication (SaaS)
Sysdig Platform supports disabling password-based authentication on both
SaaS and on-prem deployments. As an administrator (super administrator
for on-prem), you can use either the Authentication option in the UI or
the API to do so. This configuration applies to those who use single
sign-on.
Using the UI
You can use the UI to disable password authentication only for the SAML and OpenID authentication methods. For Google OAuth, use the API method given below.
As an administrator, perform the following:
- Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.
- Click Authentication.
- Choose your authentication method.
Disabling password authentication through the UI is not supported for Google OAuth.
- Use the Disable username and password login slider to turn off password authentication.
- Click Save to save the settings.
Using the API
As an administrator, perform the following:
Get the Sysdig Platform settings:
See SaaS Regions and IP Ranges and identify the correct domain URL
associated with your Sysdig application and region. For example, for
Sysdig Monitor in US East the request is:
GET https://app.sysdigcloud.com/api/auth/settings/
For other regions, the format is https://<region>.app.sysdig.com/api/auth/settings.
Replace <region> with the region where your Sysdig application is
hosted. For example, for Sysdig Monitor in the EU, you use
https://eu1.app.sysdig.com/api/auth/settings.
Find the ID of the active SSO setup:
GET https://app.sysdigcloud.com/api/auth/settings/active
Retrieve the specific settings associated with the SSO setup:
GET https://app.sysdigcloud.com/api/auth/settings/{id}
The settings are returned as a JSON document.
In the JSON document, change the following from false to true:
settings/forbidPasswordLogin: True
Update the setting with a request to the same URL with the same
JSON, with the changed parameter. The URL depends on the type of
deployment.
PUT https://app.sysdigcloud.com/api/auth/settings/{id}
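The API steps above, written out as an added example that is not Sysdig's own tooling: the JSON edit is kept in a pure function so it can be checked offline, and the network calls follow the GET, GET, PUT sequence the steps give. It assumes a Bearer API token (placeholder) and that the /active response carries the SSO setup's id in an "id" field, which the page does not show.

```python
"""Added example (not Sysdig's own tooling): the API sequence the steps
above describe, with the JSON edit kept in a pure function so it can be
checked offline. Assumes a Bearer API token (placeholder) and that the
/active response carries the SSO setup's id in an "id" field; the page
does not show the response shape."""
import copy
import json
import urllib.request

BASE_URL = "https://app.sysdigcloud.com"    # Monitor, US East; see SaaS Regions and IP Ranges
API_TOKEN = "REPLACE_WITH_ADMIN_API_TOKEN"  # placeholder, not a real token


def set_forbid_password_login(settings_doc):
    """Copy of the SSO settings JSON with settings/forbidPasswordLogin set to true.

    Refuses to invent the key: a document without it is not the SSO settings
    object the steps describe, and a PUT of a guessed structure could overwrite
    the working SSO configuration.
    """
    doc = copy.deepcopy(settings_doc)
    inner = doc.get("settings")
    if not isinstance(inner, dict) or "forbidPasswordLogin" not in inner:
        raise KeyError("settings/forbidPasswordLogin not present in this document")
    inner["forbidPasswordLogin"] = True
    return doc


def password_login_forbidden(settings_doc):
    """True when the document already forbids username/password login."""
    return bool(settings_doc.get("settings", {}).get("forbidPasswordLogin"))


def _call(method, path, body=None):
    """Authenticated JSON request to the Sysdig API (network call; not run offline)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {API_TOKEN}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def disable_password_login():
    """Steps 2 to 5 above: find the active SSO setup, fetch it, set the flag, PUT it back."""
    active = _call("GET", "/api/auth/settings/active")
    sso_id = active["id"]                                  # assumed field name
    current = _call("GET", f"/api/auth/settings/{sso_id}")
    if password_login_forbidden(current):
        return current                                     # already off; nothing to PUT
    return _call("PUT", f"/api/auth/settings/{sso_id}", set_forbid_password_login(current))


# Constructed sample of the relevant part of a settings document (not real API output)
SAMPLE_SETTINGS = {"id": 42, "settings": {"forbidPasswordLogin": False}}
```

Confirm an SSO login succeeds for an administrator before sending the PUT, since the flag removes the password fallback for every user of that product.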
5 - Configure Customized Session Expiration
(For SaaS) When you want inactive sessions to deactivate after a
time-out period, you can configure it on the Sysdig application. You can
determine how long a user’s browser can be idle after which they will be
automatically logged out from the session.
To do so:
Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings.
Select Authentication.
Scroll down and locate the Session Expiration settings.
Specify the Session Expiration setting:
Enable session expiration by using the Terminate session after
inactivity period (in minutes) of slider.
Specify the time-out period in minutes.
Click Save.