          OpenID Connect (SaaS)

          This guide is specific to cloud-based (SaaS) Sysdig environments. If you are configuring an On-Premises Sysdig environment, refer to OpenID Connect (On-Prem) instead.

          OpenID support in the Sysdig platform allows authentication via your choice of Identity Provider (IdP). This section describes how to integrate and enable OpenID Connect with both Sysdig Monitor and Sysdig Secure.

          Overview

          Summary of OpenID Functionality in Sysdig

          The Sysdig platform ordinarily maintains its own user database to hold a username and password hash. OpenID instead allows for redirection to your organization’s IdP to validate username/password and other policies necessary to grant access to Sysdig application(s). Upon successful authentication via OpenID, a corresponding user record in the Sysdig platform’s user database is automatically created, though the password that was sent to the IdP is never seen nor stored by the Sysdig platform.

          Basic Enablement Workflow

          Step 1. Know which IdP your company uses and will be configuring.

          Options: the OpenID Providers documented in the numbered sections at the end of this page (Okta, OneLogin, Keycloak, Azure AD).

          Notes: These are the OpenID Providers for which Sysdig has performed detailed interoperability testing and confirmed how to integrate using their standard docs. If your OpenID Provider is not listed (including ones that do not support OpenID Connect Discovery), it may still work with the Sysdig platform. Contact Sysdig Support for help.

          Step 2. Decide the login flow you want users to experience. There are three options:

          • Click the OpenID button and enter a company name: from app.sysdigcloud.com or secure.sysdig.com, a page prompts for the company name.

          • Type or bookmark a URL in a browser: contact Sysdig for the Company Name associated with your account.

          • Log in from the IdP interface: the individual IdP integration pages describe how to add Sysdig to the IdP interface. You will need your Company Name on hand.

          Step 3. Perform the configuration steps in your IdP interface and collect the resulting configuration attributes.

          Collect the metadata (OpenID Connect Discovery) URL and test it. For OpenID Connect this is the JSON document served at <issuer>/.well-known/openid-configuration, not the XML metadata used by SAML; open it in a browser and confirm that its issuer field matches the Issuer URL you will enter in Sysdig.

          When registering Sysdig in your IdP (this also applies if you configure an IdP-initiated login flow), you need the following:

          • Redirect URLs

            See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, the domain URLs of Monitor and Secure for US East are:

            • Monitor: https://app.sysdigcloud.com/api/oauth/openid/auth

            • Secure: https://secure.sysdig.com/api/oauth/openid/secureAuth

            For other regions, the format is https://<region>.app.sysdig.com followed by the same path. Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor in the EU you use https://eu1.app.sysdig.com/api/oauth/openid/auth.

            IdPs compare the redirect URL exactly (scheme, host and path), so register it character for character. A trailing slash, an http scheme, or the Monitor path registered for Secure results in a redirect URI mismatch error at login.

          Step 4a. Log in to Sysdig Monitor or Sysdig Secure and configure authentication.

          Step 4b. Repeat the process for the other Sysdig product, if you are using both Monitor and Secure.

          • Log in to Sysdig Monitor Settings (as super admin) and enter the necessary configuration information in the UI. Save and enable OpenID as your SSO.

          • Log in to Sysdig Secure Settings (as super admin) and enter the necessary configuration information in the UI. Save and enable OpenID as your SSO.

          You will enter a separate redirect URL in your IdP for each product; otherwise the integration processes are the same.

          Administrator Steps

          Configure IdP

          Select the appropriate IdP section at the end of this page (Okta, OneLogin, Keycloak, or Azure) and follow the instructions there.

          Enable OpenID in Settings

          To enable baseline OpenID functionality:

          Enter OpenID Basic Connection Settings

          1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.

          2. Select Authentication.

          3. Select the OpenID tab.

          4. Enter the relevant parameters (see table below) and click Save.

          Connection Setting / Description

          • Client ID: ID provided by your IdP.

          • Client Secret: Secret provided by your IdP. Treat it as a credential: together with the Client ID it lets whoever holds it act as the Sysdig application toward your IdP, so do not paste it into tickets or chat.

          • Issuer URL: URL provided by your IdP. Example: https://YOUR-ONELOGIN-DOMAIN.onelogin.com/oidc. With Metadata Discovery ON, the remaining endpoints are read from the OpenID Connect Discovery document at <Issuer URL>/.well-known/openid-configuration.

          Okta, OneLogin, Keycloak, and Azure AD support metadata auto-discovery, so these settings should be sufficient for those IdPs.

          Enter OpenID Additional Settings (if needed)

          In some cases, an OpenID IdP may not support metadata auto-discovery, and additional configuration settings must be entered manually.

          In this case:

          1. On the OpenID tab, toggle the Metadata Discovery button to OFF to display additional entries on the page.

          2. Enter the relevant parameters derived from your IdP (see table below) and click Save.

          Connection Setting / Description

          • Base Issuer: Required. Often the same as the Issuer URL, but can be different for providers that have a separate general domain and user-specific domain (for example, general domain: https://openid-connect.onelogin.com/oidc, user-specific domain: https://sysdig-phil-dev.onelogin.com/oidc).

          • Authorization Endpoint: Required. Authorization request endpoint.

          • Token Endpoint: Required. Token exchange endpoint.

          • JSON Web Key Set Endpoint: Required. Endpoint that publishes the keys used to verify the signature on the ID tokens your IdP issues.

          Take all three endpoints from the IdP's own discovery document (<issuer>/.well-known/openid-configuration) rather than typing them from memory, and use https URLs only.

          • Token Auth Method: how Sysdig authenticates to the token endpoint. Supported values (case insensitive): client_secret_basic (client ID and secret sent in the HTTP Basic Authorization header) and client_secret_post (client ID and secret sent in the request body). Pick the method your IdP expects; IdPs list the methods they accept under token_endpoint_auth_methods_supported in the discovery document.

          Select OpenID for SSO

          1. Select OpenID from the Enabled Single Sign-On dropdown.

          2. Click Save Authentication.

          3. Repeat the entire enablement process for the other product (Sysdig Monitor or Sysdig Secure) if you want to enable OpenID on both applications.

          User Experience

          As noted in the Basic Enablement Workflow above, you can offer users three ways to log in with an OpenID configuration:

          • They can begin at the Sysdig SaaS URL and click the OpenID button.

            See SaaS Regions and IP Ranges and identify the correct SaaS URL associated with your Sysdig application and region. For example, the URLs of Monitor and Secure for US East are:

            Monitor: app.sysdigcloud.com

            Secure: secure.sysdig.com

            For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com.

            They will be prompted to enter a Company Name, so the Sysdig platform can redirect the browser to your IdP for authentication.

          • You can provide an alternative URL to avoid the user having to enter a company name, in the following format (substitute your Company Name, and the regional host if you are not in US East):

            Monitor: https://app.sysdigcloud.com/api/oauth/openid/CompanyName

            Secure: https://secure.sysdig.com/api/oauth/openid/CompanyName?product=SDS

          • You can configure an IdP-initiated login flow when configuring your IdP. Users then select the Sysdig application from your IdP's app directory and do not browse directly to a Sysdig application URL at all.

          See also User and Team Administration for information on creating users.
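The redirect URLs and login URLs above follow a fixed pattern per region and product, and the IdP matches a registered redirect URI exactly. The script below is an added example, not part of Sysdig's documentation or product: it builds the URIs a given region and product should use from the patterns on this page, and checks a list of redirect URIs registered in the IdP against them, diagnosing the usual near misses (trailing slash, http scheme, wrong path or host). Assumptions: the product names "monitor"/"secure" and the region label "us-east" are this script's own convention, the regional host <region>.app.sysdig.com serves both products (derived from the format statement on this page), and the registered list in the usage section is a constructed sample.

```python
"""Pre-flight check for the redirect URIs registered in an IdP for Sysdig SSO.

Added example, not Sysdig's code. IdPs compare redirect URIs exactly, so a
URI that differs by a trailing slash, scheme, host or path fails at login.
"""
from urllib.parse import urlsplit

# Callback paths and US East hosts are from this page. Other regions use
# https://<region>.app.sysdig.com for both products (assumption, per the
# page's format statement).
CALLBACK_PATH = {"monitor": "/api/oauth/openid/auth", "secure": "/api/oauth/openid/secureAuth"}
US_EAST_HOST = {"monitor": "app.sysdigcloud.com", "secure": "secure.sysdig.com"}


def _host(product: str, region: str) -> str:
    if product not in CALLBACK_PATH:
        raise ValueError(f"unknown product {product!r}; use 'monitor' or 'secure'")
    return US_EAST_HOST[product] if region == "us-east" else f"{region}.app.sysdig.com"


def expected_redirect_uri(product: str, region: str = "us-east") -> str:
    """Redirect URI Sysdig sends to the IdP for `product` in `region`."""
    product = product.lower()
    return f"https://{_host(product, region)}{CALLBACK_PATH[product]}"


def login_url(company: str, product: str, region: str = "us-east") -> str:
    """Bookmarkable login URL that skips the company-name prompt (from this page)."""
    product = product.lower()
    url = f"https://{_host(product, region)}/api/oauth/openid/{company}"
    return url + "?product=SDS" if product == "secure" else url


def _canonical(uri: str) -> tuple:
    """The parts an IdP compares: scheme and host are case-insensitive,
    path and query are compared as-is. Nothing else is normalised, because
    the IdP does not normalise either."""
    p = urlsplit(uri.strip())
    return (p.scheme.lower(), p.netloc.lower(), p.path, p.query)


def check_registered(registered: list[str], products: list[str], region: str) -> dict:
    """For each product, report "ok" if the exact redirect URI is registered,
    otherwise "missing: <most likely reason>" derived from the nearest entry."""
    report = {}
    reg = {_canonical(u): u for u in registered}
    for product in products:
        want = expected_redirect_uri(product, region)
        scheme, host, path, query = _canonical(want)
        if (scheme, host, path, query) in reg:
            report[product] = "ok"
            continue
        hints = []
        for s, h, p, _q in reg:
            if (h, p) == (host, path) and s != "https":
                hints.append(f"registered with scheme {s}, must be https")
            elif h == host and p.rstrip("/") == path and p != path:
                hints.append("registered with a trailing slash")
            elif h == host and p != path:
                hints.append(f"host matches but path is {p}, expected {path}")
            elif h != host and p == path:
                hints.append(f"path matches but host is {h}, expected {host}")
        report[product] = "missing: " + ("; ".join(hints) if hints else f"register {want}")
    return report


if __name__ == "__main__":
    # Constructed sample of what an admin might have registered in the IdP.
    registered = [
        "https://app.sysdigcloud.com/api/oauth/openid/auth",
        "https://secure.sysdig.com/api/oauth/openid/secureAuth/",  # trailing slash: wrong
    ]
    for product, status in check_registered(registered, ["monitor", "secure"], "us-east").items():
        print(f"{product}: {status}")
    print(login_url("CompanyName", "secure"))
```

Run it before enabling OpenID in Sysdig: a "missing" line tells you what to correct in the IdP's redirect URI list, which is cheaper than debugging a redirect_uri error message after users are already pointed at the new login flow.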

          1 - Okta (OpenID)

          OpenID Provider Configuration for Okta

          Review OpenID Connect (SaaS) before you begin.

          The notes below describe minimal steps to be taken in Okta. You may need to adjust the steps based on the specifics of your environment.

          1. Log in to your Okta organization as a user with administrative privileges and click to the Admin dashboard

          2. Click on the Add Applications shortcut, then click the Create New App button

          3. Select Web as the Platform type, then click OpenID Connect as the Sign-on method, then click Create

          4. Create a new application:

            • Enter your choice of General Settings.

            • For Login redirect URIs, enter one of the following values:

              See SaaS Regions and IP Ranges and identify the correct domain URL (redirect URL) associated with your Sysdig application and region. For example, domain URLs of Monitor and Secure for US East are:

              • Sysdig Monitor: https://app.sysdigcloud.com/api/oauth/openid/auth

              • Sysdig Secure: https://secure.sysdig.com/api/oauth/openid/secureAuth

              For other regions, the format is https://<region>.app.sysdig.com followed by the same path.

              Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com/api/oauth/openid/auth.

            • Click Save.

          5. You should next be placed in a General tab. Take note of the Client ID and Client secret that are shown.

            You will enter them on the OpenID Configuration page in the Sysdig authentication settings.

          6. Click to the Sign On tab. Take note of the Issuer URL that is shown.

            You will enter it in the OpenID Configuration page in the OpenID settings.

          2 - OneLogin (OpenID)

          OpenID Provider Configuration for OneLogin

          Review OpenID Connect (SaaS) before you begin.

          The notes below describe minimal steps to be taken in OneLogin. You may need to adjust the steps based on the specifics of your environment.

          1. Log in to your OneLogin organization as a user with administrative privileges and click to Apps > Custom Connectors, then click the New Connector button.

          2. Create a new Connector:

            • Enter your choice of connector name.

            • Select a Sign on Method of OpenID Connect.

            • For Redirect URI, enter one of the following values:

              See SaaS Regions and IP Ranges and identify the correct domain URL (redirect URL) associated with your Sysdig application and region. For example, domain URLs of Monitor and Secure for US East are:

              • Sysdig Monitor: https://app.sysdigcloud.com/api/oauth/openid/auth

              • Sysdig Secure: https://secure.sysdig.com/api/oauth/openid/secureAuth

              For other regions, the format is https://<region>.app.sysdig.com followed by the same path.

              Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Secure in the EU you use https://eu1.app.sysdig.com/api/oauth/openid/secureAuth.

            • Click Save.

          3. From the More Actions pull-down menu, select Add App to Connector

          4. Click Save to add the app to your catalog. Once clicked, additional tabs will appear.

          5. Click to the SSO tab. Change the setting in the Token Endpoint drop-down to POST, then click Save.

          6. While still on the SSO tab, take note of the Client ID and Client Secret that are shown (click Show client secret to reveal it).

            You will enter them in the OpenID settings.

          7. Note that the Issuer URL will be https://YOUR-ONELOGIN-DOMAIN.onelogin.com/oidc

            You will enter it in the OpenID settings.

          During testing, we’ve found OneLogin sometimes does not persist changes that are made in the OpenID Provider configuration. If you make changes to your OneLogin configuration and experience issues such as HTTP 400 Bad Request when attempting logins to your Sysdig application, you may need to delete your Custom Connector and App config in OneLogin and recreate it from scratch.

          3 - Keycloak (OpenID)

          Configure OpenID Provider for Keycloak

          Review OpenID Connect (SaaS) before you begin.

          The notes below describe minimal steps to be taken in Keycloak. You may need to adjust the steps based on the specifics of your environment.

          1. Log in to your Keycloak server’s Administrative Console.

          2. Select a realm or create a new one.

          3. Click Clients, then click the Create button.

          4. Enter the Client ID of your choosing (e.g. “SysdigMonitor”) and take note of it.

            You will enter it in the OpenID Configuration page in the Sysdig Authentication Settings.

          5. Make sure the Client Protocol drop-down has openid-connect selected. Click the Save button.

          6. Configure OpenID Connect client:

            • Click the toggle for Authorization Enabled to ON. This also sets the client's Access Type to confidential, which is what makes the Credentials tab (and the client secret) available in a later step.

            • For Valid Redirect URI, enter one of the following values:

              See SaaS Regions and IP Ranges and identify the correct domain URL (Redirect URI) associated with your Sysdig application and region. For example, domain URLs of Monitor and Secure for US East are:

              • Sysdig Monitor: https://app.sysdigcloud.com/api/oauth/openid/auth

              • Sysdig Secure: https://secure.sysdig.com/api/oauth/openid/secureAuth

              For other regions, the format is https://<region>.app.sysdig.com followed by the same path.

              Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor in the EU you use https://eu1.app.sysdig.com/api/oauth/openid/auth.

            • Click Save.

          7. Click to the Credentials tab. Take note of the Secret that is shown.

            You will enter it in the OpenID settings

          8. Note that the Issuer URL will be https://KEYCLOAK_SERVER_ADDRESS/auth/realms/REALM_NAME, where KEYCLOAK_SERVER_ADDRESS and REALM_NAME are taken from the environment where you just created the configuration. On Keycloak 17 and later (the Quarkus distribution) the default path no longer includes /auth, so the issuer is https://KEYCLOAK_SERVER_ADDRESS/realms/REALM_NAME; confirm the exact value from the realm's OpenID Endpoint Configuration link, which opens the discovery document. You will enter it in the OpenID settings.

          4 - Azure (OpenID)

          OpenID Connect is an identity layer on top of the OAuth 2.0 authorization protocol that uses signed security tokens (ID tokens) for single sign-on. Azure Active Directory provides an implementation of the OpenID Connect (OIDC) protocol, and Sysdig supports it for single sign-on and API access to the Sysdig application.

          Enabling Azure OpenID Connect for single sign-on to Sysdig applications includes configuration on Azure Active Directory as well as on the Sysdig application.

          Prerequisites

          Administrator privileges on Sysdig and Azure Active Directory (AD).

          Configuring Sysdig Application in Azure AD

          1. Log in to the Azure AD portal.

          2. Search for Azure Active Directory and do one of the following:

            • Select your Active Directory service

            • Create a new one.

          3. Click App registration > New registration.

          4. In the Register an application page, specify the following:

            • Name: Display name to identify your Sysdig application. For example, Sysdig Secure.

            • Supported account types: For Sysdig SaaS, choose Accounts in this organizational directory only (Default Directory only - Single tenant). All user and guest accounts created in your Active Directory can then use the Sysdig application and API. Do not choose a multi-tenant option: it would allow accounts from any Azure AD tenant to complete sign-in at Azure, and the Sysdig platform creates a user record for anyone the IdP authenticates (see Overview).

            • Redirect URI: Authenticated Sysdig users are redirected to this URI.

              See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, the domain URLs of Monitor and Secure for US East are:

              • Sysdig Monitor: https://app.sysdigcloud.com/api/oauth/openid/auth

              • Sysdig Secure: https://secure.sysdig.com/api/oauth/openid/secureAuth

              For other regions, the format is https://<region>.app.sysdig.com followed by the same path. Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor in the EU you use https://eu1.app.sysdig.com/api/oauth/openid/auth.

              For on-prem installations, the redirect URI will be deployment-specific.

              You can add only a single redirect URI on this page. Use the Authentication page associated with your application to add additional redirect URIs.

          5. Click Register.

          6. Add additional redirect URIs.

            1. Select your application from App registration.

            2. Click Authentication from the left navigation.

            3. Add the redirect URIs corresponding to Monitor and Secure.

          7. Create a Secret for the Sysdig application.

            It is a string that the Sysdig application uses to prove its identity when requesting a token.

            1. Click Certificates & secrets.

            2. Under Client Secrets, click New client secret.

            3. Enter a description that identifies the secret and choose an expiration period. Record the expiry date: once the secret expires, OpenID logins to Sysdig fail until you add a new secret here and update the Client Secret in the Sysdig settings, so rotate it before that date.

            4. Click Add.

            5. Copy the client secret. You will need the client secret while configuring OpenID Connect SSO on the Sysdig application.

          8. Copy the Client ID and OpenID Connect endpoints corresponding to the application that you have created.

            1. Select your application from App registration.

            2. Copy the Application (client) ID.

              You will need the client ID while configuring OpenID Connect SSO on the Sysdig application.

            3. Click Endpoints.

            4. Copy the OpenID Connect metadata document URL and open it in a browser.

            5. From the document, copy the value of the issuer field (the Issuer URL).

              For example, https://login.microsoftonline.com/5a4b56fc-dceb-4a64-94ff-21e08e5892f5/v2.0

              The GUID in the path is your tenant ID. Use this tenant-specific value, not the metadata document for the common endpoint, whose issuer contains a {tenantid} placeholder and does not identify your directory.

          Configure Sysdig Settings

          To enable Azure OpenID functionality on the Sysdig application, you need the following:

          • Client ID

          • Client Secret

          • Issuer URL

          See Enable OpenID in Settings to learn how to complete your configuration.
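Before entering these values, it is worth validating the IdP's discovery document against the issuer you intend to configure. The script below is an added example, not Sysdig's code, and it serves both the Azure steps above and the OpenID Additional Settings section earlier on this page: it derives the well-known discovery URL from an issuer, checks the document the way a careful relying party would (issuer in the document must equal the configured issuer, endpoints must be https, the chosen Token Auth Method must be one Sysdig supports and one the IdP advertises), rejects Azure's common-endpoint document with its {tenantid} placeholder, and maps a good document onto the fields Sysdig asks for when Metadata Discovery is OFF. The two sample documents are constructed for this example; their shapes follow the real Keycloak and Azure AD documents, but the hostname, realm and tenant values are made up.

```python
"""Sanity-check an OpenID Connect discovery document before entering its
values into Sysdig's OpenID settings. Added example, not Sysdig's code."""
from typing import Any

# Fields Sysdig's Additional Settings ask for when Metadata Discovery is OFF.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
# Token auth methods Sysdig accepts, per this page.
SYSDIG_AUTH_METHODS = {"client_secret_basic", "client_secret_post"}


def discovery_url(issuer: str) -> str:
    """URL a discovery-capable client fetches for `issuer`. OIDC Discovery
    appends the well-known path to the issuer without doubling the slash."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate(issuer: str, doc: dict[str, Any], auth_method: str) -> list[str]:
    """Return the reasons `doc` should not be used with `issuer`; empty means OK."""
    problems = []
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        return [f"discovery document lacks {missing}"]
    if not issuer.startswith("https://"):
        problems.append("issuer must use https")
    # Azure AD's `common` endpoint publishes a template issuer with a literal
    # {tenantid} placeholder; Sysdig needs the tenant-specific document.
    if "{" in doc["issuer"]:
        problems.append(f"document issuer {doc['issuer']!r} is a placeholder, not a tenant")
    # OIDC Discovery: the issuer inside the document MUST equal the URL it was
    # fetched from. A mismatch means the wrong tenant or realm was copied.
    elif doc["issuer"].rstrip("/") != issuer.rstrip("/"):
        problems.append(f"issuer mismatch: configured {issuer!r}, document says {doc['issuer']!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc[key]).startswith("https://"):
            problems.append(f"{key} is not https: {doc[key]}")
    method = auth_method.lower()
    if method not in SYSDIG_AUTH_METHODS:
        problems.append(f"Sysdig supports {sorted(SYSDIG_AUTH_METHODS)}, not {auth_method!r}")
    # The spec default when the IdP omits the list is client_secret_basic.
    supported = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if method not in supported:
        problems.append(f"IdP does not advertise {method}; it lists {sorted(supported)}")
    return problems


def manual_settings(issuer: str, doc: dict[str, Any],
                    auth_method: str = "client_secret_basic") -> dict[str, str]:
    """Map a validated document onto the Sysdig Additional Settings fields."""
    problems = validate(issuer, doc, auth_method)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "Base Issuer": doc["issuer"],
        "Authorization Endpoint": doc["authorization_endpoint"],
        "Token Endpoint": doc["token_endpoint"],
        "JSON Web Key Set Endpoint": doc["jwks_uri"],
        "Token Auth Method": auth_method.lower(),
    }


# Constructed sample documents (hostname, realm and tenant values are made up).
KEYCLOAK_ISSUER = "https://keycloak.example.com/auth/realms/sysdig"
KEYCLOAK_DOC = {
    "issuer": KEYCLOAK_ISSUER,
    "authorization_endpoint": KEYCLOAK_ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": KEYCLOAK_ISSUER + "/protocol/openid-connect/token",
    "jwks_uri": KEYCLOAK_ISSUER + "/protocol/openid-connect/certs",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "private_key_jwt"],
}
AZURE_COMMON_DOC = {
    "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
    "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt", "client_secret_basic"],
}

if __name__ == "__main__":
    print(discovery_url(KEYCLOAK_ISSUER))
    print(manual_settings(KEYCLOAK_ISSUER, KEYCLOAK_DOC, "client_secret_post"))
    print(validate("https://login.microsoftonline.com/common/v2.0", AZURE_COMMON_DOC, "client_secret_basic"))
```

To use it against a real IdP, fetch discovery_url(issuer) over https, parse the JSON into `doc`, and call manual_settings with the issuer you are about to type into Sysdig; a raised ValueError lists everything that would otherwise turn into a 400 Bad Request or a signature verification failure at login time.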