
Okta (SAML)

    Review SAML (SaaS) before you begin.

    Configure Sysdig Monitor and/or Sysdig Secure as a SAML application using Okta’s documentation for Setting Up a SAML Application in Okta. The notes below call out specific steps that require additional action.

    Sysdig-Specific Steps for Okta Configuration

    IDP-initiated Login Flow

    If you don’t intend to configure IDP-initiated login flow, check the boxes for “Do not display application icon to users” and “Do not display application icon in the Okta Mobile app”.

    URL, URI and RelayState Values

    Enter the values shown in the table below. If you wish to configure IDP-initiated login flow, replace CUSTOMER-ID-NUMBER with the number retrieved as described in Find Your Customer Number.

    See SaaS Regions and IP Ranges and identify the correct URLs associated with your Sysdig application and region. For example, in US East, the endpoints are:

    Single sign on URL
        Sysdig Monitor: https://app.sysdigcloud.com/api/saml/auth
        Sysdig Secure:  https://secure.sysdig.com/api/saml/secureAuth

    Audience URI (SP Entity ID)
        Sysdig Monitor: https://app.sysdigcloud.com/api/saml/metadata
        Sysdig Secure:  https://app.sysdigcloud.com/api/saml/metadata

    Default RelayState (optional - only configure if you intend to use IDP-initiated login flow)
        Sysdig Monitor: #/&customer=CUSTOMER-ID-NUMBER
        Sysdig Secure:  #/&customer=CUSTOMER-ID-NUMBER

    For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com/api/saml/auth.

    Email and Name Values

    Instead of the values shown in the Okta example, add the values:

    Name          Value
    email         user.email
    first name    user.firstName
    last name     user.lastName

    Note that the attributes are case sensitive, so use caution when entering them.

    Only email is required. However, including first/last name is recommended, since these values are stored in the user record that the Sysdig platform creates when a new user logs in via SAML for the first time.
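The attribute names above must match exactly, and a mis-cased name is silently ignored rather than rejected, so the symptom is a user created with no first or last name. The following Python script is an added example (it is not from the Sysdig or Okta documentation): it parses a SAML response and reports attributes that are missing or present under the wrong case. The SAML response, the user values and the `decode_saml_response` helper are constructed for illustration.

```python
"""Check a SAML response for the attribute names Sysdig expects (exact case).
Added example; the SAML response below is constructed, not captured from Okta."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# (attribute name, required?) in the order the configuration table lists them
EXPECTED = [("email", True), ("first name", False), ("last name", False)]

# Constructed sample: the decoded SAMLResponse form field an IdP might POST
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
    <saml2:AttributeStatement>
      <saml2:Attribute Name="email">
        <saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="first name">
        <saml2:AttributeValue>Jane</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="last name">
        <saml2:AttributeValue>Doe</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

# The same response with the email attribute mis-cased, a common copy-paste mistake
MISCASED_RESPONSE = SAMPLE_RESPONSE.replace('Name="email"', 'Name="Email"')


def decode_saml_response(form_value: str) -> str:
    """Turn the base64 SAMLResponse form field (as seen in browser dev tools) into XML text."""
    return base64.b64decode(form_value).decode("utf-8")


def attribute_values(response_xml: str) -> dict:
    """Map each attribute Name in every AttributeStatement to its list of values."""
    root = ET.fromstring(response_xml)
    found = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml2:AttributeValue", NS)]
        found[attr.get("Name")] = values
    return found


def check_attributes(response_xml: str) -> list:
    """Return a list of problems; an empty list means the mapping matches what Sysdig expects."""
    found = attribute_values(response_xml)
    by_lower = {name.lower(): name for name in found}
    problems = []
    for name, required in EXPECTED:
        if name in found:
            if not any(v.strip() for v in found[name]):
                problems.append(f"attribute '{name}' is present but has no value")
        elif name.lower() in by_lower:
            # Present under a different case: names are case sensitive, so Sysdig ignores it
            problems.append(
                f"attribute '{by_lower[name.lower()]}' does not match the expected name '{name}' (case sensitive)"
            )
        elif required:
            problems.append(f"required attribute '{name}' is missing")
        else:
            problems.append(f"recommended attribute '{name}' is missing; the user record will have no {name}")
    return problems


if __name__ == "__main__":
    for label, xml_text in [("correct mapping", SAMPLE_RESPONSE), ("mis-cased mapping", MISCASED_RESPONSE)]:
        print(label, "->", check_attributes(xml_text) or "OK")
```

To use it against a real login, copy the base64 `SAMLResponse` form value from the browser's network tab, pass it through `decode_saml_response`, and feed the result to `check_attributes`; the script only reads the attribute statement and does not verify the signature, so treat it as a mapping check, not a security check.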

    SAML Configuration Metadata Value

    Copy the Identity Provider metadata URL that Okta provides at the end of the application setup and paste it into the Metadata field on the SAML Configuration page in the SAML connection settings.

    Test Metadata (Optional)

    To ensure the metadata URL you copy at the end of the IDP configuration procedure is correct, you can test it by directly accessing it via your browser.

    When accessing the URL, your browser should immediately download an XML file that begins like the example shown below. No entry of credentials or other security measures should be required to download it. If this is not the case, revisit the IDP configuration steps.

    <?xml version="1.0"?>
    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/680358">
      <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      ...
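The browser test above only shows that something downloads; it does not show that the document is usable IdP metadata. The following Python script is an added example (not from the Sysdig or Okta documentation) that fetches a metadata URL without credentials, as Sysdig's backend must, and checks for the parts the SAML login actually depends on: an `EntityDescriptor` root with an `entityID`, an `IDPSSODescriptor`, an HTTPS single-sign-on endpoint, and a signing certificate. The sample metadata, the `idp.example.com` URLs and the placeholder certificate are constructed; `fetch_metadata` and `check_metadata_url` are this example's own helpers.

```python
"""Fetch and sanity-check an IdP's SAML metadata before pasting its URL into Sysdig.
Added example; the sample metadata below is constructed, not Okta's real output."""
import urllib.request
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of what a correct metadata URL returns (the certificate is a placeholder)
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/saml/metadata">
  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/saml/sso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed sample of what a protected URL returns instead: an HTML login page
LOGIN_PAGE = b"<html><body><form action='/login'>Sign in</form></body></html>"


def fetch_metadata(url: str, timeout: float = 10.0) -> bytes:
    """Download the metadata with no credentials, exactly as Sysdig's backend has to."""
    req = urllib.request.Request(
        url, headers={"Accept": "application/samlmetadata+xml, application/xml, text/xml"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def inspect_metadata(xml_bytes: bytes) -> dict:
    """Return the entityID, SSO endpoints and signing-certificate count, or raise ValueError
    explaining why the document cannot serve as IdP metadata."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML (did the URL return a login page?): {exc}") from exc
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"root element is {root.tag}, expected md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor lacks an entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    sso = {s.get("Binding"): s.get("Location") for s in idp.iterfind("md:SingleSignOnService", NS)}
    if not (sso.keys() & {HTTP_POST, HTTP_REDIRECT}):
        raise ValueError("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    for location in sso.values():
        if not (location or "").startswith("https://"):
            raise ValueError(f"SSO endpoint {location!r} is not https")
    # A KeyDescriptor without a 'use' attribute covers both signing and encryption
    signing_certs = [
        cert.text.strip()
        for kd in idp.iterfind("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
        for cert in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert.text and cert.text.strip()
    ]
    if not signing_certs:
        raise ValueError("no signing certificate: assertion signatures could not be verified")
    return {"entity_id": entity_id, "sso": sso, "signing_certs": len(signing_certs)}


def check_metadata_url(url: str) -> dict:
    """End-to-end check: fetch the URL anonymously and inspect what comes back."""
    return inspect_metadata(fetch_metadata(url))


if __name__ == "__main__":
    print(inspect_metadata(SAMPLE_METADATA))
    try:
        inspect_metadata(LOGIN_PAGE)
    except ValueError as exc:
        print("login page rejected:", exc)
```

Run `check_metadata_url("<your Okta metadata URL>")` from a machine that is not logged in to Okta; a `ValueError` mentioning a login page or a wrong root element is the programmatic equivalent of the browser prompting for credentials, and points back to the IDP configuration steps.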