SAML (SaaS)

SAML support in the Sysdig platform allows authentication via your choice of Identity Provider (IdP). The Sysdig platform ordinarily maintains its own user database to hold a username and password hash. SAML instead allows for redirection to your organization’s IdP to validate username/password and other policies necessary to grant access to Sysdig applications. Upon successful authentication via SAML, a corresponding user record in the Sysdig platform’s user database is automatically created, though the password that was sent to the IdP is never seen nor stored by the Sysdig platform. This topic describes how to integrate and enable SAML with both Sysdig Monitor and Sysdig Secure. If you are using both Sysdig Monitor and Sysdig Secure, you need to repeat the process for each Sysdig product.

This topic is specific to cloud-based (SaaS) Sysdig environments. If you are configuring an On-Premises Sysdig environment, see SAML(On-Prem) instead.

Sysdig does not support signed AuthNRequests, that is, IdP configurations that require the AuthNRequest to carry an embedded signature (HTTP-POST binding). For a possible alternative, see OpenID Connect.

Redirect URLs for Authentication

| Region | App | Single Sign-on URL | Service Provider Entity ID |
|---|---|---|---|
| au1 | Monitor | https://app.au1.sysdig.com/api/saml/auth | https://app.au1.sysdig.com/api/saml/metadata |
| au1 | Secure | https://app.au1.sysdig.com/api/saml/secureAuth | https://app.au1.sysdig.com/secure/api/saml/metadata |
| eu1 | Monitor | https://eu1.app.sysdig.com/api/saml/auth | https://eu1.app.sysdig.com/api/saml/metadata |
| eu1 | Secure | https://eu1.app.sysdig.com/api/saml/secureAuth | https://eu1.app.sysdig.com/secure/api/saml/metadata |
| in1 | Monitor | https://app.in1.sysdig.com/api/saml/auth | https://app.in1.sysdig.com/api/saml/metadata |
| in1 | Secure | https://app.in1.sysdig.com/api/saml/secureAuth | https://app.in1.sysdig.com/secure/api/saml/metadata |
| me2 | Monitor | https://app.me2.sysdig.com/api/saml/auth | https://app.me2.sysdig.com/api/saml/metadata |
| me2 | Secure | https://app.me2.sysdig.com/api/saml/secureAuth | https://app.me2.sysdig.com/secure/api/saml/metadata |
| us | Monitor | https://app.sysdigcloud.com/api/saml/auth | https://app.sysdigcloud.com/api/saml/metadata |
| us | Secure | https://secure.sysdig.com/api/saml/secureAuth | https://secure.sysdig.com/api/saml/metadata |
| us2 | Monitor | https://us2.app.sysdig.com/api/saml/auth | https://us2.app.sysdig.com/api/saml/metadata |
| us2 | Secure | https://us2.app.sysdig.com/api/saml/secureAuth | https://us2.app.sysdig.com/secure/api/saml/metadata |
| us4 | Monitor | https://app.us4.sysdig.com/api/saml/auth | https://app.us4.sysdig.com/api/saml/metadata |
| us4 | Secure | https://app.us4.sysdig.com/api/saml/secureAuth | https://app.us4.sysdig.com/secure/api/saml/metadata |

To learn more about SaaS regions, see SaaS Regions and IP Ranges.

Basic Enablement Workflow

  1. Determine which IdP your company uses and will be configuring.

     These are the IdPs for which Sysdig has performed detailed interoperability testing and confirmed how to integrate using their documentation. Even if your IdP is not listed, it might still work with the Sysdig platform. Contact Sysdig Support for help.

  2. Decide the login flow you want users to experience. Choose one of the following options:

     • Click the SAML button and enter a company name.

     • Open the domain URL corresponding to your Sysdig application and region and enter your company name.

       For example, the domain URLs of Monitor and Secure for US East are app.sysdigcloud.com and secure.sysdig.com respectively.

     See Redirect URLs for Authentication for other regions.

     Contact Sysdig Support to set your company name on the account. This is applicable to all supported IdPs.

  3. Perform the configuration steps in your IdP interface and collect the resulting configuration attributes. Check your IdP information in step 1. Collect the metadata URL (or XML) and test it. If you intend to configure an IdP-initiated login flow, have your Sysdig customer number ready. It will be referenced in later configuration steps as CUSTOMER_ID_NUMBER.

  4. Log in to Sysdig Monitor or Sysdig Secure Settings as Admin and enter the necessary configuration information in the UI. Enable SAML as your SSO.

Ensure that you enter a separate redirect URL in your IdP for each product; otherwise, the integration processes are the same.

Configure SAML

Configure IdP

Select your IdP from the list below, and follow the instructions:

Enable SAML in Settings

To enable baseline SAML functionality:

Enter SAML Connection Settings

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings from the User Profile button in the left navigation.

  2. Select Authentication.

  3. Select the SAML tab.

  4. Enter the relevant parameters (see table below) and click Save Settings.

It is strongly recommended that you enable Signed Assertion and Validate Signature to ensure that the SAML SSO process is as secure as possible.

| Connection Setting | Options | Description |
|---|---|---|
| Metadata | URL | The URL provided at the end of the IdP configuration steps. |
| | XML | An option that you can use for an IdP that doesn't support extracting metadata XML via URL. |
| Signed Assertion | off/on | Specify whether Sysdig should check for assertions signed in responses (to assist in validating the correct IdP). |
| Email Parameter | email | Name of the parameter in the SAML response for the user's email ID. Sysdig uses this to extract the user's email from the response. |
| Validate Signature | off/on | Specify whether the Sysdig backend should verify that the response is signed. |
| Verify Destination | off/on | Flag to control whether Sysdig should check the "destination" field in the SAMLResponse. Recommend ON, as a security measure. May be OFF in special cases, such as a proxy in front of the Sysdig back end. |
| Create user on login | off/on | Flag to control whether a user record should be created in the Sysdig database after the first successful SAML login. |
| Enable SAML single logout | off/on | Flag to control whether SAML single logout should be used (see Configure SAML Single Logout). |
| Enable SAML encryption support | off/on | Set this to "on" to enable encrypted SAML responses (see Encrypted SAML response). |
| Disable username and password login | off/on | Set this to "on" to disallow username and password login. |
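The table above describes what the Signed Assertion, Validate Signature, Verify Destination and Email Parameter settings make the Sysdig backend check, but not what those checks look like on an actual SAMLResponse. The following is an added example, not Sysdig's code: a structural pre-check over a SAMLResponse document in which each keyword argument stands in for one of the off/on settings. It confirms that the response is addressed to the expected Single Sign-on URL (the `Destination`), that the assertion is restricted to the expected Service Provider Entity ID (the `Audience`), that `ds:Signature` elements are present where the settings require them, and that the configured email attribute is populated. It deliberately does not verify the signatures cryptographically; that is done by the SAML library holding the IdP certificate. The ACS URL and entity ID are the `us` Monitor values from the table earlier on this page; the sample response, its placeholder signatures and the email address are constructed for the example.

```python
# Added example (not Sysdig's own code): a structural pre-check that mirrors the
# Signed Assertion, Validate Signature, Verify Destination and Email Parameter
# settings. It does NOT perform cryptographic signature verification.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# "us" region Monitor values from the redirect table on this page.
ACS_URL = "https://app.sysdigcloud.com/api/saml/auth"
SP_ENTITY_ID = "https://app.sysdigcloud.com/api/saml/metadata"


def check_saml_response(response_xml, expected_destination, expected_audience,
                        signed_assertion=True, validate_signature=True,
                        verify_destination=True, email_parameter="email"):
    """Return a list of problems found; an empty list means the response passed.
    Each keyword argument corresponds to one connection setting (off/on)."""
    problems = []
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return [f"unexpected root element {root.tag}"]

    # Verify Destination: the response must be addressed to *our* ACS URL,
    # not to some other service provider's.
    if verify_destination and root.get("Destination") != expected_destination:
        problems.append(f"Destination {root.get('Destination')!r} != {expected_destination!r}")

    # Validate Signature: the <samlp:Response> itself must carry a ds:Signature.
    if validate_signature and root.find(f"{{{DS}}}Signature") is None:
        problems.append("response is not signed")

    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        problems.append("no <saml:Assertion> present")
        return problems

    # Signed Assertion: the assertion must carry its own ds:Signature.
    if signed_assertion and assertion.find(f"{{{DS}}}Signature") is None:
        problems.append("assertion is not signed")

    # Audience restriction: the assertion must be issued for this SP entity ID.
    audience = assertion.find(f".//{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")
    if audience is None or audience.text != expected_audience:
        problems.append(f"Audience {getattr(audience, 'text', None)!r} != {expected_audience!r}")

    # Email Parameter: the attribute Sysdig reads the user's email from.
    value = assertion.find(
        f".//{{{SAML}}}Attribute[@Name='{email_parameter}']/{{{SAML}}}AttributeValue")
    if value is None or not (value.text or "").strip():
        problems.append(f"attribute {email_parameter!r} missing or empty")
    return problems


def build_sample_response(destination, audience, email,
                          sign_response=True, sign_assertion=True):
    """Construct a minimal SAMLResponse for demonstration. The ds:Signature
    elements are placeholders so the structural checks have something to find."""
    sig = f'<ds:Signature xmlns:ds="{DS}"><!-- constructed placeholder --></ds:Signature>'
    response_sig = sig if sign_response else ""
    assertion_sig = sig if sign_assertion else ""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" Destination="{destination}">
  {response_sig}
  <saml:Assertion ID="_a1" Version="2.0">
    {assertion_sig}
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    good = build_sample_response(ACS_URL, SP_ENTITY_ID, "alice@example.com")
    print("all settings on, well-formed response:", check_saml_response(good, ACS_URL, SP_ENTITY_ID))
    other = build_sample_response("https://other-tenant.example/api/saml/auth", SP_ENTITY_ID, "alice@example.com")
    print("response addressed elsewhere:", check_saml_response(other, ACS_URL, SP_ENTITY_ID))
    print("same, with Verify Destination off:",
          check_saml_response(other, ACS_URL, SP_ENTITY_ID, verify_destination=False))
```

The `verify_destination=False` branch is the proxy case the table mentions: with a proxy in front of the back end the `Destination` an IdP writes may legitimately differ from the URL the backend sees, which is the only reason to turn that check off.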

Select SAML for SSO

  1. Select SAML from the Enable Single Sign-On dropdown.

  2. Click Save Authentication.

  3. Repeat the enablement process for Sysdig Monitor or Sysdig Secure, if you want to enable it on both applications.

Configure SAML Single Logout

Sysdig supports SAML Single Logout (SLO).

SLO is a feature in federated authentication where Sysdig users can sign out of both their Sysdig session (Service Provider) and associated IdP (Identity Provider) simultaneously. SLO allows you to terminate all sessions established via SAML SSO by initiating a single logout process. Closing all user sessions prevents unauthorized users from gaining access to Sysdig resources.

SLO Process

When you initiate a logout, Sysdig sends a digitally signed logout request to the IdP. The IdP validates the request and terminates the current login session, then redirects you back to the Sysdig login page.

Configure IdP

  1. Configure logout URLs:

    • Monitor: <base_URL>/api/saml/slo/logout

    • Secure: <base_URL>/api/saml/slo/secureLogout

  2. Choose HTTP Redirect as the binding method.

    This option is an alternative to the HTTP POST method, which Sysdig does not currently support.

  3. If your IdP mandates, upload the signing certificate for Sysdig. See Retrieving the Public Keys for more information.

Certain IdPs, such as Entra ID, don't require uploading the public key.

Configure Sysdig

  1. Log in to Sysdig Monitor or Sysdig Secure as an administrator.

    For on-prem deployments, log in as the super admin.

  2. Navigate to Settings > Authentication, and select SAML under Connection Settings.

  3. Enter the SAML configuration.

  4. Ensure that Enable SAML single logout is toggled on.

  5. Click Save Settings.

  6. Ensure that you select SAML from the Enable Single Sign On drop-down.

Encrypted SAML response

Enabling encryption of SAML assertions adds an extra layer of security to your Single Sign On (SSO) authentication.

To enable encrypted SAML response:

  1. Obtain the encryption certificate. See Retrieving the Public Keys for more information on obtaining the key.

  2. Upload the certificate to your IdP.

  3. Enable encryption on IdP.

Some IdPs require the certificate in .crt format. You need to convert the X509Certificate from metadata to .crt format before uploading.

Retrieving the Public Keys

You can retrieve the public key from metadata.

You can obtain the metadata as follows:

  • Monitor: <base_URL>/api/saml/metadata/{customerName}

  • Secure: <base_URL>/api/saml/secureMetadata/{customerName}

{customerName} must be URL encoded.

Follow these instructions to find your {customerName}.

Two types of KeyDescriptor <md:KeyDescriptor> are provided:

  • Signing certificate: <md:KeyDescriptor use="signing"> - Used to sign the SLO request.
  • Encryption certificate: <md:KeyDescriptor use="encryption"> - Used to decrypt the encrypted assertions that we receive from the IdP.

If you are having issues retrieving the key, contact Sysdig Support to retrieve the public key associated with your deployment.
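Two steps in the sections above are easy to get wrong by hand: URL-encoding `{customerName}` in the metadata URL, and converting the base64 `X509Certificate` body from the `<md:KeyDescriptor>` elements into a `.crt` file for IdPs that require that format. The following is an added example, not Sysdig's own tooling, that does both: it builds the Monitor or Secure metadata URL from a base URL and customer name, parses the metadata XML, maps each `use` (`signing`, `encryption`) to its certificate, and wraps the certificate in PEM framing, which is what a `.crt` upload expects. The metadata document embedded below is constructed for the example; its certificate bodies are base64 placeholders, not real DER certificates, so run the functions against metadata fetched from your own deployment's URL.

```python
# Added example (not Sysdig's own code): parse Sysdig SP metadata, pull out the
# signing and encryption certificates, and convert them to .crt (PEM) files.
import base64
import textwrap
import xml.etree.ElementTree as ET
from urllib.parse import quote

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def metadata_url(base_url, customer_name, product="monitor"):
    """Build the metadata URL from the page; {customerName} must be URL encoded,
    so quote() is called with safe='' to encode '/' and other reserved characters too."""
    path = "api/saml/metadata" if product == "monitor" else "api/saml/secureMetadata"
    return f"{base_url.rstrip('/')}/{path}/{quote(customer_name, safe='')}"


def extract_certificates(metadata_xml):
    """Map each <md:KeyDescriptor use=...> to its base64 DER certificate body."""
    root = ET.fromstring(metadata_xml)
    certs = {}
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        use = kd.get("use")  # "signing" or "encryption"
        cert = kd.find(f".//{{{DS_NS}}}X509Certificate")
        if use and cert is not None and cert.text:
            certs[use] = "".join(cert.text.split())  # drop line breaks and indentation
    return certs


def to_pem(b64_der):
    """Wrap a base64 DER blob in the PEM framing that IdPs accept as a .crt file."""
    base64.b64decode(b64_der, validate=True)  # reject anything that is not clean base64
    body = "\n".join(textwrap.wrap(b64_der, 64))  # PEM convention: 64 characters per line
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def write_crt_files(metadata_xml, prefix="sysdig"):
    """Write <prefix>-signing.crt and <prefix>-encryption.crt; returns the paths written."""
    paths = []
    for use, b64 in extract_certificates(metadata_xml).items():
        path = f"{prefix}-{use}.crt"
        with open(path, "w") as fh:
            fh.write(to_pem(b64))
        paths.append(path)
    return paths


# Constructed sample metadata. The certificate bodies are base64 placeholders, not real certificates.
SAMPLE_SIGNING_B64 = base64.b64encode(b"constructed placeholder signing certificate, not DER " * 2).decode()
SAMPLE_ENCRYPTION_B64 = base64.b64encode(b"constructed placeholder encryption certificate, not DER " * 2).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://app.sysdigcloud.com/api/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SAMPLE_SIGNING_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_ENCRYPTION_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    print(metadata_url("https://app.sysdigcloud.com", "Acme Corp"))
    print(metadata_url("https://secure.sysdig.com", "Acme Corp", product="secure"))
    for use, b64 in extract_certificates(SAMPLE_METADATA).items():
        print(f"{use}:\n{to_pem(b64)}")
```

Which of the two files you upload depends on the feature: the `signing` certificate is the one an IdP needs to validate the SLO request, and the `encryption` certificate is the one it needs to encrypt assertions for the Encrypted SAML response setting.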

End User Login to Sysdig

As noted in the Basic Enablement Workflow above, you can offer users three ways to log in with a SAML configuration:

  • They can begin at the Sysdig SaaS URL and click the SAML button.

    See SaaS Regions and IP Ranges and identify the correct Sysdig SaaS URL associated with your Sysdig application and region. For example, URLs of Monitor and Secure for US East are:

    Monitor: app.sysdigcloud.com

    Secure: secure.sysdig.com

    They will be prompted to enter a Company Name, so the Sysdig platform can redirect the browser to your IdP for authentication.

Contact Sysdig Support to set your company name on the account.

  • You can provide an alternative URL to avoid the user having to enter a company name, in the format:

    Sysdig Monitor: https://app.sysdigcloud.com/api/saml/<COMPANY_NAME>

    Sysdig Secure: https://secure.sysdig.com/api/saml/<COMPANY_NAME>?product=SDS

    Replace <COMPANY_NAME> with your company name.

    For other regions, the format is https://<region>.app.sysdig.com/api/saml/auth. Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Secure in the EU, you use https://eu1.app.sysdig.com/api/saml/secureAuth.

  • You can configure an IdP-initiated login flow when configuring your IdP. The users then select the Sysdig application from your IdP’s app directory and do not browse directly to a Sysdig application URL at all.

Users that complete their first successful SAML login to Sysdig Secure may receive the error message “User doesn’t have permission to log in to Sysdig Secure”. This is because only members of the Secure Operations team are permitted access to Sysdig Secure, and newly-created logins are not in this team by default. Such a user should contact an Administrator for the Sysdig environment to be added to the Secure Operations team.

Environments that wish to have all the users access Sysdig Secure by default could use this sample Python script to frequently “sync” the team memberships.

See Developer Documentation for tips on using the sample Python scripts provided by Sysdig.

See User and Team Administration for information on creating users.