Configure Microsoft Entra ID for SAML

This topic helps you configure SAML Single Sign-On (SSO) with Microsoft Entra ID (formerly Azure Active Directory) and set up Sysdig so that users can access the Sysdig application through SSO.

Prerequisites

Administrator privileges on Sysdig and Microsoft Entra ID.

Configure the Sysdig Application in Microsoft Entra ID

  1. Log in to the Microsoft Entra ID portal.

  2. Select Enterprise Applications.

    The Enterprise applications - All applications screen is displayed.

  3. Click New Application.

  4. On the Add an Application screen, select Non-gallery application.

  5. Give your application a name, and click Add at the bottom of the page.

  6. On the menu, select Single sign-on.

  7. Choose SAML as the sign-on method.

  8. Edit the Basic SAML Configuration as follows:

    1. In the configuration page, click the edit icon.

    2. Specify the following:

      • Identifier (Entity ID): Uniquely identifies the Sysdig application. Entra ID sends this value to Sysdig as the audience of the SAML token, and Sysdig validates it as part of the SSO process, so it must match the entity ID for your Sysdig region exactly.

        For example, the identifier for Sysdig Monitor for the EU region is https://eu1.app.sysdig.com.

        See SaaS Regions and IP Ranges for the complete list of entity IDs for different regions.

      • Reply URL: Specifies where Sysdig expects to receive the SAML token.

        For example, the reply URL for Sysdig Monitor for the EU region is https://eu1.app.sysdig.com/api/saml/auth.

        See SaaS Regions and IP Ranges for the complete list of reply URLs for different regions.

      • Relay State: Tells Sysdig where to redirect the user after authentication completes. Typically the value is a valid Sysdig URL. If you are configuring SSO for SaaS, set the relay state to the customer number associated with your Sysdig application.

        The format is:

        #/&customer=1234
        

      For more information on configuration parameters, see Configure SAML-based single sign-on to non-gallery applications.

  9. To have Entra ID sign both the response and the assertion, select Edit on SAML Certificates and, in the Signing Option drop-down, select Sign SAML response and assertion.

  10. Select Save.

Parameters Required for Sysdig Configuration

Parameter          Description
Metadata           Under SAML Signing Certificate, copy the App Federation Metadata URL.
Email Parameter    Copy the full claim URL, including the Name and Namespace.
                   For example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email


Configure Sysdig for Microsoft Entra ID Authentication

  1. Log in to your Sysdig instance as an admin.

  2. Navigate to Settings > Authentication(SSO).

  3. Select SAML from Connection Settings.

  4. Enter the following:

    • Metadata: Enter the App Federation Metadata URL you copied.

    • Email Parameter: Set the value to the full claim URL. The value must match the claim name Entra ID emits exactly, character for character; otherwise Sysdig cannot read the user's e-mail address from the token.


  5. Click Save.

  6. Select SAML from the Enable Single Sign On drop-down, and click Set Authentication to save your choice.
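Sysdig's side of the handshake depends on three values lining up with what Entra ID puts in the token: the Entity ID as the assertion's Audience, the Reply URL as the Response's Destination, and the Email Parameter as the name of the e-mail attribute (the Signing Option chosen above determines whether both the response and the assertion carry a signature). The Python below, an added example and not code from Sysdig or Microsoft, checks a decoded SAMLResponse for those mismatches. It assumes the EU-region values quoted on this page and builds its own sample responses; it checks only that signatures are present, not that they verify.

```python
"""Check a decoded SAML Response against the values configured in Sysdig.

Added example (not Sysdig's or Microsoft's code). It assumes the EU-region
Sysdig Monitor values quoted on the page; the responses it checks are
constructed by build_response() and are not captured from a real tenant.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Values entered in Basic SAML Configuration (Entra ID) and in Sysdig's SAML settings.
ENTITY_ID = "https://eu1.app.sysdig.com"
REPLY_URL = "https://eu1.app.sysdig.com/api/saml/auth"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"

# Placeholder signature element: this check confirms a signature is present; it does not
# verify it cryptographically (a service provider does that with the metadata certificate).
SIG = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature>'
ISSUER = "<saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>"


def build_response(audience, destination, claim_name, sign_response=True):
    """Construct a minimal Entra-ID-shaped SAML Response (sample data; tenant ID made up)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="{destination}">
  {ISSUER}{SIG if sign_response else ''}
  <saml:Assertion ID="_a1" Version="2.0">
    {ISSUER}{SIG}
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{claim_name}">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_saml_response(xml_text, entity_id=ENTITY_ID, reply_url=REPLY_URL,
                        email_claim=EMAIL_CLAIM):
    """Return the mismatches between the token and the configured values; empty means aligned."""
    root = ET.fromstring(xml_text)
    problems = []

    # Reply URL: the Response's Destination must be the ACS URL Sysdig listens on.
    dest = root.get("Destination")
    if dest != reply_url:
        problems.append(f"Destination {dest!r} != Reply URL {reply_url!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion (encrypted assertions not handled here)"]

    # Entity ID: compared as an exact string against the Audience, so a stray
    # trailing slash or another region's host is enough to fail.
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} does not contain Entity ID {entity_id!r}")

    # Signing Option "Sign SAML response and assertion": both elements carry a signature.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")

    # Email Parameter: the Attribute Name must equal the claim URL entered in Sysdig.
    names = [a.get("Name") for a in assertion.findall(".//saml:Attribute", NS)]
    if email_claim not in names:
        problems.append(f"no attribute named {email_claim!r}; present: {names}")
    return problems


def demo():
    """A correct token, then one carrying three common misconfigurations."""
    good = check_saml_response(build_response(ENTITY_ID, REPLY_URL, EMAIL_CLAIM))
    bad = check_saml_response(build_response(
        ENTITY_ID + "/",             # trailing slash not present on the Sysdig side
        REPLY_URL,
        EMAIL_CLAIM + "address",     # claim name differs from what Sysdig was given
        sign_response=False))        # only the assertion was signed
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("good:", good)
    for p in bad:
        print("bad: ", p)
```

To use it on a real login, capture the SAMLResponse form field from the browser's network log, Base64-decode it, and pass the XML to check_saml_response(); the three mismatch messages in demo() are the ones that most often explain a failed first SSO login.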

Create a User in Microsoft Entra ID Domain

  1. Log in to the Microsoft Azure portal.

  2. Click Entra ID, and note down the domain name.

  3. Select Entra ID, then Users.

    The Users - All Users screen is displayed.

  4. Select New user.

    You can either create a new user or invite an existing one.

  5. Enter name, username, and other details, then click Create.

  6. On the Profile page, set the Email and Alternate email fields. The two values can be the same.

Assign the User to the Sysdig Application

  1. Navigate to the Sysdig application.

  2. Click Users and groups, then click Add user.

  3. Under Users and groups, choose the newly created user to add to the application.

  4. Click Select, then Assign at the bottom of the screen.

Enable Authentication Settings in the Sysdig Instance

Ensure that the option to create users on login is enabled; it is typically enabled by default. Without it, users must already exist in Sysdig before they can sign in through SAML.

If you are using both Sysdig Monitor and Sysdig Secure, ensure that the user accounts exist in both products. A user that exists only in one Sysdig application cannot log in to the other through SAML SSO.

If you are on Sysdig Platform versions 2.4.1 or prior, contact Sysdig Support to help with user creation.

(Optional) Configure Sysdig as a New Application

If Microsoft Entra ID does not allow you to create Sysdig as a Non-gallery application, perform the following:

  1. In Microsoft Entra ID, click Enterprise Applications > New Application.

  2. Select Application you’re developing.

    You will be taken to the app registration page.

  3. Select New registration.

  4. Provide a name for the application you are registering.

  5. Enter the redirect URI.

    For example, the redirect URI for Sysdig Monitor for the EU region is https://eu1.app.sysdig.com/api/saml/auth. See SaaS Regions and IP Ranges for the redirect URLs for other regions.

  6. Click Register to complete the registration.

  7. In the Overview tab, click Add an Application ID URI.

  8. Click Add a scope.

  9. Add the application ID URI as follows:

    https://<your_sysdig_url>:443
    

    Replace <your_sysdig_url> with the URL appropriate to your application and region. See SaaS Regions and IP Ranges for more information.

  10. In the Overview tab, click Endpoints, and copy the Federation Metadata URL.

  11. Log in to Sysdig, navigate to the SAML Authentication screen, and enter the Federation Metadata URL.

    You still need to ensure that the option to create users on login is enabled.

  12. Save the settings.