Configure Okta for SAML

Sysdig supports SAML authentication via the Identity Provider (IdP) Okta.

Prerequisites

Sysdig

Okta

The topics below call out specific steps that require additional action.

Configure Okta

This topic describe the minimal configuration options in Okta. You may need to adjust them based on the specifics of your environment.

General Settings

Specify the application name, and optionally, add a logo.

If you don’t intend to configure the IdP-initiated login flow, select Do not display application icon to users and Do not display application icon in the Okta Mobile app.

SAML Settings

Specify the following:

  • Default Relay State: The format is #/&customer=<CUSTOMER-ID-NUMBER>. Replace <CUSTOMER-ID-NUMBER> with the number you have retrieved as described in Find Your Customer Number. Specify this option only if you wish to configure IdP-initiated login flow.

  • Single sign-on URL: See the table below for the correct URLs associated with your Sysdig application and region. For more information, see SaaS Regions and IP Ranges.

  • Audience URI (SP Entity ID): See the table below for the correct Entity ID associated with your Sysdig application and region. For additional details see SaaS Regions and IP Ranges.

RegionAppSingle Sign-on URLOkta Audience URI (Service Provider Entity ID)
usMonitorhttps://app.sysdigcloud.com/api/saml/authhttps://app.sysdigcloud.com/api/saml/metadata
usSecurehttps://secure.sysdig.com/api/saml/secureAuthhttps://secure.sysdig.com/api/saml/metadata
au1Monitorhttps://app.au1.sysdig.com/api/saml/authhttps://app.au1.sysdig.com/api/saml/metadata
au1Securehttps://app.au1.sysdig.com/api/saml/secureAuthhttps://app.au1.sysdig.com/secure/api/saml/metadata
eu1Monitorhttps://eu1.app.sysdig.com/api/saml/authhttps://eu1.app.sysdig.com/api/saml/metadata
eu1Securehttps://eu1.app.sysdig.com/api/saml/secureAuthhttps://eu1.app.sysdig.com/secure/api/saml/metadata
us2Monitorhttps://us2.app.sysdig.com/api/saml/authhttps://us2.app.sysdig.com/api/saml/metadata
us2Securehttps://us2.app.sysdig.com/api/saml/secureAuthhttps://us2.app.sysdig.com/secure/api/saml/metadata
us4Monitorhttps://app.us4.sysdig.com/api/saml/authhttps://app.us4.sysdig.com/api/saml/metadata
us4Securehttps://app.us4.sysdig.com/api/saml/secureAuthhttps://app.us4.sysdig.com/secure/api/saml/metadata

Attribute Statements (Optional)

Specify the following:

  • Name
  • Name Values

Instead of the values shown in the Okta example, add the values:

NameValue
emailuser.email
first nameuser.firstName
last nameuser.lastName

Note that the attributes are case-sensitive, so use caution when entering them.

Only email is required as the attribute. However, we recommend including first and last names for these values to be included in the records created in the Sysdig database when new users successfully log in via SAML for the first time.

SAML Metadata URL

Copy the Metadata URL. You will use it while configuring Sysdig.

Test Metadata (Optional)

To ensure the metadata URL you copy at the end of the IdP configuration procedure is correct, you can test it by directly accessing it via your browser.

When accessing the URL, your browser should immediately download an XML file that begins similarly to the example shown below. No entry of credentials or other security measures should be required to successfully download it. If this is not the case, revisit the IdP configuration.

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkd7ltpz8HOv6Rkf5d7">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:X509Data>
         <ds:X509Certificate>xyz</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://domain.okta.com/app/domain_sysdigsecure/sso/saml"/>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://domain.okta.com/app/domain_sysdigsecure/sso/saml"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>

Configure Sysdig

Open the SAML Connection Settings page and enter the Metadata URL you have copied earlier in the Metadata field.