Configure Okta for SAML
Prerequisites
Sysdig
- Review SAML (SaaS).
Okta
Review the Prerequisites.
Configure a SAML application separately for each Sysdig product: Sysdig Monitor and Sysdig Secure.
For more information, see Setting Up a SAML Application in Okta.
The topics below call out specific steps that require additional action.
Configure Okta
This topic describes the minimal configuration options in Okta. You may need to adjust them based on the specifics of your environment.
General Settings
Specify the application name, and optionally, add a logo.
If you don’t intend to configure the IdP-initiated login flow, select Do not display application icon to users and Do not display application icon in the Okta Mobile app.
SAML Settings
Specify the following:
- Default Relay State: The format is `#/&customer=<CUSTOMER-ID-NUMBER>`. Replace `<CUSTOMER-ID-NUMBER>` with the number you have retrieved as described in Find Your Customer Number. Specify this option only if you wish to configure the IdP-initiated login flow.
- Single sign-on URL: See the table below for the correct URL associated with your Sysdig application and region. For more information, see SaaS Regions and IP Ranges.
- Audience URI (SP Entity ID): See the table below for the correct Entity ID associated with your Sysdig application and region.
For additional details, see Redirect URLs for Authentication and SaaS Regions and IP Ranges.
Attribute Statements (Optional)
For each attribute, specify the following:
- Name
- Value
Instead of the values shown in the Okta example, add the following:

| Name | Value |
|---|---|
| email | user.email |
| first name | user.firstName |
| last name | user.lastName |
Note that the attribute names are case-sensitive, so use caution when entering them.
Only the email attribute is required. However, we recommend also sending first and last names so that they are stored in the user record Sysdig creates when a new user logs in via SAML for the first time.
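To check that an assertion actually carries the names from the table above, with the exact case the attribute names require, the following added example (not Sysdig's or Okta's code) parses an assertion with the Python standard library and reports missing, miscased or empty attributes. It assumes you paste in the XML that Okta's "Preview the SAML Assertion" button shows; the sample assertion below is constructed, with placeholder identifiers and a deliberately miscased "First Name" attribute.

```python
"""Verify that a SAML assertion carries the attribute names Sysdig expects.

Added example (not Sysdig's or Okta's code). The constructed sample has
"First Name" deliberately miscased to show what a mismatch looks like.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = {"email"}                        # Sysdig needs this one
RECOMMENDED = {"first name", "last name"}   # stored on first login if present

# Constructed sample; the issuer, ID and user values are placeholders.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>http://www.okta.com/exkPLACEHOLDER</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email">
      <saml2:AttributeValue>jane@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="First Name">
      <saml2:AttributeValue>Jane</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="last name">
      <saml2:AttributeValue>Doe</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Map each Attribute Name to its list of AttributeValue strings."""
    root = ET.fromstring(assertion_xml.strip())
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = values
    return attrs


def check_attributes(assertion_xml: str) -> dict:
    """Report missing required names, absent recommended names, names that
    differ from the expected ones only by case or whitespace, and empty values."""
    attrs = extract_attributes(assertion_xml)
    present = set(attrs)
    expected = REQUIRED | RECOMMENDED
    case_mismatch = {
        name: want
        for name in present
        for want in expected
        if name != want and name.strip().lower() == want
    }
    empty_values = sorted(n for n, vals in attrs.items() if n in expected and not any(vals))
    return {
        "attributes": attrs,
        "missing_required": sorted(REQUIRED - present),
        "absent_recommended": sorted(RECOMMENDED - present),
        "case_mismatch": case_mismatch,
        "empty_values": empty_values,
    }


if __name__ == "__main__":
    report = check_attributes(SAMPLE_ASSERTION)
    for key in ("missing_required", "absent_recommended", "case_mismatch", "empty_values"):
        print(f"{key}: {report[key]}")
```

Run against the sample, the report lists "first name" as absent and "First Name" as a case mismatch for it, which is exactly the error a mistyped Okta attribute statement produces.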
SAML Metadata URL
Copy the Metadata URL. You will use it while configuring Sysdig.
Test Metadata (Optional)
To ensure the metadata URL you copy at the end of the IdP configuration procedure is correct, you can test it by directly accessing it via your browser.
When accessing the URL, your browser should immediately download an XML file that begins similarly to the example shown below. No entry of credentials or other security measures should be required to successfully download it. If this is not the case, revisit the IdP configuration.
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkd7ltpz8HOv6Rkf5d7">
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>xyz</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://domain.okta.com/app/domain_sysdigsecure/sso/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://domain.okta.com/app/domain_sysdigsecure/sso/saml"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
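Beyond eyeballing the download, a practitioner will want to confirm the metadata contains what the service provider actually depends on: an entityID, a signing certificate (Sysdig uses it to verify assertion signatures), and HTTPS SingleSignOnService endpoints for the HTTP-POST and HTTP-Redirect bindings. The following added example (not Sysdig's or Okta's code) does that with the Python standard library. Pass the Metadata URL as the first argument to fetch it anonymously, as Sysdig will; with no argument it checks the constructed sample below, whose entityID, hostname and certificate body are placeholders.

```python
"""Sanity-check Okta IdP SAML metadata before handing its URL to Sysdig.

Added example (not Sysdig's or Okta's code). Parses the metadata and verifies
the parts an SP relies on: an entityID, at least one signing certificate and
HTTPS SingleSignOnService endpoints for the POST and Redirect bindings.
"""
import base64
import binascii
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like the Okta excerpt above. The entityID, the
# hostname and the base64 certificate body are placeholders, not real values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkPLACEHOLDER">
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>cGxhY2Vob2xkZXI=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.okta.com/app/example_sysdigsecure/sso/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.okta.com/app/example_sysdigsecure/sso/saml"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fetch_metadata(url: str, timeout: float = 10.0) -> str:
    """Download the metadata anonymously, as Sysdig will. A 401/403, or an HTML
    login page instead of XML, means the URL or the app's visibility is wrong."""
    req = urllib.request.Request(url, headers={"Accept": "application/xml"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_metadata(xml_text: str) -> dict:
    """Parse IdP metadata and return findings; 'problems' is empty when usable."""
    problems = []
    root = ET.fromstring(xml_text.strip())
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        problems.append("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID", "")
    if not entity_id:
        problems.append("missing entityID")
    result = {"entity_id": entity_id, "signing_certs": 0, "sso": {}, "problems": problems}

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor (this looks like SP metadata, not IdP metadata)")
        return result

    # A KeyDescriptor with no use= attribute is valid for both signing and encryption.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        certs.extend((c.text or "").strip() for c in kd.iterfind(".//ds:X509Certificate", NS))
    if not certs:
        problems.append("no signing certificate; assertion signatures cannot be verified")
    for cert in certs:
        try:
            base64.b64decode(cert, validate=True)
        except binascii.Error:
            problems.append("X509Certificate body is not valid base64 (PEM header pasted in?)")
    result["signing_certs"] = len(certs)

    sso = {svc.get("Binding"): svc.get("Location", "")
           for svc in idp.iterfind("md:SingleSignOnService", NS)}
    for binding in (POST, REDIRECT):
        location = sso.get(binding)
        if not location:
            problems.append("missing SingleSignOnService for " + binding.rsplit(":", 1)[1])
        elif not location.startswith("https://"):
            problems.append("SSO endpoint is not HTTPS: " + location)
    result["sso"] = sso
    return result


if __name__ == "__main__":
    import sys
    text = fetch_metadata(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_METADATA
    findings = check_metadata(text)
    print("entityID:", findings["entity_id"])
    print("signing certs:", findings["signing_certs"])
    for problem in findings["problems"]:
        print("PROBLEM:", problem)
    sys.exit(1 if findings["problems"] else 0)
```

The script exits non-zero on any finding, so it can sit in the same runbook or pipeline step that pastes the URL into Sysdig. The base64 check catches the common mistake of pasting a PEM certificate including its header lines into a KeyDescriptor; the HTTPS check matters because the Redirect binding carries the AuthnRequest in the query string.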
Configure Sysdig
Open the SAML Connection Settings page and enter the Metadata URL you have copied earlier in the Metadata field.