Configure OneLogin for SAML

Sysdig supports SAML authentication via the Identity Provider (IdP) OneLogin.

Prerequisites

The notes below call out specific steps that require additional action.

Sysdig-Specific Steps for OneLogin Configuration

Add the SAML Test Connector

To add a SAML Test Connector in OneLogin:

  1. Log in to OneLogin and select the Applications tab.

  2. Select Add App.

  3. Search for SAML Custom Connector.

  4. Select SAML Custom Connector (Advanced).

  5. Choose a Display Name and click Save to access the configuration.

If you don't intend to configure the IdP-initiated login flow, turn off the Visible in portal slider so the app no longer appears in the user portal.

Configure Test Connector

In the SAML Test Connector Configuration tab, enter the values shown in the table below.

Replace CUSTOMER-ID-NUMBER with the number retrieved as described in Find Your Customer Number.

See SaaS Regions and IP Ranges and identify the correct URLs associated with your Sysdig application and region. For example, given below are the URLs for the US East region.

| Field | Value for Sysdig Monitor | Value for Sysdig Secure |
|-------|--------------------------|-------------------------|
| RelayState (optional; configure only if you intend to use the IdP-initiated login flow) | `#/&customer=CUSTOMER-ID-NUMBER` | `#/&customer=CUSTOMER-ID-NUMBER` |
| Recipient | `https://app.sysdigcloud.com/api/saml/auth` | `https://secure.sysdig.com/api/saml/secureAuth` |
| ACS (Consumer) URL Validator | `https://app.sysdigcloud.com` | `https://secure.sysdig.com` |
| ACS (Consumer) URL | `https://app.sysdigcloud.com/api/saml/auth` | `https://secure.sysdig.com/api/saml/secureAuth` |

For other regions, the host takes the form https://<region>.app.sysdig.com, where <region> is the region that hosts your Sysdig application. For example, for Sysdig Monitor in the EU you would use https://eu1.app.sysdig.com/api/saml/auth. See SaaS Regions and IP Ranges for the full list of regions.

For SAML signature element, select Both from the drop-down. This allows you to enable Signed Assertion when you set up SAML in the Sysdig Platform.

You can leave the other configuration settings as default.

Email and Name Values (Optional)

If you want the user’s First Name and Last Name to be included in the records created in the Sysdig platform’s database when new users successfully login via SAML for the first time:

  1. Open the Parameters tab.

  2. Click + to add a New Field.

  3. Create the following fields with the names and values given in the table below.

Each time you add a field, ensure you Include in SAML assertion:

| Field Name   | Value        |
|--------------|--------------|
| `email`      | `Email`      |
| `first name` | `First Name` |
| `last name`  | `Last Name`  |

  4. Edit each field and select the Value shown from the drop-down menu. Field Names are case sensitive; therefore, enter them in lowercase.

  5. Save your changes.

The following shows an example of a correctly-configured field for First Name:

Issuer URL

Click the SSO tab and copy the Issuer URL. Save this for later.

You will need it for the Metadata field when you set up SAML in Sysdig Platform. See Configure Sysdig.

Assign Privileges

To give SAML permission to a user:

  1. Open the Privileges tab.

  2. Under Add new user search for the desired user and select Check.

  3. Select the user and click Add Admin.

  4. Save your changes.

Configure Sysdig

To configure OneLogin for Sysdig:

  1. Log in to Sysdig Platform.

  2. Navigate to Settings via the user menu icon at the bottom of the left navigation bar.

  3. Under Access & Secrets, select Authentication (SSO).

  4. Under Connection Settings, select the SAML tab.

  5. In the Metadata field, paste the Issuer URL you copied earlier. See Issuer URL.

  6. Enable Signed Assertion.

Signed Assertions are available if you selected Both in the SAML signature element drop-down in OneLogin. See Configure Test Connector.

  7. For Email Parameter, write email.

The rest of the fields and toggles can be left as default.

  8. Select Save Settings.

  9. On the top navigation, choose SAML from the Enable Sign On drop-down and click Set.

Test Metadata (Optional)

To ensure the metadata URL you copy at the end of the IdP configuration procedure is correct, you can test it by directly accessing it via your browser.

When accessing the URL, your browser should immediately download an XML file that begins similarly to the example shown below. No entry of credentials or other security measures should be required to successfully download it. If this is not the case, revisit the IdP configuration steps.

```xml
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/680358">
  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  ...
```
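As an added check (example script, not part of the Sysdig or OneLogin documentation), the following Python parses the downloaded metadata and reports the facts the Sysdig side depends on: the entityID, whether an IDPSSODescriptor with a signing certificate is present (the certificate Sysdig uses to verify a Signed Assertion), and the SSO endpoints. The embedded sample metadata is constructed; the OneLogin app id, subdomain and certificate in it are placeholders.

```python
import urllib.request
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, trimmed sample of what the OneLogin metadata URL should return.
# The app id, subdomain and certificate are placeholders, not real OneLogin values.
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.onelogin.com/saml/metadata/PLACEHOLDER-ID">
  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.onelogin.com/trust/saml2/http-redirect/sso/PLACEHOLDER-ID"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def check_idp_metadata(xml_bytes: bytes) -> dict:
    """Parse IdP metadata and return the facts the Sysdig SAML setup depends on."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root is %s, not md:EntityDescriptor" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
    # The signing certificate is what the SP uses to verify a Signed Assertion.
    certs = [
        kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS).strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
    ]
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {
        "entity_id": root.get("entityID"),
        "signing_cert_count": sum(1 for c in certs if c),
        "sso_endpoints": sso,
        "https_only": all(loc.startswith("https://") for loc in sso.values()),
    }

def fetch_and_check(url: str) -> dict:
    """Download the metadata unauthenticated, as the browser test does, then check it."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return check_idp_metadata(resp.read())
```

Run `check_idp_metadata(SAMPLE_METADATA)` offline, or `fetch_and_check("<your Issuer URL>")` against the URL copied from the SSO tab; a result with `signing_cert_count` of 0 means Signed Assertion cannot be verified and the connector configuration should be revisited.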