LDAP/SAML Hybrid Authentication
This is an advanced option wherein LDAP Mapping is used to trigger the creation of user records in Sysdig, but authentication of those users is actually performed via SAML (with LDAP-based authentication disabled). In this configuration, if a user successfully authenticates via SAML, and the platform finds a user record with a matching email address in the Sysdig platform, they will be permitted to log in.
The process involves:
Enable SAML login and disable automatic user creation via SAML.
Enable LDAP user creation using LDAP mapping, but employ the _hybrid, rather than the _simple json, configuration file.
(Optional) Disable simple password login, to ensure SAML SSO is always used.
Ensure SAML has been enabled in the UI as the chosen authentication method.
Enable SAML Log In
To ensure that user records are created solely via LDAP mapping, disable user-creation-on-demand and (optionally) password authentication.
UI-based option: Use the toggles in the UI to disable “create user on login” and “user name and password login.”
Script-based option: Use the -n option of the saml_config.sh script, as described in the Optional: Auto-creation of user records section.
With this configuration, if a user successfully logs in via SAML but does not have an existing username/email record in the Sysdig database, they will receive an error message.
Enable LDAP User Creation using LDAP Mapping
The only difference between the _hybrid files is the _hybrid, this is set to
Apply the settings using the mapping_config.sh script:
mapping_config.sh -s settings_mapping_hybrid.json
See also: Options for Applying mapping_config.sh.
Optional: Disable User-Creation via API
If you want to ensure your user records are derived only from LDAP hybrid mapping, then use the -d option with the script, as described in the
Optional: Disable Password Login
You may have pre-existing records in your Sysdig platform database for users who have previously authenticated via simple email/password. If you want to prevent such logins and ensure 100% authentication via SAML, you can disable password login.
In this configuration, only the “super” Admin can still log in via email/password.
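The login rules that the hybrid setup produces (SAML authentication plus a pre-existing LDAP-mapped record, no auto-creation, password login reserved for the super Admin) are easy to mis-read from the prose alone. The following is an added example, not Sysdig's code: a small Python model of that decision, using a constructed user table, a constructed placeholder super Admin address and flags named after the UI toggles. It shows which attempts are accepted and which produce the "no matching record" error described above.

```python
# Added example, not Sysdig's code: a model of the login decision this page
# describes for the LDAP/SAML hybrid setup. The config flags, the user table,
# the super Admin address and the "assertion_valid" / "password_ok" inputs are
# illustrative assumptions, not the platform's real internals.
from dataclasses import dataclass, field

# Constructed placeholder for the "super" Admin that keeps email/password access
SUPER_ADMIN_EMAIL = "superadmin@example.com"


@dataclass
class HybridAuthConfig:
    saml_enabled: bool = True             # SAML selected as the SSO method in Settings
    create_user_on_login: bool = False    # disabled: records come only from LDAP mapping
    password_login_enabled: bool = False  # optional: force SSO for everyone but super Admin


@dataclass
class UserStore:
    """User records created by LDAP mapping, keyed by normalised email."""
    users: dict = field(default_factory=dict)

    def add(self, email: str) -> None:
        self.users[email.strip().lower()] = {"email": email}

    def find_by_email(self, email: str):
        return self.users.get(email.strip().lower())


def decide_login(config, store, method, email, *, assertion_valid=False, password_ok=False):
    """Return (allowed, reason) for one login attempt.

    method is "saml" or "password". assertion_valid stands in for the IdP
    signature/audience checks; password_ok for a verified password hash.
    """
    record = store.find_by_email(email)
    if method == "saml":
        if not config.saml_enabled:
            return False, "saml-not-enabled"
        if not assertion_valid:
            return False, "saml-assertion-rejected"
        if record is not None:
            return True, "saml-matched-existing-record"   # the hybrid happy path
        if config.create_user_on_login:
            return True, "saml-auto-created-user"          # bypasses LDAP mapping: not hybrid
        return False, "no-matching-user-record"            # the error the page describes
    if method == "password":
        is_super = email.strip().lower() == SUPER_ADMIN_EMAIL
        if not config.password_login_enabled and not is_super:
            return False, "password-login-disabled"        # reject before checking the password
        if record is None or not password_ok:
            return False, "bad-credentials"
        return True, "super-admin-password-login" if is_super else "password-login"
    return False, "unknown-method"


def run_demo():
    """Run the four attempts a hybrid deployment typically sees (constructed data)."""
    cfg = HybridAuthConfig()
    store = UserStore()
    store.add("alice@example.com")          # stands in for a record created by LDAP mapping
    store.add(SUPER_ADMIN_EMAIL)
    attempts = [
        ("saml", "alice@example.com", {"assertion_valid": True}),
        ("saml", "bob@example.com", {"assertion_valid": True}),    # no LDAP-mapped record
        ("password", "alice@example.com", {"password_ok": True}),  # SSO enforced
        ("password", SUPER_ADMIN_EMAIL, {"password_ok": True}),    # super Admin exception
    ]
    return [(m, e, decide_login(cfg, store, m, e, **kw)) for m, e, kw in attempts]


if __name__ == "__main__":
    for method, email, (allowed, reason) in run_demo():
        print(f"{method:8} {email:24} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

Note that the password branch rejects a disabled login method before looking at the credentials, so an attacker cannot use the "password login disabled" path to probe whether an address exists; the only account that reaches the password check is the super Admin, which is why that account deserves a strong password and close monitoring of its logins.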
Ensure SAML is Enabled in the UI
When all configurations are complete, log in to the Settings in the Sysdig user interface and select SAML for SSO, if it is not already selected.