This the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

OpenID Connect (On-Prem)

These instructions are specific to On-Premises Deployments of the Sysdig platform. If you are using the cloud-based (SaaS) Sysdig platform, refer to OpenID Connect (SaaS) instead.

OpenID support in the Sysdig platform allows authentication via your choice of Identity Provider (IdP).

This section describes how to integrate and enable OpenID Connect with both Sysdig Monitor and Sysdig Secure.

Overview

Summary of OpenID Functionality in Sysdig

The Sysdig platform ordinarily maintains its own user database to hold a username and password hash. OpenID instead allows for redirection to your organization’s IdP to validate username/password and other policies necessary to grant access to Sysdig application(s). Upon successful authentication via OpenID, a corresponding user record in the Sysdig platform’s user database is automatically created, though the password that was sent to the IdP is never seen nor stored by the Sysdig platform.

Basic Enablement Workflow

Step

Options

Notes

1. Know which IdP your company uses and will be configuring.

These are the OpenID Providers for which Sysdig has performed detailed interoperability testing and confirmed how to integrate using their standard docs. If your OpenID Provider is not listed (including ones that do not support OpenID Connect Discovery), it may still work with the Sysdig platform. Contact Sysdig Support for help.

2. Decide the login flow you want users to experience: 3 options

Click OpenID button

From https://HOSTNAME/ or https://HOSTNAME/secure

Type/bookmark a URL in browser

  • Monitor: https://<HOSTNAME>/api/oauth/openid

  • Secure: https://<HOSTNAME>:<PORT>/api/oauth/openid/secureAuth

Replace <HOSTNAME> and <PORT> with that which specific to your deployment.

Log in from an IdP interface

The individual IdP integration pages describe how to add Sysdig to the IdP interface.

You will need the following:

  • Your Sysdig customer number and Customer Name.

  • Redirect URLs:

    • https://<hostname>/api/oauth/openid/auth

    • https://<hostname>:<port>/api/oauth/openid/secureAuth

    Replace <hostname> with the hostname of your deployment.

3. Perform the configuration steps in your IdP interface and collect the resulting config attributes.

Collect metadata URL (or XML) and test it.

If you intend to configure IDP-initiated login flow find your Customer Name. Contact Sysdig if you do not know the customer name corresponding to your account.

4a. Log in to Sysdig Monitor and configure authentication.

4b. Log in to Sysdig Secure and configure authentication.

  • Log in to Sysdig Monitor Settings (as super admin) and enter the necessary configuration information in the UI. Save and Enable OpenID as your SSO.

  • Log in to Sysdig Secure Settings (as super admin) and enter the necessary configuration information in the UI. Save and Enable OpenID as your SSO.

Administrator Steps

Configure IdP

Select the appropriate IdP link below, and follow the instructions:

UI-Based: Configure OpenID in Settings

At this time, the Authorization UI is available only for Sysdig Monitor.

To enable baseline OpenID functionality:

Enter OpenID Basic Connection Settings

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.

  2. Select Authentication.

  3. Select the OpenID tab.

  4. Enter the relevant parameters (see table below) and click Save.

Connection SettingDescription
Client IDID provided by your IdP
Client SecretSecret provided by your IdP
Issuer URLURL provided by your IdP. Example:https://YOUR-ONELOGIN-DOMAIN.onelogin.com/oidc

Okta, OneLogin, and Keycloak support metadata auto-discovery, so these settings should be sufficient for those IdPs.

Enter OpenID Additional Settings (if needed)

In some cases, an OpenID IdP may not support metadata auto-discovery, and additional configuration settings must be entered manually.

In this case:

  1. On the OpenID tab, toggle the Metadata Discovery button to OFF to display additional entries on the page.

  2. Enter the relevant parameters derived from your IdP (see table below) and click Save.

Connection Setting

Description

Base Issuer

Required. Often the same Issuer URL, but can be different for providers that have a separate general domain and user-specific domain

(for example, general domain: https://openid-connect.onelogin.com/oidc, user-specific domain: https://sysdig-phil-dev.onelogin.com/oidc)f

Authorization Endpoint

Required. Authorization request endpoint

Token Endpoint

Required. Token exchange endpoint

JSON Web Key Set Endpoint

Required. Endpoint that contains key credentials for token signature verification

Token Auth Method

Authentication method.

Supported values:

client_secret_basic ,

client_secret_post . (case insensitive)

Select OpenID for SSO

  1. Select OpenID from the Enabled Single Sign-On dropdown.

  2. Click Save Authentication.

Script-Based: Configure OpenID Using Scripts

The configuration of the OpenID Connect feature can be viewed, updated, and deleted by the “super” Admin. An oidc_config.sh helper script is available in the SSO folder at sysdig-cloud-scripts repository to assist in completing this configuration. Invoking the script with no options will display help text.

# ./oidc_config.sh
Must specify the Sysdig App whose OpenID Connect configuration will be viewed/set

Usage: ./oidc_config.sh [OPTIONS]

Affect OpenID Connect login settings for your Sysdig software platform installation

To use the helper script, modify env.sh to set the required values for API_TOKEN of the “super” Admin user and the URL for accessing the Sysdig platform API (which will be the same URL that your users access for the Sysdig Monitor application).

Depending if the API_TOKEN has been obtained from the Sysdig Monitor or Sysdig Secure application UI, the settings will be applied to the consequent product.

Initially no OpenID settings are set. A initial run of the script would confirm that:

# ./oidc_config.sh
No openid settings are set
Run for further info: ./oidc_config.sh -h

Add the -s option to set the OpenID Connect configuration for a particular Sysdig application. When setting the config, you’ll use additional options to provide the config details you saved in the earlier OpenID Provider configuration step.

Config DetailOption
Issuer URL-u
Client ID-i
Client Secret-e

If the configuration is successfully posted to the Sysdig platform, the new configuration will be echoed back.

An example of creating the two separate OpenID Connect configurations for both Monitor and Secure, each using Okta as an OpenID Provider:

# ./oidc_config.sh -s -u https://dev-824158.oktapreview.com -i 0oafpykpv7JMS4gMe0h7 -e ZctTGJMNJmuseEJHJGhvnb0pniZvz9Gf6RStxhHn
{
  "authenticationSettings": {
    "id": 1,
    "version": 1,
    "createdOn": 1547541009000,
    "type": "openid",
    "scope": "SYSTEM",
    "settings": {
      "issuer": "https://dev-824158.oktapreview.com",
      "clientId": "your-client-ID",
      "clientSecret": "your-client-secret",
      "metadataDiscovery": true
    }
  }
}

Once you’ve completed this configuration, clicking the OpenID button at the login screen of the appropriate Sysdig application(s) should redirect to your OpenID Provider for authentication.

If you wish to delete your OpenID Connect configuration, invoke the -d option. If successful, the disabled configuration will be printed.

./oidc_config.sh -d
{
  "authenticationSettings": {
    "id": 1,
    "version": 1,
    "createdOn": 1547541009000,
    "type": "openid",
    "scope": "SYSTEM",
    "settings": {
      "issuer": "https://dev-824158.oktapreview.com",
      "clientId": "your-client-id",
      "clientSecret": "Your-client-secret",
      "metadataDiscovery": true
    }
  }
}

User Experience

As noted in the Basic Workflow above, you can offer users three ways to log in with a OpenID configuration:

  • They can begin at the Sysdig SaaS URL and click the OpenID button.

    Monitor: https://HOSTNAME/ or Secure: https://HOSTNAME/secure.

    They will be prompted to enter a Company Name, so the Sysdig platform can redirect the browser to your IdP for authentication.

    =

  • You can provide an alternative URL to avoid the user having to enter a company name, in the format:

    • Monitor: https://HOSTNAME/api/oauth/openid
    • Secure: https://HOSTNAME/api/oauth/openid?product=SDS

  • You can configure an IdP-initiated login flow when configuring your IdP. The users then select the Sysdig application from your IDP’s app directory and do not browse directly to a Sysdig application URL at all.

See also User and Team Administration for information on creating users.

1 - Okta (OpenID On-Prem)

Review OpenID Connect (On-Prem) before you begin.

The notes below describe minimal steps to be taken in Okta. You may need to adjust the steps based on the specifics of your environment.

  1. Log in to your Okta organization as a user with administrative privileges and click the Admin page.

  2. Click Add Applications, then click the Create New App button.

  3. Select Web as the Platform type, then click OpenID Connect as the Sign-on method, then click Create.

  4. Create a new application

    • Enter your choice of General Settings

    • For Login redirect URIs, enter one of the following values, replacing HOSTNAME with the hostname through which your users access the Sysdig application(s) and PORT with the TCP port # (typically 443):

      If configuring Sysdig Monitor, enter: https://HOSTNAME:PORT/api/oauth/openid/auth

      If configuring Sysdig Secure, enter: https://HOSTNAME:PORT/api/oauth/openid/secureAuth

    • Click Save.

  5. You should next be placed in a General tab. Take note of the Client ID and Client secret that are shown, as you will need them to complete the configuration in the Sysdig platform.

  6. Click the Sign On tab. Take note of the Issuer URL that is shown, as you will need it to complete the configuration in the Sysdig platform.

  7. Return to the bottom section of the OpenID Connect (On-Prem) article for instructions on using the helper script to complete the configuration in the Sysdig platform.

2 - OneLogin (OpenID On-Prem)

Review OpenID Connect (On-Prem) before you begin.

The notes below describe minimal steps to be taken in OneLogin. You may need to adjust the steps based on the specifics of your environment.

  1. Login to your OneLogin organization as a user with administrative privileges and click to Apps > Custom Connectors, then click the New Connector button.

  2. Create a new Connector

    • Enter your choice of connector name

    • Select a Sign on Method of OpenID Connect

    • For Redirect URI to, enter one of the following values, replacing HOSTNAME with the hostname through which your users access the Sysdig application(s) and PORT with the TCP port # (typically 443):

      If configuring Sysdig Monitor, enter: https://HOSTNAME:PORT/api/oauth/openid/auth

      If configuring Sysdig Secure, enter: https://HOSTNAME:PORT/api/oauth/openid/secureAuth

    • Click the Save button

  3. From the More Actions pull-down menu, select Add App to Connector.

  4. Click Save to add the app to your catalog. Once clicked, additional tabs will appear.

  5. Click to the SSO tab. Change the setting in the Token Endpoint drop-down to POST, then click Save.

  6. While still on the SSO tab, take note of the Client ID and Client Secret that are shown (click Show client secret to reveal it), as you will need them to complete the configuration in the Sysdig platform.

  7. Note that the Issuer URL you will need to complete the Sysdig platform configuration will consist of https://YOUR-ONELOGIN-DOMAIN.onelogin.com/oidc

  8. Return to the bottom section of the OpenID Connect (On-Prem) article for instructions on using the helper script to complete the configuration in the Sysdig platform.

3 - Keycloak (OpenID On-Prem)

Review OpenID Connect (On-Prem) before you begin.

The notes below describe minimal steps to be taken in Keycloak. You may need to adjust the steps based on the specifics of your environment.

  1. Login to your Keycloak server’s Administrative Console.

  2. Select a realm or create a new one.

  3. Click Clients, then click the Create button.

  4. Enter the Client ID of your choosing (e.g. “SysdigMonitor”) and take note of it, as you will need it later to complete the configuration in the Sysdig platform.

  5. Make sure the Client Protocol drop-down has openid-connect selected. Click the Save button.

  6. Configure OpenID Connect client

    • Click the toggle for Authorization Enabled to ON

    • For Valid Redirect URI, enter one of the following values, replacing HOSTNAME with the hostname through which your users access the Sysdig application(s) and PORT with the TCP port # (typically 443):

      If configuring Sysdig Monitor, enter: https://HOSTNAME:PORT/api/oauth/openid/auth

      If configuring Sysdig Secure, enter: https://HOSTNAME:PORT/api/oauth/openid/secureAuth

    • Click the Save button

  7. Click to the Credentials tab. Take note of the Secret that is shown, as you will need it to complete the configuration in the Sysdig platform.

  8. Note that the Issuer URL you will need to configure in the Sysdig platform will consist of https://{KEYCLOAK-SERVER-ADDRESS}/auth/realms/{REALM_NAME}, where {KEYCLOAK-SERVER-ADDRESS} and {REALM-NAME} are derived from your environment where you just created the configuration.

  9. Return to the bottom section of the OpenID Connect (On-Prem) article for instructions on using the helper script to complete the configuration in the Sysdig platform.

4 - Azure (OpenID On-Prem)

OpenID Connect is a security-token based extension of the OAuth 2.0 authorization protocol to do single sign-on. Azure Active Directory provides an implementation of OpenID Connect (OIDC) protocol and Sysdig supports it for single sign-on and API access to Sysdig application.

Enabling Azure OpenID Connect for single sign-on to Sysdig applications include configuration on the Microsoft Active Directory as well as on the Sysdig application.

Prerequisites

Administrator privileges on Sysdig and Azure Active Directory (AD).

Configuring Sysdig Application in Azure AD

  1. Log in to the Azure AD portal.

  2. Select your Azure Active Directory service or create a new one.

  3. Click App registration > New registration.

  4. In the Register an application page, specify the following:

    • Name: Display name to identify your Sysdig application. For example, Sysdig Secure.

    • Supported account types: Choose an account type that is appropriate for your deployment. If you choose single-tenant, all user and guest accounts created in your active directory can use Sysdig application and API. If you choose multi-tenant, all users with a work or school account from Microsoft can use Sysdig application and API.

    • Redirect URI: Authenticated Sysdig users are redirected to this URI.

      For Login redirect URIs, enter one of the following values, replacing HOSTNAME with the hostname through which your users access the Sysdig applications and PORT with the TCP port number, typically 443:

      For Sysdig Monitor: https://HOSTNAME:PORT/api/oauth/openid/auth

      For Sysdig Secure: https://HOSTNAME:PORT/api/oauth/openid/secureAuth

      You can add only a single redirect URL on this page. Use the Authentication page associated with your application to add additional redirect URIs.

  5. Click Register.

  6. Add additional redirect URIs.

    1. Select your application from App registration.

    2. Click Authentication from the left navigation.

    3. Add the redirect URIs corresponding to Monitor and Secure.

  7. Create a Secret for the Sysdig application.

    It is a string that the Sysdig application uses to prove its identity when requesting a token.

    1. Click Certificates & secrets.

    2. Under Client Secrets, click New client secret.

    3. Enter a description that identifies the secret and choose an expiration period.

    4. Click Add.

    5. Copy the client secret. You will need the client secret while configuring OpenID Connect SSO on the Sysdig application.

  8. Copy the Client ID and OpenID Connect endpoints corresponding to the application that you have created.

    1. Select your application from App registration.

    2. Copy the Application (client) ID.

      You will need the client ID while configuring OpenID Connect SSO on the Sysdig application.

    3. Click Endpoints.

    4. Copy the OpenID Connect metadata document and open it in a browser.

    5. Copy the OpenID Connect URI (Issuer URI).

      For example, https://login.microsoftonline.com/5a4b56fc-dceb-4a64-94ff-21e08e5892f5/v2.0

Configure Sysdig Settings

To enable Azure OpenID functionality on the Sysdig application, you need the following:

  • Client ID

  • Client Secret

  • Issuer URL.

See OpenID Connect (On-Prem) to learn how to complete your configuration.