OpenID Connect (OIDC) is an identity layer built on the OAuth 2.0 authorization protocol that uses security tokens (ID tokens) for single sign-on. Azure Active Directory provides an implementation of the OIDC protocol, and Sysdig supports it for single sign-on and API access to the Sysdig application.
Enabling Azure OpenID Connect for single sign-on to the Sysdig applications requires configuration in Azure Active Directory as well as on the Sysdig application.
Prerequisites
Administrator privileges on both Sysdig and Azure Active Directory (AD).
Configuring Sysdig Application in Azure AD
1. Log in to the Azure AD portal.
2. Select your Azure Active Directory service or create a new one.
3. Click App registration > New registration.
4. On the Register an application page, specify the following:
   - Name: A display name that identifies your Sysdig application, for example Sysdig Secure.
   - Supported account types: Choose the account type that is appropriate for your deployment. With single-tenant, all user and guest accounts created in your Active Directory can use the Sysdig application and API. With multi-tenant, any user with a Microsoft work or school account can use the Sysdig application and API.
   - Redirect URI: The URI to which authenticated Sysdig users are redirected. Enter one of the following values, replacing HOSTNAME with the hostname through which your users access the Sysdig applications and PORT with the TCP port number, typically 443:
     For Sysdig Monitor: https://HOSTNAME:PORT/api/oauth/openid/auth
     For Sysdig Secure: https://HOSTNAME:PORT/api/oauth/openid/secureAuth
     You can add only a single redirect URI on this page. Use the Authentication page of your application to add further redirect URIs.
5. Add any additional redirect URIs on the Authentication page.
6. Create a Secret (client secret) for the Sysdig application. It is a string that the Sysdig application uses to prove its identity when requesting a token.
7. Copy the Client ID and the OpenID Connect endpoints of the application you created:
   - Select your application from App registration.
   - Copy the Application (client) ID. You will need it when configuring OpenID Connect SSO on the Sysdig application.
   - Copy the OpenID Connect metadata document URL and open it in a browser.
   - Copy the OpenID Connect URI (Issuer URI) from the metadata document, for example https://login.microsoftonline.com/5a4b56fc-dceb-4a64-94ff-21e08e5892f5/v2.0
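A consistency check over the values gathered in the steps above, added here as example code that is not part of the Sysdig or Microsoft documentation: it builds the Sysdig redirect URIs from HOSTNAME and PORT, compares them with the URIs registered in Azure AD, and checks the discovery metadata against the configured Issuer URI. The function names, the all-zero tenant ID and the hostname sysdig.example.com are assumptions; fetch_metadata is the only part that needs network access.

```python
import json
from urllib.parse import urlparse
from urllib.request import urlopen

AZURE_ISSUER_PREFIX = "https://login.microsoftonline.com/"

def sysdig_redirect_uris(hostname: str, port: int = 443) -> dict:
    """Redirect URIs Sysdig expects, with HOSTNAME and PORT substituted."""
    base = f"https://{hostname}:{port}/api/oauth/openid"
    return {"monitor": f"{base}/auth", "secure": f"{base}/secureAuth"}

def fetch_metadata(issuer: str) -> dict:
    """Download the issuer's OIDC discovery document (needs network access)."""
    with urlopen(f"{issuer.rstrip('/')}/.well-known/openid-configuration") as resp:
        return json.load(resp)

def check_setup(issuer, metadata, hostname, port, registered_redirects) -> list:
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    # Assumption: an Azure AD v2.0 issuer URI, as in the page's example.
    if not (issuer.startswith(AZURE_ISSUER_PREFIX) and issuer.endswith("/v2.0")):
        findings.append("issuer is not an Azure AD v2.0 issuer URI")
    # ID tokens carry the metadata 'issuer'; it must equal the configured value.
    if metadata.get("issuer") != issuer:
        findings.append("metadata 'issuer' does not match the configured issuer URI")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(metadata.get(key, "")).startswith("https://"):
            findings.append(f"metadata lacks an https {key}")
    for name, uri in sysdig_redirect_uris(hostname, port).items():
        if uri not in registered_redirects:
            findings.append(f"{name} redirect URI {uri} is not registered in Azure AD")
    for uri in registered_redirects:
        if urlparse(uri).scheme != "https":
            findings.append(f"registered redirect URI {uri} is not https")
    return findings

# Constructed sample: the tenant ID, hostname and endpoints are placeholders.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_ISSUER = f"{AZURE_ISSUER_PREFIX}{TENANT}/v2.0"
SAMPLE_METADATA = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": f"{AZURE_ISSUER_PREFIX}{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"{AZURE_ISSUER_PREFIX}{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"{AZURE_ISSUER_PREFIX}{TENANT}/discovery/v2.0/keys",
}
# Monitor URI registered correctly; the Secure URI was registered over plain http.
SAMPLE_REGISTERED = [sysdig_redirect_uris("sysdig.example.com")["monitor"],
                     "http://sysdig.example.com:443/api/oauth/openid/secureAuth"]

if __name__ == "__main__":
    for f in check_setup(SAMPLE_ISSUER, SAMPLE_METADATA, "sysdig.example.com", 443, SAMPLE_REGISTERED):
        print("FAIL:", f)
```

Run against a live tenant by replacing SAMPLE_METADATA with fetch_metadata(issuer) and SAMPLE_REGISTERED with the redirect URIs shown on the application's Authentication page.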
Configure Sysdig Settings
To enable Azure OpenID functionality on the Sysdig application, you need the following:
See OpenID Connect (On-Prem) to learn how to complete your configuration.