Okta (OpenID On-Prem)
Prerequisites
Sysdig
- Review OpenID Connect (On-Prem).
Okta
Review the Prerequisites.
Get administrative privileges.
Configure an OIDC - OpenID Connect Web application separately for each Sysdig product: Sysdig Monitor and Sysdig Secure.
For more information, see Setting Up an OpenID Connect Application in Okta.
The topics below call out specific instructions that require additional action.
Configure Okta
This topic describes the minimal configuration options in Okta. You may need to adjust them based on the specifics of your environment.
General Settings
Specify the application name, and optionally, add a logo.
If you don’t intend to configure the IdP-initiated login flow, select Do not display application icon to users and Do not display application icon in the Okta Mobile app.
Login
For Sign-in redirect URI, enter one of the following values, replacing HOSTNAME with the hostname through which your users access the Sysdig application(s) and PORT with the TCP port number, which is typically 443:
Sysdig Monitor: https://HOSTNAME:PORT/api/oauth/openid/auth
Sysdig Secure: https://HOSTNAME:PORT/api/oauth/openid/secureAuth
This is the callback URL to which Okta sends the authentication response and ID token when a user attempts to log in to Sysdig using SSO.
Parameters Required for Sysdig Configuration
Copy the following OpenID configuration parameters. You need them to complete the configuration in the Sysdig application.
- Client ID: Copy the value from the Client Credentials section on the General tab.
- Client Secrets: Copy the Client Secrets from the General tab.
- Issuer URL: Copy the value from the OpenID Connect ID Token section on the Sign On tab.
Configure Sysdig Settings
To enable Okta OpenID functionality on the Sysdig application, specify the following:
Configuration | Description |
---|---|
Client ID | Specify the value you have copied from the Client Credentials section on the General tab. |
Client Secret | Specify the value you have copied from the Client Secrets section on the General tab. |
Issuer URL | Specify the value you have copied from the OpenID Connect ID Token section on the Sign On tab. |
Base Issuer | The value is your Okta domain name. For example, https://myOktaOrg.okta.com |
Authorization Endpoint | To view the metadata tied to your Okta application, including the Authorization Endpoint, use the following endpoint: https://{myOktaOrg}/.well-known/openid-configuration?client_id={ClientId} Replace {myOktaOrg} with your Okta domain name and {ClientId} with the Client ID associated with your Okta web application. |
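
The following Python code is an added example, not part of the Sysdig or Okta documentation. It builds the two Sign-in redirect URIs and the metadata URL described above, then checks a discovery document against the Issuer URL and Base Issuer you plan to enter in Sysdig. The function names, the host `sysdig.example.com`, the client ID placeholder, and the sample metadata are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Callback paths from the "Login" section of this page.
CALLBACK_PATHS = {
    "monitor": "/api/oauth/openid/auth",
    "secure": "/api/oauth/openid/secureAuth",
}


def redirect_uri(product, hostname, port=443):
    """Build the Sign-in redirect URI to register in Okta for one product."""
    return f"https://{hostname}:{port}{CALLBACK_PATHS[product]}"


def discovery_url(okta_domain, client_id):
    """Metadata URL in the form given in the Authorization Endpoint row."""
    return f"https://{okta_domain}/.well-known/openid-configuration?client_id={client_id}"


def check_settings(metadata, issuer_url, base_issuer):
    """Return a list of mismatches between Okta metadata and the Sysdig values."""
    problems = []
    # OIDC Discovery requires the advertised issuer to equal the configured one exactly,
    # so a stray trailing slash in the Issuer URL is reported here.
    if metadata.get("issuer") != issuer_url:
        problems.append(f"issuer mismatch: {metadata.get('issuer')!r} != {issuer_url!r}")
    auth = urlsplit(metadata.get("authorization_endpoint", ""))
    base = urlsplit(base_issuer)
    if auth.scheme != "https":
        problems.append("authorization_endpoint is not https")
    if auth.netloc.lower() != base.netloc.lower():
        problems.append(f"authorization_endpoint host {auth.netloc!r} is not {base.netloc!r}")
    return problems


# Constructed sample of a discovery document (not captured from a real Okta org).
SAMPLE_METADATA = {
    "issuer": "https://myOktaOrg.okta.com",
    "authorization_endpoint": "https://myOktaOrg.okta.com/oauth2/v1/authorize",
}

if __name__ == "__main__":
    print(redirect_uri("monitor", "sysdig.example.com"))
    print(redirect_uri("secure", "sysdig.example.com"))
    print(discovery_url("myOktaOrg.okta.com", "CLIENT_ID_PLACEHOLDER"))
    print(check_settings(SAMPLE_METADATA, "https://myOktaOrg.okta.com", "https://myOktaOrg.okta.com"))
```

To check a real application, replace `SAMPLE_METADATA` with the JSON returned by the metadata URL for your Okta domain and Client ID.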