Okta (OpenID On-Prem)

This section provides instructions to configure Okta as an OpenID Connect (OIDC) authentication mechanism in Sysdig on-prem environments.

Prerequisites

Sysdig

Okta

The topics below call out specific instructions that require additional action.

Configure Okta

This topic describes the minimal configuration options in Okta. You may need to adjust them based on the specifics of your environment.

General Settings

Specify the application name, and optionally, add a logo.

If you don’t intend to configure the IdP-initiated login flow, select Do not display application icon to users and Do not display application icon in the Okta Mobile app.

Login

For Sign-in redirect URI enter one of the following values, replacing HOSTNAME with the hostname through which your users access the Sysdig application(s) and PORT with the TCP port number, which is typically 443:

Sysdig Monitor: https://HOSTNAME:PORT/api/oauth/openid/auth

Sysdig Secure: https://HOSTNAME:PORT/api/oauth/openid/secureAuth

This is the callback URL to which Okta sends the authentication response and ID token when a user attempts to log in to Sysdig using SSO.

Parameters Required for Sysdig Configuration

Copy the following OpenID configuration parameters. You need them to complete the configuration in the Sysdig application.

  • Client ID: Copy the value from the Client Credentials section on the General tab.
  • Client Secrets: Copy the Client Secrets from the General tab.
  • Issuer URL: Copy the value from the OpenID Connect ID Token section on the Sign On tab.

Configure Sysdig Settings

To enable Okta OpenID functionality on the Sysdig application, specify the following:

  • Client ID: Specify the value you have copied from the Client Credentials section on the General tab.
  • Client Secret: Specify the value you have copied from the Client Secrets section on the General tab.
  • Issuer URL: Specify the value you have copied from the OpenID Connect ID Token section on the Sign On tab.
  • Base Issuer: The value is your Okta domain name. For example, https://myOktaOrg.okta.com
  • Authorization Endpoint: To view the metadata tied to your Okta application, including the Authorization Endpoint, use the following endpoint:
    https://{myOktaOrg}/.well-known/openid-configuration?client_id={ClientId}
    Replace {myOktaOrg} with your Okta domain name and {ClientId} with the Client ID associated with your Okta web application.
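The following script is an added example, not Sysdig or Okta code. It builds the two Sysdig Sign-in redirect URIs from the Login section above, builds the Okta discovery URL from the Authorization Endpoint row, and sanity-checks a discovery document before its endpoints are pasted into the Sysdig settings: the document's issuer must equal the Base Issuer, every endpoint must be HTTPS on the issuer's host, and the authorization code flow must be offered. The hostnames, client ID and the discovery document are constructed placeholders; the function and variable names are the example's own.

```python
"""Check an OpenID Connect discovery document and build Sysdig callback URIs.

Added example; not Sysdig or Okta code. Hostnames, the client ID and the
sample discovery document are constructed placeholders.
"""
import json
from urllib.parse import urlparse

# Sysdig callback paths from the Okta "Login" step of this page.
SYSDIG_CALLBACK_PATHS = {
    "monitor": "/api/oauth/openid/auth",
    "secure": "/api/oauth/openid/secureAuth",
}

# Fields the Sysdig configuration depends on (issuer and authorization
# endpoint are entered directly; token endpoint and JWKS are used to
# exchange the code and verify the ID token signature).
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def sysdig_redirect_uri(hostname, port, product):
    """Sign-in redirect URI to register in Okta for one Sysdig product."""
    return f"https://{hostname}:{port}{SYSDIG_CALLBACK_PATHS[product]}"


def discovery_url(okta_domain, client_id):
    """Okta metadata URL for the org authorization server, scoped to one app."""
    return f"https://{okta_domain}/.well-known/openid-configuration?client_id={client_id}"


def validate_discovery(doc, expected_issuer):
    """Return a list of problems found in a discovery document (empty means OK)."""
    problems = [f"missing {key}" for key in REQUIRED_KEYS if key not in doc]
    if problems:
        return problems

    # The issuer in the document must match the Base Issuer configured on the
    # client; otherwise tokens from a different issuer could be accepted.
    if doc["issuer"].rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: {doc['issuer']} != {expected_issuer}")

    issuer_host = urlparse(doc["issuer"]).hostname
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = urlparse(doc[key])
        if url.scheme != "https":
            problems.append(f"{key} is not https")
        if url.hostname != issuer_host:
            problems.append(f"{key} host {url.hostname} differs from issuer host {issuer_host}")

    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported")
    return problems


def sample_discovery_doc():
    """Constructed discovery document shaped like Okta's, for offline use."""
    return json.loads("""{
      "issuer": "https://myoktaorg.okta.com",
      "authorization_endpoint": "https://myoktaorg.okta.com/oauth2/v1/authorize",
      "token_endpoint": "https://myoktaorg.okta.com/oauth2/v1/token",
      "jwks_uri": "https://myoktaorg.okta.com/oauth2/v1/keys",
      "response_types_supported": ["code", "id_token", "code id_token"]
    }""")


if __name__ == "__main__":
    for product in ("monitor", "secure"):
        print(product, sysdig_redirect_uri("sysdig.example.internal", 443, product))
    print(discovery_url("myoktaorg.okta.com", "EXAMPLE_CLIENT_ID"))
    doc = sample_discovery_doc()
    print("problems:", validate_discovery(doc, "https://myoktaorg.okta.com"))
    print("authorization endpoint to enter in Sysdig:", doc["authorization_endpoint"])
```

Run it once against the document fetched from your own discovery URL (for example with `curl -s` redirected to a file and loaded with `json.load`) and only carry the `authorization_endpoint` value into Sysdig when the problems list is empty.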