Azure Active Directory (SAML On-Prem)

This topic explains how to configure SAML Single Sign On (SSO) with Azure Active Directory (AD) and helps you configure Sysdig to allow users to access the Sysdig application by using SSO.

Prerequisites

Administrator privileges on Sysdig and Azure.

Configure the Sysdig Application in Azure AD

  1. Log in to the Azure AD portal.

  2. Select Azure Active Directory, then click Enterprise Applications.

    The Enterprise applications - All applications screen is displayed.

  3. Click New Application.

  4. On the Add an Application screen, select Non-gallery application.

  5. Give your application a name, and click Add at the bottom of the page.

  6. On the menu, select Single sign-on.

  7. Choose SAML as the sign-on method.

  8. Edit the Basic SAML Configuration as follows:

    1. In the configuration page, click the edit icon.

    2. Specify the following:

      • Identifier (Entity ID): Uniquely identifies the Sysdig application. Azure AD sends the identifier to the Sysdig application as the audience parameter of the SAML token. Sysdig validates this as part of the SSO process.

        For example, the identifier for Sysdig Monitor for the EU region is https://eu1.app.sysdig.com.

        See SaaS Regions and IP Ranges for the complete list of entity IDs for different regions.

      • Reply URL: Specifies where Sysdig expects to receive the SAML token.

        For example, the reply URL for Sysdig Monitor for the EU region is https://eu1.app.sysdig.com/api/saml/auth.

        See SaaS Regions and IP Ranges for the complete list of reply URLs for different regions.

      • Relay State: Specifies to the application where to redirect the user after authentication is completed. Typically the value is a valid URL for Sysdig. If you are configuring SSO for SaaS, change the relay state to reflect the correct customer number associated with your Sysdig application. For on-prem installations, the customer number is always 1.

        The format is:

        #/&customer=1234
        
      • Sign on URL: The sign-in page for the Sysdig application, used for service-provider-initiated SSO. Leave it blank if you want to perform identity-provider-initiated SSO.

      For more information on configuration parameters, see Configure SAML-based single sign-on to non-gallery applications.

Sysdig-Specific Steps for Active Directory Configuration

  1. Under SAML Signing Certificate, copy the App Federation Metadata URL.

  2. Log in to your Sysdig instance as an admin.

    For on-prem deployments, log in as the super admin.

  3. Navigate to Settings > Authentication, and select SAML under Connection Settings.

  4. Enter the following:

    • Metadata: Enter the App Federation Metadata URL you copied.

    • Email Parameter: Set the value to emailaddress.

      Azure AD claims are:

      saml = AD
      givenname = user.givenname
      surname = user.surname
      emailaddress = user.mail
      name = user.userprincipalname
      Unique User Identifier = user.userprincipalname
      

      In the Sysdig application, set the Email Parameter to emailaddress, which is the attribute Azure AD sends to Sysdig in the SAML assertion. Alternatively, you can modify Azure AD to send another attribute.

  5. Click Save.

  6. Select SAML from the Enable Single Sign On drop-down.
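
To confirm that the values configured above line up (Identifier as the assertion audience, Reply URL as the recipient, and the Email Parameter as an attribute name), the following added example, which is not Sysdig or Microsoft code, checks a decoded SAML assertion against them. The sample assertion is constructed, the function name check_assertion is hypothetical, matching a namespaced attribute name by its last path segment is an assumption, and the script does not verify the assertion signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values from this page: Sysdig Monitor, EU region, and the Email Parameter setting.
ENTITY_ID = "https://eu1.app.sysdig.com"
REPLY_URL = "https://eu1.app.sysdig.com/api/saml/auth"
EMAIL_PARAM = "emailaddress"

# Constructed sample assertion (not captured from a real tenant).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://eu1.app.sysdig.com/api/saml/auth"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://eu1.app.sysdig.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, entity_id=ENTITY_ID, reply_url=REPLY_URL, email_param=EMAIL_PARAM):
    """Return a list of configuration mismatches; an empty list means the settings line up."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        problems.append(f"audience {audiences} does not include Identifier {entity_id}")
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if reply_url not in recipients:
        problems.append(f"recipient {recipients} does not match Reply URL {reply_url}")
    # Assumption: the claim may arrive under its short name or a namespaced URI ending in it.
    emails = [v.text for attr in root.iterfind(".//saml:Attribute", NS)
              if attr.get("Name", "").split("/")[-1] == email_param
              for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    if not emails:
        problems.append(f"no '{email_param}' attribute with a value in the assertion")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE) or "assertion matches the configured values")
```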

Create a User in Azure Active Directory Domain

  1. Log in to the Azure AD portal.

  2. Click Azure Active Directory, and note down the domain name.

  3. Select Azure Active Directory, then Users.

    The Users - All Users screen is displayed.

  4. Select New Users.

    You can either create a new user or invite an existing AD user.

  5. Enter name, username, and other details, then click Create.

  6. In the Profile page, add the Email and Alternate Email parameters. The values can match

Assign the User to the Sysdig Application

  1. Navigate to the Sysdig application.

  2. Click Users and Groups, then click the Add user button.

  3. Select the Users and Groups checkbox, then choose the newly created user to add to the application.

  4. Click Select, then Assign at the bottom of the screen.

Enable Authentication Settings in the Sysdig Instance

Ensure that Flag to enable/disable create user on login is enabled. Typically this setting is enabled by default.

If you are using both Sysdig Monitor and Secure, ensure that the user accounts are created on both products. A user that is created on only one Sysdig application will not be able to log in to the other by using SAML SSO.

If you are on Sysdig Platform versions 2.4.1 or prior, contact Sysdig Support to help with user creation.

(Optional) Configure Sysdig as a New Application

If Azure Active Directory does not allow you to create Sysdig as a Non-gallery application, perform the following:

  1. In Azure AD, click Enterprise Applications > New Application.

  2. Select Application you’re developing.

    You will be taken to the app registration page.

  3. Select New Registration.

  4. Provide a name for the application you are registering.

  5. Enter the redirect URI.

    For example, the redirect URI for Sysdig Monitor for the EU region is https://eu1.app.sysdig.com/api/saml/auth. See SaaS Regions and IP Ranges for the redirect URLs for other regions.

  6. Click Register to complete the registration.

  7. In the Overview tab, click Add an Application ID URI.

  8. Click Add a scope.

  9. Add the application ID URI as follows:

    https://<your_sysdig_url>:443
    

    Replace <your_sysdig_url> with the URL appropriate to your application and region. See SaaS Regions and IP Ranges for more information.

  10. In the Overview tab, click Endpoints, and copy the Federation Metadata URL.

  11. Log in to Sysdig, navigate to SAML Authentication screen, and enter the Federation Metadata URL.

    You will still need to ensure that the create user on login option is enabled.

  12. Save the settings.