Okta (SAML On-Prem)
Prerequisites
Sysdig
- Review SAML (On-Prem).
Okta
Review the Prerequisites.
Configure a SAML application separately for each Sysdig product: Sysdig Monitor and Sysdig Secure.
For more information, see Setting Up a SAML Application in Okta.
The topics below call out specific steps that require additional action.
Configure Okta
This topic describes the minimal configuration options in Okta. You may need to adjust them based on the specifics of your environment.
General Settings
Specify the application name, and optionally, add a logo.
If you don’t intend to configure the IdP-initiated login, select Do not display application icon to users and Do not display application icon in the Okta Mobile app.
SAML Settings
Enter the values shown in the table below, replacing HOSTNAME with the hostname through which your users access the Sysdig applications and PORT with the TCP port number, which is typically 443. Replace CUSTOMER-ID-NUMBER with the number retrieved as described in Find Your Customer Number. Normally the Customer ID will be 1 in on-prem installations.
Setting | Value for Sysdig Monitor | Value for Sysdig Secure
---|---|---
Single sign-on URL | |
Audience URI (SP Entity ID) | |
Default Relay State (optional; specify this value only if you wish to configure the IdP-initiated login method) | |
You must include the port number in the IDP-side configuration even though port 443 is the typical default for https:// URLs.
Attribute Statements (Optional)
Specify the following:
- Name
- Value
Instead of the values shown in the Okta example, add the values:
Name | Value |
---|---|
email | user.email |
first name | user.firstName |
last name | user.lastName |
Note that the attributes are case-sensitive, so use caution when entering them.
Only email is required. However, we recommend also including first and last names, so that these values are stored in the records Sysdig creates when a new user logs in via SAML for the first time.
SAML Metadata URL
Copy the Metadata URL. You will use it while configuring Sysdig.
Test Metadata (Optional)
To ensure the metadata URL you copy at the end of the IDP configuration procedure is correct, you can test it by directly accessing it via your browser.
When accessing the URL, your browser should immediately download an XML file that begins similarly to the example shown below. No entry of credentials or other security measures should be required to successfully download it. If this is not the case, revisit the IDP configuration.
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkd7ltpz8HOv6Rkf5d7">
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>xyz</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://domain.okta.com/app/domain_sysdigsecure/sso/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://domain.okta.com/app/domain_sysdigsecure/sso/saml"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
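To automate the browser test described above, here is an added Python example (not Sysdig's or Okta's own code) that fetches the metadata URL with no credentials and verifies it carries what the service provider relies on: an IDPSSODescriptor, a signing certificate and an https SSO endpoint. The embedded sample metadata is constructed from the snippet above with placeholder values, and fetch_metadata is a hypothetical helper.

```python
import urllib.request
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample modelled on the metadata snippet above; app id and certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/PLACEHOLDER-APP-ID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>xyz</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://domain.okta.com/app/domain_sysdigsecure/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://domain.okta.com/app/domain_sysdigsecure/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fetch_metadata(url, timeout=10):
    """Hypothetical helper: download the metadata URL as the browser test does, with no credentials or session."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def check_idp_metadata(xml_text):
    """Parse IdP metadata and report what the SP needs from it; 'problems' is empty when it looks usable."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"problems": [f"not well-formed XML (a login page instead of metadata?): {exc}"]}
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return {"problems": [f"root element is <{root.tag}>, expected md:EntityDescriptor"]}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"problems": ["no md:IDPSSODescriptor: this is not identity-provider metadata"]}
    # The signing certificate is what the SP uses to verify assertion signatures.
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not certs:
        problems.append("no signing certificate: SAML responses could not be verified")
    # At least one SSO endpoint is needed, keyed here by its binding name, and it must be served over TLS.
    sso = {s.get("Binding", "").rsplit(":", 1)[-1]: s.get("Location", "")
           for s in idp.findall("md:SingleSignOnService", NS)}
    if not sso: problems.append("no md:SingleSignOnService endpoint")
    for binding, location in sso.items():
        if not location.startswith("https://"):
            problems.append(f"{binding} SSO endpoint is not https: {location}")
    return {"entity_id": root.get("entityID"), "signing_certs": len(certs), "sso": sso,
            "nameid_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)], "problems": problems}
```

A metadata URL that redirects to an Okta sign-in page yields HTML, which fails the first two checks; that is the "revisit the IDP configuration" case from the text.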
Configure Sysdig
Open the SAML Connection Settings page and enter the Metadata URL you have copied earlier in the Metadata field.