Okta (SAML On-Prem)

Sysdig supports SAML authentication via the Identity Provider (IdP) Okta in Sysdig on-prem environments.

Prerequisites

Sysdig

Okta

The topics below call out specific steps that require additional action.

Configure Okta

This topic describes the minimal configuration options in Okta. You may need to adjust them based on the specifics of your environment.

General Settings

Specify the application name, and optionally, add a logo.

If you don’t intend to configure the IdP-initiated login, select Do not display application icon to users and Do not display application icon in the Okta Mobile app.

SAML Settings

Enter the values shown in the table below, replacing HOSTNAME with the hostname through which your users access the Sysdig applications and PORT with the TCP port number, which is typically 443.

Replace CUSTOMER-ID-NUMBER with the number retrieved as described in Find Your Customer Number. Normally the Customer ID will be 1 in on-prem installations.

Setting: Single sign-on URL
  Value for Sysdig Monitor: https://HOSTNAME:PORT/api/saml/auth
  Value for Sysdig Secure:  https://HOSTNAME:PORT/api/saml/secureAuth

Setting: Audience URI (SP Entity ID)
  Value for Sysdig Monitor: https://HOSTNAME:PORT/api/saml/metadata
  Value for Sysdig Secure:  https://HOSTNAME:PORT/api/saml/metadata

Setting: Default Relay State (this field is optional; specify it only if you wish to configure the IdP-initiated login method)
  Value for Sysdig Monitor: #/&customer=CUSTOMER-ID-NUMBER
  Value for Sysdig Secure:  #/&customer=CUSTOMER-ID-NUMBER

You must include the port number in the IDP-side configuration even though port 443 is the typical default for https:// URLs.
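The values above follow a few fixed rules: the https scheme, an explicit port even when it is 443, the fixed /api/saml paths per product, and the #/&customer=N relay-state form. The following is an added example, not Sysdig or Okta code, that builds the expected values from HOSTNAME, PORT and CUSTOMER-ID-NUMBER and checks values pasted into Okta against those rules; the product names "monitor" and "secure" and the function names are assumptions of this example.

```python
"""Build and check the SP-side values entered in Okta for Sysdig on-prem.

Added example, not Sysdig or Okta code. Encodes the rules stated on the page:
https, explicit port (even 443), the fixed /api/saml paths, relay-state format.
"""
import re
from urllib.parse import urlparse

# Paths per product, as given in the settings table (names "monitor"/"secure" are this example's).
PATHS = {
    "monitor": {"sso": "/api/saml/auth", "audience": "/api/saml/metadata"},
    "secure": {"sso": "/api/saml/secureAuth", "audience": "/api/saml/metadata"},
}
RELAY_STATE_RE = re.compile(r"^#/&customer=\d+$")
SSO_KEY = "Single sign-on URL"
AUDIENCE_KEY = "Audience URI (SP Entity ID)"
RELAY_KEY = "Default Relay State"


def expected_settings(hostname: str, port: int, customer_id: int, product: str) -> dict[str, str]:
    """Return the three Okta SAML settings for one Sysdig product, port always explicit."""
    base = f"https://{hostname}:{port}"
    paths = PATHS[product]
    return {
        SSO_KEY: base + paths["sso"],
        AUDIENCE_KEY: base + paths["audience"],
        RELAY_KEY: f"#/&customer={customer_id}",
    }


def check_settings(entered: dict[str, str], product: str) -> list[str]:
    """Return a list of problems with values as typed into Okta; empty means OK."""
    problems: list[str] = []
    for key, path_kind in ((SSO_KEY, "sso"), (AUDIENCE_KEY, "audience")):
        url = entered.get(key, "")
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{key}: scheme must be https, got {parsed.scheme!r}")
        if parsed.port is None:
            # The page requires the port in the IdP-side config even when it is the 443 default.
            problems.append(f"{key}: port must be explicit even when it is 443 ({url!r})")
        want = PATHS[product][path_kind]
        if parsed.path != want:
            problems.append(f"{key}: path must be {want}, got {parsed.path!r}")
    relay = entered.get(RELAY_KEY, "")
    # Relay state is optional; only validate it when something was entered.
    if relay and not RELAY_STATE_RE.match(relay):
        problems.append(f"{RELAY_KEY}: expected the form #/&customer=<number>, got {relay!r}")
    return problems


if __name__ == "__main__":
    # Constructed hostname for illustration only.
    for product in PATHS:
        settings = expected_settings("sysdig.example.internal", 443, 1, product)
        print(product, settings, check_settings(settings, product))
```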

Attribute Statements (Optional)

Specify the following:

  • Name
  • Name Values

Instead of the values shown in the Okta example, add the values:

Name        Value
email       user.email
first name  user.firstName
last name   user.lastName

Note that the attributes are case-sensitive, so use caution when entering them.

Only email is required as the attribute. However, we recommend including first and last names for these values to be included in the records created in the Sysdig database when new users successfully log in via SAML for the first time.

SAML Metadata URL

Copy the Metadata URL. You will use it while configuring Sysdig.

Test Metadata (Optional)

To ensure the metadata URL you copy at the end of the IDP configuration procedure is correct, you can test it by directly accessing it via your browser.

When accessing the URL, your browser should immediately download an XML file that begins similarly to the example shown below. No entry of credentials or other security measures should be required to successfully download it. If this is not the case, revisit the IDP configuration.

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkd7ltpz8HOv6Rkf5d7">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>xyz</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://domain.okta.com/app/domain_sysdigsecure/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://domain.okta.com/app/domain_sysdigsecure/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
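Eyeballing the downloaded XML catches the obvious failures (a login page instead of XML), but the parts Sysdig actually depends on are easy to miss: an IDPSSODescriptor rather than SP metadata, a signing certificate it can verify assertions with, and HTTPS SingleSignOnService endpoints. The following is an added example, not Sysdig or Okta code, that fetches the metadata anonymously (refusing any redirect, since a redirect usually means a login page) and checks those elements. The constructed sample metadata and its placeholder certificate are this example's own; the function names are assumptions.

```python
"""Sanity-check Okta SAML IdP metadata before entering its URL in Sysdig.

Added example, not Sysdig or Okta code. Assumes the metadata URL is reachable
without credentials and that the document follows the SAML 2.0 metadata schema.
"""
import base64
import binascii
import sys
import urllib.request
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NS = {"md": MD, "ds": DS}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """A metadata URL must serve XML directly; a redirect usually means a login page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise RuntimeError(f"metadata URL redirected to {newurl}; it must be anonymous")


def fetch_metadata(url: str, timeout: float = 10.0) -> bytes:
    """Download the metadata with no credentials and no redirects, as the page requires."""
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(url, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "")
        if "xml" not in ctype:
            raise RuntimeError(f"expected an XML document, got Content-Type {ctype!r}")
        return resp.read()


def check_idp_metadata(doc: bytes) -> list[str]:
    """Return a list of problems; an empty list means the metadata looks usable by Sysdig."""
    problems: list[str] = []
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    if not root.get("entityID"):
        problems.append("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no md:IDPSSODescriptor (this may be SP metadata, not IdP metadata)"]
    # Sysdig verifies assertion signatures with this key, so a signing certificate is mandatory.
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not certs:
        problems.append("no signing certificate (KeyDescriptor use='signing')")
    for cert in certs:
        try:
            # Only base64 validity is checked here; parsing the DER and checking expiry
            # would need a library such as cryptography (not assumed to be installed).
            if not base64.b64decode((cert.text or "").strip(), validate=True):
                raise binascii.Error("empty certificate")
        except binascii.Error:
            problems.append("signing certificate is not valid base64")
    bindings = {s.get("Binding"): s.get("Location", "") for s in idp.findall("md:SingleSignOnService", NS)}
    if not bindings.keys() & {HTTP_POST, HTTP_REDIRECT}:
        problems.append("no SingleSignOnService with HTTP-POST or HTTP-Redirect binding")
    for binding, loc in bindings.items():
        if not loc.startswith("https://"):
            problems.append(f"SSO location for {binding} is not https: {loc!r}")
    return problems


# Constructed sample modelled on the excerpt above; not a real tenant or certificate.
SAMPLE_CERT = base64.b64encode(b"placeholder DER bytes, not a real certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS}">
        <ds:X509Data><ds:X509Certificate>{SAMPLE_CERT}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://example.okta.com/app/example_sysdigsecure/sso/saml"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://example.okta.com/app/example_sysdigsecure/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".encode()

if __name__ == "__main__":
    # Usage: python check_metadata.py <metadata-url>; with no argument the constructed sample is checked.
    doc = fetch_metadata(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_METADATA
    found = check_idp_metadata(doc)
    print("OK" if not found else "\n".join(found))
```

Note that the page's own excerpt uses the placeholder xyz for the certificate, which this check rejects as invalid base64; a real Okta download carries the full DER-encoded certificate, which is what you want to see before pointing Sysdig at the URL.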

Configure Sysdig

Open the SAML Connection Settings page and enter the Metadata URL you copied earlier in the Metadata field.