LDAP/SAML Hybrid Authentication

This is an advanced option wherein LDAP Mapping is used to trigger the creation of user records in Sysdig, but authentication of those users is actually performed via SAML (with LDAP-based authentication disabled). In this configuration, if a user successfully authenticates via SAML, and the platform finds a user record with a matching email address in the Sysdig platform, they will be permitted to log in.

The process involves:

  1. Enable SAML login and disable automatic user creation via SAML.

  2. Enable LDAP user creation using LDAP mapping, but use the _hybrid JSON configuration file rather than the _simple one.

  3. (Optional) Disable user creation via API.

  4. (Optional) Disable simple password login, to ensure SAML SSO is always used.

  5. Ensure SAML has been enabled in the UI as the chosen authentication method.

Enable SAML Log In

  1. Follow the instructions for SAML (On-Prem) configuration for your IdP. Use the UI in Sysdig Platform version 3.5.0, or the script-based option for earlier versions.

  2. To ensure that user records are created solely via LDAP mapping, disable user-creation-on-demand and (optionally) password authentication.

    1. UI-based option: Use the toggles in the UI to disable "create user on login" and "user name and password login."

    2. Script-based option: Use the -n option of the saml_config.sh script, as described in the Optional: Auto-creation of user records section.

  3. User experience:

    With this configuration, if a user successfully logs in via SAML but does not have an existing username/email record in the Sysdig database, they will receive an error message.


Enable LDAP User Creation using LDAP Mapping

  1. Configure the settings_mapping_hybrid.json file following the parameters and descriptions in Configure settings_mapping_simple.json.

    The only difference between the _simple and the _hybrid files is the userAttributeName value. In _hybrid, this is set to email, because SAML-derived usernames in the Sysdig platform are always based on the email address.

  2. Apply the settings using the mapping_config.sh script:

    mapping_config.sh -s settings_mapping_hybrid.json

    See also: Options for Applying mapping_config.sh.

Optional: Disable User-Creation via API

If you want to ensure your user records are derived only from LDAP hybrid mapping, then use the -d option with the api_user_creation.sh script, as described in the Readme.

Optional: Disable Password Login

You may have pre-existing records in your Sysdig platform database for users who have previously authenticated via simple email/password. If you want to prevent such logins and ensure 100% authentication via SAML, you can disable password login.

In this configuration, only the "super" Admin can still log in via email/password.

See Disable Password Authentication.
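The login rules this page describes (a SAML login succeeds only when an LDAP-mapped record with a matching email already exists, and password login is refused for everyone except the super Admin once it is disabled) can be modelled as a small decision function. The following is an added illustration, not Sysdig's own code: the user store, the flag names, the super-admin marker and the case-insensitive email comparison are assumptions chosen for the example.

```python
"""Model of the login decision in the LDAP/SAML hybrid setup (illustration only)."""
from dataclasses import dataclass, field


@dataclass
class HybridConfig:
    saml_create_user_on_login: bool = False       # disabled in the hybrid setup
    password_login_enabled: bool = False          # optionally disabled
    super_admin_email: str = "admin@example.com"  # assumed marker for the "super" Admin


@dataclass
class UserStore:
    # Constructed sample: records created by LDAP mapping, keyed by email
    emails: set = field(default_factory=set)


def normalize(email: str) -> str:
    # Assumption: the email match is case-insensitive and ignores surrounding whitespace
    return email.strip().lower()


def decide_login(method: str, email: str, store: UserStore, cfg: HybridConfig) -> tuple:
    """Return (allowed, reason) for a login attempt whose IdP or password check
    already succeeded. `method` is "saml" or "password"."""
    email = normalize(email)
    known = email in {normalize(e) for e in store.emails}
    if method == "saml":
        if known:
            return True, "saml: matching LDAP-mapped record found"
        if cfg.saml_create_user_on_login:
            return True, "saml: record created on login"
        # This is the error case the page describes for users without a record
        return False, "saml: no existing record and create-on-login disabled"
    if method == "password":
        if cfg.password_login_enabled or email == normalize(cfg.super_admin_email):
            return True, "password: permitted"
        return False, "password: login disabled, SSO required"
    return False, "unknown method %r" % method


if __name__ == "__main__":
    store = UserStore(emails={"alice@example.com", "Bob@Example.com"})
    cfg = HybridConfig()
    for method, who in [("saml", "alice@example.com"), ("saml", "carol@example.com"),
                        ("password", "bob@example.com"), ("password", "admin@example.com")]:
        print(method, who, decide_login(method, who, store, cfg))
```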

Ensure SAML is Enabled in the UI

When all configurations are complete, log in to the Settings in the Sysdig user interface and select SAML for SSO, if it is not already selected.