OpenID Connect (SaaS)

Note

This guide is specific to cloud-based (SaaS) Sysdig environments. If you are configuring an On-Premises Sysdig environment, refer to OpenID Connect (On-Prem) instead.

OpenID support in the Sysdig platform allows authentication via your choice of Identity Provider (IdP). This section describes how to integrate and enable OpenID Connect with both Sysdig Monitor and Sysdig Secure.

Overview

Summary of OpenID Functionality in Sysdig

The Sysdig platform ordinarily maintains its own user database to hold a username and password hash. OpenID instead allows for redirection to your organization's IdP to validate username/password and other policies necessary to grant access to Sysdig application(s). Upon successful authentication via OpenID, a corresponding user record in the Sysdig platform’s user database is automatically created, though the password that was sent to the IdP is never seen nor stored by the Sysdig platform.

Basic Enablement Workflow

1. Know which IdP your company uses and will be configuring.

  The listed OpenID Providers are those for which Sysdig has performed detailed interoperability testing and confirmed how to integrate using their standard docs. If your OpenID Provider is not listed (including providers that do not support OpenID Connect Discovery), it may still work with the Sysdig platform. Contact Sysdig Support for help.

2. Decide the login flow you want users to experience. There are three options:

  • Click the OpenID button and enter a company name: from app.sysdigcloud.com or secure.sysdig.com, users are taken to a page where they enter the company name.

  • Type or bookmark a URL in a browser: contact Sysdig for the Company Name associated with your account.

  • Log in from an IdP interface: the individual IdP integration pages describe how to add Sysdig to the IdP interface. You will need your Company Name on hand.

3. Perform the configuration steps in your IdP interface and collect the resulting config attributes.

  Collect the metadata URL (or XML) and test it.

  If you intend to configure an IdP-initiated login flow, you also need the redirect URLs:

    See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, the domain URLs of Monitor and Secure for US East are:

    • Monitor: https://app.sysdigcloud.com/api/oauth/openid/auth

    • Secure: https://secure.sysdig.com/api/oauth/openid/secureAuth

    For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor in the EU you use https://eu1.app.sysdig.com/api/oauth/openid/auth.

4 a. Log in to Sysdig Monitor or Sysdig Secure and configure authentication.

4 b. Repeat the process for the other Sysdig product, if you are using both Monitor and Secure.

  • Log in to Sysdig Monitor Settings (as super admin) and enter the necessary configuration information in the UI. Save and enable OpenID as your SSO.

  • Log in to Sysdig Secure Settings (as super admin) and enter the necessary configuration information in the UI. Save and enable OpenID as your SSO.

  You will enter a separate redirect URL in your IdP for each product; otherwise the integration processes are the same.

Administrator Steps

Configure IdP

Select the appropriate IdP link below, and follow the instructions:

Enable OpenID in Settings

To enable baseline OpenID functionality:

Enter OpenID Basic Connection Settings

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.

  2. Select Authentication.

  3. Select the OpenID tab.

  4. Enter the relevant parameters (see the table below) and click Save.

| Connection Setting | Description |
| --- | --- |
| Client ID | ID provided by your IdP |
| Client Secret | Secret provided by your IdP |
| Issuer URL | URL provided by your IdP. Example: https://YOUR-ONELOGIN-DOMAIN.onelogin.com/oidc |

Note

Okta, OneLogin, and Keycloak support metadata auto-discovery, so these settings should be sufficient for those IdPs.

Enter OpenID Additional Settings (if needed)

In some cases, an OpenID IdP may not support metadata auto-discovery, and additional configuration settings must be entered manually.

In this case:

  1. On the OpenID tab, toggle the Metadata Discovery button to OFF to display additional entries on the page.

  2. Enter the relevant parameters derived from your IdP (see the table below) and click Save.

| Connection Setting | Description |
| --- | --- |
| Base Issuer | Required. Often the same as the Issuer URL, but can be different for providers that have a separate general domain and user-specific domain (for example, general domain: https://openid-connect.onelogin.com/oidc, user-specific domain: https://sysdig-phil-dev.onelogin.com/oidc) |
| Authorization Endpoint | Required. Authorization request endpoint |
| Token Endpoint | Required. Token exchange endpoint |
| JSON Web Key Set Endpoint | Required. Endpoint that contains the key credentials for token signature verification |
| Token Auth Method | Authentication method. Supported values: client_secret_basic, client_secret_post (case insensitive) |
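The "test the metadata URL" part of step 3 and the manual settings above, as an added Python example that is not Sysdig's code: it reads an OpenID Connect discovery document, verifies that its issuer matches the Issuer URL you configured, maps the endpoints onto the manual settings fields, and picks a Token Auth Method that both the IdP and Sysdig support. The discovery document and the idp.example.com hostname are constructed samples, not a real provider's.

```python
import json

# Token auth methods the Sysdig settings page accepts (matched case-insensitively).
SYSDIG_TOKEN_AUTH_METHODS = ("client_secret_basic", "client_secret_post")

# Constructed sample discovery document; not from any real IdP. A live IdP
# serves its own at <Issuer URL>/.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com/oidc",
    "authorization_endpoint": "https://idp.example.com/oidc/auth",
    "token_endpoint": "https://idp.example.com/oidc/token",
    "jwks_uri": "https://idp.example.com/oidc/certs",
    "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_post"],
})


def derive_settings(discovery_json: str, issuer_url: str) -> dict:
    """Return the values for Sysdig's manual OpenID settings, failing closed on
    an issuer mismatch, a missing or non-HTTPS endpoint, or no usable auth method."""
    doc = json.loads(discovery_json)
    # The issuer in the document must equal the Issuer URL you configured;
    # otherwise the wrong (or a substituted) document was fetched.
    if str(doc.get("issuer", "")).rstrip("/") != issuer_url.rstrip("/"):
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} vs {issuer_url!r}")
    try:
        settings = {
            "Base Issuer": doc["issuer"],
            "Authorization Endpoint": doc["authorization_endpoint"],
            "Token Endpoint": doc["token_endpoint"],
            "JSON Web Key Set Endpoint": doc["jwks_uri"],
        }
    except KeyError as missing:
        raise ValueError(f"discovery document lacks required field {missing}")
    for url in settings.values():
        if not str(url).startswith("https://"):
            raise ValueError(f"endpoint is not HTTPS: {url}")
    # The discovery spec's default when the list is omitted is client_secret_basic.
    idp_methods = [m.lower() for m in
                   doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])]
    usable = [m for m in SYSDIG_TOKEN_AUTH_METHODS if m in idp_methods]
    if not usable:
        raise ValueError(f"no Sysdig-supported token auth method in {idp_methods}")
    settings["Token Auth Method"] = usable[0]
    return settings


if __name__ == "__main__":
    for key, value in derive_settings(SAMPLE_DISCOVERY, "https://idp.example.com/oidc").items():
        print(f"{key}: {value}")
```

A ValueError from this check means the manual settings should not be saved until the discovery document (or the configured Issuer URL) is corrected.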

Select OpenID for SSO

  1. Select OpenID from the Enabled Single Sign-On dropdown.

  2. Click Save Authentication.

  3. Repeat the entire enablement process for the other product (Sysdig Monitor or Sysdig Secure) if you want to enable OpenID on both applications.

User Experience

As noted in the Basic Enablement Workflow above, you can offer users three ways to log in with an OpenID configuration:

  • They can begin at the Sysdig SaaS URL and click the OpenID button.

    See SaaS Regions and IP Ranges and identify the correct SaaS URL associated with your Sysdig application and region. For example, URLs of Monitor and Secure for US East are:

    Monitor: app.sysdigcloud.com

    Secure: secure.sysdig.com

    For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com.

    They will be prompted to enter a Company Name, so the Sysdig platform can redirect the browser to your IdP for authentication.

  • You can provide an alternative URL so that the user does not have to enter a company name, in the format:

    Monitor: https://app.sysdigcloud.com/api/oauth/openid/<CompanyName>

    Secure: https://secure.sysdig.com/api/oauth/openid/<CompanyName>?product=SDS

  • You can configure an IdP-initiated login flow when configuring your IdP. Users then select the Sysdig application from your IdP's app directory and do not browse directly to a Sysdig application URL at all.

Note

See also User and Team Administration for information on creating users.