SAML (SaaS)
Note
This guide is specific to cloud-based (SaaS) Sysdig environments. If you are configuring an On-Premises Sysdig environment, refer to SAML (On-Prem) instead.
SAML support in the Sysdig platform allows authentication via your choice of Identity Provider (IdP).
The Sysdig platform ordinarily maintains its own user database to hold a username and password hash. SAML instead allows for redirection to your organization's IdP to validate username/password and other policies necessary to grant access to Sysdig application(s). Upon successful authentication via SAML, a corresponding user record in the Sysdig platform’s user database is automatically created, though the password that was sent to the IdP is never seen nor stored by the Sysdig platform.
This section describes how to integrate and enable SAML with both Sysdig Monitor and Sysdig Secure.
For specific IdP integration information, refer to:
See also Caveats
Basic Enablement Workflow
Step | Options | Notes | ||
|---|---|---|---|---|
1. Know which IdP your company uses and will be configuring. | These are the IdPs for which Sysdig has performed detailed interoperability testing and confirmed how to integrate using their standard docs. If your IDP is not listed, it may still work with the Sysdig platform. Contact Sysdig Support for help. | |||
2. Decide the login flow you want users to experience (choose from three options): | Click SAML button and enter a company name | Open the domain URL corresponding to your Sysdig application and region and enter your company name. For example, domain URLs of Monitor and Secure for US East are app.sysdigcloud.com and secure.sysdig.com respectively. NoteContact the Sysdig Support to set your company name on the account. This is applicable to all supported IdPs.
| ||
Type/bookmark a URL in browser | For example, the URLs for the US East are: Monitor: https://app.sysdigcloud.com/api/saml/ Secure: https://secure.sysdig.com/api/saml/ For example, for the EU region: Monitor: https://eu1.app.sysdig.com/api/saml/ Secure: https://eu1.app.sysdig.com/api/saml/ For URLs corresponding to other regions, see SaaS Regions and IP Ranges. | |||
Log in from an IdP interface | The individual IdP integration pages describe how to add Sysdig to the IdP interface. You will need your Sysdig customer number on hand. | |||
3. Perform the configuration steps in your IdP interface and collect the resulting config attributes. | Collect metadata URL (or XML) and test it. If you intend to configure IDP-initiated login flow, have your Sysdig customer number on hand. It will be referenced in later configuration steps as | |||
4 a. Log in to Sysdig Monitor or Sysdig Secure 4 b. Repeat process for the other Sysdig product, if you are using both Monitor and Secure. | You will enter a separate redirect URL in your IdP for each product; otherwise the integration processes are the same. |
Administrator Steps
Configure IdP
Select the appropriate IdP from the list below, and follow the instructions:
Enable SAML in Settings
To enable baseline SAML functionality:
Enter SAML Connection Settings
Log in to Sysdig Monitor or Sysdig Secure as administrator and select
Settingsfrom the User Profile button in the left navigation.Select
Authentication.Select the
SAMLtab.Enter the relevant parameters (see table below) and click
Save.Note
It is strongly recommended that "Signed Assertion" and "Validate Signature" are enabled to ensure that the SAML SSO process is as secure as possible.
Connection Setting | Options | Description | Sample Entry |
|---|---|---|---|
Metadata | URL | The URL provided at the end of the IdP configuration steps. | |
XML | An option that can be used for an IdP that doesn't support extracting metadata XML via URL. | ||
Signed Assertion | off/on | Should Sysdig check for assertions signed in responses (to assist in validating correct IdP). | ON |
Email Parameter | Name of parameter in the SAML response for user email ID. Sysdig uses this to extract the user's email from the response. | ||
Validate Signature | off/on | Sysdig backend should verify that the response is signed. | ON |
Verify Destination | off/on | Flag to control whether Sysdig should check the "destination" field in the SAMLResponse. Recommend ON, as a security measure. May be OFF in special cases, such as a proxy in front of the Sysdig back end. | ON |
Create user on login | off/on | Flag to control whether a user record should be created in the Sysdig database after first successful SAML log in. | |
Disable username and password login | off/on | Switch "on" to disallow user name and password log in. (Useful with SAML OpenID.) |
Select SAML for SSO
Select
SAMLfrom theEnabled Single Sign-OndropdownClick
Save Authentication.Repeat entire enablement process for Sysdig Monitor or Sysdig Secure, if you want to enable on both applications.
Configure SAML Single Logout
Sysdig supports SAML Single Logout (SLO).
SLO is a feature in federated authentication where Sysdig users can sign out of both their Sysdig session (Service Provider) and associated IdP (Identity Provider) simultaneously. SLO allows you to terminate all sessions established via SAML SSO by initiating a single logout process. Closing all user sessions prevents unauthorized users from gaining access to Sysdig resources.
SLO Process
When a user initiates a logout, Sysdig sends a digitally-signed logout request to the IdP. The IdP validates the request and terminates the current login session, then redirects the user back to the Sysdig login page.
Caveats
SLO is currently supported only in US-West and EU-Central regions.
Sysdig does not support HTTP Post binding for single logout, and therefore, SLO with Okta is not functional at this point.
Configure IdP
Configure logout URLs:
Monitor:
<base_URL>/api/saml/slo/logoutSecure:
<base_URL>/api/saml/slo/secureLogout
Choose HTTP Redirect as the binding method.
This option is an alternative to the HTTP POST method, which Sysdig does not support currently.
If your IdP mandates, upload the public key for Sysdig.
Contact Sysdig Support to retrieve the public key associated with your deployment.
Certain IDPs, such as Azure, don’t require uploading the public key.
Configure Sysdig
Log in to Sysdig Monitor or Sysdig Secure as an administrator and select Settings.
For on-prem deployments, log in as the super admin.
Navigate to Settings > Authentication, and select SAML under Connection Settings.
Enter the SAML configuration.
Ensure that Enable SAML single logout is toggled on.
Click Save.
Ensure that you select SAML from the Enable Single Sign On drop-down.
User Experience
As noted in the Basic Enablement Workflow above, you can offer users three ways to log in with a SAML configuration:
They can begin at the Sysdig SaaS URL and click the SAML button.
See SaaS Regions and IP Ranges and identify the correct Sysdig SaaS URL associated with your Sysdig application and region. For example, URLs of Monitor and Secure for US East are:
Monitor: app.sysdigcloud.com
Secure: secure.sysdig.com
They will be prompted to enter a Company Name, so the Sysdig platform can redirect the browser to your IdP for authentication.
Note
Contact Sysdig Support to set your company name on the account.
You can provide an alternative URL to avoid the user having to enter a company name, in the format:
Sysdig Monitor: https://app.sysdigcloud.com/api/saml/
COMPANY_NAMESysdig Secure: https://secure.sysdig.com/api/saml/
COMPANY_NAME?product=SDSFor other regions, the format is https://<region>.app.sysdig.com/api/saml/auth. Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Secure in the EU, you use https://eu1.app.sysdig.com/api/saml/secureAuth.
You can configure an IdP-initiated login flow when configuring your IdP. The users then select the Sysdig application from your IDP's app directory and do not browse directly to a Sysdig application URL at all.
Note
Users that complete their first successful SAML login to Sysdig Secure may receive the error message "User doesn't have permission to login in Sysdig Secure". This is because only members of the Secure Operations team are permitted access to Sysdig Secure, and newly-created logins are not in this team by default. Such a user should contact an Administrator for the Sysdig environment to be added to the Secure Operations team.
Environments that wish to have all users access Secure by default could use this sample Python script to frequently "sync" the team memberships.
See Developer Documentation for tips on using the sample Python scripts provided by Sysdig.
See also User and Team Administration for information on creating users.
Caveats
SAML Assertion Encryption/Decryption is not currently supported.