SAML Connect Configuration

[NOTE: This guide is specific to cloud-based (SaaS) Sysdig Monitor environments. If you are configuring an On-Premises Sysdig Monitor environment, refer to this other guide instead.]

Introduction

SAML support in Sysdig Monitor allows authentication via your choice of Identity Provider (IDP). This document describes how to configure the feature as well as its limitations.

Summary of Functionality

Independent of the SAML feature, Sysdig Monitor ordinarily maintains its own user database to hold a username and password hash. The SAML feature instead allows for redirection to the customer’s IDP to validate username/password and other policies necessary to grant access to Sysdig Monitor. Upon successful authentication via SAML, a corresponding user record in Sysdig Monitor’s user database is automatically created, though the password that was sent to the IDP is never seen nor stored by Sysdig Monitor.

Once SAML is enabled, instead of the prior email/password login fields, your users can begin their login procedure at app.sysdigcloud.com by clicking the SAML button as shown below.

Once clicked, the user will be prompted to enter a Company Name, which is required so Sysdig Monitor can redirect the user's browser to your IDP for authentication.

As an alternative, users can bypass the steps above if they directly access app.sysdigcloud.com/api/saml/CompanyName instead of app.sysdigcloud.com.

While you may have set your Company Name value during initial sign-up, Sysdig Support can set/change this for you at the same time other SAML configuration is being enabled.

Summary of Configuration

To have SAML enabled for your environment, open a Support Request with Sysdig. In the ticket, provide the following:

  1. Your choice of Company Name (see previous section).
  2. A copy of the metadata URL generated after completing configuration of the Sysdig Monitor application in your IDP (see the IDP Configurations section below).

Once Sysdig Support responds that configuration has been completed in the Sysdig Monitor back-end database, your users will be able to login to Sysdig Monitor via SAML as described above.

Limitations

  1. SAML Assertion Encryption/Decryption is not currently supported.
  2. IDP-initiated login is not supported in SaaS-based Sysdig Monitor. Therefore, you should disable the presentation of Sysdig Monitor application icons to users as described in the IDP-specific configurations below.
  3. SAML Single Logout is not supported. Therefore, users should take care to logout directly from Sysdig Monitor.

IDP Configurations

The following sections describe the configuration you'll need to complete with your IDP:

These are the IDPs for which Sysdig has performed detailed interoperability testing and confirmed the specifics of what you'll need to do relative to their standard docs. If your IDP is not listed here, it will likely still work with Sysdig Monitor as well. If you are using another provider, mention your IDP in your ticket when you contact Sysdig Support.

To ensure the metadata URL you copy at the end of the IDP configuration procedure is correct, you can test it by directly accessing it via your browser. When accessing the URL, your browser should immediately download an XML file that begins similarly to the example shown below. No entry of credentials or other security measures should be required to successfully download it. If this is not the case, revisit the IDP configuration steps.

<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/680358">
  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/680358">
...


IDP Configuration - Okta

Configure Sysdig Monitor as a SAML application using Okta's documentation for Setting Up a SAML Application in Okta. The notes below call out specific steps that require additional action.

  • At step #6, check the box for "Do not display application icon to users", since SaaS-based Sysdig Monitor does not currently support IDP-initiated login.
  • At step #7, enter the values:

Setting

Value

Single sign on URL

https://app.sysdigcloud.com/api/saml/auth

Audience URI (SP Entity ID)

https://app.sysdigcloud.com/api/saml/metadata

 

  • At step #8, instead of those shown in the Okta example, add the values:

Name

Value

email

user.email

first name

user.firstName

last name

user.lastName

Note that the attributes are case sensitive, so use caution when entering them.

Only "email" is required. However, including first/last name is recommended, since these values will now be included in the records created in the Sysdig Monitor database when new users successfully login via SAML for the first time.

  • At step #10, copy the link shown at the "Copy this link" pointer and paste it into your ticket with Sysdig Support. This is the metadata URL that will need to be sent to Sysdig Support for your SAML configuration to be completed.

IDP Configuration - OneLogin

Configure Sysdig Monitor as a SAML application using OneLogin's documentation for How to Use the OneLogin SAML Test Connector. The notes below call out specific steps that require additional action.

  • At the step for "Adding the SAML Test Connector", select SAML Test Connector (IdP w/ attr w/ sign response). Uncheck the slider so it will no longer be "Visible in portal", since Sysdig Monitor does not currently support IDP-initiated login.
  • At the "Test Connector Configuration Page", enter the values:

Field

Value

Recipient

https://app.sysdigcloud.com/api/saml/auth

ACS (Consumer) URL Validator

https://app.sysdigcloud.com

ACS (Consumer) URL

https://app.sysdigcloud.com/api/saml/auth

  • (optional) If you want the user's First Name and Last Name to be included in the records created in the Sysdig Monitor database when new users successfully login via SAML for the first time, click to the "Parameters" tab. Click "Add parameter" and to create each of two New Fields, checking the box each time to "Include in SAML assertion". Then click to Edit each field and select the Value shown from the drop-down menu before clicking Save.

Field Name

Value

first name

First Name

last name

Last Name

Note that the Field Names are case sensitive, so be careful to enter them as all lowercase.

The following shows an example of a correctly-configured field for First Name:

  • Click to the "SSO" tab, copy the Issuer URL, and paste it into your ticket with Sysdig Support. This is the metadata URL that will need to be sent to Sysdig Support for your SAML configuration to be completed.

 

Have more questions? Submit a request