SAML Connect Configuration

[NOTE: This guide is specific to cloud-based (SaaS) Sysdig Monitor environments. If you are configuring an On-Premises Sysdig Monitor environment, refer to this other guide instead.]

Introduction

SAML support in Sysdig Monitor allows authentication via your choice of Identity Provider (IDP). This document describes how to configure the feature as well as its limitations.

Summary of Functionality

Independent of the SAML feature, Sysdig Monitor ordinarily maintains its own user database to hold a username and password hash. The SAML feature instead allows for redirection to the customer’s IDP to validate username/password and other policies necessary to grant access to Sysdig Monitor. Upon successful authentication via SAML, a corresponding user record in Sysdig Monitor’s user database is automatically created, though the password that was sent to the IDP is never seen nor stored by Sysdig Monitor.

Once SAML is enabled, instead of the prior email/password login fields, your users can begin their login procedure at app.sysdigcloud.com by clicking the SAML button as shown below.

Once clicked, the user will be prompted to enter a Company Name, which is required so Sysdig Monitor can redirect the user's browser to your IDP for authentication.

As an alternative, users can bypass the steps above if they directly access app.sysdigcloud.com/api/saml/CompanyName instead of app.sysdigcloud.com.

While you may have set your Company Name value during initial sign-up, Sysdig Support can set/change this for you at the same time other SAML configuration is being enabled.

Yet another approach would be to leverage the optional steps described below to configure an IDP-initiated login flow. With such a configuration, your users could select the Sysdig application from your IDP's app directory and not have to browse directly to app.sysdigcloud.com at all.

Summary of Configuration

To have SAML enabled for your environment, open a Support Request with Sysdig. In the ticket, provide the following:

  1. Your choice of Company Name (see previous section).
  2. A copy of the metadata URL generated after completing configuration of the Sysdig Monitor application in your IDP (see the IDP Configurations section below).

Once Sysdig Support responds that configuration has been completed in the Sysdig Monitor back-end database, your users will be able to login to Sysdig Monitor via SAML as described above.

Also, if you intend to configure IDP-initiated login flow, before starting your IDP configuration, follow the instructions in this article to retrieve your customer ID number. It will be referenced in later configuration steps as CUSTOMER-ID-NUMBER.

Limitations

  1. SAML Assertion Encryption/Decryption is not currently supported.
  2. SAML Single Logout is not supported. Therefore, users should take care to logout directly from Sysdig Monitor.

IDP Configurations

The following sections describe the configuration you'll need to complete with your IDP.

The IDPs covered below are those for which Sysdig has performed detailed interoperability testing and confirmed the specifics of what you'll need to do relative to their standard docs. If your IDP is not listed here, it will likely still work with Sysdig Monitor as well. If you are using another provider, mention your IDP in your ticket when you contact Sysdig Support.

To ensure the metadata URL you copy at the end of the IDP configuration procedure is correct, you can test it by directly accessing it via your browser. When accessing the URL, your browser should immediately download an XML file that begins similarly to the example shown below. No entry of credentials or other security measures should be required to successfully download it. If this is not the case, revisit the IDP configuration steps.

<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/680358">
  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
...
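As an added check that is not part of the Sysdig guide, the following Python parses a downloaded metadata file and reports whether it contains what a service provider needs from IDP metadata: an EntityDescriptor with an entityID, an IDPSSODescriptor advertising SAML 2.0, a SingleSignOnService endpoint, and a signing certificate. The sample metadata, its hostname and the certificate body are constructed placeholders; fetch_and_check assumes the metadata URL is reachable without credentials, as the text above requires.

```python
import urllib.request
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"


def check_idp_metadata(xml_bytes):
    """Return a list of problems found in IDP metadata; an empty list means it looks usable."""
    problems = []
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return ["not well-formed XML (an HTML login page instead of metadata?): %s" % exc]
    if root.tag != MD + "EntityDescriptor":
        return ["root element is %s, expected EntityDescriptor" % root.tag]
    if not root.get("entityID"):
        problems.append("EntityDescriptor has no entityID")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        return problems + ["no IDPSSODescriptor: this is not identity-provider metadata"]
    if SAML2_PROTOCOL not in (idp.get("protocolSupportEnumeration") or "").split():
        problems.append("IDPSSODescriptor does not advertise SAML 2.0 protocol support")
    if not [s for s in idp.findall(MD + "SingleSignOnService") if s.get("Location")]:
        problems.append("no SingleSignOnService with a Location")
    # The signing certificate is what lets the service provider verify assertion signatures.
    # A KeyDescriptor without a "use" attribute applies to both signing and encryption.
    certs = [c for k in idp.findall(MD + "KeyDescriptor") if k.get("use") in (None, "signing")
             for c in k.iter(DS + "X509Certificate") if (c.text or "").strip()]
    if not certs:
        problems.append("no signing certificate (KeyDescriptor/X509Certificate)")
    return problems


def fetch_and_check(metadata_url):
    """Download the URL with no credentials, as a browser would, then check the result."""
    with urllib.request.urlopen(metadata_url, timeout=15) as resp:  # HTTP 401/403 raise here
        return check_idp_metadata(resp.read())


# Constructed sample metadata: hostname and certificate body are placeholders, not real values.
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.test/saml/metadata">
  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/saml/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_METADATA) or "metadata looks usable")
```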

IDP Configuration - Okta

Configure Sysdig Monitor as a SAML application using Okta's documentation for Setting Up a SAML Application in Okta. The notes below call out specific steps that require additional action.

  • At step #6, if you don't intend to configure IDP-initiated login flow, check the box for "Do not display application icon to users"
  • At step #7, enter the values shown in the table below. If you wish to configure IDP-initiated login flow, use the CUSTOMER-ID-NUMBER retrieved as described in this article.

  Setting                        Value
  Single sign on URL             https://app.sysdigcloud.com/api/saml/auth
  Audience URI (SP Entity ID)    https://app.sysdigcloud.com/api/saml/metadata
  Default RelayState             #/&customer=CUSTOMER-ID-NUMBER
  (optional - only configure if you intend to use IDP-initiated login flow)


  • At step #8, instead of those shown in the Okta example, add the values:

  Name          Value
  email         user.email
  first name    user.firstName
  last name     user.lastName

Note that the attributes are case sensitive, so use caution when entering them.

Only "email" is required. However, including first/last name is recommended, since these values will now be included in the records created in the Sysdig Monitor database when new users successfully login via SAML for the first time.

  • At step #10, copy the contents of the Identity Provider metadata link and paste it into your ticket with Sysdig Support. This is the metadata URL that will need to be sent to Sysdig Support for your SAML configuration to be completed.

IDP Configuration - OneLogin

Configure Sysdig Monitor as a SAML application using OneLogin's documentation for How to Use the OneLogin SAML Test Connector. The notes below call out specific steps that require additional action.

  • At the step for "Adding the SAML Test Connector", select SAML Test Connector (IdP w/ attr w/ sign response). If you don't intend to configure IDP-initiated login flow, uncheck the slider so it will no longer be "Visible in portal".
  • At the "Test Connector Configuration Page", enter the values shown in the table below. If you wish to configure IDP-initiated login flow, use the CUSTOMER-ID-NUMBER retrieved as described in this article.

  Field                          Value
  RelayState                     #/&customer=CUSTOMER-ID-NUMBER
  (optional - only configure if you intend to use IDP-initiated login flow)
  Recipient                      https://app.sysdigcloud.com/api/saml/auth
  ACS (Consumer) URL Validator   https://app.sysdigcloud.com
  ACS (Consumer) URL             https://app.sysdigcloud.com/api/saml/auth

  • (optional) If you want the user's First Name and Last Name to be included in the records created in the Sysdig Monitor database when new users successfully login via SAML for the first time, click to the "Parameters" tab. Click "Add parameter" to create each of the two New Fields below, checking the box each time to "Include in SAML assertion". Then click to Edit each field and select the Value shown from the drop-down menu before clicking Save.

  Field Name    Value
  first name    First Name
  last name     Last Name

Note that the Field Names are case sensitive, so be careful to enter them as all lowercase.

The following shows an example of a correctly-configured field for First Name:

  • Click to the "SSO" tab, copy the Issuer URL, and paste it into your ticket with Sysdig Support. This is the metadata URL that will need to be sent to Sysdig Support for your SAML configuration to be completed.

IDP Configuration - ADFS

These instructions assume you already have a working, Internet-accessible ADFS server. Interoperability testing has been performed specifically with ADFS on Windows Server 2012 R2.

The steps below to configure the ADFS side all take place in the AD FS Management tool in the Windows Server Manager.

  1. Right-click to Service > Edit Federation Service Properties. Note the hostname in the Federation Service Identifier, as this will be used in the metadata URL that will need to be sent to Sysdig Support for your SAML configuration to be completed. Specifically, the metadata URL will be of the format https://HOSTNAME/FederationMetadata/2007-06/FederationMetadata.xml. Also, so that Sysdig Monitor can access this URL directly, this host must resolve in public DNS and present a valid (not self-signed) SSL certificate.

  2. Add a Relying Party Trust configuration for Sysdig Monitor

    1. Right-click to Relying Party Trusts > Add Relying Party Trust and click Start to begin the wizard.

    2. In the Select Data Source step, click the button to Enter data about the relying party manually, then click Next

    3. Enter a Display name of your choosing, then click Next

    4. Click Next to accept the default option to use AD FS profile

    5. Click Next to skip the selection of an optional token encryption certificate (Sysdig does not support this option)

    6. Check the box to Enable support for the SAML 2.0 Web SSO protocol. Also set the Relying party SAML 2.0 SSO service URL to the appropriate URL shown below, then click Next:
      • Sysdig Monitor: https://app.sysdigcloud.com/api/saml/auth
      • Sysdig Secure: https://secure.sysdig.com/api/saml/secureAuth

    7. For the Relying party trust identifier, enter the appropriate URL shown below, then click Add, then click Next.
      • Sysdig Monitor: https://app.sysdigcloud.com
      • Sysdig Secure: https://secure.sysdig.com

    8. Click Next to skip configuration of multi-factor authentication

    9. Choose a policy for whether users will be permitted to login to Sysdig Monitor. The default to Permit all users to access the relying party will typically be acceptable. Click Next.

    10. Review the summary and click Next to complete the configuration of the Relying Party Trust

    11. The next step will involve adding Claim Rules, so you can leave the box checked to Open the Edit Claim Rules dialog and click the Close button to be brought immediately into the Claim Rules editor

  3. Next we'll use Claim Rules to ensure that login data is sent as needed to Sysdig Monitor. A user's login to Sysdig Monitor is based on an email address, and a default ADFS configuration would not send the email address as required. The following configuration ensures the correct field from Active Directory is delivered in the claim.

    1. If not already in the Claim Rules editor from the previous step, navigate to it by right-clicking on the Relying Party Trust that was just created and selecting Edit Claim Rules

    2. Click Add Rule. At the following screen, accept the default rule template to Send LDAP Attributes as Claims and click Next.

    3. Enter a name for the rule, select Active Directory as the Attribute store, then use the pull-down selectors to pick E-Mail Address as both the LDAP Attribute and Outgoing Claim Type, then similarly make pull-down selections for Given Name and Surname. Once these selections are made, click Finish.

    4. Now click Add Rule again, this time selecting the template for Transform an incoming claim

    5. Enter a name for the rule, then use the pull-downs to select an Incoming claim type of E-Mail Address, an Outgoing claim type of Name ID, and an Outgoing name ID format of Email, then click Finish.

    6. (Optional) If you want the user's First Name and Last Name to be included in the records created in the Sysdig Monitor database when new users successfully login via SAML for the first time, additional Transform rules must also be created. Only the email-based username is strictly required and we already created a rule for this, so this step is optional.

      If you wish to do this, click Add Rule and once again select the template for Transform an incoming claim. Enter a name for the rule, then use the pull-down to select an Incoming claim type of Given Name, and for the Outgoing claim type, directly type first name into the field. After clicking Finish, click Add Rule and create a similar rule to transform the Incoming claim type of Surname to the Outgoing claim type of last name.

    7. Having clicked Finish after creating your last rule, you will see all rules now in the editor. You can click Ok, and your ADFS configuration for Sysdig Monitor is complete. It can be tested once Sysdig Support has completed their side of the configuration using the metadata URL you send in your Support request.

  4. (Optional) The steps above represent a Service Provider Initiated SAML configuration. If you would prefer an IDP-initiated SAML configuration, this is also possible with ADFS, but requires the additional steps described below.

    1. Sysdig Monitor requires a specific setting of RelayState in order to accept IDP-initiated login flows. On the ADFS versions tested, we've found this use of RelayState is disabled by default, and a Microsoft article describes the topic in detail. To enable it, as described in a Microsoft forum thread, on your ADFS host, edit %systemroot%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config and add <useRelayStateForIdpInitiatedSignOn enabled="true" /> to the <microsoft.identityserver.web> section. Once the modification is saved, restart the ADFS services for the change to take effect.

    2. You will need to retrieve your Sysdig Monitor customer number as described in this article.

    3. You will then need to generate an IDP-initiated login URL. In addition to having the correct settings, it must be properly URL encoded. To ease this configuration, download this HTML tool that's linked from the Microsoft article above. When launched, enter the values below, then hit the Generate URL button.
      • For the IDP URL String, enter https://YOUR_ADFS_SERVER/adfs/ls/idpinitiatedsignon.aspx
      • For the Relying Party Identifier, enter https://app.sysdigcloud.com
      • For the Relay State/Target App, enter #/&customer=CUSTOMER-ID-NUMBER, substituting the CUSTOMER-ID-NUMBER you retrieved in the previous step

    4. Use the Results URL from the tool to test your IDP-initiated login. Note that per this Microsoft forum thread, it is apparently not possible to configure ADFS to use such a URL when your users select the application from the pull-down menu at https://YOUR_ADFS_SERVER/adfs/ls/idpinitiatedsignon.aspx. However, you may embed the URL into a custom portal or bookmarks list.

  5. Once Sysdig Support confirms they've completed their side of the configuration, you can test login using an Active Directory user that has an Email address configured.
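The URL from step 4.3 can also be produced and checked without the HTML tool. This is an added example, not Microsoft's tool or Sysdig's own code; it assumes the double-encoded RelayState layout ADFS uses for IDP-initiated sign-on, where the outer RelayState query parameter wraps an inner RPID=...&RelayState=... string and each level is URL-encoded separately. YOUR_ADFS_SERVER and CUSTOMER-ID-NUMBER are placeholders to substitute with your own values.

```python
from urllib.parse import parse_qs, quote, urlsplit

ADFS_HOST = "YOUR_ADFS_SERVER"          # placeholder: hostname of your ADFS server
RPID = "https://app.sysdigcloud.com"    # Relying party trust identifier from step 2.7
CUSTOMER_ID = "CUSTOMER-ID-NUMBER"      # placeholder: value retrieved in step 4.2


def relay_state_for_customer(customer_id):
    """The RelayState value Sysdig Monitor expects for an IDP-initiated login."""
    return "#/&customer=%s" % customer_id


def build_idp_initiated_url(adfs_host, rpid, relay_state):
    """Build the idpinitiatedsignon URL with the inner RPID/RelayState pair encoded once and the
    whole inner string encoded again, so '#', '&', '=' and '/' never reach ADFS unencoded."""
    inner = "RPID=%s&RelayState=%s" % (quote(rpid, safe=""), quote(relay_state, safe=""))
    return "https://%s/adfs/ls/idpinitiatedsignon.aspx?RelayState=%s" % (
        adfs_host, quote(inner, safe=""))


def parse_idp_initiated_url(url):
    """Reverse both encoding layers so a hand-built URL can be checked before publishing it."""
    outer = parse_qs(urlsplit(url).query, strict_parsing=True)
    inner = parse_qs(outer["RelayState"][0], strict_parsing=True)
    return inner["RPID"][0], inner["RelayState"][0]


if __name__ == "__main__":
    url = build_idp_initiated_url(ADFS_HOST, RPID, relay_state_for_customer(CUSTOMER_ID))
    print(url)
    print(parse_idp_initiated_url(url))
```

If parse_idp_initiated_url does not return exactly the relying party identifier and the #/&customer=... value you intended, the URL was not encoded correctly and ADFS will not hand the expected RelayState to Sysdig Monitor.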
