OpenID Connect Configuration

[NOTE: This guide is specific to cloud-based (SaaS) Sysdig Monitor environments. If you are configuring an On-Premises Sysdig Monitor environment, refer to this other guide instead.]

Introduction

OpenID Connect support in Sysdig Monitor allows authentication via your choice of OpenID Provider. This document describes how to configure and use the feature.

Summary of Functionality

Independent of the OpenID Connect feature, Sysdig Monitor ordinarily maintains its own user database to hold a username and password hash. The OpenID Connect feature instead allows for redirection to the customer’s OpenID Provider to validate username/password and other policies necessary to grant access to Sysdig Monitor. Upon successful authentication via OpenID Connect, a corresponding user record in Sysdig Monitor’s user database is automatically created, though the password that was sent to the OpenID Provider is never seen nor stored by Sysdig Monitor.

Once OpenID Connect is enabled, instead of the prior email/password login fields, your users can begin their login procedure at app.sysdigcloud.com by clicking the OpenID button as shown below.

Once clicked, the user will be prompted to enter a Company Name, which is required so Sysdig Monitor can redirect the user's browser to your OpenID Provider for authentication.

As an alternative, users can bypass the steps above if they directly access app.sysdigcloud.com/api/oauth/openid/CompanyName instead of app.sysdigcloud.com.

While you may have set your Company Name value during initial sign-up, Sysdig Support can set/change this for you at the same time other OpenID Connect configuration is being enabled.

Summary of Configuration

To have OpenID Connect enabled for your environment, open a Support Request with Sysdig. In the ticket, provide the following:

  1. Your choice of Company Name (see previous section).
  2. From the configuration you complete with your OpenID Provider (see the OpenID Provider Configuration section below), the following information:
    • Issuer URL
    • Client ID
    • Client Secret

Once Sysdig Support responds that the configuration has been completed in the Sysdig Monitor back-end database, your users will be able to log in to Sysdig Monitor via OpenID Connect as described above.

OpenID Provider Configuration

The following sections describe the configuration you'll need to complete with your OpenID Provider:

    • Okta
    • OneLogin
    • Keycloak

These are the OpenID Providers for which Sysdig has performed detailed interoperability testing and confirmed the specifics of what you'll need to do relative to their standard docs. If your OpenID Provider is not listed here (including ones that do not support OpenID Connect Discovery), it will likely still work with Sysdig Monitor as well. If you are using another provider, mention your OpenID Provider in your ticket when you contact Sysdig Support.

OpenID Provider Configuration - Okta

The notes below describe minimal steps to be taken in Okta. You may need to adjust the steps based on the specifics of your environment.

  1. Log in to your Okta organization as a user with administrative privileges and click to the Admin page
  2. Click on the Add Applications shortcut, then click the Create New App button
  3. Select Web as the Platform type, then click OpenID Connect as the Sign-on method, then click Create
  4. Create a new application
    • Enter your choice of General Settings
    • Set the Login redirect URIs to https://app.sysdigcloud.com/api/oauth/openid/auth
    • Click the Save button
  5. You should next be placed in a General tab. Take note of the Client ID and Client secret that are shown, as they will need to be sent to Sysdig Support.
  6. Click to the Sign On tab. Take note of the Issuer URL that is shown, as it will need to be sent to Sysdig Support.

Paste the Client ID, Client secret, and Issuer information into your ticket with Sysdig Support, as this will allow them to complete the OpenID Connect configuration.

OpenID Provider Configuration - OneLogin

The notes below describe minimal steps to be taken in OneLogin. You may need to adjust the steps based on the specifics of your environment.

  1. Log in to your OneLogin organization as a user with administrative privileges and click to Apps > Custom Connectors, then click the New Connector button.
  2. Create a new Connector
    • Enter your choice of connector name
    • Select a Sign on Method of OpenID Connect
    • Set the Redirect URI to https://app.sysdigcloud.com/api/oauth/openid/auth
    • Click the Save button
  3. From the More Actions pull-down menu, select Add App to Connector
  4. Click Save to add the app to your catalog. Once clicked, additional tabs will appear.
  5. Click to the SSO tab. Take note of the Client ID and Client Secret that are shown (click Show client secret to reveal it), as they will need to be sent to Sysdig Support.
  6. Note that the Issuer URL you will need to provide to Sysdig Support is https://YOUR-ONELOGIN-DOMAIN.onelogin.com/oidc, where YOUR-ONELOGIN-DOMAIN is your own OneLogin subdomain.

Paste the Client ID, Client Secret, and Issuer URL into your ticket with Sysdig Support, as this will allow them to complete the OpenID Connect configuration.

OpenID Provider Configuration - Keycloak

The notes below describe minimal steps to be taken in Keycloak. You may need to adjust the steps based on the specifics of your environment.

  1. Log in to your Keycloak server's Administrative Console
  2. Select a realm or create a new one
  3. Click Clients, then click the Create button
  4. Enter the Client ID of your choosing (e.g. "SysdigMonitor") and take note of it, as it will need to be sent to Sysdig Support.
  5. Make sure the Client Protocol drop-down has openid-connect selected. Click the Save button.
  6. Configure OpenID Connect client
    • Click the toggle for Authorization Enabled to ON
    • Set the Valid Redirect URIs to https://app.sysdigcloud.com/api/oauth/openid/auth
    • Click the Save button
  7. Click to the Credentials tab. Take note of the Secret that is shown, as it will need to be sent to Sysdig support.
  8. Note that the Issuer URL you will need to provide to Sysdig Support is https://{KEYCLOAK-SERVER-ADDRESS}/auth/realms/{REALM-NAME}, where {KEYCLOAK-SERVER-ADDRESS} and {REALM-NAME} are the server address and realm name of the environment in which you just created the configuration.

Paste the Client ID, Secret, and Issuer URL into your ticket with Sysdig Support, as this will allow them to complete the OpenID Connect configuration.
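The Issuer URL, Client ID and Client Secret collected in the Okta, OneLogin and Keycloak sections above are the only inputs Sysdig needs, so it is worth checking them before they go into a ticket. The following Python is an added example, not Sysdig's code and not part of any provider's console: it derives the OpenID Connect Discovery location from an Issuer URL, applies the checks a relying party makes on the discovery document (required metadata, HTTPS endpoints, and the rule from OIDC Discovery section 4.3 that the document's issuer must equal the URL it was fetched from), and builds the authorization request that the redirect to your provider ultimately produces. The redirect URI is the one from the steps above; the Keycloak-style server name, realm name, endpoint paths and discovery documents are constructed sample data, and how Sysdig's own back-end performs these checks is not described on this page.

```python
from __future__ import annotations

import json
import secrets
from urllib.parse import urlencode, urlsplit

# Redirect URI from the provider configuration steps; identical for every provider.
REDIRECT_URI = "https://app.sysdigcloud.com/api/oauth/openid/auth"
# Metadata every discovery document must carry (OIDC Discovery 1.0, section 3).
REQUIRED_METADATA = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """Where a provider publishes its metadata (OIDC Discovery 1.0, section 4.1)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_issuer(issuer: str) -> list[str]:
    """Static checks on an Issuer URL before it leaves your hands."""
    problems: list[str] = []
    parts = urlsplit(issuer)
    if parts.scheme != "https":
        problems.append("issuer must use https")
    if not parts.netloc:
        problems.append("issuer has no host")
    if parts.query or parts.fragment:
        problems.append("issuer must not contain a query string or fragment")
    if any(marker in issuer for marker in ("{", "}", "YOUR-")):
        problems.append("issuer still contains a placeholder")
    return problems


def check_discovery(issuer: str, document: dict) -> list[str]:
    """Checks a relying party applies to a fetched discovery document."""
    problems = [f"missing {key!r}" for key in REQUIRED_METADATA if key not in document]
    # Section 4.3: the advertised issuer MUST equal the issuer the document was
    # fetched from; otherwise tokens would be validated against the wrong provider.
    if "issuer" in document and document["issuer"].rstrip("/") != issuer.rstrip("/"):
        problems.append(
            f"issuer mismatch: configured {issuer!r}, document says {document['issuer']!r}"
        )
    if "code" not in document.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in document and urlsplit(document[key]).scheme != "https":
            problems.append(f"{key} is not https")
    return problems


def authorization_request(document: dict, client_id: str,
                          state: str | None = None, nonce: str | None = None) -> str:
    """First leg of the flow: the URL the relying party redirects the browser to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state or secrets.token_urlsafe(16),  # binds the callback to this session
        "nonce": nonce or secrets.token_urlsafe(16),  # echoed in the ID token, stops replay
    }
    return document["authorization_endpoint"] + "?" + urlencode(params)


# Constructed sample data in the Keycloak issuer layout from the steps above;
# server name, realm name and endpoint paths are hypothetical.
KEYCLOAK_ISSUER = "https://keycloak.example.com/auth/realms/sysdig"
KEYCLOAK_DISCOVERY = json.loads("""{
  "issuer": "https://keycloak.example.com/auth/realms/sysdig",
  "authorization_endpoint": "https://keycloak.example.com/auth/realms/sysdig/protocol/openid-connect/auth",
  "token_endpoint": "https://keycloak.example.com/auth/realms/sysdig/protocol/openid-connect/token",
  "jwks_uri": "https://keycloak.example.com/auth/realms/sysdig/protocol/openid-connect/certs",
  "response_types_supported": ["code", "id_token", "code id_token"]
}""")
# Same server, but the document was served for a different realm than configured.
WRONG_REALM_DISCOVERY = dict(KEYCLOAK_DISCOVERY,
                             issuer="https://keycloak.example.com/auth/realms/other")


if __name__ == "__main__":
    print("discovery document:", discovery_url(KEYCLOAK_ISSUER))
    print("issuer problems:", check_issuer(KEYCLOAK_ISSUER) or "none")
    print("discovery problems:", check_discovery(KEYCLOAK_ISSUER, KEYCLOAK_DISCOVERY) or "none")
    print("wrong realm:", check_discovery(KEYCLOAK_ISSUER, WRONG_REALM_DISCOVERY))
    print("authorization request:", authorization_request(KEYCLOAK_DISCOVERY, "SysdigMonitor"))
```

Run against a real provider, `discovery_url` gives the address to fetch with any HTTP client; pass the parsed JSON to `check_discovery` with the exact Issuer URL you intend to send. An issuer mismatch or an `http://` endpoint is worth resolving with the provider before opening the ticket, since those are the values the relying party will trust for every login.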
