OpenID Connect Configuration (on-premises)

[NOTE: This guide is specific to on-premises Sysdig Monitor environments. If you are using cloud-based (SaaS) Sysdig Monitor, refer to the separate SaaS guide instead.]

Introduction

OpenID Connect support in Sysdig Monitor allows authentication via your choice of OpenID Provider. This document describes how to configure and use the feature.

Summary of Functionality

Independent of the OpenID Connect feature, Sysdig Monitor ordinarily maintains its own user database to hold a username and password hash. The OpenID Connect feature instead allows for redirection to the customer’s OpenID Provider to validate username/password and other policies necessary to grant access to Sysdig Monitor. Upon successful authentication via OpenID Connect, a corresponding user record in Sysdig Monitor’s user database is automatically created, though the password that was sent to the OpenID Provider is never seen nor stored by Sysdig Monitor.

Once OpenID Connect is enabled, users can access your Sysdig Monitor app via https://HOSTNAME/api/oauth/openid (instead of https://HOSTNAME) and they will be redirected immediately to your OpenID Provider for authentication.

For those users that still try to access Sysdig Monitor at https://HOSTNAME, instead of their prior email/password login fields, they should begin their login procedure by clicking the OpenID button as shown below.

Once clicked, the user's browser will be redirected to your OpenID Provider for authentication.

Summary of Configuration

To have OpenID Connect enabled for your environment, you will need to complete two steps:

  1. Configure the Sysdig Monitor application in your OpenID Provider (see the OpenID Provider Configuration section below).
  2. Apply the OpenID Connect configuration to Sysdig Monitor, which can be done via a script (see the Configuring Sysdig Monitor section below).

Once these steps are completed, your users will be able to login to Sysdig Monitor via OpenID Connect as described above.

OpenID Provider Configuration

The following sections describe the configuration you'll need to complete with your OpenID Provider (Okta, OneLogin, or Keycloak).

These are the OpenID Providers for which Sysdig has performed detailed interoperability testing and confirmed the specifics of what you'll need to do relative to their standard docs. If your OpenID Provider is not listed here (including ones that do not support OpenID Connect Discovery), it will likely still work with Sysdig Monitor. If you are using another provider, contact Sysdig Support and mention which OpenID Provider you are using.

OpenID Provider Configuration - Okta

The notes below describe minimal steps to be taken in Okta. You may need to adjust the steps based on the specifics of your environment.

  1. Log in to your Okta organization as a user with administrative privileges and click to the Admin page
  2. Click on the Add Applications shortcut, then click the Create New App button
  3. Select Web as the Platform type, then click OpenID Connect as the Sign-on method, then click Create
  4. Create a new application
    • Enter your choice of General Settings
    • Set the Login redirect URIs to https://HOSTNAME:PORT/api/oauth/openid/auth, replacing "HOSTNAME" with the hostname through which your users access the Sysdig Monitor application and "PORT" with the TCP port number (typically 443)
    • Click the Save button
  5. You should next be placed in a General tab. Take note of the Client ID and Client secret that are shown, as you will need them later to complete the Sysdig Monitor configuration.
  6. Click to the Sign On tab. Take note of the Issuer URL that is shown, as you will need it later to complete the Sysdig Monitor configuration.

OpenID Provider Configuration - OneLogin

The notes below describe minimal steps to be taken in OneLogin. You may need to adjust the steps based on the specifics of your environment.

  1. Log in to your OneLogin organization as a user with administrative privileges and click to Apps > Custom Connectors, then click the New Connector button.
  2. Create a new Connector
    • Enter your choice of connector name
    • Select a Sign on Method of OpenID Connect
    • Set the Redirect URI to https://HOSTNAME:PORT/api/oauth/openid/auth, replacing "HOSTNAME" with the hostname through which your users access the Sysdig Monitor application and "PORT" with the TCP port number (typically 443)
    • Click the Save button
  3. From the More Actions pull-down menu, select Add App to Connector
  4. Click Save to add the app to your catalog. Once clicked, additional tabs will appear.
  5. Click to the SSO tab. Take note of the Client ID and Client Secret that are shown (click Show client secret to reveal it), as you will need them later to complete the Sysdig Monitor configuration.
  6. Note that the Issuer URL you will need later to complete the Sysdig Monitor configuration will be https://YOUR-ONELOGIN-DOMAIN.onelogin.com/oidc

OpenID Provider Configuration - Keycloak

The notes below describe minimal steps to be taken in Keycloak. You may need to adjust the steps based on the specifics of your environment.

  1. Log in to your Keycloak server's Administrative Console
  2. Select a realm or create a new one
  3. Click Clients, then click the Create button
  4. Enter the Client ID of your choosing (e.g. "SysdigMonitor") and take note of it, as you will need it later to complete the Sysdig Monitor configuration.
  5. Make sure the Client Protocol drop-down has openid-connect selected. Click the Save button.
  6. Configure OpenID Connect client
    • Click the toggle for Authorization Enabled to ON
    • Set the Valid Redirect URIs to https://HOSTNAME:PORT/api/oauth/openid/auth, replacing "HOSTNAME" with the hostname through which your users access the Sysdig Monitor application and "PORT" with the TCP port number (typically 443)
    • Click the Save button
  7. Click to the Credentials tab. Take note of the Secret that is shown, as you will need it later to complete the Sysdig Monitor configuration.
  8. Note that the Issuer URL you will need later to complete the Sysdig Monitor configuration will be https://{KEYCLOAK-SERVER-ADDRESS}/auth/realms/{REALM-NAME}, where {KEYCLOAK-SERVER-ADDRESS} and {REALM-NAME} are taken from the environment in which you just created the configuration.

Configuring Sysdig Monitor

The OpenID Connect configuration in Sysdig Monitor can now be completed via the Administrative API using the set_oidc_config.sh script (which can be downloaded from the sysdig-cloud-scripts repository on GitHub). The following table describes the values you'll be prompted for:

  • API URL: The URL through which your users access the Sysdig Monitor application. Unlike the OpenID Provider configuration, there's no need to include the port if it's standard https:// access via port 443.
  • Admin API Token: The Sysdig Monitor API Token for the "Super" Admin user (see this article for info on locating this user) as copied from the Settings page of the Sysdig Monitor application. This is required in order to apply the configuration via the API.
  • Issuer URL: The Issuer URL you copied down during the applicable "OpenID Provider Configuration" steps above.
  • Client ID: The Client ID you copied down during the applicable "OpenID Provider Configuration" steps above.
  • Client Secret: The Client Secret you copied down during the applicable "OpenID Provider Configuration" steps above.
  • Customer ID #: As an on-premises customer, you will enter the value "1".


The script will then show the curl command line it executes against the Sysdig Monitor API. If successful, you will see an HTTP/1.1 200 OK response code and a JSON object that reflects the modified OpenID Connect configuration.

Example script run:

$ ./set_oidc_config.sh
Enter API URL [https://app.sysdigcloud.com]: https://example.com
Enter Admin API Token (required): xxxxxxxx-yyyy-zzzz-aaaa-bbbbbbbbbbbb
Enter Issuer URL from OpenID Provider (required): https://dev-824158.oktapreview.com
Enter Client ID from OpenID Provider (required): xxxxxxxxxxxxxxxxxxxx
Enter Client Secret from OpenID Provider (required): yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
Enter Customer ID # (required): 1
+ curl -XPOST -v -k https://example.com/api/admin/customer/1/openid/ -H Content-Type: application/json; charset=UTF-8 -H Accept: application/json, text/javascript, */*; q=0.01 -H Authorization: Bearer xxxxxxxx-yyyy-zzzz-aaaa-bbbbbbbbbbbb --data-binary {"issuer":"https://dev-824158.oktapreview.com","clientId":"xxxxxxxxxxxxxxxxxxxx","clientSecret":"yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy","metadataDiscovery":true} --compressed
[...verbose output...]
< HTTP/1.1 200 OK
[...verbose output...] {"openid":{"issuer":"https://dev-824158.oktapreview.com","clientId":"xxxxxxxxxxxxxxxxxxxx","clientSecret":"yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy","metadataDiscovery":true}}
A get_oidc_config.sh script is also available that can be used to view the current JSON config object.
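The two halves of the procedure, registering the redirect URI with the OpenID Provider and posting the issuer/client settings to the admin API, combined into one script as an added example. This is not Sysdig's set_oidc_config.sh or get_oidc_config.sh: the endpoint path, header set and JSON body shape are taken from the traced curl command above, while the function names, the https-only check, the OpenID Connect Discovery issuer comparison and the sample discovery document are assumptions of this example. It deliberately omits the -k flag seen in the trace so that TLS certificate verification stays enabled.

```shell
#!/bin/sh
# Added example, not the sysdig-cloud-scripts code. Builds the same request the
# page's script issues, but validates inputs and checks the provider's discovery
# document before anything is sent. Endpoint path and JSON shape come from the
# page; function names and sample values are constructed for illustration.
set -eu

# Redirect URI to register with the OpenID Provider (Okta/OneLogin/Keycloak
# steps above): https://HOSTNAME:PORT/api/oauth/openid/auth
build_redirect_uri() {
  host="$1"; port="${2:-443}"
  printf 'https://%s:%s/api/oauth/openid/auth' "$host" "$port"
}

# Standard OpenID Connect Discovery location for an issuer.
discovery_url() {
  issuer="${1%/}"                      # strip one trailing slash
  printf '%s/.well-known/openid-configuration' "$issuer"
}

# Extract the "issuer" value from a discovery document without needing jq.
issuer_from_discovery() {
  printf '%s' "$1" | sed -n 's/.*"issuer"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Discovery rule: the issuer in the document must be byte-for-byte identical to
# the configured Issuer URL (scheme, host, path, trailing slash included).
check_issuer_matches() {
  configured="$1"; doc="$2"
  [ "$(issuer_from_discovery "$doc")" = "$configured" ]
}

# Only accept https:// so the client secret is never sent over plaintext.
is_https_url() {
  case "$1" in
    https://*) return 0 ;;
    *)         return 1 ;;
  esac
}

# JSON body in the exact shape shown in the trace; values are inserted as-is,
# so avoid secrets containing double quotes or backslashes.
build_oidc_payload() {
  printf '{"issuer":"%s","clientId":"%s","clientSecret":"%s","metadataDiscovery":true}' \
    "$1" "$2" "$3"
}

# POST the configuration to the admin endpoint from the page. No -k here:
# certificate verification stays on, unlike the traced command.
apply_oidc_config() {
  api_url="${1%/}"; token="$2"; customer_id="$3"; payload="$4"
  curl -sS -X POST "$api_url/api/admin/customer/$customer_id/openid/" \
    -H 'Content-Type: application/json; charset=UTF-8' \
    -H 'Accept: application/json' \
    -H "Authorization: Bearer $token" \
    --data-binary "$payload"
}

# Read back the current configuration (same endpoint, GET).
get_oidc_config() {
  api_url="${1%/}"; token="$2"; customer_id="$3"
  curl -sS "$api_url/api/admin/customer/$customer_id/openid/" \
    -H 'Accept: application/json' \
    -H "Authorization: Bearer $token"
}

# Constructed sample discovery document (not fetched from a real provider).
SAMPLE_DISCOVERY='{"issuer":"https://idp.example.com/auth/realms/demo","authorization_endpoint":"https://idp.example.com/auth/realms/demo/protocol/openid-connect/auth"}'

# Live run only when explicitly requested, e.g.
#   SYSDIG_API_URL=https://example.com SYSDIG_TOKEN=... OIDC_ISSUER=... \
#   OIDC_CLIENT_ID=... OIDC_CLIENT_SECRET=... RUN_OIDC_APPLY=1 sh oidc_config.sh
if [ "${RUN_OIDC_APPLY:-}" = "1" ]; then
  is_https_url "$OIDC_ISSUER" || { echo "issuer must be an https:// URL" >&2; exit 1; }
  doc="$(curl -sSf "$(discovery_url "$OIDC_ISSUER")")"
  check_issuer_matches "$OIDC_ISSUER" "$doc" \
    || { echo "configured issuer does not match the discovery document" >&2; exit 1; }
  apply_oidc_config "$SYSDIG_API_URL" "$SYSDIG_TOKEN" "${SYSDIG_CUSTOMER_ID:-1}" \
    "$(build_oidc_payload "$OIDC_ISSUER" "$OIDC_CLIENT_ID" "$OIDC_CLIENT_SECRET")"
  echo
  get_oidc_config "$SYSDIG_API_URL" "$SYSDIG_TOKEN" "${SYSDIG_CUSTOMER_ID:-1}"
fi
```

The issuer comparison is the check most worth keeping: with metadataDiscovery set to true, Sysdig Monitor will resolve the issuer's discovery document itself, and a trailing slash or a differently spelled host in the Issuer URL (the Keycloak and OneLogin forms above are easy to get slightly wrong) fails that lookup at login time rather than at configuration time, which is a much less convenient place to find out.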
