SAML/SSO configuration

Availability
  • AppMon 2017 May: Beta feature. Beta features are publicly available in the release and supported by the Dynatrace technical support team. Keep in mind, though, that a beta feature is limited and not tested extensively in real-world scenarios. Verify in your test or staging environment that it works as expected and fits your needs.

  • AppMon 2018 April: GA feature.

Prerequisites and limitations

  • AppMon 2017 May: No GUI for SSO configuration is available.
  • AppMon 2017 May: SSO works only in Windows-based AppMon Clients and the AppMon Web.
  • AppMon 2017 May: On Mac, SSO might work, but there may be problems with certificate management and request redirection.
  • AppMon 2018 April and later: The AppMon Server checks the full certificate chain on import and on every SSO use. If any certificate involved in SSO/SAML is revoked or expired, single sign-on fails.
  • The group name sent by the identity provider must exactly match a group defined on the AppMon Server. See the LDAP group processing section below for details.

LDAP group processing

AppMon Server login is based on matching groups, so during SSO the identity provider must send a group name that exactly matches a group on the AppMon Server side. The user's permissions are then taken from that AppMon group. The AppMon Server can't handle LDAP groups if the identity provider does not send the exact group name.

For example, if AppMon has the Operations user group and the identity provider sends a distinguished name such as cn=Operations,dc=my-domain,dc=com, the value won't match the AppMon group and the SSO login will fail.

AppMon 2018 April User interface configuration

This description applies to UI-driven configuration for AppMon 2018 April. In AppMon 2017 May only manual configuration is possible; see the description in the expandable section below.

In AppMon 2018 April, SSO configuration consists of these general steps:

  1. Generate the service provider metadata file. You can do this in the AppMon Client.
  2. Import the generated metadata into your identity provider, so that it can exchange data with the AppMon Frontend Server, which acts as the service provider.
SSO configuration user interface

To generate service provider metadata:

  1. Click Settings > Dynatrace Server > Users > Single sign-on to access the user interface.
  2. Select Enable user authentication via SAMLv2 identity provider to activate single sign-on.
  3. Import the identity provider metadata and certificate chain:
    1. In the Identity provider pane, click Import.
    2. In the Import identity provider metadata dialog box, provide the metadata file. Do one of the following:
      • Paste the URL of the file into the From URL field, and click Download.
      • Click Import, and select the file from your computer.
    3. Click Import certificate chain.
    4. Select the certificate file and open it.
    5. In the Check Certificate Trust dialog box, review the certificate chain details.
    6. Select the certificate to be imported, and click Import.
  4. Specify identity provider attribute names. Start typing to view suggestions.
  5. In the Service Provider pane, configure service provider parameters:
    • If needed, select the Strong authentication checkbox to make login more secure.
    • Specify the authentication timeout.
    • Select the SAML login/logout binding.
  6. Click Create Service Provider XML to generate the service provider metadata file.

Identity provider attribute names

The identity provider sends information about the authenticated user to the service provider. This information may be stored in attributes with various names. For example, one identity provider could send the authenticated user name in an attribute called userId, while another provider could use uid instead. To be able to read these values, the service provider (the AppMon Frontend Server) has to know the attribute names.

Attribute and description:

  • User name: The name of the attribute which holds the authenticated user name.
  • Group assignment: The name of the attribute which holds the authenticated user's group assignments. At least one of the group assignments must exist in AppMon, because the AppMon user permissions are based on such a group. The user name sent by the identity provider is meaningless for AppMon's permission model.
  • Full name: The name of the attribute which holds the authenticated user's full name. If it's empty, the full name is not retrieved.
  • Email: The name of the attribute which holds the authenticated user's email address. If it's empty, the email address is not retrieved.
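The following added example (not AppMon's own code) models how the service provider reads the configured user-name and group attributes out of a SAML assertion and applies the exact-match group rule from the LDAP group processing section. The assertion is constructed, the attribute names uid and memberOf are assumptions, and the model covers attribute and group matching only, not assertion signature validation.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the AttributeStatement of a SAML 2.0 assertion as an identity
# provider might send it. One group value is a DN, the other a bare group name.
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>cn=Operations,dc=my-domain,dc=com</saml:AttributeValue>
      <saml:AttributeValue>Developers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def attribute_values(assertion_xml, name):
    """Return every AttributeValue of the attribute called `name` (empty if absent)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend(v.text or "" for v in attr.findall("saml:AttributeValue", NS))
    return values


def matching_groups(sent_groups, appmon_groups):
    """Exact string comparison as the page describes: a DN never equals a bare group name."""
    return [g for g in sent_groups if g in appmon_groups]


def check_sso_login(assertion_xml, user_attr, group_attr, appmon_groups):
    """Simulate the login decision: (granted, reason)."""
    users = attribute_values(assertion_xml, user_attr)
    groups = attribute_values(assertion_xml, group_attr)
    if not users:
        return False, "user name attribute %r not found in assertion" % user_attr
    matched = matching_groups(groups, appmon_groups)
    if not matched:
        return False, "no value of %r matches an AppMon group: %r" % (group_attr, groups)
    return True, "user %s gets the permissions of group(s) %r" % (users[0], matched)
```

With only the Operations group defined in AppMon the login is refused, because the provider sent the DN rather than the bare name; defining Developers as well makes it succeed through that group.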

Manual configuration