SAML/SSO configuration

Important

This is a beta feature in AppMon 2017 May. Beta features are publicly available in the release and supported by the Dynatrace technical support team. Keep in mind, however, that the feature is limited and has not been tested extensively in real-world scenarios. Verify in your test or staging environment whether it works as expected and fits your needs.

Prerequisites and limitations

  • There is no GUI for SSO configuration; the feature is configured by editing files.
  • SSO works only with Windows-based AppMon Clients and the WebUI.
  • On Mac, SSO might work, but there may be problems with certificate management and request redirection.
  • No certificate verification is implemented: the AppMon Server does not check whether certificates have been revoked, and certificate chains are not validated (work in progress). Trust in the identity provider therefore rests entirely on the certificate material in idp.xml, so obtain that file from a trusted source and protect it from modification.
  • AppMon Server login is based on matching groups: during SSO the identity provider must send a group name that matches a group on the AppMon Server. The user's permissions are then those of the matching group.

Configuration

To activate the SAML/SSO feature, create two files in the <DT_HOME>/server/conf directory:

  • sso.config.xml for the SAML/SSO configuration
  • idp.xml for the identity provider configuration metadata

The frontend server reads these files during startup. SAML/SSO is active if the ssoEnabled attribute in sso.config.xml is set to true. If you change either file while the server is running, you have to restart the server for the change to take effect. Two zipped sample files are attached to this page.

The sample sso.config.xml file contains the following groups of settings:

  • Identity provider attributes
  • Identity provider attribute names
  • SAML service provider attributes
  • SAML general attributes

SAML identity provider attributes

  • idpEntityId (no default): The SAML entity ID of the identity provider. A system entity should use a URL containing its own domain name to identify itself. If the identity provider exposes metadata, the entity ID is used as the well-known URL of that metadata, for example https://my.idp.my.domain/simplesamlphp/saml2/idp/metadata.php.
  • idpMetadataFilename (default: idp.xml): The name of the file with the identity provider metadata. It contains the identity provider configuration that the AppMon service provider needs in order to send SAML requests to the identity provider. The file is located in the <DT_HOME>/server/conf directory.

Identity provider attribute names

The identity provider sends information about the authenticated user to the service provider. This information may be carried in attributes with various names: one identity provider could send the authenticated user name in an attribute called userId, another in one called uid. To read these values, the AppMon Server has to know the attribute names.

  • userIdAttributeName (default: uid): The name of the attribute that holds the authenticated user name.
  • groupsAttributeName (default: eduPersonAffiliation): The name of the attribute that holds the authenticated user's group assignments. At least one of the groups must exist in AppMon, because the AppMon user permissions are derived from that group; the user name sent by the identity provider has no effect on permissions.
  • fullNameAttributeName (default: fullName): The name of the attribute that holds the authenticated user's full name. If it is empty, the full name is not retrieved.
  • emailAddressAttributeName (default: emailAddress): The name of the attribute that holds the authenticated user's email address. If it is empty, the email address is not retrieved.

SAML Service Provider Attributes

  • spEntityId (default: https://<AppMonServer>:9911): The entity ID of the service provider. The SAML service provider is part of the AppMon Frontend Server and uses the WebUI port 9911 for communication.
  • spLoginPath (default: sso/login): The path to the AppMon Server's login servlet. The fully qualified URL is https://<AppMonServer>:9911/sso/login.
  • spLoginBinding (default: HTTP_REDIRECT): The SAML login binding, that is, the kind of HTTP message (GET or POST) the service provider accepts. Possible values are HTTP_POST for POST messages and HTTP_REDIRECT for GET messages.
  • spLogoutPath (default: sso/logout): The path to the AppMon Server's logout servlet. The fully qualified URL is https://<AppMonServer>:9911/sso/logout.
  • spLogoutBinding (default: HTTP_REDIRECT): The SAML logout binding, that is, the kind of HTTP message (GET or POST) the service provider accepts. Possible values are HTTP_POST for POST messages and HTTP_REDIRECT for GET messages.
  • spCertificateFingerprint (no default): The fingerprint (thumbprint) of the service provider certificate. Currently this certificate has to be located in the AppMon Server keystore. The fingerprint is the SHA-256 hash of the certificate written as hex bytes, for example 3a:43:a3:db:b6:e9:e2:af:b7:4c:5f:29:b7 (shortened for illustration; a full SHA-256 fingerprint has 32 bytes). Both colons (:) and spaces are allowed as separators. Without a fingerprint the service provider neither signs nor encrypts its messages, so the identity provider cannot verify that authentication and logout requests originate from AppMon; set it for production use.
  • spMetadataValidityPeriodInDays (default: 180): The validity period of the service provider metadata in days.
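As an added example, not code from AppMon or from the attached sample files, the following Python script performs the offline checks a practitioner would want before restarting the frontend server. It parses an idp.xml metadata file, compares its entityID with the configured idpEntityId, checks that the identity provider offers a SingleSignOnService endpoint for the configured spLoginBinding, checks validUntil, and pins the identity provider's signing certificate by SHA-256 fingerprint, since the server itself validates neither chains nor revocation. The same fingerprint routine normalizes a spCertificateFingerprint value in either separator style and rejects values that are not 32 bytes long. The metadata document and the "certificate" bytes are constructed placeholders; in practice the pinned value comes from the identity provider's operator.

```python
# Added example (not AppMon code): offline sanity checks for idp.xml and for
# the spCertificateFingerprint value. Stdlib only; all inputs are constructed.
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# sso.config.xml binding names mapped to the SAML 2.0 binding URIs
BINDING_URI = {
    "HTTP_REDIRECT": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "HTTP_POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}


def normalize_fingerprint(text):
    """Accept colon- or space-separated hex (both allowed by AppMon) and return
    the canonical lowercase colon form. A SHA-256 fingerprint is 32 bytes, so
    anything else is rejected instead of being stored silently."""
    digits = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digits):
        raise ValueError(f"expected 64 hex digits (SHA-256), got {len(digits)}")
    return ":".join(digits[i:i + 2] for i in range(0, 64, 2))


def der_fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate, colon separated."""
    return normalize_fingerprint(hashlib.sha256(der).hexdigest())


def check_idp_metadata(xml_text, idp_entity_id, sp_login_binding, pinned_fingerprint, now=None):
    """Return a list of problems; an empty list means the metadata is usable.
    The IdP signing certificate is pinned by a fingerprint obtained out of band
    because the server does no chain or revocation checking. The metadata is
    operator-supplied; for untrusted XML prefer defusedxml over ElementTree."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    if root.get("entityID") != idp_entity_id:
        problems.append(f"entityID {root.get('entityID')!r} != idpEntityId {idp_entity_id!r}")
    valid_until = root.get("validUntil")
    if valid_until:
        expires = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expires <= (now or datetime.now(timezone.utc)):
            problems.append(f"metadata expired at {valid_until}")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return problems + ["no IDPSSODescriptor element"]
    offered = {e.get("Binding") for e in idp.findall(f"{{{MD}}}SingleSignOnService")}
    if BINDING_URI[sp_login_binding] not in offered:
        problems.append(f"IdP offers no SingleSignOnService for {sp_login_binding}")
    signing = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            signing.append(base64.b64decode("".join(cert.text.split())))
    if not signing:
        problems.append("no signing certificate in IdP metadata")
    elif normalize_fingerprint(pinned_fingerprint) not in {der_fingerprint(c) for c in signing}:
        problems.append("IdP signing certificate does not match the pinned fingerprint")
    return problems


# Constructed sample: entity ID from the page, a placeholder blob instead of a real X.509 certificate.
SAMPLE_CERT_DER = b"constructed placeholder, not a real certificate"
IDP_ENTITY_ID = "https://my.idp.my.domain/simplesamlphp/saml2/idp/metadata.php"
SAMPLE_IDP_XML = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="{IDP_ENTITY_ID}" validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{BINDING_URI['HTTP_REDIRECT']}"
        Location="https://my.idp.my.domain/simplesamlphp/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    pin = der_fingerprint(SAMPLE_CERT_DER)  # in practice: supplied by the IdP operator
    print(check_idp_metadata(SAMPLE_IDP_XML, IDP_ENTITY_ID, "HTTP_REDIRECT", pin))  # []
    print(check_idp_metadata(SAMPLE_IDP_XML, IDP_ENTITY_ID, "HTTP_POST", pin))      # binding problem
```

Run the script against the real idp.xml and the fingerprint you received from the identity provider's operator; any non-empty list means the metadata should not be placed in <DT_HOME>/server/conf yet. The binding check matters because the IdP must expose an endpoint for the message type named in spLoginBinding, and the length check catches fingerprints copied from a shortened example rather than from the keystore.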

SAML General Attributes

  • ssoEnabled (default: false): Whether the SAML/SSO feature is turned on. Possible values are true and false.
  • allowWeakAuthnResponses (default: false): SAML responses sent to the AppMon Server are verified against the SAML specification; a response that does not comply fails the check, and authentication on the AppMon Server fails. Additional checks are made that are intended to prevent some injection attacks. Setting this attribute to true disables those additional checks and weakens response validation, so leave it at false in production.
  • ssoRequestCacheTimeout (default: 300): AppMon Server-side timeout, in seconds, for authentication and logout requests sent to the identity provider.

Downloads