SAML/SSO configuration

Availability
  • AppMon 2017 May Beta feature. Beta features are publicly available in the release and supported by the Dynatrace technical support team. Keep in mind, though, that the feature is limited and has not been tested extensively in real-world scenarios. Verify in your test or staging environment that it works as expected and fits your needs.

  • AppMon 2018 February GA feature.

Prerequisites and limitations

  • In AppMon 2017 May, no GUI for SSO configuration is available.
  • SSO works only in Windows-based AppMon Clients and the AppMon Web.
  • On Mac, SSO might work, but there may be problems with certificate management and request redirection.
  • No certificate verification is implemented. The AppMon Server does not check whether certificates were revoked, and certificate chains are not checked (WIP).
  • AppMon Server login is based on matching groups: during SSO, the identity provider must send a group name that has a matching group on the AppMon Server side. The user permissions are then based on that matching group.

AppMon 2018 February User interface configuration

This description applies to UI-driven configuration for AppMon 2018 February. In AppMon 2017 May, only manual configuration is possible. See Manual configuration below.

In AppMon 2018 February, SSO configuration consists of these general steps:

  1. Generate the service provider metadata file. You can do this in the AppMon Client.
  2. Import the generated metadata into your identity provider so that it can exchange data with the AppMon Frontend Server, which acts as a service provider.
SSO configuration user interface

To generate service provider metadata:

  1. Click Settings > Dynatrace Server > Users > Single sign-on to access the user interface.
  2. Select Enable user authentication via SAMLv2 identity provider to activate single sign-on.
  3. Import the identity provider metadata and certificate chain:
    1. In the Identity provider pane, click Import.
    2. In the Import identity provider metadata dialog box, provide the metadata file. Do one of the following:
      • Paste the URL of the file into the from URL field, and click Download.
      • Click Import, and select the file from your computer.
    3. Click Import certificate chain.
    4. Select the certificate file and open it.
    5. In the Check Certificate Trust dialog box, review the certificate chain details.
    6. Select the certificate to be imported, and click Import.
  4. Specify identity provider attribute names.
  5. In the Service Provider pane, configure service provider parameters:
    • If needed, select the Strong authentication checkbox to make login more secure.
    • Specify the authentication timeout.
    • Select the SAML login/logout binding.
  6. Click Create Service Provider XML to generate the service provider metadata file.

Identity provider attribute names

The identity provider sends information about the authenticated user to the service provider. This information may be stored in attributes with various names. For example, one identity provider could send the authenticated user name in an attribute called userId, and another provider could use uid instead. To read these values, the service provider (AppMon Frontend Server) has to know the attribute names.

Attribute        | Description
-----------------|------------
User name        | The name of the attribute which holds the authenticated user name.
Group assignment | The name of the attribute which holds the authenticated user's group assignments. At least one of the group assignments must exist in AppMon, because the AppMon user permissions are based on such a group. The user name sent by the identity provider is meaningless for AppMon.
Full name        | The name of the attribute which holds the authenticated user's full name. If it's empty, the name is not retrieved.
Email            | The name of the attribute which holds the authenticated user's email address. If it's empty, the email address is not retrieved.
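
The following added example (not AppMon code) shows how the four attribute-name settings above are applied to an assertion's AttributeStatement, and why login fails when no sent group exists locally. The attribute names (uid, memberOf, mail), group names, and the exact, case-sensitive group comparison are assumptions; the sample assertion is constructed and unsigned, so this covers only the mapping step, not signature validation.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion; a real one must be signature-checked first.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>appmon-admins</saml:AttributeValue>
      <saml:AttributeValue>hr-portal</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical values for the four attribute-name settings described above.
ATTRIBUTE_NAMES = {"user_name": "uid", "groups": "memberOf", "full_name": "", "email": "mail"}


def read_attributes(assertion_xml):
    """Return {attribute name: [values]} for every Attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        found.setdefault(attr.get("Name"), []).extend(values)
    return found


def resolve_login(assertion_xml, names, local_groups):
    """Map the configured names onto the assertion and report whether a group matches."""
    attrs = read_attributes(assertion_xml)
    def first(field):
        # An empty configured name means the value is not retrieved.
        vals = attrs.get(names[field], []) if names[field] else []
        return vals[0] if vals else None
    sent = attrs.get(names["groups"], [])
    matched = [g for g in sent if g in local_groups]  # assumption: exact, case-sensitive match
    return {
        "user_name": first("user_name"), "full_name": first("full_name"),
        "email": first("email"), "groups_sent": sent, "groups_matched": matched,
        "login_possible": bool(matched),
    }


if __name__ == "__main__":
    print(resolve_login(SAMPLE_ASSERTION, ATTRIBUTE_NAMES, {"appmon-admins", "appmon-viewers"}))
```

Running the same check against an assertion captured in a test environment shows whether a failed login comes from a wrong attribute name or from a group that has no counterpart on the server.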

Manual configuration