This is a beta feature in AppMon 2017 May. Beta features are publicly available in the release and supported by the Dynatrace technical support team. Keep in mind, though, that the feature is limited and has not been tested extensively in real-world scenarios. Verify in your test or staging environment whether it works as expected and fits your needs.
Prerequisites and limitations
- GUI for SSO configuration is not available.
- SSO works only in Windows-based AppMon Clients and the WebUI.
- On Mac, SSO might work but there may be some problems with certificate management and request redirection.
- No certificate verification is implemented: the AppMon Server does not check whether certificates have been revoked, and certificate chains are not checked (work in progress).
- AppMon Server login is based on matching groups, so during SSO the identity provider must send a group name that has a matching group on the AppMon Server side. The user's permissions are then based on that matching group.
To activate the SAML/SSO feature you have to create two files in the
- `sso.config.xml` for the SAML/SSO configuration
- `idp.xml` for the identity provider configuration metadata
The frontend server reads these files during the startup phase. If the `ssoEnabled` attribute is set to `true` in the `sso.config.xml` file, SAML/SSO is active. If you change these files while the server is running, you have to restart the server. You can find two zipped sample files attached to this page.
The `sso.config.xml` file contains the following settings:
- Identity provider attributes
- Identity provider attribute names
- SAML service provider attributes
- SAML general attributes
SAML identity provider attributes
| Attribute | Description | Default |
|---|---|---|
| | The SAML entity ID of the identity provider. It is recommended that a system entity use a URL containing its own domain name to identify itself. If the identity provider exposes metadata, the entity ID is used as a well-known URL for the entity's metadata. For example: | |
| | The name of the file with the identity provider metadata. This file contains the identity provider configuration information, which is the basis for sending SAML requests to the service provider. The file is located in the | |
Identity provider attribute names
The identity provider sends information about the authenticated user to the service provider. The information may be stored in attributes with various names. For example, one identity provider could send the authenticated user name in an attribute called `userId`, and another provider could use `uid` instead. To be able to read these values, the AppMon Server has to know the attribute names.
| Attribute | Description | Default |
|---|---|---|
| userIdAttributeName | The name of the attribute which holds the authenticated user name. | |
| groupsAttributeName | The name of the attribute which holds the authenticated user's group assignments. At least one of the group assignments must exist in AppMon, because the AppMon user permissions are based on such a group. The user name sent by the identity provider is meaningless for AppMon. | |
| fullNameAttributeName | The name of the attribute which holds the authenticated user's full name. If it is empty, the name is not retrieved. | |
| emailAddressAttributeName | The name of the attribute which holds the authenticated user's email address. If it is empty, the email address is not retrieved. | |
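The attribute-name indirection and the group matching described above, as an added Python illustration (not Dynatrace code): the sso.config.xml values, the AppMon group names and the SAML assertion are constructed for the example, and a login is only produced when at least one sent group exists on the AppMon side.

```python
"""Resolve an AppMon login from a SAML assertion's attributes (added
illustration, not Dynatrace code; config values, group names and the
assertion are constructed for the example)."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed sso.config.xml values: this IdP sends "uid", not "userId".
SSO_CONFIG = {
    "userIdAttributeName": "uid",
    "groupsAttributeName": "memberOf",
    "fullNameAttributeName": "displayName",
    "emailAddressAttributeName": "",  # empty: the address is not retrieved
}
# Groups assumed to exist on the AppMon Server side.
APPMON_GROUPS = {"AppMon Administrators", "AppMon Read-Only"}
# Constructed sample assertion, reduced to its AttributeStatement.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
 <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="displayName"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="memberOf"><saml:AttributeValue>Finance</saml:AttributeValue>
  <saml:AttributeValue>AppMon Read-Only</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

def read_attributes(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs

def first_value(attrs, name):
    """First value of the named attribute; None if the setting is empty or absent."""
    return (attrs.get(name) or [None])[0] if name else None

def resolve_login(assertion_xml, config=SSO_CONFIG, appmon_groups=APPMON_GROUPS):
    """Map IdP attributes onto an AppMon login; None when no group matches."""
    attrs = read_attributes(assertion_xml)
    sent = attrs.get(config["groupsAttributeName"], [])
    matching = sorted(g for g in sent if g in appmon_groups)
    if not matching:
        return None  # permissions derive from the group: no match, no login
    return {"user": first_value(attrs, config["userIdAttributeName"]),
            "groups": matching,
            "full_name": first_value(attrs, config["fullNameAttributeName"]),
            "email": first_value(attrs, config["emailAddressAttributeName"])}
```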
SAML Service Provider Attributes
| Attribute | Description | Default |
|---|---|---|
| spEntityId | The entity ID of the service provider. The SAML service provider is part of the AppMon Frontend Server and uses the WebUI port 9911 for communication. | |
| | The path to the AppMon server's login servlet. The fully qualified URL looks like this: | |
| | The SAML login binding. It specifies the kind of HTTP messages (GET or POST) which can be handled by the service provider. Possible values are | |
| | The path to the AppMon server's logout servlet. The fully qualified URL looks like this: | |
| | The SAML logout binding. It specifies the kind of HTTP messages (GET or POST) which can be handled by the service provider. Possible values are | |
| | The fingerprint (or "thumbprint") of the service provider certificate. Currently, this certificate has to be located in the AppMon Server keystore. The fingerprint should look like this: | |
| spMetadataValidityPeriodInDays | The default validity of the service provider metadata in days. | 180 |
SAML General Attributes
| Attribute | Description | Default |
|---|---|---|
| ssoEnabled | Determines whether the SAML/SSO feature is turned on. Possible values are | |
| | The SAML responses sent to the AppMon Server are verified against the SAML specification. If a response does not comply, the check fails and authentication fails on the AppMon Server. Some additional checks are made which should prevent some injection attacks. If set to | |
| ssoRequestCacheTimeout | AppMon Server-side timeout, in seconds, for the authentication and logout requests sent to the identity provider. | |