Applies to NAM 2018
NAM 2018 introduces single sign-on (SSO) for all Dynatrace NAM users.
- Before NAM 2018, you had to sign on to the NAM Console (formerly RUM Console) and then separately to each NAM Server (formerly CAS).
- Now you sign on just once to any of these NAM components and you are transparently granted access to the other components in your deployment.
Read below to understand how we arrived at this design.
If you are coming to NAM 2018 from earlier releases (DC RUM), this is how product and component naming has also changed:
|DC RUM 2017 and older||NAM 2018, NAM 2019|
|RUM Console||NAM Console|
|Central Analysis Server (CAS)||NAM Server|
|Advanced Diagnostic Server (ADS)||Advanced Diagnostics on Demand feature of NAM Server|
|Agentless Monitoring Device (AMD)||NAM Probe|
We retain the old names in some graphics and descriptions below to help you orient yourself, but be aware that the new names are in effect starting with NAM 2018.
DC RUM user authentication prior to release 2017
Prior to release 2017, DC RUM used the Central Security Server (CSS) to manage user credentials and play the central part in the authorization process.
Each DC RUM component — Central Analysis Server (CAS) or RUM Console — provided a local login form that enabled users to authenticate at that particular component. The process used the CSS as a backend service where hashed authentication information was verified.
DC RUM 2017 user authentication
With DC RUM 2017, we integrated CSS functionality with the RUM Console to prepare the ground for introducing single sign-on (SSO). CSS is (literally) no longer in the picture.
NAM Console 2018 user authentication: SSO
With NAM 2018, you now have two flavors of SSO to choose from:
In the simplest configuration, authentication is managed solely by your NAM Console (formerly RUM Console), which handles all sign-on activity from each NAM Server in your deployment. Each NAM Server (formerly CAS) operates together in SSO federation with the NAM Console. The NAM Console is then the only place where user credentials are entered and shared.
Console sign-on without external IdP:
Server sign-on without external IdP:
If you prefer to rely on your enterprise SSO, you can integrate NAM with an external SSO provider (for example, OpenAM). In this configuration, all authentication traffic still goes first through your NAM Console and then to the external provider. Your users authenticate only against the external IdP, and their credentials are never shared with any Dynatrace NAM component.
Console sign-on with external IdP:
Server sign-on with external IdP:
In either configuration:
- When you sign on to one component (NAM Console or NAM Server), you are also signed on to other NAM components in the deployment (providing you have the appropriate user role). That’s the essence of single sign-on.
- User rights are still controlled in NAM with fine granularity to guarantee appropriate levels of user access to reports and configuration screens.
- All users must have web access to the NAM Console. Whether you choose to use the external SSO federation services or not, the NAM Console always plays an essential part in every user’s authentication.
Benefits of SSO-based user authentication
With the new approach to the NAM user authentication based on SSO, you gain the following benefits:
- Fewer infrastructure components have access to authentication information when only one component asks users for their authentication credentials.
- Users need to remember fewer login credentials, which is a big gain for the end user as well as for adherence to corporate security policies.
- With GDPR now affecting all companies doing business in the EU, organizations need to take extra care to limit access to private data such as authentication credentials. By enabling SSO, Dynatrace NAM takes a significant step forward in answering the growing need of IT departments to manage user credentials in a more secure way.