How user authentication has evolved in NAM

Applies to NAM 2018

NAM 2018 introduces single sign-on (SSO) for all Dynatrace NAM users.

  • Before NAM 2018, you had to sign on to the NAM Console (formerly RUM Console) and then separately to each NAM Server (formerly CAS).
  • Now you sign on just once to any of these NAM components and you are transparently granted access to the other components in your deployment.

Read below to understand how we arrived at this design.

Product and component name changes

If you are coming to NAM 2018 from an earlier release (DC RUM), note that product and component names have also changed:

DC RUM 2017 May release           | Dynatrace NAM 2018 release
RUM Console                       | NAM Console
Central Analysis Server (CAS)     | NAM Server
Advanced Diagnostic Server (ADS)  | Advanced Diagnostics on Demand feature of NAM Server
Agentless Monitoring Device (AMD) | NAM Probe

We retain the old names in some graphics and descriptions below to help you orient yourself, but be aware that the new names are in effect starting with NAM 2018.

DC RUM user authentication prior to release 2017

Prior to release 2017, DC RUM used the Central Security Server (CSS) to manage user credentials and play the central part in the authorization process.

Each DC RUM component — Central Analysis Server (CAS) or RUM Console — provided a local login form that enabled users to authenticate at that particular component. The process used the CSS as a backend service where hashed authentication information was verified.

[Figure: DC RUM pre-2017 authentication]

DC RUM 2017 user authentication

With DC RUM 2017, we integrated CSS functionality with the RUM Console to prepare the ground for introducing single sign-on (SSO). CSS is (literally) no longer in the picture.

[Figure: DC RUM 2017 authentication]

NAM Console 2018 user authentication: SSO

With NAM 2018, you now have two flavors of SSO to choose from:

  • In the simplest configuration, authentication is managed solely by your NAM Console (formerly RUM Console), which handles all sign-on activity from each NAM Server in your deployment. Each NAM Server (formerly CAS) operates in SSO federation with the NAM Console. The NAM Console is then the only place where user credentials are entered and shared.

    Console sign-on without external IdP:
    [Figure: NAM Console authentication: internal]

    Server sign-on without external IdP:
    [Figure: NAM Server authentication: internal]

  • If you prefer to rely on your enterprise SSO, you can integrate NAM with an external SSO provider (for example, OpenAM). In this configuration, all authentication traffic still goes first through your NAM Console and then to the external provider. Your users authenticate only against the external IdP, and their credentials are never shared with any Dynatrace NAM component.

    Console sign-on with external IdP:
    [Figure: NAM Console authentication: external]

    Server sign-on with external IdP:
    [Figure: NAM Server authentication: external]

In either configuration:

  • When you sign on to one component (NAM Console or NAM Server), you are also signed on to the other NAM components in the deployment (provided you have the appropriate user role). That’s the essence of single sign-on.
  • User rights are still controlled in NAM with fine granularity to guarantee appropriate levels of user access to reports and configuration screens.
  • All users must have web access to the NAM Console. Whether you choose to use the external SSO federation services or not, the NAM Console always plays an essential part in every user’s authentication.

Benefits of SSO-based user authentication

With the new SSO-based approach to NAM user authentication, you gain the following benefits:

  • Fewer infrastructure components have access to authentication information when only one component asks users for their authentication credentials.
  • Users need to remember fewer login credentials, which is a big gain for the end user as well as for adherence to corporate security policies.
  • With GDPR now affecting all companies doing business in the EU, organizations need to take extra care to limit access to private data such as authentication credentials. By enabling SSO, Dynatrace NAM takes a significant step forward in answering the growing need of IT departments to manage user credentials in a more secure way.