Manage users and groups with OpenID

Dynatrace Managed supports integration with OpenID as an SSO IdP (Single Sign-On Identity Provider) for the management of users and groups. We currently support standard claims (email, profile, address) as defined in the OpenID Connect Core 1.0 specification. The redirect_uri used for authentication is set to the Dynatrace Managed Web UI URL that's configured in your Cluster Management Console. Note that this URI must also be configured in your OpenID-provider client.

Set up OpenID integration

  1. From the Cluster Management Console menu, select User authentication > Single sign-on settings.
  2. From the list box, select OpenID Connect.
  3. To change the login page, you must prove that your SSO mechanism is actually working by signing out and logging in using SSO. The standard page will be shown as a fallback if something goes wrong.
  4. Enter the Client ID and Client Secret of the client from the IdP that will be used for authentication.
  5. In the Server discovery endpoint text field, type in the Open ID configuration URL provided by the IdP and click Import Configuration.

Group assignment configuration

Each Dynatrace Managed user must be assigned to at least one user group, with at least one associated monitoring environment. Without such mapping, a user can't login to Dynatrace Managed and will receive an error message stating that no environment has been found.

You can manage user group assignments in the following ways:

  • Manually - From within Dynatrace Managed. For manual user-group assignment, disable Assign users to groups based on UserInfo response attribute. With this approach, the list of groups sent within your IdP's authentication response is ignored by Dynatrace Managed.

  • Automatically - For automatic user-group assignment, enable Assign users to groups based on UserInfo response attribute and type the group name in the User groups attribute field. With this approach, any assignments made within Dynatrace Managed are overwritten by the list of groups sent within your IdP's authentication response. You can add a custom user groups separator to separate user groups.