Manage users and groups with SAML in Dynatrace SaaS

Dynatrace SaaS enables authentication through your organization's identity provider (IdP). If you want to use your organization's corporate credentials for authentication in Dynatrace, you can set up SAML to delegate authentication to your IdP.

SAML 2.0 is used for authentication. Based on the domain part of your corporate email address, Dynatrace can determine if SAML was configured for that domain and redirect to your company’s IdP for authentication. Be aware that the configuration affects all other accounts and users that share the same domain name.

IdP requirements

Your IdP must meet the following SAML specification and security requirements to be compliant with Dynatrace SSO:

  • The entire SAML message must be signed (signing only SAML assertions is insufficient and generates a 400 Bad Request response).
  • The SAML protocol version is urn:oasis:names:tc:SAML:2.0:protocol.
  • The NameID format is urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
  • IdP response NotBefore and NotOnOrAfter assertion timestamps must consider system clock skew and must be set to at least 1 minute before and 1 minute after the current time (this particularly concerns AD FS default settings).
  • The IdP response status code must be urn:oasis:names:tc:SAML:2.0:status:Success.
  • The SignatureMethod algorithm is
  • The DigestMethod algorithm is
  • No assertion encryption.
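
The requirements above can be checked against a captured IdP response before you enable SSO. The following is an added example, not Dynatrace code: `lint_response` and `sample` are hypothetical names, the message is constructed and trimmed, and only structure is checked (the signature is not cryptographically verified, and the algorithm requirements are not covered).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def _ts(value):  # SAML timestamps are UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def lint_response(xml_text, now, skew=timedelta(minutes=1)):
    """Return violations of the listed IdP requirements (structural checks only)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "{%s}Response" % NS["p"] or root.get("Version") != "2.0":
        problems.append("not a SAML 2.0 protocol Response")
    # The signature must be a direct child of Response, not only of Assertion.
    if root.find("ds:Signature", NS) is None:
        problems.append("message-level signature missing")
    code = root.find("p:Status/p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.find("a:EncryptedAssertion", NS) is not None:
        problems.append("assertion is encrypted")
    name_id = root.find("a:Assertion/a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL:
        problems.append("NameID format is not emailAddress")
    cond = root.find("a:Assertion/a:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and _ts(nb) > now - skew:
            problems.append("NotBefore leaves less than 1 minute of skew")
        if noa and _ts(noa) < now + skew:
            problems.append("NotOnOrAfter leaves less than 1 minute of skew")
    return problems

def sample(sig_on_response, not_before, not_on_or_after):  # constructed, trimmed message
    sig = "<ds:Signature/>"
    return f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" xmlns:ds="{NS['ds']}" Version="2.0">
 {sig if sig_on_response else ''}
 <p:Status><p:StatusCode Value="{SUCCESS}"/></p:Status>
 <a:Assertion>{'' if sig_on_response else sig}
  <a:Subject><a:NameID Format="{EMAIL}">user@example.com</a:NameID></a:Subject>
  <a:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
 </a:Assertion></p:Response>"""

if __name__ == "__main__":
    print(lint_response(sample(False, "2024-01-01T12:00:00Z", "2024-01-01T12:05:00Z"), _ts("2024-01-01T12:00:00Z")))
```

Pass the time at which the response was issued as `now`; an assertion-only signature and a zero-skew `NotBefore` are both reported.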

Dynatrace SSO SP metadata is provided at If your IdP requires manual configuration and you don't have any XML parser extensions installed in your Chrome browser, we recommend that you view the metadata in Firefox.

Depending on the IdP type, these endpoints need to be configured as follows:

  • for Entity ID / Audience Restriction
  • for Single Sign On URL / Destination URL / Recipient URL
  • for Single Logout Service URL

If your IdP configuration screen contains the option to set SAML bindings for sign-in or sign-out, set it to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.

SAML federated IdP configuration

To set up SAML for your domain

  1. Create a fallback user account
  2. Verify your ownership of the domain
  3. Configure metadata
  4. Test your configuration

1. Create a fallback user account

When a user signs in, Dynatrace checks the domain part of your corporate email address to determine whether SAML was configured for that domain. If there's a match, the sign-in is redirected to your company’s IdP for authentication. For a fallback, you need an email address that won't be redirected like this.


You need to create a fallback user account so you don't get locked out if you have configuration troubles.

Your fallback account must be a non-federated user account that has the Manage users and Manage groups permissions and isn't covered by the federated sign-in.

  1. Invite a user with a non-federated email address (an email address with a different domain from the one for which you are setting up SAML).
  2. Specify the Manage users and Manage groups permissions in the invitation (users can be invited via the User management page).

2. Verify your ownership of the domain

Before you can configure the domain for which you want to set up SAML, you need to prove ownership of the domain.

  1. Select Account settings from the user menu on the right side of the menu bar.

  2. Select Single sign-on from the navigation menu on the left.

  3. In the Verify domain section, enter the domain (for example, for which you want to set up SAML.

  4. Select Copy and add the TXT resource record to your domain’s DNS configuration.

  5. Select Verify so that Dynatrace can verify that the record was added to your domain’s DNS.
    It might take a few minutes for the record to be propagated in the DNS system and the value to become available for Dynatrace to verify.

  6. After successful verification, the domain is listed in Verified domains.

    If people in your organization use more than one domain to sign in (for example, and, you can add additional domains using the same procedure: enter and verify the additional domains to add them to the Verified domains list.

3. Configure metadata

After you create a fallback user account and verify your ownership of the domain, you can configure metadata.

  1. Select Add to start configuring metadata.

  2. Select Download XML to download the service provider (SP) metadata displayed in Service provider SAML 2.0 XML metadata.

    • Alternative: If you prefer, you can select the data in the Service provider SAML 2.0 XML metadata text box and copy it to your clipboard instead of downloading a file.
  3. Register the data at your IdP and get the metadata of your IdP in XML format. The activities involved in this step depend on your IdP's interface and requirements.

    Example IdP-specific instructions for registering the SP data at your IdP and getting the IdP metadata:

    These examples were correct at the time of writing, but Dynatrace has no control over changes that may be made by your IdP.

  4. Select Choose file to upload the file containing the metadata of your IdP in XML format.

    • Alternative: If you prefer, you can paste the IdP metadata text directly into the Identity provider SAML 2.0 XML metadata box instead of uploading a file.
  5. In the Attribute mapping section, specify the following:

    • First name attribute is the attribute that contains the first name of a user.
      For Microsoft Azure, it's
    • Last name attribute is the attribute that contains the last name.
      For Microsoft Azure, it's
    • Security group claim attribute contains the groups/roles of a user from your IdP. This field is needed if you want to use SAML authorization.


  6. Select Validate configuration to verify your settings. You might need to sign in to your SSO.
    If validation is successful, Dynatrace displays a confirmation message.

    Close the message to return to the Add configuration page and then select Continue to display a summary of the validated configuration.

    If there's an error in the Results list, select Edit configuration to fix it before continuing.

  7. On the Enable SSO page, select Enable if you are ready to enable your configuration.
    Note: Don't sign out of Dynatrace yet in case any SSO issues occur.

  8. Select Save & continue to save your configuration.


    These configuration changes affect accounts and users that share the same domain name. For example:

    • You've already configured SAML for a trial account using domain "" and are now configuring a production account that also uses domain "". In this case, the changes you submit now apply to both accounts (you overwrite the SAML configuration for the trial account when you save changes for the production account).
    • You have users on another account whose email addresses also use the "" domain. In this case, those users (all users whose email address ends with "") have to sign in using the new IdP configuration.

4. Test your configuration

To test your configuration

  1. Open a new browser instance and a new incognito window.
  2. Navigate to and enter your email address on the sign-in page.
  3. Select Next.
    You should be redirected to your company’s IdP.
  4. Provide your domain password.
    After successful authentication, you should be redirected to your Dynatrace environment's home page.


  • If you experience trouble, use the non-federated user (the fallback user account you created earlier) to sign in and change the configuration or disable federation.
  • See Frequently asked questions below for answers to common questions.

SAML authorization

You can use SAML authorization to manage permissions in Dynatrace. To do so, you need to map groups from your IdP to groups in Dynatrace.

  1. Select Group management and add a new group or find an existing group you want to map. You can filter the list by name and permissions.


    • We strongly recommend that you first create a new group (select Create new group) to test whether SAML authorization works for that group.
    • Make sure you have a non-federated user with the Manage groups permission, as discussed earlier.
  2. Expand the Edit pane of the group to set up a mapping.

    • Group name—Make sure it matches the group you intend to edit.

    • Security group claims—A list of one or more federated group names returned by your IdP and mapped to this Dynatrace group.
      Select Add claim if you need to add a claim.
      This typically isn't a group display name. It can be, for example, an LDAP ID.

      When you specify a security group claim for a group and select Save:

      • All existing users from that group are removed.
      • The group becomes a federated group. Assignment of users to that group is then controlled via the Security group claim attribute that you specified on the Single sign-on page.
    • Account permissions—Account-related permissions for members of this group.

    • Environment permissions—Environment-related permissions for members of this group.

  3. Select Save.
    Note: Don't sign out of Dynatrace yet.

  4. Open a new browser instance and a new incognito window and sign in.

  5. Navigate to account settings (select Account settings in the user menu) and verify that you can still see the User management and Group management tabs on the left.
    If you can't see them, you've lost your Dynatrace admin permissions. Use the non-federated user account to change the configuration if you've run into any issues.

  6. Dynatrace checks Security group claims of each user following successful sign-in. If a matching Dynatrace group is found, the user is added to the Dynatrace group and inherits all permissions of that group.


  • When using SAML authorization, it isn't required that you invite users to Dynatrace. If a user doesn't yet exist in Dynatrace, but during sign-in one or more matching Dynatrace groups are found (via the security group claim name), the user is created automatically.
  • Upon each sign-in, the Dynatrace group assignment is updated based on the values specified by the Security group claim attribute.
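
Because saving a claim mapping empties the group and later sign-ins assign membership from claims alone, a wrong claim value on an admin group removes admin access. The following added example (not Dynatrace code) is a simplified model of the behaviour described above that checks for this before you save; the group names, claim values and data layout are constructed, and it assumes membership of non-federated groups is left unchanged by sign-in.

```python
ADMIN = {"Manage users", "Manage groups"}

# Constructed sample: one local admin group, one already-federated viewer group.
SAMPLE_GROUPS = {
    "Admins": {"claims": set(), "members": {"alice@example.com"},
               "permissions": set(ADMIN)},
    "Viewers": {"claims": {"a1b2-ops"}, "members": set(),
                "permissions": {"View environment"}},
}

def save_mapping(groups, group_name, claims):
    """Model of Save: the group becomes federated and existing members are removed."""
    updated = {name: dict(group) for name, group in groups.items()}
    updated[group_name] = dict(updated[group_name], claims=set(claims), members=set())
    return updated

def sign_in(groups, user, user_claims):
    """Model of a sign-in: return the permissions the user ends up with."""
    perms = set()
    for group in groups.values():
        if group["claims"]:   # federated group: membership follows the IdP claims
            member = bool(group["claims"] & set(user_claims))
        else:                 # local group: membership stays as assigned
            member = user in group["members"]
        if member:
            perms |= group["permissions"]
    return perms

def would_lock_out(groups, group_name, claims, user, user_claims):
    """True if saving this mapping leaves `user` without both admin permissions."""
    after = save_mapping(groups, group_name, claims)
    return not ADMIN <= sign_in(after, user, user_claims)

if __name__ == "__main__":
    # The IdP sends "a1b2-ops" for Alice; the display-style name never matches.
    print(would_lock_out(SAMPLE_GROUPS, "Admins", ["dyn-admins"],
                         "alice@example.com", ["a1b2-ops"]))
```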

SAML IdP configuration

Follow the examples linked here to configure any of these SAML identity providers (IdPs) to work with Dynatrace SSO.

Frequently asked questions (FAQ)