AD FS configuration for Dynatrace SSO

Follow the examples below to configure Dynatrace SSO using Active Directory Federation Services (AD FS) as the SAML identity provider (IdP).

Important: Use this IdP-specific help as part of the entire SAML configuration procedure for Dynatrace SaaS.

Specify the metadata

  1. On the Monitoring tab, specify the monitoring settings for the relying party trust.

    • Relying party's federation metadata URL - We recommend that you specify the SSO Dynatrace federation metadata URL: https://sso.dynatrace.com/sso/metadata
    • Monitor relying party - Selected.
    • Automatically update relying party - Selected.
    Alternative

    If you can't do the above (perhaps due to corporate policy), you need to download the metadata manually:

    1. Run the following command in PowerShell:
      wget -Outfile dynatrace_sso_metadata.xml https://sso.dynatrace.com/sso/metadata
    2. Apply it to the Dynatrace SSO relying party trust:
      Update-AdfsRelyingPartyTrust -TargetIdentifier "<DYNATRACE_SSO_IDENTIFIER>" -MetadataFile 'dynatrace_sso_metadata.xml'
  2. On the Advanced tab, make sure the Secure hash algorithm is SHA-256.

Configure claims mapping

To configure claims mapping

  1. Right-click Sso Dynatrace Relying Party Trust under Trust Relationship.
  2. Select Edit Claims Rules....

Create Active Directory transformations

To create Active Directory transformations

  1. Click Add Rule....

  2. Select Send LDAP Attributes as Claims (the default option) and set the values as in the following examples.

  3. Edit Rule - Email Attribute Claim:

    • Claim rule name: Email Attribute Claim
    • Attribute store: Active Directory
    • Mapping of LDAP attributes to outgoing claim types:
      • LDAP Attribute = E-Mail-Addresses, Outgoing Claim Type = E-Mail Address
  4. Edit Rule - First and Last Name:

    • Claim rule name: First and Last Name
    • Attribute store: Active Directory
    • Mapping of LDAP attributes to outgoing claim types:
      • LDAP Attribute = Given-Name, Outgoing Claim Type = givenName
      • LDAP Attribute = Surname, Outgoing Claim Type = sn
  5. Edit Rule - roles:
    Token-Groups as SIDs is an example LDAP attribute that can be used for group mapping. Depending on your corporate LDAP, select the one that contains the LDAP user groups.

    • Claim rule name: Group Mapping
    • Attribute store: Active Directory
    • Mapping of LDAP attributes to outgoing claim types:
      • LDAP Attribute = Token-Groups as SIDs, Outgoing Claim Type = Group

Create Email to NameID transformation

To create an Email Address to NameID transformation

  1. Click Add Rule....

  2. Select Transform an Incoming Claim.

  3. Set the values according to this example.

    • Claim rule name: Email to Name ID
    • Incoming claim type: E-Mail Address
    • Outgoing claim type: Name ID
    • Outgoing name ID format: Email
    • Pass through all claim values: selected

Final steps

  1. Ensure that both the SAML message and the assertion are signed:

    Set-ADFSRelyingPartyTrust -TargetIdentifier "<DYNATRACE_SSO_IDENTIFIER>" -SamlResponseSignature "MessageAndAssertion"

  2. Ensure that clock skew between the AD FS server and Dynatrace SSO won't cause SAML validation to fail (NotBeforeSkew is given in minutes):

    Set-ADFSRelyingPartyTrust -TargetIdentifier "<DYNATRACE_SSO_IDENTIFIER>" -NotBeforeSkew 2

  3. Establish SAML authorization in Dynatrace SSO.

    You need to specify the First name attribute, the Last name attribute, and the Security group claim attribute.
    For AD FS these attributes are usually the claim URIs below, but they may vary depending on the AD FS version and settings.

    • First name attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    • Last name attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    • Security group claim attribute: http://schemas.xmlsoap.org/claims/group
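As an added example (not part of the Dynatrace or Microsoft documentation), the following PowerShell audits the relying party trust against every setting this page asks for: metadata monitoring, SHA-256 signing, MessageAndAssertion signature, the NotBeforeSkew value, and the presence of issuance rules for the claim types Dynatrace consumes. It assumes you run it on the AD FS server, that <DYNATRACE_SSO_IDENTIFIER> is the identifier you used above, and that the outgoing claim types in your rules resolve to the standard URIs listed under Final steps.

```powershell
# Added example: audit the Dynatrace SSO relying party trust against the documented settings.
# Assumption: <DYNATRACE_SSO_IDENTIFIER> is a placeholder for the identifier configured above.
Import-Module ADFS

function Test-DynatraceSsoTrust {
    param([Parameter(Mandatory)][string]$Identifier)

    $rpt = Get-AdfsRelyingPartyTrust -Identifier $Identifier
    if (-not $rpt) { throw "No relying party trust found for identifier '$Identifier'" }

    $findings = [System.Collections.Generic.List[string]]::new()

    # Specify the metadata: monitoring and auto-update keep the Dynatrace certificates current
    $expectedMetadata = 'https://sso.dynatrace.com/sso/metadata'
    if (-not $rpt.MonitoringEnabled) { $findings.Add('Monitor relying party is not selected') }
    if (-not $rpt.AutoUpdateEnabled) { $findings.Add('Automatically update relying party is not selected') }
    if ("$($rpt.MetadataUrl)" -ne $expectedMetadata) {
        $findings.Add("Metadata URL is '$($rpt.MetadataUrl)', expected $expectedMetadata")
    }

    # Advanced tab: AD FS stores the secure hash algorithm as its XML-DSig URI
    if ($rpt.SignatureAlgorithm -ne 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256') {
        $findings.Add("Signature algorithm is '$($rpt.SignatureAlgorithm)', expected SHA-256")
    }

    # Final steps: sign message and assertion, tolerate two minutes of clock skew
    if ($rpt.SamlResponseSignature -ne 'MessageAndAssertion') {
        $findings.Add("SamlResponseSignature is '$($rpt.SamlResponseSignature)', expected MessageAndAssertion")
    }
    if ($rpt.NotBeforeSkew -ne 2) { $findings.Add("NotBeforeSkew is $($rpt.NotBeforeSkew), expected 2") }

    # Claims mapping: every claim type Dynatrace consumes must be emitted by some issuance rule
    $requiredClaimTypes = @(
        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
        'http://schemas.xmlsoap.org/claims/group',
        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
    )
    foreach ($type in $requiredClaimTypes) {
        if ($rpt.IssuanceTransformRules -notmatch [regex]::Escape($type)) {
            $findings.Add("No issuance transform rule emits claim type $type")
        }
    }
    return $findings
}

$result = Test-DynatraceSsoTrust -Identifier '<DYNATRACE_SSO_IDENTIFIER>'
if ($result.Count -eq 0) { 'Relying party trust matches the documented configuration' } else { $result }
```

Run it after the Final steps; an empty result means the trust matches this page, and each returned line names the setting still to fix.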