Follow the examples below to configure Dynatrace SSO using Azure as the SAML identity provider (IdP).
Important: Use this IdP-specific help as part of the entire SAML configuration procedure for Dynatrace SaaS.
In the Azure portal, choose Enterprise Applications from Azure Active Directory.
Click the New Application button and choose Non-gallery application.
Type the name of the application (for example, Dynatrace) and click Add to add the application.
Choose Single sign-on from the application’s left-hand navigation menu and choose SAML as the single sign-on method.
Click Upload metadata file and choose the Dynatrace metadata file.
Dynatrace SSO SP metadata is provided at https://sso.dynatrace.com/sso/metadata.
In Basic SAML Configuration, set Logout Url to https://sso.dynatrace.com:443/saml2/sp/logout and save your changes.
Return to the Single sign-on preview.
To enable SAML authorization in Dynatrace SSO, you need to add the group attribute to SAML. Edit User Attributes & Claims and Groups returned in claim.
Return to the Single sign-on preview and edit SAML Signing Certificate.
In Signing Option, select Sign SAML response and assertion.
Return to the Single sign-on preview and download Federated Metadata XML.
Choose User and groups from the application’s left-hand navigation to configure user access to the Dynatrace application.
In Dynatrace Account Configuration, provide the metadata you downloaded as Federated Metadata XML and set the following attributes:
First name attribute
Last name attribute
Security group claim attribute
Note that in the SAML message returned by Azure, groups are identified with an ObjectId, not a group name. When configuring the user group mapping, make sure you use ObjectId in Security group claim name as in this example.
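An added example, not part of the Dynatrace documentation: a structural check you can run on the base64 SAMLResponse form value captured from a test sign-in, to confirm that both the response and the assertion carry a signature element (the Signing Option step above) and that the group values are ObjectIds rather than names. The claim name in GROUPS_CLAIM is assumed to be Azure's default group claim, and the helper build_sample is hypothetical and only constructs test input.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Assumption: Azure's default group claim name; change it if you customized the claim.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def check_saml_response(b64_response):
    """Report signature presence (not validity) and the group claim values."""
    # Intended for a response you captured yourself; use defusedxml for untrusted XML.
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    groups = []
    if assertion is not None:
        for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == GROUPS_CLAIM:
                groups = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
    return {
        # find() matches direct children only, so the two signatures are told apart.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None and assertion.find("ds:Signature", NS) is not None,
        "groups": groups,
        "non_objectid_groups": [g for g in groups if not GUID.match(g)],
    }


def build_sample(sign_response, groups):
    """Constructed test input (not a real Azure response); signatures are empty stubs."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'{sig if sign_response else ""}<saml:Assertion>{sig}'
        f'<saml:AttributeStatement><saml:Attribute Name="{GROUPS_CLAIM}">{values}'
        "</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(check_saml_response(build_sample(True, ["11111111-2222-3333-4444-555555555555"])))
```

A non-empty non_objectid_groups list means the claim is emitting something other than ObjectIds, so a group mapping keyed on ObjectId will not match those values.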