Azure configuration for Dynatrace SSO

Follow the examples below to configure Dynatrace SSO using Azure as the SAML identity provider (IdP).

Important: Use this IdP-specific help as part of the entire SAML configuration procedure for Dynatrace SaaS.

  1. In the Azure portal, choose Enterprise Applications from the Azure Active Directory.

  2. Click the New Application button and choose Non-gallery application.

  3. Type the name of the application (for example, Dynatrace) and click Add to add the application.

  4. Choose Single sign-on from the application’s left-hand navigation menu and choose SAML as the single sign-on method.

  5. Click Upload metadata file and choose the Dynatrace metadata file.
    Dynatrace SSO SP metadata is provided at https://sso.dynatrace.com/sso/metadata.

  6. In Basic SAML Configuration, set Logout Url to https://sso.dynatrace.com:443/saml2/sp/logout and save your changes.

  7. Return to the Single sign-on preview.

  8. To enable SAML authorization in Dynatrace SSO, you need to add the group attribute to SAML. Edit User Attributes & Claims and configure Groups returned in claim.

    The number of user groups that Azure Active Directory adds to a SAML token is limited to 150. If this limit is exceeded, a link to the Graph API endpoint is returned instead of a group list. Dynatrace doesn’t support retrieving user groups this way, because it would require additional authentication between Dynatrace and Azure AD.

    If you exceed the 150 limit, consider one of the following options:

    • Limit the number of groups that users are assigned to.
    • Configure Azure AD to send only security groups. In the example screen above, see the options under "Which groups associated with the user should be returned in the claim?"

  9. Return to the Single sign-on preview and edit SAML Signing Certificate.

  10. In Signing Option, select Sign SAML response and assertion.

  11. Return to the Single sign-on preview and download Federated Metadata XML.

  12. Choose Users and groups from the application’s left-hand navigation to configure user access to the Dynatrace application.

  13. In Dynatrace Account Configuration, provide the metadata you downloaded as Federated Metadata XML and set the following attributes:

    First name attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    Last name attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    Security group claim attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

Note that in the SAML message returned by Azure, groups are identified with an ObjectId, not a group name. When configuring the user group mapping, make sure you use ObjectId in Security group claims (in this example, it's 4569e836...).
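The following script is an added example (it is not Dynatrace or Microsoft code) for checking a SAML response captured from the browser after the configuration above. It looks for the three claim names from the Dynatrace account configuration step, confirms that the group values are ObjectIds rather than display names, and confirms that both the Response and the Assertion carry a signature element, which is what the "Sign SAML response and assertion" option should produce. The sample response, its ObjectIds and its signature contents are constructed placeholders; the script checks that signature elements are present, it does not cryptographically verify them (that requires the IdP certificate from the Federated Metadata XML).

```python
"""Inspect an Azure AD SAML response against the Dynatrace SSO settings.

Added example, not Dynatrace or Microsoft code. Signature presence is
checked, not validated.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Claim names from the Dynatrace account configuration step.
GIVEN_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Azure group ObjectIds are GUIDs; a display name here means a wrong claim source.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

# Constructed sample: a minimal Azure-style SAML Response. The IDs, ObjectIds
# and signature contents are placeholders, not real values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_assert1" Version="2.0">
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Doe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
        <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_claims(xml_text):
    """Return {claim_name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


def check_signatures(xml_text):
    """Report whether the Response and the Assertion each carry a ds:Signature."""
    root = ET.fromstring(xml_text)
    response_signed = root.find("ds:Signature", NS) is not None
    assertion = root.find("saml:Assertion", NS)
    assertion_signed = assertion is not None and assertion.find("ds:Signature", NS) is not None
    return {"response": response_signed, "assertion": assertion_signed}


def check_dynatrace_claims(xml_text):
    """Validate the claims Dynatrace expects and list anything that is off."""
    claims = extract_claims(xml_text)
    problems = []
    # A missing groups claim is also the visible symptom of the 150-group limit:
    # above it Azure AD sends a Graph link instead of the group list.
    for required in (GIVEN_NAME, SURNAME, GROUPS):
        if not claims.get(required):
            problems.append(f"missing claim {required}")
    groups = claims.get(GROUPS, [])
    for g in groups:
        if not GUID_RE.match(g):
            problems.append(f"group value is not an ObjectId: {g!r}")
    sigs = check_signatures(xml_text)
    for part, signed in sigs.items():
        if not signed:
            problems.append(f"{part} is not signed")
    return {"groups": groups, "signatures": sigs, "problems": problems}


if __name__ == "__main__":
    print(check_dynatrace_claims(SAMPLE_RESPONSE))
```

Feed it the base64-decoded SAMLResponse from a real login to confirm that the group values you see are the ObjectIds you entered in the Dynatrace group mapping, and that an empty `problems` list comes back before you hand the configuration to users.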