GSuite (Google) configuration for Dynatrace SSO

Follow the examples below to configure Dynatrace SSO using GSuite (Google) as the SAML identity provider (IdP).

Important: Use this IdP-specific help as part of the entire SAML configuration procedure for Dynatrace SaaS.

Configuring GSuite SAML application

  1. Navigate to the GSuite Admin panel and choose Apps > SAML apps from the menu.

  2. Choose to add a new SAML application to open a pop-up configuration wizard.

  3. On the Enable SSO for SAML Application page, select Setup my own custom App.

  4. On the Google IdP Information page, in the IDP metadata section (Option 2), click Download to download the IdP metadata as an XML file. This will be needed when configuring single sign-on in Dynatrace.

  5. On the Basic information for your Custom App page, provide an intuitive Application Name.

  6. On the Service Provider Details page, enter Service Provider (SP) details as follows:

    ACS URL https://sso.dynatrace.com:443/saml2/sp/consumer
    Entity ID https://sso.dynatrace.com:443/saml2/login
    Start URL Leave this empty for now
    Signed Response Select this checkbox.
    NameID Leave this as is.
    NameID format Leave this as is.

    This information can also be found in Dynatrace SSO metadata at https://sso.dynatrace.com/sso/metadata.

  7. On the Attribute Mapping page, add mappings for FirstName and LastName as shown in the example. (You'll need to add a third mapping later for Groups, which is described in the Preparing group mapping section that follows.)

Preparing group mapping

By default, GSuite doesn't offer a way to send user groups through SAML. This is required for mapping to certain groups/permissions in Dynatrace. The only fields that can be delivered by SAML are as in this example:

This doesn't allow the GSuite administrator to provide a list of groups or permissions that the user should have in Dynatrace.

Google suggests that you add a custom schema to user accounts. This enables you to add multiple group entries that, upon being sent via SAML, are mapped correctly to groups and permissions in Dynatrace.

  1. Navigate to the Google Directory API:
    https://developers.google.com/admin-sdk/directory/v1/reference/schemas/insert?authuser=1

  2. Make the following schema edits.

    • Set customerId to my_customer, which automatically uses this Google account's ID.
    • We suggest the following schema (in JSON) for Dynatrace:
      {  
        "schemaName": "DynatraceSSO",  
        "displayName": "DynatraceSSO",  
        "fields": [  
          {  
            "fieldType": "STRING",  
            "fieldName": "UserRole",  
            "displayName": "UserRole",  
            "multiValued": true,  
            "readAccessType": "ADMINS_AND_SELF"  
          }  
        ]
      }
      
  3. Click Execute to add the new schema for all users.
    The new configuration will now be selectable as a SAML attribute for users.

  4. In the GSuite Admin panel, navigate back to Apps > SAML apps as before.

  5. Click through to Attribute Mapping, where the mappings for FirstName and LastName were added previously.

  6. Set the Role attribute to DynatraceSSO and UserRole.

This will make Google send all of the entries in DynatraceSSO/UserRole for a certain user as an attribute in SAML, which Dynatrace SSO will use to assign permissions upon a federated login. The user roles can be applied to each user separately using the user configuration screen in GSuite.

Assigning user roles

User roles can be applied to every user separately using the User information screen in GSuite.

You can map these roles in Dynatrace BAS to certain permissions as needed.

Note that in GSuite, UserRole has to have the same value as the Security group claim name in BAS (for example, DynatraceTenantViewer and DynatraceAccountAdmin).

Example

Say you've set up two groups in BAS and have a group called Main Account Admin, which is assigned a federated user by the Security group claim name DynatraceAccountAdmin.

If you now attach the DynatraceAccountAdmin UserRole to any user in GSuite, that user will be assigned the permissions of the Main Account Admin group in BAS.

Upon setting up the SAML apps configuration in GSuite correctly, the SAML request sent from GSuite should contain the configured groups as SAML attributes.