GSuite (Google) SAML configuration for Dynatrace

Follow the examples below to configure GSuite (Google) as the SAML identity provider (IdP) for Dynatrace SSO.

This topic describes the IdP (GSuite) end of your SSO configuration, not the Dynatrace end. Use it as part of the entire SAML configuration procedure for Dynatrace SaaS if you're using GSuite.

While we do our best to provide you with current information, Dynatrace has no control over changes that may be made by third-party providers. Always refer to official third-party documentation as your primary source of information for third-party products.

Configuring GSuite SAML application

  1. Navigate to the GSuite Admin panel and choose Apps > SAML apps from the menu.

  2. Choose to add a new SAML application to open a pop-up configuration wizard.

  3. On the Enable SSO for SAML Application page, select Setup my own custom App.

  4. On the Google IdP Information page, in the IDP metadata section (Option 2), click Download to download the IdP metadata as an XML file. This will be needed when configuring single sign-on in Dynatrace.

  5. On the Basic information for your Custom App page, provide an intuitive Application Name.

  6. On the Service Provider Details page, enter Service Provider (SP) details as follows:


    Entity ID

    Start URL

    Leave this empty for now

    Signed Response

    Select this check box.


    Leave this as is.

    NameID format

    Leave this as is.

    This information can also be found in Dynatrace SSO metadata at

  7. On the Attribute Mapping page, add mappings for FirstName and LastName as shown in the example. (You'll need to add a third mapping later for Groups, which is described in the Preparing group mapping section that follows.)

Preparing group mapping

By default, GSuite doesn't offer a way to send user groups through SAML. This is required for mapping to certain groups/permissions in Dynatrace. The only fields that can be delivered by SAML are as in this example:

This doesn't allow the GSuite administrator to provide a list of groups or permissions that the user should have in Dynatrace.

Google suggests that you add a custom schema to user accounts. This enables you to add multiple group entries that, upon being sent via SAML, are mapped correctly to groups and permissions in Dynatrace.

  1. Navigate to the Google Directory API:

  2. Make the following schema edits.

    • Set customerId to my_customer, which automatically uses this Google account's ID.
    • We suggest the following schema (in JSON) for Dynatrace:
        "schemaName": "DynatraceSSO",  
        "displayName": "DynatraceSSO",  
        "fields": [  
            "fieldType": "STRING",  
            "fieldName": "UserRole",  
            "displayName": "UserRole",  
            "multiValued": true,  
            "readAccessType": "ADMINS_AND_SELF"  
  3. Click Execute to add the new schema for all users.
    The new configuration will now be selectable as a SAML attribute for users.

  4. In the GSuite Admin panel, navigate back to Apps > SAML apps as before.

  5. Click through to Attribute Mapping, where the mappings for FirstName and LastName were added previously.

  6. Set the Role attribute to DynatraceSSO and UserRole.

This will make Google send all of the entries in DynatraceSSO/UserRole for a certain user as an attribute in SAML, which Dynatrace SSO will use to assign permissions upon a federated login. The user roles can be applied to each user separately using the user configuration screen in GSuite.

Assigning user roles

User roles can be applied to every user separately using the User information screen in GSuite.

You can map these roles in Dynatrace account management to certain permissions as needed.

Note that in GSuite, UserRole has to have the same value as the Security group claim name in Dynatrace account management (for example, DynatraceTenantViewer and DynatraceAccountAdmin).


Say you've set up two groups in Dynatrace account management and have a group called Main Account Admin, which is assigned a federated user by the Security group claim name DynatraceAccountAdmin.

If you now attach the DynatraceAccountAdmin UserRole to any user in GSuite, that user will be assigned the permissions of the Main Account Admin group in Dynatrace account management.

Upon setting up the SAML apps configuration in GSuite correctly, the SAML request sent from GSuite should contain the configured groups as SAML attributes.