Okta configuration for Dynatrace SSO

Follow the examples below to configure Dynatrace SSO using Okta as the SAML identity provider (IdP).

Important: Use this IdP-specific help as part of the entire SAML configuration procedure for Dynatrace SaaS.

General

In the General settings, follow this example.

Values in the example are:

Single sign on URL: https://sso.dynatrace.com:443/saml2/sp/consumer
  • Use this for Recipient URL and Destination URL is selected.
  • Allow this app to request other SSO URLs is not selected.
Audience URI (SP Entity ID): https://sso.dynatrace.com:443/saml2/login
Name ID format: EmailAddress
Application username: Email
Update application username on: Create and update

Advanced settings

Select Show Advanced Settings for additional configuration settings as shown in the example.

Values in the example include:

Response: Signed (required)
Assertion Signature: Signed (optional)
Signature Algorithm: RSA-SHA256
Digest Algorithm: SHA256
Assertion Encryption: Unencrypted (required)
Enable Single Logout and Single Logout URL: If you want to enable single logout service with Dynatrace SSO:
  • Select Enable Single Logout
  • Enter a Single Logout URL: https://sso.dynatrace.com:443/saml2/sp/logout
SP Issuer: https://sso.dynatrace.com:443/saml2/login
Signature Certificate: The certificate file required by Okta for SSO application configuration can be converted from an X509Certificate using, for instance, this online tool. The result should be just an X509Certificate wrapped with a header. You can find the Dynatrace SSO metadata for the certificate file at: https://sso.dynatrace.com/sso/metadata

Attribute statements

To enable SAML authorization in Dynatrace SSO:

  1. In the Attribute Statements section, add entries for first name and last name.
  2. In the Group Attribute Statements section, add an entry to enable mapping of groups between Okta IdP and Dynatrace SSO.

Values displayed here are only examples.

Attribute names need to match the Dynatrace federated attribute values on the Dynatrace Single sign-on page:

  • First name attribute
  • Last name attribute
  • Security group claim attribute

You can configure Group Attribute Statements filtering using Okta's proprietary expression language. For example, .* means that all groups assigned to the user will be sent with the SAML request.