Dynatrace for Government SAML federation

Follow these steps to configure SAML federation for Dynatrace for Government.

Learn more about Dynatrace for Government

To configure SAML federation for Dynatrace for Government

  1. Get an OAuth2 token
  2. Verify the domain
  3. Configure federation

Be sure to replace all <PLACEHOLDERS> with actual values.

1. Get OAuth2 token

Prerequisite: an OAuth2 client that is allowed to request the sso20-idm-read-write scope. The client secret, and the access token you get back, can change how your account's users sign in, so keep both out of shell history, tickets and logs.

Request

curl "https://<DYNATRACE_SSO_DOMAIN>/sso/oauth2/token" \
-X POST \
-d "client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&grant_type=client_credentials&scope=sso20-idm-read-write&resource=urn:dtaccount:<ACCOUNT_UUID>" \
-H "Accept: application/json" \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Cache-Control: no-cache"

The resource parameter is a form field in the POST body, next to client_id and the others; it is not an HTTP header. If your client secret contains characters such as & or =, pass each field with its own --data-urlencode option instead of one -d string, so the value is encoded rather than split.

where:

  • <DYNATRACE_SSO_DOMAIN> is provided to you by Dynatrace.
  • <CLIENT_ID> is your client ID.
  • <CLIENT_SECRET> is your client secret.
  • <ACCOUNT_UUID> is your account UUID.

Sample response

{
"scope": "sso20-idm-read-write",
"token_type": "Bearer",
"expires_in": 7200,
"access_token": "12345678-90ab-cdef-ghij-klmnopqrstuv"
}

The access_token value is the bearer token for the IDM endpoints in the steps that follow. expires_in is in seconds; in the sample the token is valid for two hours, after which you repeat this request to get a new one.

2. Verify domain

This section includes:

  • 2a. Generate challenge for the domain
  • 2b. Verify domain challenge

2a. Generate challenge for the domain

This section includes:

  • Request for verifying domain
  • Sample responses

Request

curl "https://<DYNATRACE_SSO_DOMAIN>/idm/v1/accounts/<ACCOUNT_UUID>/saml/domain-challenge/pending" \
  -X POST \
  -d "{ \"domain\": \"<DOMAIN>\", \"type\": \"TXT\"}" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <ACCESS_TOKEN>"

where:

  • <DYNATRACE_SSO_DOMAIN> is provided to you by Dynatrace.
  • <ACCOUNT_UUID> is your account UUID.
  • <DOMAIN> is your domain.
  • <ACCESS_TOKEN> is your access token.

Sample responses

  • verified is true:

    {  
        "challenge": "Dynatrace-site-verification=1a2fbc3d-4e56-7f89-g012-34h56ij78kl9__0mnopq1rstuvwxy2z3ab4cd56e",  
        "type": "TXT",  
        "domain": "test2.com",  
        "verified": true,  
        "createdAt": null,  
        "updatedAt": null  
    }
    
  • verified is false:

    {  
        "challenge": "Dynatrace-site-verification=1a2fbc3d-4e56-7f89-g012-34h56ij78kl9__0mnopq1rstuvwxy2z3ab4cd56e",  
        "type": "TXT",  
        "domain": "test-domain.com",  
        "verified": false,  
        "createdAt": null,  
        "updatedAt": null  
    }
    

2b. Verify domain challenge

You need to verify a domain challenge only where verified is false. If verified is true, the domain is already verified for this account; skip to Configure federation.

The TXT challenge proves that whoever configures federation for <DOMAIN> also controls its DNS. Without it, any account holder could claim your domain and redirect its users' sign-ins to an IdP they control.

Copy the whole value from the challenge field (including the Dynatrace-site-verification= prefix) and publish it as a TXT record on <DOMAIN> at your DNS provider. Then call the endpoint below. If it returns verifiedCorrectly: false, the record is usually not visible yet: confirm it from a public resolver (for example, dig +short TXT <DOMAIN>) and retry.

Propagation time

It typically takes a few minutes for a record to propagate through the DNS system and for the value to become available for Dynatrace to verify. In some cases, it may take up to 24 hours.

Request

curl "https://<DYNATRACE_SSO_DOMAIN>/idm/v1/accounts/<ACCOUNT_UUID>/saml/domain-challenge/pending/<DOMAIN>" \
  -X POST \
  -H "accept: application/json" \
  -H "authorization: Bearer <ACCESS_TOKEN>"

where:

  • <DYNATRACE_SSO_DOMAIN> is provided to you by Dynatrace.
  • <ACCOUNT_UUID> is your account UUID.
  • <DOMAIN> is the domain you passed in step 2a (test-domain.com in the sample response above).
  • <ACCESS_TOKEN> is your access token.

Sample responses

  • Response code = 200
    DNS domain challenge was not verified correctly.

    {  
        "verifiedCorrectly": false  
    }
    
  • Response code = 200
    DNS domain challenge was verified correctly.

    {  
        "verifiedCorrectly": true  
    }
    
  • Response code = 404
    DNS domain challenge for given account and domain doesn't exist (hasn't been generated or has already been verified).

    {  
        "reason": "The pending challenge of domain test2.com does not exist in the ab01234c-d567-8ef9-012g-h34ijk5lmn67 account."  
    }
    

3. Configure federation

This section includes:

  • 3a. Get Dynatrace SSO IdP metadata
  • 3b. Use createConfigurations endpoint
  • 3c. Test your federation

3a. Get Dynatrace SSO IdP metadata

Get the Dynatrace SSO IdP metadata from https://<DYNATRACE_SSO_DOMAIN>/sso/metadata.

Register the Dynatrace SSO metadata with your IdP (Dynatrace SSO is the service provider in this exchange) and export your IdP's own metadata as XML. The activities involved in this step depend on your IdP's interface and requirements. For details, see Manage users and groups with SAML in Dynatrace SaaS.

3b. Use createConfigurations endpoint

Use the createConfigurations endpoint (documented at https://<DYNATRACE_SSO_DOMAIN>/api/#/FederationRestResource/createConfigurations). The request body is a JSON array of configurations.

curl -X POST "https://<DYNATRACE_SSO_DOMAIN>/idm/v1/accounts/<ACCOUNT_UUID>/saml" \
-H "accept: application/json" \
-H "authorization: Bearer <ACCESS_TOKEN>" \
-H "Content-Type: application/json" \
-d "[ { \"domain\": \"<DOMAIN>\", \"metadata\": \"<METADATA>\", \"firstNameAttribute\": \"<FIRST_NAME_ATTR>\", \"lastNameAttribute\": \"<LAST_NAME_ATTR>\", \"federatedAttribute\": \"<FED_ATTR>\"}]"

where:

  • <DYNATRACE_SSO_DOMAIN> is provided to you by Dynatrace.
  • <ACCOUNT_UUID> is your account UUID, the same value used in the previous steps.
  • <ACCESS_TOKEN> is your access token.
  • <DOMAIN> is your verified domain.
  • <METADATA> is the metadata XML from your IdP (not the Dynatrace SSO IdP metadata), embedded as a single JSON string: every " inside the XML must be escaped as \" and every line break as \n. Hand-escaping is error-prone; let a JSON tool produce the string instead (for example, jq -Rs . idp-metadata.xml prints the file as one escaped JSON string).
  • <FIRST_NAME_ATTR> is the attribute that contains the first name of a user.
    For Microsoft Azure, it's http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname.
  • <LAST_NAME_ATTR> is the attribute that contains the last name.
    For Microsoft Azure, it's http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname.
  • <FED_ATTR> is the security group claim attribute containing the groups/roles of a user from your IdP. This field is needed if you want to use SAML authorization.
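The API side of the procedure (steps 1 to 3b) as one script. This is an added example, not Dynatrace code: the endpoints, JSON field names and status codes are the ones shown in the curl commands above; the DynatraceSsoClient class, its method names, the polling loop, the metadata sanity check and the SAMPLE_IDP_METADATA document are this example's own design and not part of the Dynatrace API. It sends resource as a form parameter of the token request and builds every JSON body with json.dumps, so the metadata string is escaped correctly without hand editing. HTTP goes through a swappable transport callable, which lets you dry-run the flow against canned responses before using real credentials.

```python
"""Scripted form of the API steps above (token, domain challenge, federation
config). Added example, not Dynatrace code: endpoints, field names and status
codes follow the curl commands; everything else is this example's own design."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SAML_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
XMLDSIG = "http://www.w3.org/2000/09/xmldsig#"


def urllib_http(method, url, headers, body):
    # Real transport: returns (status, decoded JSON body or None).
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    return status, (json.loads(raw) if raw else None)


class DynatraceSsoClient:
    def __init__(self, sso_domain, account_uuid, http=urllib_http):
        self.base, self.account, self.http = f"https://{sso_domain}", account_uuid, http
        self.token = None

    def get_token(self, client_id, client_secret):
        # Step 1. urlencode() keeps '&' or '=' inside the secret intact;
        # 'resource' is a form field like the others, not a header.
        form = urllib.parse.urlencode({
            "client_id": client_id, "client_secret": client_secret,
            "grant_type": "client_credentials", "scope": "sso20-idm-read-write",
            "resource": f"urn:dtaccount:{self.account}"}).encode()
        status, data = self.http("POST", f"{self.base}/sso/oauth2/token",
                                 {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200 or data.get("token_type") != "Bearer":
            raise RuntimeError(f"token request failed: {status} {data}")
        self.token = data["access_token"]
        return self.token

    def _idm(self, method, path, payload=None):
        # Authenticated IDM call; json.dumps() escapes the quotes and line
        # breaks inside the metadata string, so nothing is hand-escaped.
        headers = {"Accept": "application/json", "Authorization": f"Bearer {self.token}"}
        body = json.dumps(payload).encode() if payload is not None else None
        if body:
            headers["Content-Type"] = "application/json"
        return self.http(method, f"{self.base}/idm/v1/accounts/{self.account}/{path}",
                         headers, body)

    def generate_challenge(self, domain):
        # Step 2a. If 'verified' is false, publish 'challenge' as a TXT record.
        status, data = self._idm("POST", "saml/domain-challenge/pending",
                                 {"domain": domain, "type": "TXT"})
        if status != 200:
            raise RuntimeError(f"challenge request failed: {status} {data}")
        return data

    def wait_for_verification(self, domain, attempts=12, delay=60, sleep=time.sleep):
        # Step 2b. Poll until verifiedCorrectly is true; 404 = no pending challenge.
        for _ in range(attempts):
            status, data = self._idm("POST", f"saml/domain-challenge/pending/{domain}")
            if status == 404:
                raise RuntimeError(data.get("reason", "no pending challenge"))
            if status != 200:
                raise RuntimeError(f"verification request failed: {status} {data}")
            if data.get("verifiedCorrectly") is True:
                return True
            sleep(delay)
        return False

    @staticmethod
    def check_idp_metadata(metadata_xml):
        # Sanity check added by this example: the XML must be an EntityDescriptor
        # whose IDPSSODescriptor carries a signing certificate. Returns entityID.
        ns = {"md": SAML_MD, "ds": XMLDSIG}
        root = ET.fromstring(metadata_xml)
        idp = root.find("md:IDPSSODescriptor", ns)
        if root.tag != f"{{{SAML_MD}}}EntityDescriptor" or idp is None:
            raise ValueError("not SAML 2.0 IdP metadata")
        if not any(kd.get("use") in (None, "signing")
                   and kd.find(".//ds:X509Certificate", ns) is not None
                   for kd in idp.findall("md:KeyDescriptor", ns)):
            raise ValueError("IdP metadata has no signing certificate")
        return root.get("entityID")

    def create_federation(self, domain, metadata_xml, first_attr, last_attr, fed_attr=None):
        # Step 3b. Body is a list of configurations; success is 204 with no body.
        entity_id = self.check_idp_metadata(metadata_xml)
        cfg = {"domain": domain, "metadata": metadata_xml,
               "firstNameAttribute": first_attr, "lastNameAttribute": last_attr}
        if fed_attr:
            cfg["federatedAttribute"] = fed_attr
        status, data = self._idm("POST", "saml", [cfg])
        if status != 204:
            raise RuntimeError(f"federation config failed: {status} {data}")
        return entity_id


# Constructed sample IdP metadata (placeholder certificate value) for dry runs.
SAMPLE_IDP_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{SAML_MD}" xmlns:ds="{XMLDSIG}" '
    'entityID="https://idp.example.com/saml"><md:IDPSSODescriptor><md:KeyDescriptor '
    'use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBplaceholder'
    '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    '</md:IDPSSODescriptor></md:EntityDescriptor>')
```

Against the real service, construct DynatraceSsoClient("<DYNATRACE_SSO_DOMAIN>", "<ACCOUNT_UUID>") with the default transport, read the metadata XML your IdP exported from a file, and call get_token, generate_challenge, wait_for_verification and create_federation in that order; start wait_for_verification only after the TXT record is published, since each poll is a request to the pending-challenge endpoint. Passing a fake transport that returns the sample responses from this page exercises the whole flow without credentials, and check_idp_metadata refuses metadata without a signing certificate before anything is uploaded.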

3c. Test your federation

If the request is successful (response code = 204, no body), you can test your federation. Use a test user that exists in your IdP, is assigned to the Dynatrace application there, and has an email address in @<DOMAIN>.

  1. Go to https://<DYNATRACE_SSO_DOMAIN>/.
  2. Enter the email address of that user and select Next.
    You should be redirected to your IdP site.
  3. Sign in at your IdP with the same email address you entered in step 2.
    You should be redirected back to Dynatrace (and possibly to your tenant).

More information

For more information about configuring your IdP to work with Dynatrace, see Manage users and groups with SAML in Dynatrace SaaS and, as needed, any of the following IdP-specific instructions: