
Azure SAML configuration for Dynatrace

Follow the steps below to configure Azure Active Directory (Azure AD) as the SAML identity provider (IdP) for Dynatrace SSO.

Important

This page describes the IdP (Azure) end of your SAML SSO configuration, not the Dynatrace end. Use it as part of the entire SAML configuration procedure for Dynatrace SaaS if you're using Azure.

While we do our best to provide you with current information, Dynatrace has no control over changes that may be made by third-party providers. Always refer to official third-party documentation as your primary source of information for third-party products.

Configuration

  1. In the Azure portal, open Azure Active Directory and choose Enterprise applications.

  2. Select New application, choose Add from the gallery, type Dynatrace in the search box, and select Dynatrace.

    Example: Search for Dynatrace application

  3. Type the name of the application (for example, Dynatrace) and select Create to add the application. The Overview page of your application will open automatically.

    Example: Create Dynatrace application

  4. Choose Single sign-on from the application's left-hand navigation menu and choose SAML as the single sign-on method.

    Example: Choose SAML as the single sign-on method

  5. At Save single sign-on setting, select Yes.

    Example: Save default initial configuration

  6. In Basic SAML Configuration, set Logout Url to https://sso.dynatrace.com:443/saml2/sp/logout and save your changes.

    Example: Enter Logout Url

  7. In SAML Signing Certificate, download Federation Metadata XML.

    Example: Download Federation Metadata XML

  8. Choose Users and groups from the application's left-hand navigation and assign the users and groups that may sign in to the Dynatrace application. Users who aren't assigned here are rejected by Azure AD with error AADSTS50105 (see Troubleshooting).

  9. In Dynatrace Account Configuration (the Dynatrace end of the procedure), upload the file you downloaded in step 7 as Federated Metadata XML and set the attribute names exactly as Azure AD emits them in the SAML assertion:

    First name attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

    Last name attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

    Security group claim attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

Note that in the SAML assertion returned by Azure AD, each group is identified by its ObjectId (a GUID), not by its display name. When configuring the user group mapping in Dynatrace, enter the group's ObjectId in Security group claims (in the example screenshot, it's 4569e836...). A mapping entered by display name never matches.

Example: Security group claims (Azure group mapping)

Troubleshooting

Why is a link to the Graph API endpoint returned instead of a group list?

Azure Active Directory adds at most 150 group claims to a SAML token. If a user is a member of more groups than that, Azure AD omits the group list entirely and instead returns a link to the Microsoft Graph endpoint from which the groups could be fetched. Dynatrace doesn't support retrieving user groups this way, because it would require additional authentication between Dynatrace and Azure AD.

If your users exceed the 150-group limit, consider one of the following options:

  • Reduce the number of groups that affected users are assigned to.
  • Configure the Dynatrace application's group claim in Azure AD to emit only the groups assigned to the application, rather than all of the user's groups.
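
As an added example (not Dynatrace or Microsoft code), the following Python script checks the two artifacts that change hands in steps 7 and 9 above, and flags the two failure modes described on this page: groups emitted as display names instead of ObjectIds, and the group-overage case where Azure AD returns a Graph link instead of a group list. Both XML documents in it are constructed samples shaped like Azure AD output; the tenant ID, group ObjectIds and certificate body are placeholders. The overage claim name `http://schemas.microsoft.com/claims/groups.link` is the one Azure AD uses in SAML tokens for that case; it is not mentioned on this page.

```python
"""Sanity-check Azure AD federation metadata and a SAML assertion for Dynatrace SSO.
Added example, not Dynatrace or Microsoft code; all XML below is constructed."""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Claim names Dynatrace expects, as listed in the configuration steps above.
GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Azure AD emits this claim instead of the group list once the 150-group limit is hit.
GROUPS_LINK = "http://schemas.microsoft.com/claims/groups.link"

# Azure AD group ObjectIds are GUIDs.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

TENANT = "00000000-1111-2222-3333-444444444444"  # placeholder tenant ID

# Constructed, trimmed stand-in for the Federation Metadata XML download (step 7).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def build_response(attribute_xml):
    """Wrap <saml:Attribute> elements in a constructed, Azure-shaped SAML Response."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
    <saml:AttributeStatement>{attribute_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def attr(name, *values):
    """Build one <saml:Attribute> with the given values (constructed sample data)."""
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return f'<saml:Attribute Name="{name}">{vals}</saml:Attribute>'


NAME_CLAIMS = attr(GIVENNAME, "Jane") + attr(SURNAME, "Doe")
# Healthy token: groups carried as ObjectIds (placeholder GUIDs).
SAMPLE_OK = build_response(NAME_CLAIMS + attr(
    GROUPS, "11111111-2222-4333-8444-555555555555", "66666666-7777-4888-9999-aaaaaaaaaaaa"))
# Overage token: the group list is replaced by a Graph link.
SAMPLE_OVERAGE = build_response(NAME_CLAIMS + attr(
    GROUPS_LINK, f"https://graph.windows.net/{TENANT}/users/{{user-id}}/getMemberObjects"))
# Misconfigured token: groups emitted by display name instead of ObjectId.
SAMPLE_BY_NAME = build_response(NAME_CLAIMS + attr(GROUPS, "Dynatrace Admins"))


def inspect_metadata(xml_text):
    """Return the IdP entityID, SSO URL and signing-cert count from federation metadata."""
    root = ET.fromstring(xml_text)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_url": None if sso is None else sso.get("Location"),
        "signing_certs": len(root.findall(".//ds:X509Certificate", NS)),
    }


def attributes(xml_text):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    return {
        a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
        for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
    }


def check_assertion(xml_text):
    """Return a list of findings for the Dynatrace mapping; an empty list means OK."""
    attrs = attributes(xml_text)
    findings = []
    for claim in (GIVENNAME, SURNAME):
        if not attrs.get(claim):
            findings.append(f"missing claim {claim}")
    if GROUPS_LINK in attrs:
        findings.append("group overage: Azure AD sent a Graph link instead of the group list "
                        "(user exceeds 150 groups); trim memberships or send assigned groups only")
    elif not attrs.get(GROUPS):
        findings.append(f"missing claim {GROUPS}")
    for group in attrs.get(GROUPS, []):
        if not GUID_RE.match(group):
            findings.append(f"group {group!r} is not an ObjectId; map groups by ObjectId, not name")
    return findings


if __name__ == "__main__":
    print(inspect_metadata(SAMPLE_METADATA))
    for label, sample in (("ok", SAMPLE_OK), ("overage", SAMPLE_OVERAGE), ("by-name", SAMPLE_BY_NAME)):
        print(label, check_assertion(sample) or "OK")
```

To use it against a real tenant, replace SAMPLE_METADATA with the contents of the Federation Metadata XML you downloaded in step 7, and feed a decoded SAMLResponse captured from the browser (for example with the SAML-tracer extension) to `check_assertion`. The entityID printed by `inspect_metadata` is the issuer Dynatrace trusts; if it doesn't match the `<saml:Issuer>` in the assertion, the metadata and the token come from different tenants.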

How can I resolve Error AADSTS50105 in an Azure configuration?

If Error AADSTS50105 - The signed in user is not assigned to a role for the application occurs during federated authentication with Azure AD, the user hasn't been assigned to the Dynatrace application in Azure AD (step 8 above). Assign the user, or a group the user belongs to, under Users and groups for the application.

For details, see the Microsoft documentation:

  • Error AADSTS50105 - The signed in user is not assigned to a role for the application
  • Quickstart: Create and assign a user account