
Okta SAML configuration for Dynatrace

Follow the examples below to configure Okta as the SAML identity provider (IdP) for Dynatrace SSO. You can use Okta's pre-built configuration or configure it manually.

  • Okta Network Integration configuration
  • Okta manual configuration
Important

This page describes the IdP (Okta) end of your SAML SSO configuration, not the Dynatrace end. Use it as part of the entire SAML configuration procedure for Dynatrace SaaS if you're using Okta.

While we do our best to provide you with current information, Dynatrace has no control over changes that may be made by third-party providers. Always refer to official third-party documentation as your primary source of information for third-party products.

Okta Network Integration configuration

Through the Okta Integration Network, you can use an Okta-verified, pre-built configuration to integrate Dynatrace with your Okta IdP for SSO.

  1. In the Okta interface, select Application from the main menu and click Add Application.

    Example screen: Okta - Add Application

  2. Search for Dynatrace and select Add.

    Example screen: Okta - find and add Dynatrace

  3. Click Next.

    Example screen: Okta - select Next

  4. In Sign On Methods, select SAML 2.0.

    Example screen: Okta - select SAML 2.0

  5. (Optional) Set Default Relay State to your default tenant URL or to another Dynatrace service in the *.dynatrace.com realm. If this is not defined, users are redirected after sign-in to the last accessed tenant or to the account/user profile.

  6. (Optional) Set role as the Security group claim attribute. If configured, Okta will send assigned groups within the SAML Request.

    To manage group membership in Okta with SAML Authorization in Dynatrace, this must be configured.

    Example screen: Okta configure Security Group Claim attribute

    • For more about SAML metadata configuration, see Configure metadata.
    • You can configure Security Group Claim attribute filtering using Okta's proprietary expression language. For example, set role to Matches regex and enter .* as the value to have all groups assigned to the user sent with the SAML request.
  7. (Optional) Select Enable Single Logout and upload a certificate (Browse and Upload) to enable global single logout. The certificate is provided in Okta's Dynatrace configuration. You need to be signed in to the Okta Admin Dashboard.

    Example screen: Okta optional Global Logout configuration

Okta manual configuration

Use this procedure if you choose to manually integrate Dynatrace with your Okta IdP (rather than using an Okta Network Integration configuration as described above).

  1. In General settings, follow this example.

    Example screen: Okta General settings

    'General' - example values

    Values in the example screen are:

    • Single sign on URL: https://sso.dynatrace.com:443/saml2/sp/consumer
      • 'Use this for Recipient URL and Destination URL' is selected.
      • 'Allow this app to request other SSO URLs' is not selected.
    • Audience URI (SP Entity ID): https://sso.dynatrace.com:443/saml2/login
    • Name ID format: EmailAddress
    • Application username: Email
    • Update application username on: Create and update

  2. Select Show Advanced Settings for additional configuration settings as shown in the example.

    Example screen: Okta Advanced settings

    'Advanced settings' - example values

    Values in the example screen include:

    • Response: Signed (required)
    • Assertion Signature: Signed (optional)
    • Signature Algorithm: RSA-SHA256
    • Digest Algorithm: SHA256
    • Assertion Encryption: Unencrypted (required)
    • Enable Single Logout and Single Logout URL: If you want to enable single logout service with Dynatrace SSO:
      • Select Enable Single Logout
      • Enter a Single Logout URL: https://sso.dynatrace.com:443/saml2/sp/logout
    • SP Issuer: https://sso.dynatrace.com:443/saml2/login
    • Signature Certificate: The certificate file required by Okta for SSO application configuration can be converted from an X509Certificate using, for instance, this online tool. The result should be just an X509Certificate wrapped with a header. You can find the Dynatrace SSO metadata for the certificate file at: https://sso.dynatrace.com/sso/metadata

  3. Configure attribute statements to enable SAML authorization in Dynatrace SSO.

    • In the Attribute Statements section, add entries for first name and last name.
    • In the Group Attribute Statements section, add an entry to enable mapping of groups between the Okta IdP and Dynatrace SSO.

    Values displayed here are only examples.

    Example screen: Okta Attribute Statements and Group Attribute Statements

    Attribute names need to match the Dynatrace federated attribute values on the Dynatrace Single sign-on page:

    • First name attribute
    • Last name attribute
    • Security group claim attribute

    You can configure Group Attribute Statements filtering using Okta's proprietary expression language. For example, .* means that all groups assigned to the user will be sent with the SAML request.
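
For the Signature Certificate setting in step 2, the conversion can also be done locally instead of with an online tool. This is an added example, not Dynatrace or Okta code: it extracts the signing X509Certificate from SAML metadata and returns it as PEM text. The sample metadata is constructed and assumes the standard SAML 2.0 metadata layout; `metadata_signing_cert_to_pem` is a hypothetical helper name.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample: shaped like SP metadata, but the base64 body is
# placeholder bytes, not a real certificate.
FAKE_DER = b"\x30\x82\x01\x0a" + bytes(range(200))
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sso.dynatrace.com:443/saml2/login">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def metadata_signing_cert_to_pem(metadata_xml: str) -> str:
    """Return the signing certificate found in SAML metadata as PEM text."""
    root = ET.fromstring(metadata_xml)
    for key in root.iter(f"{MD}KeyDescriptor"):
        # A KeyDescriptor without "use" applies to signing and encryption.
        if key.get("use", "signing") != "signing":
            continue
        cert = key.find(f".//{DS}X509Certificate")
        if cert is None or not (cert.text or "").strip():
            continue
        raw = "".join(cert.text.split())            # drop line breaks and indentation
        der = base64.b64decode(raw, validate=True)  # rejects non-base64 characters
        if der[:1] != b"\x30":                      # DER certificates start with SEQUENCE
            raise ValueError("X509Certificate is not DER data")
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    raise ValueError("no signing certificate in metadata")


if __name__ == "__main__":
    print(metadata_signing_cert_to_pem(SAMPLE_METADATA), end="")
```

Run it on the metadata downloaded from the URL given in step 2 and save the returned text as the certificate file to upload.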
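
To confirm that the manual settings in steps 1 to 3 took effect, a captured SAML response can be compared against them. This added example (not Dynatrace or Okta code) checks structure only and does not verify the signature; the sample response is constructed and minimal, and `lint_response` and the `role` attribute name are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS = "https://sso.dynatrace.com:443/saml2/sp/consumer"   # Single sign on URL
AUDIENCE = "https://sso.dynatrace.com:443/saml2/login"    # Audience URI (SP Entity ID)
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed minimal response (signature values left out); not captured traffic.
SAMPLE = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" xmlns:ds="{NS['ds']}"
    Destination="{ACS}">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
    <ds:Reference><ds:DigestMethod Algorithm="{SHA256}"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <a:Assertion>
    <a:Subject><a:NameID Format="{EMAIL_FMT}">jane@example.com</a:NameID></a:Subject>
    <a:Conditions><a:AudienceRestriction>
      <a:Audience>{AUDIENCE}</a:Audience></a:AudienceRestriction></a:Conditions>
    <a:AttributeStatement><a:Attribute Name="role">
      <a:AttributeValue>dt-admins</a:AttributeValue></a:Attribute></a:AttributeStatement>
  </a:Assertion>
</p:Response>"""


def lint_response(xml_text, group_attr="role"):
    """Return the names of settings from this page that the response deviates from."""
    root = ET.fromstring(xml_text)

    def attr(path, name):
        node = root.find(path, NS)
        return None if node is None else node.get(name)

    sig = "ds:Signature//ds:"  # Signature as a direct child = signed Response
    checks = {
        "Destination is the Single sign on URL": root.get("Destination") == ACS,
        "Response is signed": root.find("ds:Signature", NS) is not None,
        "Signature Algorithm is RSA-SHA256": attr(sig + "SignatureMethod", "Algorithm") == RSA_SHA256,
        "Digest Algorithm is SHA256": attr(sig + "DigestMethod", "Algorithm") == SHA256,
        "Assertion is unencrypted": root.find("a:EncryptedAssertion", NS) is None,
        "Audience is the SP Entity ID": (root.findtext(".//a:Audience", "", NS) or "").strip() == AUDIENCE,
        "Name ID format is EmailAddress": attr(".//a:Subject/a:NameID", "Format") == EMAIL_FMT,
        f"group attribute '{group_attr}' is sent": root.find(f".//a:Attribute[@Name='{group_attr}']", NS) is not None,
    }
    return [name for name, ok in checks.items() if not ok]
```

An empty list means the response matches the settings listed on this page; pass the group attribute name configured in Group Attribute Statements as `group_attr`.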