• Home
  • Manage
  • Access control
  • User management and SSO
  • Manage users and groups with SCIM in Dynatrace SaaS

Manage users and groups with SCIM in Dynatrace SaaS

System for Cross-domain Identity Management (SCIM) is an open standard for automating the exchange of user identity information between identity domains or IT systems. You can configure Dynatrace SaaS to be provided with user identity information automatically from your organization's identity provider (IdP) through SCIM.

SCIM requirements and supported features

  • Dynatrace supports SCIM 2.0 and GET, POST, PATCH, PUT, and DELETE operations for both User and Group resources.

  • For authentication, SCIM requires Bearer token in Authorization header.

  • SCIM is configured for the account and domain scopes. At least one domain ownership verification is required for the account.

  • Only users whose email domains have been verified for ownership can be synchronized with Dynatrace via SCIM.

  • Required and supported SCIM attributes:

    SCIM AttributeType
    userNameemail format
    name.givenNamestring
    name.familyNamestring
    activeboolean
  • userName must be persistent. Dynatrace does not support user email change.

Verify your ownership of the domain

Before you can proceed with SCIM configuration, you need to prove ownership of the domain. Verification is based on a DNS TXT Record check.

For the account, it is sufficient to verify the domain once. If a domain has been verified for SAML, it will be valid for SCIM as well.

To verify ownership of a domain

  1. From the User menu, select Account settings.
  2. Select Identity management > SCIM configuration.
  3. In the Verify domain section, enter the domain (for example, mycompanyname.com) for which you want to set up SCIM.
    Multiple domains

    If users in your organization use more than one domain to sign in (for example, @mycompanyname.com and @uk.mycompanyname.com), you can add additional domains in additional rows and start verifying them all in parallel. Enter each domain in a different row.

  4. For each domain you are verifying, select Copy and add the copied TXT resource record to your domain’s DNS configuration.
  5. For each domain you are verifying, select Verify so that Dynatrace can verify that the record was added to your domain’s DNS.
    Propagation time

    It typically takes a few minutes for a record to propagate through the DNS system and the value to become available for Dynatrace to verify. In some cases, it may take up to 24 hours.

  6. Each verified domain is added to the Verified domains list.

Get Dynatrace SCIM endpoint and create secret token

Use this procedure to get the Dynatrace SCIM Base URL for your account and create a secret token.

Important: The token is revealed only once during generation time. Copy and paste it into a secure location. If you lose it, you have to generate a new one and replace it in your application.

  1. From the User menu, select Account settings.

  2. Select Identity management > SCIM configuration.

    Example: Select 'SCIM configuration'

    SCIM configuration

  3. Click Generate token with an optional Description (or you can add a description for the token later on).

    Example: Generate token

    SCIM configuration

  4. Under Generate token, click Copy to copy the token to your clipboard, and then paste it into a secure location for later use.

    Example: Copy token

    SCIM configuration

    Dynatrace SCIM supports Bearer Token Authentication only. Example:

    HeaderValue
    AuthorizationBearer dt0s01.XFNYASDX.XFJWNDTUXJ6PKHEHDDVKXV2K73ZDGWUFS6GKHGAFKE2DUG3JYCFXJUAGLXTN6ENX

The SCIM endpoint required for SCIM configuration in your application is added to the List of tokens.

Example: Copy SCIM endpoint

SCIM configuration

Example IdP-specific instructions

To continue integrating Dynatrace SCIM with your IdP, select the procedure appropriate for your IdP:

  • Azure
  • Okta

Frequently asked questions (FAQ)

Is a change of email address supported?

No, an email address can't be changed by SCIM. Any requests to update an email address are ignored.

How many SCIM authentication tokens can I generate?

You can generate up to 10 SCIM authentication tokens. For security reasons, we strongly recommend that you delete all unused tokens.

Can I provision users from different email domains?

Yes, you can provision as many users from different email domains as you need, as long as all of their domains have been verified. You can verify multiple domains for a single account.

It is possible to create more than one group with the same name?

No. Some IdPs, like Azure AD, allow multiple groups with the same name in a single account. For Dynatrace SSO, however, each group name in an account must be unique.

Is there any limit to the number of users per domain?

Yes, there is global limit of 10,000 users per domain.