Azure SCIM configuration for Dynatrace
Early Adopter
This page describes the IdP (Azure) end of your SCIM SSO configuration, not the Dynatrace end. Use it as part of the entire SCIM configuration procedure for Dynatrace SaaS if you're using Azure.
While we do our best to provide you with current information, Dynatrace has no control over changes that may be made by third-party providers. Always refer to official third-party documentation as your primary source of information for third-party products.
To set up SCIM for your domain:
- Create SCIM application in Azure
- Configure provisioning
- Configure group mappings
- Configure user mappings
- Assign users and groups
- Enable SCIM
Create SCIM application in Azure
In Azure Active Directory:
- Select Enterprise applications from the Manage section of the menu.
- Select New application.
- Select Non-gallery application, enter a Name for the new application, and then select Add to start configuring the application in Azure.
Configure provisioning
To configure provisioning in Azure, you need the Dynatrace SCIM Base URL and the secret token that you got in the "Get Dynatrace SCIM endpoint and create secret token" procedure.
In Azure Active Directory with your application selected:
- Select Provisioning from the Manage section of the menu.
- In Provisioning Mode, select Automatic.
- Expand Admin Credentials.
- Enter your admin credentials:
  - Tenant URL
    Example: https://api.sso.dynatrace.com/idm/public/scim/<YOUR_ACCOUNT_ID>/v2
  - Secret Token
    You got this token from Dynatrace.
- Select Test Connection to validate the endpoint and credentials.
- If the test succeeds, select Save at the top of the page to generate mappings.
  If the test fails, verify your settings:
  - Tenant URL
    Example: https://api.sso.dynatrace.com/idm/public/scim/<YOUR_ACCOUNT_ID>/v2
  - Secret Token
    You created this earlier in the Get a secret token procedure.
Configure group mappings (optional)
Do this if you need to provision only certain groups in Dynatrace.
In Azure Active Directory with your application selected:
- On the Provisioning page, expand Mappings.
- Select Synchronize Azure Active Directory Groups to customappsso.
- Select Source Object Scope.
- Select Add scoping filter.
- Select Add New Scoping Clause if needed.
  For instance, you can filter only groups with names starting with a given prefix.
- Select OK on the Add Scoping Filter screen.
- Select OK on the Source Object Scope screen.
- You can leave all Target Object Actions selected.
  Dynatrace SCIM supports all of these actions.
- Set Attribute Mappings as follows:

  | Azure Active Directory Attribute | customappsso Attribute |
  |---|---|
  | displayName | displayName |
  | objectId | externalId |
  | members | members |

- Select Save on the Attribute Mapping screen.
Configure user mappings
We require that you limit the scope of users that are provisioned by SCIM to those with matching email domains to prevent your SCIM requests from being rejected.
To create a filtering rule for users:
- On the Provisioning page, expand Mappings.
- Select Synchronize Azure Active Directory Users to customappsso.
- Select Source Object Scope.
- Select Add scoping filter.
- Select Add New Scoping Clause:
  - Target Attribute: mail
  - Operator: ENDS_WITH
  - Value: @<YOUR_DOMAIN> (for example, @example.com)
  Keep in mind that subdomains should be verified for the account separately. Therefore, the @ in the domain string is required and will guarantee that your requests won't be rejected due to an invalid user domain.
- Select OK on the Add Scoping Filter screen.
- Select OK on the Source Object Scope screen.
- You can leave all Target Object Actions selected.
  Dynatrace SCIM supports all of these actions.
- Limit Attribute Mappings to the following:

  | Azure Active Directory Attribute | customappsso Attribute |
  |---|---|
  | userPrincipalName | userName |
  | Switch([IsSoftDeleted],,"False","True","True","False") | active |
  | displayName | displayName |
  | givenName | name.givenName |
  | surname | name.familyName |

- Select the Show advanced options check box in Attribute Mappings, and then select Edit attribute list for customappsso.
- If they are not already selected, select Primary Key and Required for id, and select Required for userName.
- Select Save on the Edit Attribute List.
- Select Save on the Attribute Mapping screen.
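The scoping clause and attribute mappings above can be checked against a directory export before provisioning is enabled. The following Python sketch is an added example, not Dynatrace or Azure code: it models ENDS_WITH as a case-insensitive suffix match (an assumption), uses hypothetical function names and a constructed user list, and shows which accounts fall in scope with and without the leading @.

```python
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643

def in_scope(mail, scope_value):
    """Model of the ENDS_WITH clause on mail; users without mail never match."""
    # Assumption of this sketch: the comparison ignores case.
    return bool(mail) and mail.lower().endswith(scope_value.lower())

def to_scim_user(aad_user):
    """Apply the user attribute mappings from the table above to one record."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": aad_user["userPrincipalName"],
        # Switch([IsSoftDeleted],,"False","True","True","False"):
        # a soft-deleted user is sent with active = False.
        "active": not aad_user.get("IsSoftDeleted", False),
        "displayName": aad_user["displayName"],
        "name": {"givenName": aad_user["givenName"],
                 "familyName": aad_user["surname"]},
    }

def plan(users, scope_value):
    """Return (SCIM payloads that would be sent, mail values left out of scope)."""
    send, skipped = [], []
    for user in users:
        if in_scope(user.get("mail"), scope_value):
            send.append(to_scim_user(user))
        else:
            skipped.append(user.get("mail"))
    return send, skipped

# Constructed sample export (not real accounts): mail, givenName, surname, deleted
_ROWS = [
    ("ana@example.com", "Ana", "Ito", False),
    ("bob@sub.example.com", "Bob", "Ng", False),    # subdomain, verified separately
    ("carl@notexample.com", "Carl", "Roe", False),  # different domain, same suffix
    ("eve@example.com", "Eve", "Lund", True),       # soft-deleted in the directory
    (None, "Dee", "Park", False),                   # no mail attribute set
]
SAMPLE_USERS = [
    {"userPrincipalName": m or f"{g.lower()}@example.com", "mail": m,
     "displayName": f"{g} {s}", "givenName": g, "surname": s, "IsSoftDeleted": d}
    for m, g, s, d in _ROWS
]

if __name__ == "__main__":
    for value in ("@example.com", "example.com"):  # with and without the @
        send, skipped = plan(SAMPLE_USERS, value)
        print(value, [u["userName"] for u in send], "skipped:", skipped)
```

With the value example.com (no @), the subdomain and suffix-sharing addresses also enter scope, which is the case the @ requirement prevents.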
Assign users and groups
To assign users or groups to your application and send them via SCIM to Dynatrace:
- In the Manage section on the left, select Users and groups and then select Add user.
- Select Users and groups in the next window and select groups or users you want to sync.
Enable SCIM
To enable SCIM provisioning:
- Go to the Settings section at the bottom of the Provisioning screen.
- In Scope, select Sync only assigned users and groups.
- Turn Provisioning Status on.
In Azure, the initial sync takes longer than subsequent syncs, which occur approximately every 40 minutes as long as the service is running.