Dynatrace for Government SAML federation
Follow these steps to configure SAML federation for Dynatrace for Government.
- For an overview of Dynatrace for Government, see Federal Government - Modernize your agency with automatic and intelligent observability.
- To review Dynatrace FedRAMP authorization information, see Dynatrace FedRAMP profile.
To configure SAML federation for Dynatrace for Government:
1. Get an OAuth2 token
2. Verify the domain
3. Configure federation
Be sure to replace all <PLACEHOLDERS> with actual values.
Get OAuth2 token
Prerequisite: an OAuth2 client (client ID and client secret) provided to you by Dynatrace.
Request
curl "https://<DYNATRACE_SSO_DOMAIN>/sso/oauth2/token" \
-X POST \
-d "client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&grant_type=client_credentials&scope=sso20-idm-read-write&resource=urn:dtaccount:<ACCOUNT_UUID>" \
-H "Accept: application/json" \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Cache-Control: no-cache"
where:
- <DYNATRACE_SSO_DOMAIN> is a domain provided to you by Dynatrace.
- <CLIENT_ID> is your client ID provided to you by Dynatrace.
- <CLIENT_SECRET> is your client secret provided to you by Dynatrace.
- <ACCOUNT_UUID> is your account UUID provided to you by Dynatrace.
Sample response
{
"scope": "sso20-idm-read-write",
"token_type": "Bearer",
"expires_in": 7200,
"access_token": "12345678-90ab-cdef-ghij-klmnopqrstuv"
}
The access_token value is the bearer token used to access the IDM endpoints in the following steps. It expires after expires_in seconds (7200 seconds, or two hours, in the sample above); request a new one if a later call returns an authorization error. Treat the client secret and the token as credentials: keep them out of shell history and logs.
Verify domain
Generate challenge for the domain
This section includes:
- Request for verifying domain
- Sample responses
Request
curl "https://<DYNATRACE_SSO_DOMAIN>/idm/v1/accounts/<ACCOUNT_UUID>/saml/domain-challenge/pending" \
-X POST \
-d "{ \"domain\": \"<DOMAIN>\", \"type\": \"TXT\"}" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <ACCESS_TOKEN>"
where:
- <DYNATRACE_SSO_DOMAIN> is a domain provided to you by Dynatrace.
- <ACCOUNT_UUID> is your account UUID provided to you by Dynatrace.
- <DOMAIN> is your domain (the e-mail domain of the users who will sign in through your IdP).
- <ACCESS_TOKEN> is your access token.
Sample responses
- verified is true (the domain is already verified for this account; you can skip the DNS challenge):
{ "challenge": "Dynatrace-site-verification=1a2fbc3d-4e56-7f89-g012-34h56ij78kl9__0mnopq1rstuvwxy2z3ab4cd56e", "type": "TXT", "domain": "test2.com", "verified": true, "createdAt": null, "updatedAt": null }
- verified is false (create the TXT record and verify the challenge in the next step):
{ "challenge": "Dynatrace-site-verification=1a2fbc3d-4e56-7f89-g012-34h56ij78kl9__0mnopq1rstuvwxy2z3ab4cd56e", "type": "TXT", "domain": "test-domain.com", "verified": false, "createdAt": null, "updatedAt": null }
Verify domain challenge
You need to verify a domain challenge only where verified is false. If verified is true, skip to Configure federation.
Copy the whole value from the challenge field (including the "Dynatrace-site-verification=" prefix) and publish it as a TXT record in the DNS zone of <DOMAIN>. Then call the endpoint below.
It typically takes a few minutes for a record to propagate through the DNS system and the value to become available for Dynatrace to verify. In some cases, it may take up to 24 hours. If the response reports that the challenge was not verified correctly, wait and retry the request; do not add a second record.
Request
curl "https://<DYNATRACE_SSO_DOMAIN>/idm/v1/accounts/<ACCOUNT_UUID>/saml/domain-challenge/pending/<DOMAIN>" \
-X POST \
-H "accept: application/json" \
-H "authorization: Bearer <ACCESS_TOKEN>"
where:
- <DYNATRACE_SSO_DOMAIN> is a domain provided to you by Dynatrace.
- <ACCOUNT_UUID> is your account UUID provided to you by Dynatrace.
- <DOMAIN> is the domain for which you generated the challenge (for example, test-domain.com).
- <ACCESS_TOKEN> is your access token.
Sample responses
- Response code = 200, DNS domain challenge was not verified correctly (the TXT record is not visible to Dynatrace yet; retry later):
{ "verifiedCorrectly": false }
- Response code = 200, DNS domain challenge was verified correctly:
{ "verifiedCorrectly": true }
- Response code = 404, DNS domain challenge for the given account and domain doesn't exist (it hasn't been generated, or it has already been verified):
{ "reason": "The pending challenge of domain test2.com does not exist in the ab01234c-d567-8ef9-012g-h34ijk5lmn67 account." }
Configure federation
This section includes:
- Get Dynatrace SSO IdP metadata
- Create federation configuration
- Review IdP configuration for Dynatrace
- Test your federation
Get Dynatrace SSO IdP metadata
Get the Dynatrace SSO IdP metadata from https://<DYNATRACE_SSO_DOMAIN>/sso/metadata.
Register the data at your IdP and get the metadata of your IdP in XML format. The activities involved in this step depend on your IdP's interface and requirements. For details, see Manage users and groups with SAML in Dynatrace SaaS.
Create federation configuration
Use the https://<DYNATRACE_SSO_DOMAIN>/idm/v1/accounts/<ACCOUNT>/saml
endpoint.
curl -X POST "https://<DYNATRACE_SSO_DOMAIN>/idm/v1/accounts/<ACCOUNT>/saml" \
-H "accept: application/json" \
-H "authorization: Bearer <ACCESS_TOKEN>" \
-H "Content-Type: application/json" \
-d "[ { \"domain\": \"<DOMAIN>\", \"metadata\": \"<METADATA>\", \"firstNameAttribute\": \"<FIRST_NAME_ATTR>\", \"lastNameAttribute\": \"<LAST_NAME_ATTR>\", \"federatedAttribute\": \"<FED_ATTR>\"}]"
where:
- <DYNATRACE_SSO_DOMAIN> is a domain provided to you by Dynatrace.
- <ACCOUNT> is your account number.
- <ACCESS_TOKEN> is your access token.
- <DOMAIN> is your (verified) domain.
- <METADATA> is the metadata from your IdP (not the Dynatrace SSO IdP metadata), passed as a single JSON string. Remember to escape the quotes in the metadata string, or build the request body with a JSON library so that escaping is handled for you.
- <FIRST_NAME_ATTR> is the attribute that contains the first name of a user. For Microsoft Azure, it's http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname.
- <LAST_NAME_ATTR> is the attribute that contains the last name. For Microsoft Azure, it's http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname.
- <FED_ATTR> is the security group claim attribute containing the groups/roles of a user from your IdP. This field is needed if you want to use SAML authorization.
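The three API steps above (token, domain challenge, federation configuration) as one script, added here as an example; it is not part of the Dynatrace documentation or product code. It uses only the endpoints, scope, JSON fields and status codes shown on this page and the Python standard library. The `http` keyword argument is a hypothetical seam that lets the flow be exercised against a fake transport; the polling interval and attempt count are assumptions, and `federation_payload` shows how `json.dumps` handles the quote escaping that the <METADATA> note warns about.

```python
"""Added example (not Dynatrace's code): drive the token, domain-challenge and
federation steps from this page with the standard library only.
Assumptions: the `http` callable is a seam for testing; polling defaults are arbitrary."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request


def http(method, url, body, headers):
    """Default transport: send the request, return (status, parsed JSON or None)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as e:
        raw = e.read()
        return e.code, (json.loads(raw) if raw else None)


def get_token(sso, client_id, client_secret, account_uuid, http=http):
    """Step 1: client-credentials grant for the sso20-idm-read-write scope."""
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": "sso20-idm-read-write",
        "resource": f"urn:dtaccount:{account_uuid}",
    }).encode()
    status, data = http("POST", f"https://{sso}/sso/oauth2/token", form, {
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    })
    if status != 200 or (data or {}).get("token_type") != "Bearer":
        raise RuntimeError(f"token request failed: {status} {data}")
    return data["access_token"]


def auth_headers(token):
    return {"Accept": "application/json", "Content-Type": "application/json",
            "Authorization": f"Bearer {token}"}


def generate_challenge(sso, account_uuid, domain, token, http=http):
    """Step 2a: request a TXT challenge; returns (challenge_value, already_verified).
    The caller publishes the challenge value as a TXT record only when not verified."""
    url = f"https://{sso}/idm/v1/accounts/{account_uuid}/saml/domain-challenge/pending"
    body = json.dumps({"domain": domain, "type": "TXT"}).encode()
    status, data = http("POST", url, body, auth_headers(token))
    if status != 200:
        raise RuntimeError(f"challenge request failed: {status} {data}")
    return data["challenge"], bool(data["verified"])


def verify_challenge(sso, account_uuid, domain, token, http=http,
                     attempts=12, delay=60, sleep=time.sleep):
    """Step 2b: poll the verify endpoint until the TXT record is visible to Dynatrace.
    200 with verifiedCorrectly=false means "not propagated yet", so keep polling;
    404 means there is no pending challenge (never generated, or already verified)."""
    url = (f"https://{sso}/idm/v1/accounts/{account_uuid}"
           f"/saml/domain-challenge/pending/{domain}")
    for attempt in range(attempts):
        status, data = http("POST", url, None, auth_headers(token))
        if status == 200 and (data or {}).get("verifiedCorrectly"):
            return True
        if status == 404:
            raise RuntimeError(f"no pending challenge for {domain}: {data}")
        if status != 200:
            raise RuntimeError(f"verify request failed: {status} {data}")
        if attempt < attempts - 1:
            sleep(delay)  # DNS propagation can take minutes, sometimes hours
    return False


def federation_payload(domain, metadata_xml, first, last, fed_attr):
    """Step 3 body. json.dumps escapes the quotes and newlines inside the IdP
    metadata XML, so the file contents can be passed in unmodified."""
    return json.dumps([{
        "domain": domain, "metadata": metadata_xml,
        "firstNameAttribute": first, "lastNameAttribute": last,
        "federatedAttribute": fed_attr,
    }])


def create_federation(sso, account, payload, token, http=http):
    """Step 3: create the federation config; the page documents 204 as success."""
    url = f"https://{sso}/idm/v1/accounts/{account}/saml"
    status, data = http("POST", url, payload.encode(), auth_headers(token))
    if status != 204:
        raise RuntimeError(f"federation config failed: {status} {data}")
    return True
```

Run it as `get_token`, then `generate_challenge`; publish the TXT record if `verified` is false, then `verify_challenge` until it returns true, and finally `create_federation` with the payload built from your IdP metadata file. The 404 branch is deliberately an error rather than a success, because it is ambiguous between "already verified" and "never generated".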
Review IdP configuration for Dynatrace
Review your IdP configuration for Dynatrace:
- Make sure that the SAML messages your IdP sends to Dynatrace are signed.
- Make sure that clock skew won't affect SAML validation: assertion validity windows (NotBefore/NotOnOrAfter) are checked against the current time, so keep the IdP's system clock synchronized, for example with NTP.
Test your federation
If the request is successful (response code = 204), you can test your federation. Make sure that the user you use for tests exists in your IdP (and is assigned to the Dynatrace application).
1. Go to https://<DYNATRACE_SSO_DOMAIN>/.
2. Enter the email address of a user from "@<DOMAIN>" and select Next. You should be redirected to your IdP site.
3. Sign in. Be sure to use the same user email that you used on the Dynatrace SSO IdP site (the same address as in step 2). You should be redirected back to Dynatrace (and possibly to your tenant).
More information
For more information about configuring your IdP to work with Dynatrace, see Manage users and groups with SAML in Dynatrace SaaS and, as needed, any of the following IdP-specific instructions: