
Dynatrace for Government SAML federation

Follow these steps to configure SAML federation for Dynatrace for Government.

Learn more about Dynatrace for Government
  • For an overview of Dynatrace for Government, see Federal Government - Modernize your agency with automatic and intelligent observability.
  • To review Dynatrace FedRAMP authorization information, see Dynatrace FedRAMP profile.

To configure SAML federation for Dynatrace for Government:

  1. Get an OAuth2 token
  2. Verify the domain
  3. Configure federation

Be sure to replace all <PLACEHOLDERS> with actual values.

Get OAuth2 token

Prerequisite: an OAuth2 client (client ID and client secret) provided to you by Dynatrace.

Request

plaintext
curl "https://<DYNATRACE_SSO_DOMAIN>/sso/oauth2/token" \
  -X POST \
  -d "client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&grant_type=client_credentials&scope=sso20-idm-read-write&resource=urn:dtaccount:<ACCOUNT_UUID>" \
  -H "Accept: application/json" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Cache-Control: no-cache"

where:

  • <DYNATRACE_SSO_DOMAIN> is a domain provided to you by Dynatrace.
  • <CLIENT_ID> is your client ID provided to you by Dynatrace.
  • <CLIENT_SECRET> is your client secret provided to you by Dynatrace. It is a credential: read it from an environment variable or a file rather than typing it into an interactive shell, where it is kept in the shell history and is visible in the process list while the command runs.
  • <ACCOUNT_UUID> is your account UUID provided to you by Dynatrace.

Sample response

plaintext
{
  "scope": "sso20-idm-read-write",
  "token_type": "Bearer",
  "expires_in": 7200,
  "access_token": "12345678-90ab-cdef-ghij-klmnopqrstuv"
}

The access_token value is the Bearer token for the IDM endpoints that follow: send it in the Authorization: Bearer <ACCESS_TOKEN> header of every request. It is valid for expires_in seconds (7200 in the sample, that is, two hours); if it expires before you finish the procedure, request a new one.

Verify domain

This section includes:

  1. Generate challenge for the domain
  2. Verify domain challenge

1. Generate challenge for the domain

This section includes:

  • Request for generating the challenge
  • Sample responses

Request

plaintext
curl "https://<DYNATRACE_SSO_DOMAIN>/idm/v1/accounts/<ACCOUNT_UUID>/saml/domain-challenge/pending" \
  -X POST \
  -d "{ \"domain\": \"<DOMAIN>\", \"type\": \"TXT\"}" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <ACCESS_TOKEN>"

where:

  • <DYNATRACE_SSO_DOMAIN> is a domain provided to you by Dynatrace.
  • <ACCOUNT_UUID> is your account UUID provided to you by Dynatrace.
  • <DOMAIN> is the email domain of the users you want to federate (the part after @ in their addresses), for example test-domain.com in the sample responses.
  • <ACCESS_TOKEN> is your access token.

Sample responses

  • verified is true (the domain is already verified; no DNS record is needed):

    plaintext
    {
      "challenge": "Dynatrace-site-verification=1a2fbc3d-4e56-7f89-g012-34h56ij78kl9__0mnopq1rstuvwxy2z3ab4cd56e",
      "type": "TXT",
      "domain": "test2.com",
      "verified": true,
      "createdAt": null,
      "updatedAt": null
    }
  • verified is false (ownership of the domain still has to be proven with a DNS record, as described in the next step):

    plaintext
    {
      "challenge": "Dynatrace-site-verification=1a2fbc3d-4e56-7f89-g012-34h56ij78kl9__0mnopq1rstuvwxy2z3ab4cd56e",
      "type": "TXT",
      "domain": "test-domain.com",
      "verified": false,
      "createdAt": null,
      "updatedAt": null
    }

2. Verify domain challenge

You need to verify a domain challenge only where verified is false. If verified is true, skip to Configure federation.

Create a DNS TXT record for <DOMAIN> whose value is the whole challenge field from the previous response (including the "Dynatrace-site-verification=" prefix, copied exactly), then send the request below so that Dynatrace looks the record up.

Propagation time

It typically takes a few minutes for a record to propagate through the DNS system and the value to become available for Dynatrace to verify. In some cases, it may take up to 24 hours. Before calling the endpoint, query the TXT records of <DOMAIN> from your own resolver (for example with dig or nslookup) and confirm that the challenge value is returned; a verification request sent before the record is visible returns verifiedCorrectly false and has to be repeated later.

Request

plaintext
curl -X POST "https://<DYNATRACE_SSO_DOMAIN>/idm/v1/accounts/<ACCOUNT_UUID>/saml/domain-challenge/pending/<DOMAIN>" \
  -H "accept: application/json" \
  -H "authorization: Bearer <ACCESS_TOKEN>"

where:

  • <DYNATRACE_SSO_DOMAIN> is a domain provided to you by Dynatrace.
  • <ACCOUNT_UUID> is your account UUID provided to you by Dynatrace.
  • <DOMAIN> is the domain for which you generated the challenge (test-domain.com in the samples).
  • <ACCESS_TOKEN> is your access token.

Sample responses

  • Response code = 200
    DNS domain challenge was not verified correctly.

    plaintext
    { "verifiedCorrectly": false }
  • Response code = 200
    DNS domain challenge was verified correctly.

    plaintext
    { "verifiedCorrectly": true }
  • Response code = 404
    DNS domain challenge for given account and domain doesn't exist (hasn't been generated or has already been verified).

    plaintext
    { "reason": "The pending challenge of domain test2.com does not exist in the ab01234c-d567-8ef9-012g-h34ijk5lmn67 account." }

Configure federation

This section includes:

  1. Get Dynatrace SSO IdP metadata
  2. Create federation configuration
  3. Review IdP configuration for Dynatrace
  4. Test your federation

1. Get Dynatrace SSO IdP metadata

Get the Dynatrace SSO IdP metadata from https://<DYNATRACE_SSO_DOMAIN>/sso/metadata.

Register this metadata with your IdP and export your IdP's own metadata in XML format; that XML is the <METADATA> value in the next step. The activities involved depend on your IdP's interface and requirements. For details, see Manage users and groups with SAML in Dynatrace SaaS.

2. Create federation configuration

Use the https://<DYNATRACE_SSO_DOMAIN>/idm/v1/accounts/<ACCOUNT>/saml endpoint.

plaintext
curl -X POST "https://<DYNATRACE_SSO_DOMAIN>/idm/v1/accounts/<ACCOUNT>/saml" \
  -H "accept: application/json" \
  -H "authorization: Bearer <ACCESS_TOKEN>" \
  -H "Content-Type: application/json" \
  -d "[ { \"domain\": \"<DOMAIN>\", \"metadata\": \"<METADATA>\", \"firstNameAttribute\": \"<FIRST_NAME_ATTR>\", \"lastNameAttribute\": \"<LAST_NAME_ATTR>\", \"federatedAttribute\": \"<FED_ATTR>\"}]"

where:

  • <DYNATRACE_SSO_DOMAIN> is a domain provided to you by Dynatrace.
  • <ACCOUNT> is your account UUID (the same value as <ACCOUNT_UUID> in the previous requests).
  • <ACCESS_TOKEN> is your access token.
  • <DOMAIN> is your domain.
  • <METADATA> is the metadata from your IdP (not the Dynatrace SSO IdP metadata). It is passed as a single JSON string value, so the double quotes inside the XML must be escaped as \" and line breaks as \n (or removed); otherwise the request body is not valid JSON.
  • <FIRST_NAME_ATTR> is the attribute that contains the first name of a user.
    For Microsoft Azure, it's http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname.
  • <LAST_NAME_ATTR> is the attribute that contains the last name.
    For Microsoft Azure, it's http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname.
  • <FED_ATTR> is the security group claim attribute containing the groups/roles of a user from your IdP. This field is needed if you want to use SAML authorization.
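The three API calls above, the token request, the domain challenge with its DNS verification and the federation creation, as one added example (not Dynatrace's own code; this page provides no client): a standard-library Python script that performs the procedure end to end. The URL paths, field names and scope are those on this page; the DT_* environment variables, the use of dig for the local DNS check, the 60-second polling loop and the Azure claim defaults are assumptions of the example. Reading the client secret from an environment variable keeps it out of the shell history that a pasted curl command leaves behind.

```python
# Added example, not Dynatrace's own code: drives the IDM calls on this page
# (token, challenge, verify, federation) with the standard library only. The
# URL paths, field names and scope come from the page; the DT_* environment
# variables, dig for the local DNS check and the polling loop are assumptions.
import json
import os
import re
import subprocess
import sys
import time
import urllib.error
import urllib.parse
import urllib.request

CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"  # Azure attribute prefix


def token_request(sso_domain, client_id, client_secret, account_uuid):
    # urlencode() percent-encodes the secret, so '&' or '=' in it cannot corrupt the body
    body = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "grant_type": "client_credentials", "scope": "sso20-idm-read-write",
        "resource": f"urn:dtaccount:{account_uuid}"}).encode()
    return urllib.request.Request(
        f"https://{sso_domain}/sso/oauth2/token", data=body, method="POST",
        headers={"Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"})


def idm_request(sso_domain, account_uuid, path, token, body=None):
    # POST to /idm/v1/accounts/<ACCOUNT_UUID><path>; json.dumps() escapes the quotes
    headers = {"Accept": "application/json", "Authorization": f"Bearer {token}"}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()
    return urllib.request.Request(
        f"https://{sso_domain}/idm/v1/accounts/{account_uuid}{path}",
        data=data, method="POST", headers=headers)


def federation_body(domain, metadata_xml, first_attr, last_attr, fed_attr=None):
    # federatedAttribute only when SAML authorization (group claims) is wanted
    entry = {"domain": domain, "metadata": metadata_xml,
             "firstNameAttribute": first_attr, "lastNameAttribute": last_attr}
    if fed_attr:
        entry["federatedAttribute"] = fed_attr
    return [entry]


def challenge_in_txt(txt_lines, challenge):
    # exact match on one TXT record; resolvers print long values as chunks ("abc" "def")
    for line in txt_lines:
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks and "".join(chunks) == challenge:
            return True
    return False


def call(req):
    # (status, decoded JSON or None); 404 from the verify endpoint is a documented answer
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    return status, (json.loads(raw) if raw else None)


def main():
    env = os.environ
    sso, acct, dom = env["DT_SSO_DOMAIN"], env["DT_ACCOUNT_UUID"], env["DT_DOMAIN"]
    status, tok = call(token_request(sso, env["DT_CLIENT_ID"], env["DT_CLIENT_SECRET"], acct))
    if status != 200:
        sys.exit(f"token request failed: {status} {tok}")
    token = tok["access_token"]  # good for expires_in seconds; rerun if it expires
    status, ch = call(idm_request(sso, acct, "/saml/domain-challenge/pending",
                                  token, {"domain": dom, "type": "TXT"}))
    if status != 200:
        sys.exit(f"challenge request failed: {status} {ch}")
    if not ch["verified"]:
        print(f"publish this TXT record on {dom}; waiting until dig returns it:\n{ch['challenge']}")
        while not challenge_in_txt(subprocess.run(["dig", "+short", "TXT", dom], capture_output=True,
                                                  text=True).stdout.splitlines(), ch["challenge"]):
            time.sleep(60)
        status, ver = call(idm_request(sso, acct, f"/saml/domain-challenge/pending/{dom}", token))
        if status != 200 or not (ver or {}).get("verifiedCorrectly"):
            sys.exit(f"verification failed: {status} {ver}")
    with open(env["DT_IDP_METADATA_FILE"], encoding="utf-8") as fh:
        metadata = fh.read()
    body = federation_body(dom, metadata, env.get("DT_FIRST_NAME_ATTR", CLAIMS + "givenname"),
                           env.get("DT_LAST_NAME_ATTR", CLAIMS + "surname"), env.get("DT_FED_ATTR"))
    status, _ = call(idm_request(sso, acct, "/saml", token, body))
    print("federation created (204)" if status == 204 else f"federation request returned {status}")


if __name__ == "__main__":
    main()
```

Run it with DT_SSO_DOMAIN, DT_ACCOUNT_UUID, DT_CLIENT_ID, DT_CLIENT_SECRET, DT_DOMAIN and DT_IDP_METADATA_FILE set; DT_FIRST_NAME_ATTR, DT_LAST_NAME_ATTR and DT_FED_ATTR are optional. When the challenge response has verified false, the script prints the TXT value and asks Dynatrace to verify only after dig returns it, so a premature verifiedCorrectly false is avoided. The 404 that the verify endpoint returns for an already verified or never generated challenge is surfaced by call() as a status and reason instead of an exception.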

3. Review IdP configuration for Dynatrace

Review your IdP configuration for Dynatrace:

  • Make sure that the SAML messages your IdP sends are signed, and signed with the signing certificate published in the metadata you submitted, because that is the key the signature is checked against.
  • Make sure that the IdP's system clock is synchronized (for example with NTP). SAML assertions carry NotBefore and NotOnOrAfter conditions, so a skewed clock makes otherwise valid responses fail validation.
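The first bullet can only hold if a signing certificate is actually in the metadata you submitted, so it is worth checking the XML before sending it. The following is an added example, not Dynatrace's own code: a standard-library check over IdP metadata that reports a missing signing key, a missing or non-HTTPS single sign-on endpoint, or metadata that is not IdP metadata at all. The individual checks and the constructed sample metadata are assumptions of the example; the namespaces and element names are the standard SAML 2.0 ones.

```python
# Added example, not Dynatrace's own code: sanity-check the IdP metadata XML
# before it goes into the <METADATA> field. The checks and the sample below
# are assumptions of this example; namespaces/elements are standard SAML 2.0.
import xml.etree.ElementTree as ET  # metadata from your own IdP is trusted
# input; parse anything less trusted with defusedxml instead

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
BINDINGS = ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")


def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means the metadata looks usable."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor" or not root.get("entityID"):
        return ["root must be an md:EntityDescriptor with an entityID"]
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        return ["no md:IDPSSODescriptor: this is not IdP metadata (SP metadata sent by mistake?)"]
    # The signing certificate is what the SAML response signature is verified
    # against; a KeyDescriptor marked use="encryption" only does not count.
    certs = [kd.find(f".//{DS}X509Certificate") for kd in idp.findall(MD + "KeyDescriptor")
             if kd.get("use") in (None, "signing")]
    if not any(c is not None and c.text and c.text.strip() for c in certs):
        problems.append("no signing certificate (md:KeyDescriptor with ds:X509Certificate)")
    sso = [s for s in idp.findall(MD + "SingleSignOnService") if s.get("Binding") in BINDINGS]
    if not sso or not all(s.get("Location", "").startswith("https://") for s in sso):
        problems.append("no HTTPS SingleSignOnService with HTTP-Redirect or HTTP-POST binding")
    if "urn:oasis:names:tc:SAML:2.0:protocol" not in idp.get("protocolSupportEnumeration", ""):
        problems.append("IDPSSODescriptor does not declare SAML 2.0 protocol support")
    return problems


# Constructed sample (not real IdP output): complete except that its only key
# is marked for encryption, so there is nothing to verify signatures with.
SAMPLE_NO_SIGNING_KEY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.agency.example/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.agency.example/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for line in check_idp_metadata(SAMPLE_NO_SIGNING_KEY) or ["metadata looks usable"]:
        print(line)
```

Run it against the file you intend to submit by passing the file contents to check_idp_metadata(); an empty list means none of the checked problems is present, which says nothing about whether the IdP is configured to sign, so the bullet above still applies.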

4. Test your federation

If the federation request in step 2 succeeded (response code = 204), you can test the federation. Use a test user that exists in your IdP and is assigned to the Dynatrace application there, with an email address in <DOMAIN>.

  1. Go to https://<DYNATRACE_SSO_DOMAIN>/.
  2. Enter the user's email address (user@<DOMAIN>) and select Next.
    You should be redirected to your IdP site.
  3. Sign in.
    Be sure to use the same email address that you entered on the Dynatrace SSO page in step 2.
    You should be redirected back to Dynatrace (and possibly to your tenant).

More information

For more information about configuring your IdP to work with Dynatrace, see Manage users and groups with SAML in Dynatrace SaaS and, as needed, any of the following IdP-specific instructions:

  • AD FS SAML configuration for Dynatrace
  • Azure SAML configuration for Dynatrace
  • Google Workspaces SAML configuration for Dynatrace
  • Okta SAML configuration for Dynatrace