Manage users and groups with OpenID
Dynatrace Managed supports integration with OpenID as an SSO IdP (Single Sign-On Identity Provider) for the management of users and groups. We currently support standard claims (email, profile, address) as defined in the OpenID Connect Core 1.0 specification. The redirect_uri used for authentication is set to the Dynatrace Managed Web UI URL that's configured in your Cluster Management Console. Note that this URI must also be configured in your OpenID-provider client.
Set up OpenID integration
- From the Cluster Management Console menu, select User authentication > Single sign-on settings.
- From the list, select OpenID Connect.
- To change the login page, you must prove that your SSO mechanism is actually working by signing out and logging in using SSO. The standard page will be shown as a fallback if something goes wrong.
- Enter the Client ID and Client Secret of the client from the IdP that will be used for authentication.
- In the Server discovery endpoint text field, type in the OpenID configuration URL provided by the IdP and click Import Configuration.
Group assignment configuration
Each Dynatrace Managed user must be assigned to at least one user group, with at least one associated monitoring environment. Without such a mapping, the user can't sign in to Dynatrace Managed and will receive an error message stating that no environment has been found.
The Assign users to groups based on UserInfo response attribute switch determines how you manage user-group assignments:
- Manually: Set the switch to the off position if you want to make user-group assignments manually from within Dynatrace Managed. In this case, Dynatrace Managed ignores the list of groups sent in your IdP's authentication response.
- Automatically: Set the switch to the on position and enter the group name in the User groups attribute field if you want to handle user-group assignment automatically. In this case, any assignments made within Dynatrace Managed are overwritten by the list of groups sent in your IdP's authentication response. You can add a custom user groups separator to separate user groups.
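A pre-flight check for the two switch positions described above, as an added example that is not Dynatrace code: it models the ignore/overwrite behaviour from this section against a constructed UserInfo response, so you can see which groups a user would end up with before turning the switch on. The attribute name `groups`, the `;` separator, the group names, and the handling of a JSON-array value are assumptions for illustration.

```python
# Added illustration; models the behaviour described in this section, not Dynatrace code.

def groups_from_userinfo(userinfo, attribute, separator=None):
    """Extract group names from one attribute of a UserInfo response (a dict)."""
    value = userinfo.get(attribute)
    if value is None:
        return []                       # attribute missing: IdP sent no groups
    if isinstance(value, str):
        parts = value.split(separator) if separator else [value]
    elif isinstance(value, list):       # assumption: IdP may send a JSON array
        parts = [str(item) for item in value]
    else:
        raise ValueError(f"unsupported type for {attribute!r}: {type(value).__name__}")
    groups = []
    for part in parts:
        name = part.strip()
        if name and name not in groups:  # drop blanks and duplicates, keep order
            groups.append(name)
    return groups


def effective_groups(local_groups, userinfo, attribute, separator=None, automatic=False):
    """Switch off: local assignments win. Switch on: the IdP list replaces them."""
    if not automatic:
        return list(local_groups)
    return groups_from_userinfo(userinfo, attribute, separator)


def preflight(local_groups, userinfo, attribute, separator=None, automatic=False):
    """Report the resulting groups and whether the user would be left with none."""
    groups = effective_groups(local_groups, userinfo, attribute, separator, automatic)
    return {"groups": groups, "has_group": bool(groups)}


# Constructed sample UserInfo response; all values are made up.
SAMPLE_USERINFO = {
    "sub": "constructed-subject-001",
    "email": "jane.doe@example.com",
    "groups": "monitoring-admins; app-team-a ;monitoring-admins",
}

if __name__ == "__main__":
    for attr, sep in (("groups", ";"), ("groups", ","), ("memberOf", ";")):
        print(attr, repr(sep), preflight(["local-viewers"], SAMPLE_USERINFO, attr, sep, True))
```

A result with `has_group` false corresponds to a user with no group mapping, who cannot sign in; a single long group name usually means the configured separator does not match what the IdP sends.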