Manage users and groups with OpenID in Dynatrace Managed

Dynatrace Managed supports integration with OpenID as an SSO IdP (Single Sign-On Identity Provider) for the management of users and groups. We support standard claims (email, profile, address) as defined in the OpenID Connect Core 1.0 specification.

Configure redirect_uri

The redirect_uri used for authentication is set to:

  • https://{dynatrace-server}/
    when you open Cluster Management Console.

  • https://{dynatrace-server}/e/{environment-uuid}
    when you open an environment.

You need to configure these URIs in your OpenID provider's client:

  • Configure one URI for Cluster Management Console.
  • Configure one URI per environment or use a wildcard (https://{dynatrace-server}/e/*) to match all environment URIs.

Set up OpenID integration

  1. From the Cluster Management Console user menu, select User authentication > Single sign-on settings.

  2. In Select single sign-on technology, select OpenID Connect.

  3. From Select login page, select the login options you want to offer users:

    • Standard + SSO displays the standard Dynatrace login page, where the user has the choice to sign in using a local user account (as configured through User authentication > User accounts) or to select the Log in using SSO link and use SSO authentication.
    • SSO skips the Dynatrace login page, so the user cannot sign in using a local user account, and redirects to the IdP login page for SSO authentication only.
  4. Enter the Client ID and Client Secret of the client from the IdP that will be used for authentication.

  5. In Server discovery endpoint, enter the OpenID configuration URL provided by the IdP and select Import Configuration.
    If the import is successful, the Save changes button is enabled. Save the configuration.

    If the import is unsuccessful, the Save changes button remains disabled.

    • Verify your configuration settings.
    • If your Server discovery endpoint URL must be reached through a proxy, see the workaround procedure.

Group assignment configuration

Each Dynatrace Managed user must be assigned to at least one user group, with at least one associated monitoring environment. Without such a mapping, the user can't sign in to Dynatrace Managed and will receive an error message stating that no environment has been found.

The Assign users to groups based on UserInfo response attribute switch determines how you manage user-group assignments:

  • Manually: Turn the switch off if you want to make user-group assignments manually from within Dynatrace Managed. In this case, Dynatrace Managed ignores the list of groups sent in your IdP's authentication response.
  • Automatically: Turn the switch on and, in the User groups attribute field, enter the name of the attribute in the UserInfo response that carries the user's groups, if you want to handle user-group assignment automatically. In this case, any assignments made within Dynatrace Managed are overwritten by the list of groups sent in your IdP's authentication response. If the IdP sends the groups as a single delimited string, you can add a custom user groups separator to split it into individual groups.
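The two assignment modes described above, as an added illustration that is not Dynatrace code: the UserInfo response, the attribute name, the separator and the group-to-environment table are all constructed here, and the sign-in check mirrors the rule that a user needs at least one group with at least one environment.

```python
import json

# Constructed sample UserInfo response (not from the page). Some IdPs send the
# groups as a JSON array, others as one delimited string; this one uses ";".
USERINFO = json.loads('''{
  "sub": "1234", "email": "jane@example.com",
  "groups": "ops-admins;dev-readonly"
}''')

# Hypothetical Dynatrace Managed group definitions: group name -> environments.
GROUP_ENVIRONMENTS = {
    "ops-admins": ["prod-env-uuid"],
    "dev-readonly": ["dev-env-uuid"],
    "no-env-group": [],          # a group with no environment cannot log anyone in
}

def groups_from_userinfo(userinfo, attribute, separator=None):
    """Return the group names carried in `attribute` of the UserInfo response.
    Accepts a JSON array or a separator-delimited string; blanks are dropped."""
    value = userinfo.get(attribute)
    if value is None:
        return []
    if isinstance(value, list):
        names = [str(v) for v in value]
    else:
        names = str(value).split(separator) if separator else [str(value)]
    return [n.strip() for n in names if n.strip()]

def resolve_groups(userinfo, manual_groups, automatic, attribute=None, separator=None):
    """Switch off: keep the assignments made in Dynatrace Managed and ignore the IdP list.
    Switch on: the IdP list replaces whatever was assigned manually."""
    if not automatic:
        return list(manual_groups)
    return groups_from_userinfo(userinfo, attribute, separator)

def environments_for(groups):
    """Collect the distinct environments reachable through the given groups."""
    envs = []
    for g in groups:
        for e in GROUP_ENVIRONMENTS.get(g, []):
            if e not in envs:
                envs.append(e)
    return envs

def check_login(groups):
    """Mirror the sign-in rule: at least one group with at least one environment."""
    envs = environments_for(groups)
    if not envs:
        raise PermissionError("no environment has been found")
    return envs
```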

Workaround for server discovery endpoint proxy

If Import Configuration fails and your Server discovery endpoint URL must be reached through a proxy, you need to add your proxy settings to your configuration properties.

To add proxy settings

  1. Verify that the Server discovery endpoint URL can be reached through your proxy.

    curl -U USER[:PASSWORD] -x [PROTOCOL://]HOST[:PORT] server_discovery_endpoint_url

  2. Open your custom.settings file to edit configuration properties.

    Instead of editing /server/conf/config.properties directly, always make your edits in the custom.settings file located in the /opt/dynatrace-managed/installer directory of each cluster node. You can create the file if it doesn't already exist.

    During an upgrade, and with each restart of the Dynatrace service, the settings in custom.settings are used to modify config.properties.

    See Configurable properties of Dynatrace Managed for general instructions on editing configuration properties.

  3. In the [http.client.internal] section, add the following properties (with, of course, the actual values for your proxy-server, proxy-port, proxy-user, and proxy-password):

    proxy-scheme=http
    proxy-server=
    proxy-port=
    proxy-user=
    proxy-password=

  4. Save your changes and restart the server.
    You can restart through the UI or with the /opt/dynatrace-managed/launcher/server.sh restart command.

  5. On the User authentication > Single sign-on settings page, try Import Configuration again.

  6. If configuration import is successful, try to sign in through OpenID Connect.

    If the configuration import succeeds with the proxy settings in place but you still cannot sign in through OpenID Connect afterwards, the proxy settings may be interfering with the sign-in flow. In that case, keep the imported configuration, remove the proxy settings again as described below, and then retry the sign-in.

To remove proxy settings

  1. Open your custom.settings file again to edit configuration properties.
  2. Remove the proxy settings that you added to the [http.client.internal] section in the previous procedure.
  3. Save your changes and restart the server.
  4. Try to sign in through OpenID Connect.