Manage users and groups with OpenID in Dynatrace Managed

Dynatrace Managed supports integration with OpenID as an SSO IdP (Single Sign-On Identity Provider) for the management of users and groups. We support standard claims (email, profile, address) as defined in the OpenID Connect Core 1.0 specification.

Configure redirect_uri

The redirect_uri used for authentication is set to:

  • https://{dynatrace-server}/
    when you open Cluster Management Console.

  • https://{dynatrace-server}/e/{environment-uuid}
    when you open an environment.

You need to configure these URIs in your OpenID provider's client:

  • Configure one URI for Cluster Management Console.
  • Configure one URI per environment or use a wildcard (https://{dynatrace-server}/e/*) to match all environment URIs.

Set up OpenID integration

  1. From the Cluster Management Console user menu, select User authentication > Single sign-on settings.
  2. In Select single sign-on technology, select OpenID Connect.
  3. From Select login page, select the login options you want to offer users:
    • Standard + SSO displays the standard Dynatrace login page, where the user has the choice to sign in using a local user account (as configured through User authentication > User accounts) or to select the Log in using SSO link and use SSO authentication.
    • SSO skips the Dynatrace login page, so the user cannot sign in using a local user account, and redirects to the IdP login page for SSO authentication only.
  4. Enter the Client ID and Client Secret of the client from the IdP that will be used for authentication.
  5. In Server discovery endpoint, enter the OpenID configuration URL provided by the IdP and click Import Configuration.

Group assignment configuration

Each Dynatrace Managed user must be assigned to at least one user group, with at least one associated monitoring environment. Without such a mapping, the user can't sign in to Dynatrace Managed and will receive an error message stating that no environment has been found.

The Assign users to groups based on UserInfo response attribute switch determines how you manage user-group assignments:

  • Manually: Turn the switch off if you want to make user-group assignments manually from within Dynatrace Managed. In this case, Dynatrace Managed ignores the list of groups sent in your IdP's authentication response.
  • Automatically: Turn the switch on and enter the group name in the User groups attribute field if you want to handle user-group assignment automatically. In this case, any assignments made within Dynatrace Managed are overwritten by the list of groups sent in your IdP's authentication response. You can add a custom user groups separator to separate user groups.