https://www.dynatrace.com/support/help/ Fri, 18 Oct 2019 07:17:18 +0200 Mon, 08 Apr 2019 13:05:46 +0200 Metalsmith v2.3.0 <p>Dynatrace Managed supports integration with <a href="http://openid.net/what-is-openid/">OpenID</a> as an SSO IdP (Single Sign-On Identity Provider) for the management of users and groups. We currently support standard claims (email, profile, address) as defined in the <a href="https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims">OpenID Connect Core 1.0 specification</a>. The <code>redirect_uri</code> used for authentication is set to the Dynatrace Managed Web UI URL that&apos;s configured in your Cluster Management Console. Note that this URI must also be configured in your OpenID-provider client.</p> <h2 id="set-up-openid-integration">Set up OpenID integration <span class="shortlink-copy shortlink-copy-js" data-clipboard-text="https://www.dynatrace.com/support/help/shortlink/managed-openid#set-up-openid-integration"> </span></h2> <ol> <li>From the Cluster Management Console menu, select <strong>User authentication</strong> &gt; <strong>Single sign-on settings</strong>.</li> <li>From the list, select <strong>OpenID Connect</strong>.</li> <li>To change the login page, you must prove that your SSO mechanism is actually working by signing out and logging in using SSO. The standard page will be shown as a fallback if something goes wrong.</li> <li>Enter the <strong>Client ID</strong> and <strong>Client Secret</strong> of the client from the IdP that will be used for authentication.</li> <li>In the <strong>Server discovery endpoint</strong> text field, type in the Open ID configuration URL provided by the IdP and click <strong>Import Configuration</strong>.</li> </ol> <h2 id="group-assignment-configuration">Group assignment configuration <span class="shortlink-copy shortlink-copy-js" data-clipboard-text="https://www.dynatrace.com/support/help/shortlink/managed-openid#group-assignment-configuration"> </span></h2> <p>Each Dynatrace Managed user must be assigned to at least one user group, with at least one associated <a href="https://www.dynatrace.com/support/help/reference/dynatrace-concepts/what-is-a-monitoring-environment/">monitoring environment</a>. Without such a mapping, the user can&apos;t sign in to Dynatrace Managed and will receive an error message stating that no environment has been found.</p> <p>The <strong>Assign users to groups based on UserInfo response attribute</strong> switch determines how you manage user-group assignments:</p> <ul> <li> <p>Manually: Set the switch to the <strong>off</strong> position if you want to make user-group assignments manually from within Dynatrace Managed. In this case, Dynatrace Managed ignores the list of groups sent in your IdP&apos;s authentication response.</p> </li> <li> <p>Automatically: Set the switch to the <strong>on</strong> position and enter the group name in the <strong>User groups</strong> attribute field if you want to handle user-group assignment automatically. In this case, any assignments made within Dynatrace Managed are overwritten by the list of groups sent in your IdP&apos;s authentication response. You can add a custom user groups separator to separate user groups.</p> <p> </p> </li> </ul> Mon, 08 Apr 2019 13:05:46 +0200 https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-managed/users-and-groups-setup/manage-users-and-groups-with-openid/?updated=mon-08-apr-2019-13-05-46-0200 https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-managed/users-and-groups-setup/manage-users-and-groups-with-openid/