Manage users and groups with SAML in Dynatrace Managed

Dynatrace Managed supports integration with SAML 2.0 as an SSO IdP (Single Sign-On Identity Provider) for the management of users and groups. SAML can use either HTTP POST (preferred) or HTTP Redirect bindings. When both are present, HTTP POST is used.

Set up SAML 2.0 integration

This procedure requires configuration in Dynatrace Managed and at your IdP.

In Dynatrace Managed

In the Dynatrace Managed Cluster Management Console

1. Select User authentication > Single sign-on settings.

   Example `Single sign-on settings`

   

2. Under Select single sign-on technology, select SAML 2.0.

3. Click Download SP metadata to download (to file sp.xml) the SAML metadata you need to provide to your SP.
   The XML metadata of a SAML 2.0 Service Provider box displays the metadata.

On your Identity Provider server (IdP)

At your IdP server

1. Use the sp.xml metadata file you downloaded earlier to configure Dynatrace Managed as a Service Provider (SP).
2. Download the completed configuration metafile from your IdP server.

In Dynatrace Managed

Back in the Dynatrace Managed Cluster Management Console

1. Return to the Single sign-on settings page to continue where you left off.

   Example `Single sign-on settings`

   

2. Click the Select file button and upload your IdP configuration metafile to Dynatrace Managed.
   The XML metadata of a SAML 2.0 Identity Provider box displays the metadata.

3. Under User attributes based on SAML 2.0 response attributes, enter the user attributes.

   • First name attribute
   • Last name attribute
   • Email attribute

Group assignment configuration

Each Dynatrace Managed user must be assigned to at least one user group, with at least one associated monitoring environment. Without such a mapping, the user can't sign in to Dynatrace Managed and will instead receive an error message stating that no environment has been found.

The Assign users to groups based on SAML 2.0 response attribute switch determines how you manage user-group assignments:

• Manually: Set the switch to the off position if you want to make user-group assignments manually from within Dynatrace Managed. In this case, Dynatrace Managed ignores the list of groups sent in your IdP's authentication response.

• Automatically: Turn on the toggle and enter the group name in the User group attribute field if you want to handle user-group assignment automatically. In this case, any assignments made within Dynatrace Managed are overwritten by the list of groups sent in your IdP's authentication response, such as

  <Attribute Name="gr">  
      <AttributeValue>Admins</AttributeValue>  
      <AttributeValue>Users</AttributeValue>  
  </Attribute>  
  

  which would assign the user to the Admins and Users groups.

  • If the value of the user group attribute in the SAML response contains commas, Dynatrace recognizes it as a comma-separated list of user groups and assigns the user to each group in the list. For example

    <Attribute Name="gr">
            <AttributeValue>Admins,Users</AttributeValue>
    </Attribute>
    

    would assign the user to the Admins and Users groups.
  • Make sure group names exactly match existing Dynatrace user group names (case-sensitive, no extra spaces). For example, Admins and admins would be two different groups.

ADFS configuration

If you choose to integrate Dynatrace Managed with Active Directory Federation Services (ADFS), perform the following steps on the ADFS side and then in Dynatrace Managed.

Configuration on the ADFS side

Configuration on the Dynatrace Managed side

On the Dynatrace Managed Single sign-on settings page, set the User group attribute appropriately.