Manage users and groups with SAML in Dynatrace Managed updated on Wed, 24 Apr 2019 21:34:37 +0200

Wed, 24 Apr 2019 21:34:37 +0200

Dynatrace Managed supports integration with SAML 2.0 as an SSO IdP (Single Sign-On Identity Provider) for the management of users and groups. SAML can use either HTTP POST (preferred) or HTTP Redirect bindings. When both are present, HTTP POST is used.

Set up SAML 2.0 integration

This procedure requires configuration in Dynatrace Managed and at your IdP.

In Dynatrace Managed

In the Dynatrace Managed Cluster Management Console

Select User authentication > Single sign-on settings.

Example `Single sign-on settings`
Under Select single sign-on technology, select SAML 2.0.
Click Download SP metadata to download (to file sp.xml) the SAML metadata you need to provide to your SP.
The XML metadata of a SAML 2.0 Service Provider box displays the metadata.

On your Identity Provider server (IdP)

Refer to your IdP documentation for details on these steps.

At your IdP server

Use the sp.xml metadata file you downloaded earlier to configure Dynatrace Managed as a Service Provider (SP).
Download the completed configuration metafile from your IdP server.

In Dynatrace Managed

Back in the Dynatrace Managed Cluster Management Console

Return to the Single sign-on settings page to continue where you left off.

Example `Single sign-on settings`
Click the Select file button and upload your IdP configuration metafile to Dynatrace Managed.
The XML metadata of a SAML 2.0 Identity Provider box displays the metadata.
Under User attributes based on SAML 2.0 response attributes, enter the user attributes.
- First name attribute
- Last name attribute
- Email attribute

Group assignment configuration

Each Dynatrace Managed user must be assigned to at least one user group, with at least one associated monitoring environment. Without such a mapping, the user can't sign in to Dynatrace Managed and will instead receive an error message stating that no environment has been found.

The Assign users to groups based on SAML 2.0 response attribute switch determines how you manage user-group assignments:

Manually: Set the switch to the off position if you want to make user-group assignments manually from within Dynatrace Managed. In this case, Dynatrace Managed ignores the list of groups sent in your IdP's authentication response.
Automatically: Turn on the toggle and enter the group name in the User group attribute field if you want to handle user-group assignment automatically. In this case, any assignments made within Dynatrace Managed are overwritten by the list of groups sent in your IdP's authentication response, such as
```
<Attribute Name="gr">  
    <AttributeValue>Admins</AttributeValue>  
    <AttributeValue>Users</AttributeValue>  
</Attribute>  
```
which would assign the user to the Admins and Users groups.
- If the value of the user group attribute in the SAML response contains commas, Dynatrace recognizes it as a comma-separated list of user groups and assigns the user to each group in the list. For example
```
<Attribute Name="gr">
        <AttributeValue>Admins,Users</AttributeValue>
</Attribute>
```
  would assign the user to the Admins and Users groups.
- Make sure group names exactly match existing Dynatrace user group names (case-sensitive, no extra spaces). For example, Admins and admins would be two different groups.

ADFS configuration

If you choose to integrate Dynatrace Managed with Active Directory Federation Services (ADFS), perform the following steps on the ADFS side and then in Dynatrace Managed.

Configuration on the ADFS side

Use the Add Relying Party Trust Wizard to add a new relying party trust using Dynatrace SP metadata configuration.

Add Relying Party Trust Wizard example

On the Advanced tab, set Secure hash algorithm to SHA-1.

Advanced tab example

Add a claim issuance policy to the added relying party trust.

Edit Claim Issuance Policy example

Define a rule to send LDAP attributes as claims.

Example rule: send LDAP attributes as claims

Define rules to transform LDAP attributes to Name ID (create a rule appropriate to your needs).

Example of a rule to transform the LDAP login attribute to Name ID.

Example rule: LDAP `login` attribute to `Name ID`
Example of a rule to transform the LDAP email attribute to Name ID.

Example rule: LDAP `email` attribute to `Name ID`

Configuration on the Dynatrace Managed side

On the Dynatrace Managed Single sign-on settings page, set the User group attribute appropriately.

Manage users and groups with SAML in Dynatrace Managed | Dynatrace help

Manage users and groups with SAML in Dynatrace Managed updated on Wed, 24 Apr 2019 21:34:37 +0200

Set up SAML 2.0 integration

In Dynatrace Managed

On your Identity Provider server (IdP)

In Dynatrace Managed

Group assignment configuration

ADFS configuration

Configuration on the ADFS side

Configuration on the Dynatrace Managed side