This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Dynatrace SAAS SSO with Microsoft Azure - using claims/groups.link

Go to solution
ashish_jamthe1
Newcomer

‎20 Feb 2020 03:12 AM - last edited on ‎15 Jan 2024 02:40 PM by Community Team

Microsoft Azure returns the group claim in the SAML using an attribute

http://schemas.microsoft.com/claims/groups.link 

This happens when the number of groups is very high.

Can Dynatrace handle this scenario.

Eg (with groups.link): - Unable to do SSO with Dyantrace SAAS

<Attribute Name="http://schemas.microsoft.com/claims/groups.link">

<AttributeValue>

https://graph.windows.net/48d6943f-580e-40b1-a0e1-c07fa3707873/users/ba9b7081-e2a8-4427-9cdc-92afd7099833/getMemberObjects 

</AttributeValue>

</Attribute>

I am able to successfully do SSO when the groups are returned as in identity/claims/groups, but not in the above scenario

Eg (with /claims/groups list) - This works for me

<AttributeName="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups ">
<AttributeValue>a8c55d9b-fdc6-4fe3-9d56-af0f87419f2c</AttributeValue>
<AttributeValue>4604c7b6-57ca-4aa8-9a0b-235f4c9a3651</AttributeValue>
<AttributeValue>aa312f9f-c0ab-4e65-9bbb-07503792bdd8</AttributeValue>

 

 

 

Labels:
0 Kudos
Reply
2 REPLIES 2

Go to solution
skrystosik
DynaMight Guru
DynaMight Guru

‎20 Feb 2020 08:51 AM

According to this part of documentation:

this will not work. https://www.dynatrace.com/support/help/how-to-use-dynatrace/user-management-and-sso/manage-users-and... You're limited to 150 groups.

Sebastian

Regards, Sebastian
Reply

Go to solution
ashish_jamthe1
Newcomer

‎21 Feb 2020 12:33 AM

Thanks @Sebastian K.

From talking to Dynatrace, I think we have following two solution options. I am yet to try either of them, will share progress with the community.

  1. Configure Azure AD to send only security groups.

https://www.dynatrace.com/support/help/how-to-use-dynatrace/user-management-and-sso/manage-users-and...

2. Use application roles rather than groups.

This limits the amount of information that needs to go into the token, is more secure, and separates user assignment from app configuration.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims#optio...

Change the Security group claim attribute. Something like this:

Before: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
After: http://schemas.microsoft.com/ws/2008/06/identity/claims/role

0 Kudos
Reply
Ask a question

Featured Posts