Dynatrace Managed, how to assign user to multiple groups via SAML/SSO

mikko_satama
Inactive

How to pass multiple user group names inside SAML 2.0 response attribute?

Could not find inside this documentation:

https://www.dynatrace.com/news/blog/servicenow-and...

7 REPLIES

Radoslaw_Szulgo
Dynatrace Leader

Just configure your IdP to return multiple groups for a user in a SAML 2.0 response. Then set up the groups attribute in the configuration screen and it should work. More in our help page:

https://www.dynatrace.com/support/help/get-started...

If that does not answer your question, please provide more details.

Technical Product Manager,
Dynatrace Managed expert

mikko_satama
Inactive

Thanks Radoslaw, but that did not answer my question, which was probably not well formatted, but I just figured it out by testing.

The answer I was looking for:

You can pass multiple group names inside one attribute value (User group attribute) by separating them with a comma (,).

For example: Group name 1,Group name 2,Group name 3

And of course group names should match exactly (case sensitive, no extra spacing) with Dynatrace User Group names.

mikko_satama
Inactive

And please, add this information to your documentation:

https://www.dynatrace.com/support/help/get-started/managed-users-and-permissions/can-i-manage-users-and-groups-with-saml

tarjei
Organizer

I second that. Please update documentation to explain how it accepts multiple groups.

I’ll follow up with the team and we will improve that. Thanks!


Technical Product Manager,
Dynatrace Managed expert

qmt
Newcomer

Let me add this info here because I had a rough time configuring the group attribute, and my discovery wasn't documented:

I did create the Dynatrace groups with the exact same name as my Active Directory Groups, and it was still not working (using ADFS for the SSO).

In fact the name of the "user group attribute" in the SAML response was neither "gr" nor "group" (as I configured it in ADFS), but it was "http://schemas.xmlsoap.org/claims/group" (yes, the whole URL).

So I don't know who is responsible for this behavior, if it's Dynatrace or Microsoft, but at least now it works 🙂


Where did you actually specify the URL, "http://schemas.xmlsoap.org/claims/group"?