
SSO (ADFS/SAML 2.0 with AD Group)

mrc15816
Helper

Hello,

We would like to get some ideas on how you are handling ADFS/SAML 2.0 logout and "not authorized user" messages.

We are using ADFS with AD groups for permissions. We have a solution in place which is not very friendly and are looking into options.

1. When a user signs out, they are directed to the ADFS landing page with an error. We corrected the logout entry in the IDP by redirecting to our portal, but would love to see if Dynatrace has any logout page that can be used. At this time the Login and Logout pages are the same for Dynatrace Managed.

2. When a user whose AD group doesn't have access logs in, they are redirected to the logout page, which is a little confusing to the user; instead we would like to let them know that they don't have access to the system. Working with an ADFS engineer, we were told to mess with entitlements, and I need to look into them.

Has anyone run into a similar situation? If so, how did you handle it? We would like to keep the footprint of third-party systems to none and use SAML or a Dynatrace out-of-the-box solution versus hosting a page for sign out.

Thank you in advance!


Radoslaw_Szulgo
Dynatrace Leader

Dynatrace Managed doesn't have a dedicated log-out page. And we don't plan to. Of course feel free to post a product idea for this - we'll confront this with our great community!

I'm a little bit surprised that an unauthorized user is redirected to the logout page. Dynatrace should see that a user doesn't have enough permissions and display a dedicated "Unauthorized" error page. Isn't that the case? Can you clarify that use case?

Technical Product Manager,
Dynatrace Managed expert

@Radoslaw S. thank you for the quick response. We have SSO only, but if it is SSO + Standard under user authentication, then we were able to see the unauthorized message. We understand that from the security point of view Dynatrace is keeping the footprint small, hence we are looking into other options by using the entitlements from SAML. Example below:

1. User accesses the Dynatrace UI.

2. User doesn't have access via AD groups > Dynatrace throws an error message: "Not Authorized user".

3. Can we take that payload and send the user to the SSO landing page with a predefined message in the entitlements, i.e. IDP/SAML?

Wondering how others are handling these situations.

Thank you

OK, I get it now. Seems that Dynatrace would need to support a configuration where you tell it the "unauthorized" error page URL. By default now it's the "You shall not pass" page. But you'd like to change it to a custom page URL redirection.

Please post a product idea for this.

Technical Product Manager,
Dynatrace Managed expert
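To make the flow discussed in this thread concrete, the example below is added here and is not Dynatrace code or a description of how Dynatrace Managed implements its "You shall not pass" page. It shows the service-provider-side decision a SAML relying party makes after the IdP response has been signature-validated: read the group claims from the AttributeStatement, compare them with the groups allowed to log in, and on denial build a redirect to a configurable "unauthorized" URL instead of dropping the user on the logout page. The claim type `http://schemas.xmlsoap.org/claims/Group` is the one ADFS commonly uses for AD group membership, but whether your IdP emits it is an assumption; the sample response XML, the group names and the portal URL are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in a Response / Assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Claim type ADFS commonly emits for AD group membership.
# Assumption: the IdP is configured to issue this claim.
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"


@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    subject: str
    groups: FrozenSet[str]
    redirect_url: Optional[str]  # populated only when access is denied


def extract_subject_and_groups(saml_response_xml: str) -> Tuple[str, FrozenSet[str]]:
    """Return (NameID, group values) from a Response whose signature and
    Conditions have already been validated by the SAML library (not shown here)."""
    root = ET.fromstring(saml_response_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    subject = name_id.text.strip() if name_id is not None and name_id.text else ""
    groups: Set[str] = set()
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != GROUP_CLAIM:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text:
                groups.add(value.text.strip())
    return subject, frozenset(groups)


def authorize(saml_response_xml: str, allowed_groups: Set[str],
              unauthorized_url: str) -> AccessDecision:
    """Grant access if the user is in at least one allowed group; otherwise
    return a redirect to the configured unauthorized page with a reason code."""
    subject, groups = extract_subject_and_groups(saml_response_xml)
    if groups & allowed_groups:
        return AccessDecision(True, subject, groups, None)
    # Denied: the target page is operator-configured; only a reason code is
    # passed so the page can render a clear message without leaking identity.
    query = urlencode({"reason": "not_authorized"})
    return AccessDecision(False, subject, groups, f"{unauthorized_url}?{query}")


# Constructed sample response: a user who is only in DT-Viewers.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>DT-Viewers</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed operator configuration.
ALLOWED_GROUPS = {"DT-Admins", "DT-Operators"}
UNAUTHORIZED_URL = "https://portal.example.com/not-authorized"

if __name__ == "__main__":
    decision = authorize(SAMPLE_RESPONSE, ALLOWED_GROUPS, UNAUTHORIZED_URL)
    print(decision)
```

With the constructed input the user is denied and the decision carries `https://portal.example.com/not-authorized?reason=not_authorized`; adding `DT-Viewers` to the allowed set flips it to an allow with no redirect. The point is that the redirect target is configuration, not a hard-coded logout page.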

Thank you, @Radoslaw_Szulgo - Submitted for Product Idea