How to use SAML Federation to set up Single Sign On (SSO) in Dynatrace

MattW
Dynatrace Participant

Intro

One of the most critical strategies for user management in a modern organization is Single Sign On (SSO); the ability to use a single set of credentials to securely access many different applications and platforms. On-premise SSO solutions, such as Microsoft's Active Directory, can use LDAP (Lightweight Directory Access Protocol) to provide this type of access in your internal network, but what about cloud-based applications that are accessed over the public internet?

Remote, cloud-based applications can be integrated into an SSO solution using the concept of Federated Identity Management (FIM), which leverages SAML (Security Assertion Markup Language) to securely pass identity information between an Identity Provider (IdP) and a Service Provider (SP) that have been Federated (they trust each other).

The inner workings of SAML are beyond the scope of this article. Instead, we'll focus on the different types of Federation that Dynatrace offers for SSO and, specifically, on how to use our Account Management portal to configure each one.


Federation Types

In early 2024, Dynatrace rolled out Flexible Identity Federation for SaaS, an expansion of our standard SAML configuration to provide more SSO options for customers with varied use cases and requirements.
https://www.dynatrace.com/news/blog/unlock-seamless-access-the-power-of-flexible-identity-federation...

When adding a SAML configuration for an SSO domain, one of three selectable federation types will now determine when and how SSO applies to users with that domain name when they log into Dynatrace.

  • Global - applies to ALL SSO domain users for ANY Dynatrace account (previously the only federation available)
  • Account-specific - applies to SSO domain users for ALL environments of a SINGLE account
  • Environment-specific - applies to SSO domain users for SELECTED environments within a SINGLE account

A more detailed breakdown of these Federation types can be found in our documentation here:

https://docs.dynatrace.com/docs/manage/access-control/user-management-and-sso/manage-users-and-group...


How to Add a SAML configuration in Dynatrace

In this article, we'll be walking you through how to add a SAML configuration for each of the following:

  • Global Federation
  • Account Federation
  • Environment Federation

Feel free to scroll down to the section of the specific federation you want to set up for step-by-step instructions on how to configure it.

Global Federation

Unlike Account federation, Global federation requires that a domain first be verified before a SAML configuration can be added.

To get started, click Identity & access management and then Domain verification.

Enter the domain you want to use for SSO and click Add.

In the next screen, you'll be provided with the value of a TXT record that you need to add to the DNS zone of the domain you're attempting to verify. Click (1) Copy value and add the site verification string as the data of a TXT record for the domain. Once you have confirmed that this record has propagated, click the 3 dots followed by (2) Verify.
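
A quick way to do the "confirmed this record has propagated" check before clicking Verify, as an added example that is not part of the original post. It assumes `dig` (BIND tools) is installed for live lookups; the sample output and the verification token are constructed placeholders, not a real Dynatrace verification string.

```python
"""Confirm the domain verification TXT record has propagated before clicking
Verify. Live lookups shell out to `dig` (BIND tools); parsing is stdlib only."""
import re
import subprocess

# Constructed sample of `dig +short TXT example.com` output: a verification
# record split into two quoted strings (a single TXT string is capped at
# 255 bytes, so long values arrive in chunks) plus an unrelated SPF record.
SAMPLE_DIG_OUTPUT = (
    '"PLACEHOLDER-SITE-VERIFICATION-" "TOKEN-PART2"\n'
    '"v=spf1 include:_spf.example.com -all"\n'
)


def parse_txt_records(dig_output):
    """Return one complete string per TXT record: chunks joined, quotes stripped."""
    records = []
    for line in dig_output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            records.append("".join(chunks))
    return records


def verification_record_present(records, expected):
    """True if any record equals the value Dynatrace asked you to publish."""
    return any(r.strip() == expected.strip() for r in records)


def lookup_txt(domain, resolver=None):
    """Query TXT records via dig; pass a resolver (e.g. an authoritative NS)
    to bypass a caching resolver that may still hold the old answer."""
    cmd = ["dig", "+short", "TXT", domain] + ([f"@{resolver}"] if resolver else [])
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_txt_records(out)


if __name__ == "__main__":
    import sys
    domain, expected = sys.argv[1], sys.argv[2]
    resolver = sys.argv[3] if len(sys.argv) > 3 else None
    found = verification_record_present(lookup_txt(domain, resolver), expected)
    print("propagated" if found else "not visible yet; wait and retry")
```

Run it as `python check_txt.py <domain> "<verification value>" [nameserver]`; a positive answer from the domain's authoritative nameserver is the one that matters, since a caching resolver can lag behind.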

Once successful, you will see your domain listed under Verified domains.

This domain can now be used for our Global federation. 

To get started, click Identity & access management followed by SAML configuration.

Click the New configuration button.

Select Global federation as the federation type.

In the next screen, select the domain that you verified and then click Download XML to get the SP metadata, which you will use to configure SSO at your specific IdP.

Once this has been done, obtain the resulting IdP metadata from your IdP, return to the SAML configuration page in Dynatrace, and add the metadata either by uploading an XML with Choose file or by copying and pasting the metadata contents into the Identity provider SAML metadata textbox.

Scroll down to the Attribute mapping section and add the Firstname, Lastname, and Federated attributes based on the settings of your specific IdP.

Click Next to validate your SAML configuration. This validation will attempt to use the settings you have entered by sending a login request to your IdP based on the user you are currently logged into Dynatrace with. Depending on your IdP, you may notice that you are redirected to your SSO login page, in which case you will want to enter your credentials as you normally would. 

Once the request has finished, you will receive a SAML configuration validation complete message and you can close your current browser tab to view the results of the validation.

If successful, the results should contain the login username, first name, last name, and group(s) that your current user belongs to.

The results may also contain warnings, which you can choose to ignore and move on, or errors that will prevent the configuration from being saved and need to be corrected. 
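
An added example, not from the original post, for the Attribute mapping and validation steps above (the same steps repeat in the Account and Environment sections): it takes the attribute names you intend to map and a test assertion from your IdP and reports the same fields the validation screen shows, plus any mapped attribute the assertion does not carry. The claim URIs are the Azure AD / Entra ID defaults and the assertion is constructed; both are assumptions, so substitute the names your own IdP emits.

```python
"""Dry run of the Attribute mapping step: check that the attribute names you
plan to enter for Firstname, Lastname and Federated (groups) are present in
an assertion from your IdP, and preview what the validation step reports."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed mapping: the claim URIs Azure AD / Entra ID emits by default.
MAPPING = {
    "Firstname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "Lastname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "Federated": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}

# Constructed sample assertion (not captured from a real IdP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>dynatrace-admins</saml:AttributeValue>
      <saml:AttributeValue>dynatrace-viewers</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return (NameID, {attribute name: [values]}) from a SAML 2.0 Assertion element."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name", "")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def preview_validation(assertion_xml, mapping):
    """Mimic the validation summary (username, first/last name, groups) and
    list every mapped field whose attribute the assertion does not carry."""
    name_id, attrs = extract_attributes(assertion_xml)
    return {
        "username": name_id,
        "first_name": " ".join(attrs.get(mapping["Firstname"], [])),
        "last_name": " ".join(attrs.get(mapping["Lastname"], [])),
        "groups": attrs.get(mapping["Federated"], []),
        "missing": [field for field, name in mapping.items() if name not in attrs],
    }
```

A non-empty `missing` list before you click Next usually means the attribute name typed into Dynatrace does not match what the IdP sends (case and full URI included); the groups attribute is the one most often left out of the IdP's release policy.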

Once the SAML configuration has been validated and you are ready to start using SSO, ensure that Enable SSO is switched on and click the Complete configuration button to save your SAML configuration.

PLEASE NOTE:
If you are not yet ready to fully implement SSO or have not yet created your fallback account, DO NOT enable SSO.
You will still be able to save the configuration and can enable it at any time by editing the SAML configuration.

Account Federation

To start, log into https://myaccount.dynatrace.com and click Identity & access management followed by SAML configuration.

Click the New configuration button.

Select Account federation as the federation type.

In the next screen, provide a name for your configuration and click the Generate SP metadata button.

Note that the button changes to Download SP metadata.

Click this button again to get an XML file of the SP metadata, which you will use to configure SSO at your specific IdP.

Once this has been done, obtain the resulting IdP metadata from your IdP, return to the SAML configuration page in Dynatrace, and add the metadata either by uploading an XML with Choose file or copying and pasting the metadata contents into the Identity provider SAML metadata textbox.

Scroll down to the Attribute mapping section and add the Firstname, Lastname, and Federated attributes based on the settings of your specific IdP.

Click Next to validate your SAML configuration. This validation will attempt to use the settings you have entered by sending a login request to your IdP based on the user you are currently logged into Dynatrace with. Depending on your IdP, you may notice that you are redirected to your SSO login page, in which case you will want to enter your credentials as you normally would.

Once the request has finished, you will receive a SAML configuration validation complete message and you can close your current browser tab to view the results of the validation.

If successful, the results should contain the login username, first name, last name, and group(s) that your current user belongs to.

The results may also contain warnings, which you can choose to ignore and move on, or errors that will prevent the configuration from being saved and need to be corrected.

However, as long as everything looks correct, you can click Next and proceed to the Scope assignment section.

Account federation allows you to select one of two different domain scopes, which further determines how SSO will function:
  • Option A allows you to select one or more verified domains. This will allow you to set up a standard SSO integration for the selected domain that will be limited to only your Dynatrace account. This is useful for large organizations that share the same domain name, but have separate SSO implementations and Dynatrace accounts. Previously, this functionality was referred to as "non-global federation".
  • Option B allows you to authenticate users with domains that have not been verified in Dynatrace, but exist as users in your IdP. In other words, users belonging to partner organizations or other domains you do not have direct control over that are still part of your SSO and need to access Dynatrace.

Once the scope selection has been made and you are ready to start using SSO, ensure that Enable SSO is switched on and click the Complete configuration button to save your SAML configuration.

PLEASE NOTE:
If you are not yet ready to fully implement SSO or have not yet created your fallback account, DO NOT enable SSO.
You will still be able to save the configuration and can enable it at any time by editing the SAML configuration.

Environment Federation 

To start, log into https://myaccount.dynatrace.com and click Identity & access management followed by SAML configuration.

Click the New configuration button.

Select Environment federation as the federation type.

In the next screen, provide a name for your configuration and click the Generate SP metadata button.

Note that the button changes to Download SP metadata.

Click this button again to get an XML file of the SP metadata, which you will use to configure SSO at your specific IdP.

Once this has been done, obtain the resulting IdP metadata from your IdP, return to the SAML configuration page in Dynatrace, and add the metadata either by uploading an XML with Choose file or by copying and pasting the metadata contents into the Identity provider SAML metadata textbox.

Scroll down to the Attribute mapping section and add the Firstname, Lastname, and Federated attributes based on the settings of your specific IdP.

Click Next to validate your SAML configuration. This validation will attempt to use the settings you have entered by sending a login request to your IdP based on the user you are currently logged into Dynatrace with. Depending on your IdP, you may notice that you are redirected to your SSO login page, in which case you will want to enter your credentials as you normally would.

Once the request has finished, you will receive a SAML configuration validation complete message and you can close your current browser tab to view the results of the validation.

If successful, the results should contain the login username, first name, last name, and group(s) that your current user belongs to.

The results may also contain warnings, which you can choose to ignore and move on, or errors that will prevent the configuration from being saved and need to be corrected.

However, as long as everything looks correct, you can click Next and proceed to the Scope assignment section, where you will see the option to Add federation.

"Federation" here refers to the environment(s) you choose to apply SSO to. For example, you may have one production environment and one development environment that each use a separate IdP; an Environment federation for each ensures that when a user logs into a given environment, they are routed to that environment's IdP.

Each Environment federation that you add requires that you select two options:

  • A - The UUID of the environment you want this federation to apply to 
  • B - The associated verified domain(s) this federation should apply to 

As an example, a completed entry looks like this:

[Screenshot: an Environment federation entry showing the environment UUID (A) alongside its verified domain (B)]

Once all desired federations have been added and you are ready to start using SSO, ensure that Enable SSO is switched on and click the Complete configuration button to save your SAML configuration.

PLEASE NOTE:
If you are not yet ready to fully implement SSO or have not yet created your fallback account, DO NOT enable SSO.
You will still be able to save the configuration and can enable it at any time by editing the SAML configuration.

For troubleshooting steps, see the article: Troubleshooting common SAML federation issues with Dynatrace SSO

AntonPineiro
DynaMight Guru

Thank you! :take_my_money:

❤️ Emacs ❤️ Vim ❤️ Bash ❤️ Perl

DanielS
DynaMight Guru

great post!!!!

The true delight is in the finding out rather than in the knowing.

erh_inetum
Mentor

Hi @MattW ,

Great post. Thanks.

A question: 

The first step of the documentation is creating a fallback user account.

My question is: this fallback user account, could it be a user account that belongs to the same organization but is created in a different branch of the Azure SAML that is going to be integrated?

Let me know if my question is not clear.

Thanks in advance.
Regards,
Elena.

MattW
Dynatrace Participant

Hi @erh_inetum 

For the fallback user account to be effective, it should ideally be a user with admin-level permissions in Dynatrace set up with an email domain that is not connected to your SAML integration in any way. 

The reason for this is that the fallback account needs to be detected as a LOCAL user in order to log into Account Management when there is a problem with SSO/SAML.
Although the scenario you described might work, if the domain is attached to your SAML integration somehow, you risk the chance of this account being detected as a SAML user and redirected back to your IdP, which would prevent you from bypassing SSO and allowing a login as a local user.

The fallback account does not have to be part of Azure or an existing IdP setup in order to work though. For example, you could create a user for your fallback account that uses a gmail address. 
