Hi, now that Single-Sign-On (SSO) is supported in NAM 2018, I wonder if someone can provide a step by step implementation guide to hook up with a SAML (2.0) type of SSO environment.
Including the info back and forth required by/from the SSO team. Who go it working, and how? 🙂
Solved! Go to Solution.
There is a how-to section in NAM documentation, using OpenAM as an example: https://www.dynatrace.com/support/doc/nam/shortli...
It worked for Dynatrace Community team integrating NAM demo with the Community, while the Community team is not associated with the NAM lab - so this is kind of a proof it can be done:-)
We've got SSO configured at my customer, so it definitely can be done. The documentation linked by Kris is good for the general process - though of course it depends on your iDP.
Firstly, make sure that the NAM Console uses SSL certificates that will be accepted by the iDP (i.e. not self-signed certificates).
The main information required by the iDP is the XML service metadata that the NAM Console generates. In return, you'll get some iDP XML metadata that you need to put into the NAM Console SSO configuration screen.
Another thing you need to get right is the user attribute names, so that the user information you get from SAML matches LDAP user and group information.
One problem that we encountered was that the customer's iDP was only signing the SAML response, but not the SAML assertion that's inside the response. In the NAM Console workspace/logs/sso.log, we saw the error message "InvalidSamlDocumentException: Missing assertion signature in SAML message". Once the iDP was reconfigured so that both the response AND assertion were signed, it worked perfectly.
Also, if you've got non-standard users in your system (e.g. service accounts for TV dashboards), you'll need to test that these accounts can use SSO as well as regular users. Unlike Dynatrace Managed (which has an option for username/password OR SSO), NAM login will exclusively be SSO.
Finally, the doco has the link you need if you need to access the NAM Console locally if you've messed up your SSO configuration, or the IDP isn't configured correctly.
Hello - is this documented anywhere?
"One problem that we encountered was that the customer's iDP was only signing the SAML response, but not the SAML assertion that's inside the response "
I can see in the NAM Console service provider metadata: