Posted on 25 Jun 2024 08:44 AM, edited on 04 Jul 2024 07:37 AM, by Francis_Bateman
One of the most important user-management strategies in a modern organization is Single Sign On (SSO): the ability to use a single set of credentials to securely access many different applications and platforms. On-premises directory services such as Microsoft Active Directory provide this inside your internal network, where applications authenticate users against the directory (over Kerberos or LDAP, the Lightweight Directory Access Protocol). But what about cloud-based applications that are accessed over the public internet?
Remote, cloud-based applications can be brought into an SSO solution through Federated Identity Management (FIM), which uses SAML (Security Assertion Markup Language) to pass identity information securely between an Identity Provider (IdP) and a Service Provider (SP) that have been federated, that is, configured to trust each other: the SP accepts assertions signed with the IdP's key, and the IdP knows the SP's entity ID and endpoints.
The inner workings of SAML are beyond the scope of this article. Instead, we focus on the different types of federation that Dynatrace offers for SSO and, specifically, on how to use our Account Management portal to configure each one.
In early 2024, Dynatrace rolled out Flexible Identity Federation for SaaS, an expansion of our standard SAML configuration to provide more SSO options for customers with varied use cases and requirements.
https://www.dynatrace.com/news/blog/unlock-seamless-access-the-power-of-flexible-identity-federation...
When adding a SAML configuration for an SSO domain, you now select one of three federation types, which determines when and how SSO applies to users with that domain name when they log in to Dynatrace.
A more detailed breakdown of these Federation types can be found in our documentation here:
In this article, we'll walk you through how to add a SAML configuration for each of the following: Global federation, Account federation, and Environment federation.
Global Federation
Unlike Account federation, Global federation requires that the domain be verified before a SAML configuration can be added. Verification proves that you control the domain's DNS before SSO is applied to every user of that domain.
To get started, click Identity & access management and then Domain verification.
Enter the domain you want to use for SSO and click Add.
On the next screen you are given the value of a TXT record that you must add to the DNS zone of the domain you are verifying. Click Copy value, create a TXT record for the domain with the site verification string as its data, and once you have confirmed the record has propagated, click the three dots next to the domain and then Verify. Dynatrace performs this lookup from the SaaS side, so confirm propagation against a public resolver rather than only your internal DNS.
Once verification succeeds, your domain is listed under Verified domains.
This domain can now be used for Global federation.
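To confirm the TXT record has actually propagated before you click Verify, here is an added check written for this article (example code, not Dynatrace tooling). It shells out to `dig` for the live lookup, which is assumed to be installed; the parsing and matching logic is exercised on a constructed sample of `dig +short TXT` output, and the verification string in the sample is made up, so substitute the value the portal shows under Copy value.

```python
"""Check that the domain-verification TXT record has propagated.

Added example for this article, not Dynatrace tooling. Assumes `dig` is on
PATH for the live lookup; the parsing and matching are exercised on a
constructed sample of `dig +short TXT` output, and the verification string
below is made up (use the one the portal shows under Copy value).
"""
import re
import subprocess
import sys
from typing import Optional

# One double-quoted character-string as printed by dig, allowing \" and \\
# escapes inside it.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_dig_txt(output: str) -> list[str]:
    """Turn `dig +short TXT` output into one Python string per TXT record.

    dig prints one record per line. A record longer than 255 bytes is
    printed as several quoted strings on that line; resolvers concatenate
    those, so we do the same before comparing.
    """
    records = []
    for line in output.splitlines():
        parts = _QUOTED.findall(line)
        if parts:
            unescaped = [re.sub(r"\\(.)", r"\1", p) for p in parts]
            records.append("".join(unescaped))
    return records


def txt_record_present(records: list[str], expected: str) -> bool:
    """True if some TXT record equals the verification string exactly.

    The comparison is deliberately exact: trailing whitespace, a pasted
    quote character or a truncated value fails the portal's check as well.
    """
    return any(r == expected for r in records)


def lookup_txt(domain: str, resolver: Optional[str] = None) -> list[str]:
    """Live lookup. Pass a public resolver such as "1.1.1.1": Dynatrace
    verifies from the SaaS side, so your internal DNS view is not enough."""
    cmd = ["dig", "+short", "TXT", domain]
    if resolver:
        cmd.append(f"@{resolver}")
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_dig_txt(out)


# Constructed sample output: the second record is split the way dig prints
# a long TXT value, and the third contains an escaped quote.
SAMPLE_DIG_OUTPUT = '''"v=spf1 include:_spf.example.net -all"
"example-site-verification=0123456789" "abcdef0123456789"
"note=\\"quoted\\" text"
'''
EXPECTED = "example-site-verification=0123456789abcdef0123456789"

if __name__ == "__main__":
    # Usage: python check_txt.py <domain> <verification-string>
    if len(sys.argv) > 2:
        records = lookup_txt(sys.argv[1], resolver="1.1.1.1")
        expected = sys.argv[2]
    else:
        records, expected = parse_dig_txt(SAMPLE_DIG_OUTPUT), EXPECTED
    for r in records:
        print("TXT:", r)
    print("verification record present:", txt_record_present(records, expected))
```

Run it against a couple of public resolvers; if one of them still returns the old record set, wait out the TTL of the zone before clicking Verify, since a negative answer may be cached.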
To get started, click Identity & access management followed by SAML configuration.
Click the New configuration button.
Select Global federation as the federation type.
On the next screen, select the domain that you verified and then click Download XML to get the SP metadata, which you will import at your IdP to configure SSO there.
Once that is done, obtain the resulting IdP metadata from your IdP, return to the SAML configuration page in Dynatrace, and add the metadata either by uploading the XML with Choose file or by pasting its contents into the Identity provider SAML metadata textbox. Take the metadata directly from the IdP's admin console or over HTTPS: it contains the signing certificate Dynatrace will trust, so whoever can alter it controls who can log in.
Scroll down to the Attribute mapping section and enter the Firstname, Lastname, and Federated attributes using the attribute names your specific IdP emits in its assertions; names are matched exactly, so copy them as the IdP sends them.
Click Next to validate your SAML configuration. This sends a login request to your IdP on behalf of the user you are currently logged in to Dynatrace with, so that user should also exist at the IdP. Depending on your IdP, you may be redirected to your SSO login page, in which case enter your credentials as you normally would.
Once the request has finished, you will receive a SAML configuration validation complete message; close that tab and return to the Account Management tab to view the results of the validation.
If successful, the results show the login username, first name, last name, and the group(s) your current user belongs to.
The results may also contain warnings, which you can choose to ignore and move on, or errors, which prevent the configuration from being saved and must be fixed.
Note: If you are unsure how to proceed with your validation results, please contact Support, with a screenshot of them if possible.
Once the SAML configuration has been validated and you are ready to start using SSO, ensure that Enable SSO is switched on and click the Complete configuration button to save your SAML configuration.
If you are not yet ready to fully implement SSO, or have not yet created your fallback account (a non-SSO login you can still use if the IdP is misconfigured or unavailable), DO NOT enable SSO. You can still save the configuration and enable it at any time by editing the SAML configuration.
Account Federation
To start, log in to https://myaccount.dynatrace.com and click Identity & access management followed by SAML configuration.
Click the New configuration button.
Select Account federation as the federation type.
On the next screen, provide a name for your configuration and click the Generate SP metadata button.
Note that the button changes to Download SP metadata.
Click this button again to get an XML file of the SP metadata, which you will import at your IdP to configure SSO there.
Once that is done, obtain the resulting IdP metadata from your IdP, return to the SAML configuration page in Dynatrace, and add the metadata either by uploading the XML with Choose file or by pasting its contents into the Identity provider SAML metadata textbox.
Scroll down to the Attribute mapping section and enter the Firstname, Lastname, and Federated attributes using the attribute names your specific IdP emits in its assertions.
Click Next to validate your SAML configuration. This sends a login request to your IdP on behalf of the user you are currently logged in to Dynatrace with. Depending on your IdP, you may be redirected to your SSO login page, in which case enter your credentials as you normally would.
If successful, the results show the login username, first name, last name, and the group(s) your current user belongs to.
The results may also contain warnings, which you can choose to ignore and move on, or errors, which prevent the configuration from being saved and must be fixed.
Account federation then lets you select one of two domain scopes, which further determines which users SSO applies to.
Once the scope selection has been made and you are ready to start using SSO, ensure that Enable SSO is switched on and click the Complete configuration button to save your SAML configuration.
If you are not yet ready to fully implement SSO, or have not yet created your fallback account, DO NOT enable SSO. You can still save the configuration and enable it at any time by editing the SAML configuration.
Environment Federation
To start, log in to https://myaccount.dynatrace.com and click Identity & access management followed by SAML configuration.
Click the New configuration button.
Select Environment federation as the federation type.
On the next screen, provide a name for your configuration and click the Generate SP metadata button.
Note that the button changes to Download SP metadata.
Click this button again to get an XML file of the SP metadata, which you will import at your IdP to configure SSO there.
Once that is done, obtain the resulting IdP metadata from your IdP, return to the SAML configuration page in Dynatrace, and add the metadata either by uploading the XML with Choose file or by pasting its contents into the Identity provider SAML metadata textbox.
Scroll down to the Attribute mapping section and enter the Firstname, Lastname, and Federated attributes using the attribute names your specific IdP emits in its assertions.
Click Next to validate your SAML configuration. This sends a login request to your IdP on behalf of the user you are currently logged in to Dynatrace with. Depending on your IdP, you may be redirected to your SSO login page, in which case enter your credentials as you normally would.
Once the request has finished, you will receive a SAML configuration validation complete message; close that tab and return to the Account Management tab to view the results of the validation.
If successful, the results show the login username, first name, last name, and the group(s) your current user belongs to.
The results may also contain warnings, which you can choose to ignore and move on, or errors, which prevent the configuration from being saved and must be fixed.
Note: If you are unsure how to proceed with your validation results, please contact Support, with a screenshot of them if possible.
If everything looks correct, click Next to proceed to the Scope assignment section, which offers the option Add federation.
Federation here refers to the environment(s) that this SSO configuration applies to. For example, you may have one production environment and one development environment that use separate IdPs.
A per-environment federation ensures that a user logging in to an environment is routed to that environment's own IdP.
Each Environment federation you add requires that you select two options; the example screenshot shows what a completed entry looks like.
Once all desired federations have been added and you are ready to start using SSO, ensure that Enable SSO is switched on and click the Complete configuration button to save your SAML configuration.
If you are not yet ready to fully implement SSO, or have not yet created your fallback account, DO NOT enable SSO. You can still save the configuration and enable it at any time by editing the SAML configuration.
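Two of the steps above are identical for Global, Account, and Environment federation: pasting the IdP metadata into the Identity provider SAML metadata box, and filling in the Attribute mapping. Both go more smoothly if you inspect the XML offline first. What follows is an added example written for this article, not code from Dynatrace or from any IdP, using only the Python standard library. Everything in it is constructed: the IdP metadata, the SAML response captured as if from a browser SAML tracer, the attribute names (the Microsoft claim URIs are what ADFS and Entra ID commonly emit, but read yours off your own captured assertion), and the certificate, which is a dummy byte string rather than a real X.509 certificate, so the block demonstrates the fingerprint check but does not validate certificate contents. The groups attribute in the sample is assumed to be what the Federated attribute field maps, since the validation step reports group membership back.

```python
"""Offline inspection of IdP metadata and of a captured SAML assertion.

Added example for this article (not Dynatrace or IdP code), stdlib only.
All inputs below are constructed; DUMMY_CERT_DER is not a real certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET  # does not resolve external entities;
                                    # still prefer defusedxml for untrusted input

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
SSO_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}


def check_idp_metadata(xml_text: str) -> dict:
    """Pull out what the SP side needs and list problems that would make
    the validation step fail or weaken the trust relationship."""
    root = ET.fromstring(xml_text)
    problems, endpoints, certs = [], [], []
    entity_id = root.get("entityID")
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or not entity_id:
        problems.append("root is not an md:EntityDescriptor with an entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor (SP metadata pasted by mistake?)")
    else:
        for sso in idp.findall("md:SingleSignOnService", NS):
            binding, loc = sso.get("Binding"), sso.get("Location", "")
            if binding in SSO_BINDINGS:
                endpoints.append((binding, loc))
            if not loc.startswith("https://"):
                problems.append(f"SSO endpoint is not HTTPS: {loc}")
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use", "signing") != "signing":
                continue  # encryption-only keys never verify assertions
            for cert in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join(cert.text.split()))
                # Compare this fingerprint with the IdP admin out of band:
                # whoever holds this key can mint logins for your tenant.
                certs.append(hashlib.sha256(der).hexdigest())
    if not endpoints:
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    if not certs:
        problems.append("no signing certificate: assertions cannot be verified")
    return {"entity_id": entity_id, "sso_endpoints": endpoints,
            "signing_cert_sha256": certs, "problems": problems}


def assertion_attributes(xml_text: str) -> dict:
    """Return the NameID and attribute Name -> values of a captured Response
    or bare Assertion, to copy into Attribute mapping. Signatures are not
    checked here; this reads names, it does not establish trust."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted, or not a SAML Response)")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": name_id, "attributes": attrs}


DUMMY_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(DUMMY_CERT_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Version="2.0">
  <saml:Assertion Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>dt-admins</saml:AttributeValue>
        <saml:AttributeValue>dt-viewers</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_idp_metadata(IDP_METADATA))
    print(assertion_attributes(SAML_RESPONSE))
```

The attribute names printed by `assertion_attributes` are exactly the strings to enter as the Firstname, Lastname, and Federated attributes; the NameID is what the validation step reports as the login username. Anything in `problems` from `check_idp_metadata` should be resolved at the IdP before the metadata is pasted into Dynatrace.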