I am trying to set up single sign-on (SAML) for Dynatrace SaaS with Azure AD. After verifying the domain and applying both metadata (SP and IdP) in Dynatrace and Azure, I am validating the configuration, which shows the message below in the browser.
You may close this window and return to the configuration page to view the validation results.
But when I checked the validation configuration results it is showing: "Saml Message has not been signed. Entire SAML Message needs to be signed."
I checked with the AD admin: on the SAML Signing certificate, the status is active with the Thumbprint, and the Signing option is "Sign SAML response and assertion" with "SHA-256" as the Signing Algorithm.
Any idea what might be the issue? How can I fix it?
Have you gone carefully through https://www.dynatrace.com/support/help/how-to-use-dynatrace/user-management-and-sso/manage-users-and... ?
In particular, have you re-uploaded the Federated Metadata XML file after configuration changes in AD?
Thank you Radoslaw. I have followed the instructions from the link for the configuration. I have now opened a ticket with the support team.
It would be cool if you shared the root cause and a solution if possible. Other community members might benefit when landing here.
Yes, please share the root cause. We just had an issue with SSO as well. Ticket with Support now.
The issue is fixed. It was on the Azure AD side. As I mentioned earlier, the Signing option I selected was "Sign SAML response and assertion" and it was showing on the Azure portal as well, but when I sent the trace to support they saw that the SAML responses coming from AD were not fully signed (only the assertions were signed). Below is what they asked me to do:
• change Signing Option to Sign SAML response,
• change Signing Option to Sign SAML response and assertion again,
• validate configuration again (maybe after some time needed for Azure AD to be reconfigured).
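A way to confirm from a captured SAML Response which elements actually carry a signature, so the "assertion signed but message not signed" state described above can be spotted before opening a ticket. This is an added example, not part of this thread and not Dynatrace or Azure AD code; the sample response, placeholder signature and the `signature_coverage` / `check_full_signing` names are constructed here, and it checks only for the presence of ds:Signature elements, not their cryptographic validity.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 responses and XML Signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_coverage(xml_text: str) -> dict:
    """Report which elements of a samlp:Response carry a ds:Signature child.
    Only presence is checked; cryptographic verification is the SAML
    library's job. Encrypted assertions are not handled."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response element: %s" % root.tag)
    # The message signature is a direct child of <samlp:Response>; each
    # assertion's signature is a direct child of its <saml:Assertion>.
    response_signed = root.find("ds:Signature", NS) is not None
    assertions = root.findall("saml:Assertion", NS)
    assertion_signed = bool(assertions) and all(
        a.find("ds:Signature", NS) is not None for a in assertions)
    return {"response": response_signed, "assertion": assertion_signed}

def check_full_signing(xml_text: str) -> str:
    """Translate the coverage into the outcome the thread describes."""
    cov = signature_coverage(xml_text)
    if cov["response"] and cov["assertion"]:
        return "OK: response and assertion are signed"
    if not cov["response"]:
        return "FAIL: SAML message has not been signed (Response element unsigned)"
    return "FAIL: assertion is not signed"

# Constructed placeholder signature element; the value is not a real signature.
SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
       '<ds:SignatureValue>UExBQ0VIT0xERVI=</ds:SignatureValue></ds:Signature>')

def sample_response(sign_response: bool, sign_assertion: bool) -> str:
    """Constructed minimal samlp:Response (not a captured Azure AD message)."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        '<saml:Issuer>https://idp.example/</saml:Issuer>'
        + (SIG if sign_response else "")
        + '<saml:Assertion ID="_a1" Version="2.0">'
        '<saml:Issuer>https://idp.example/</saml:Issuer>'
        + (SIG if sign_assertion else "")
        + "</saml:Assertion></samlp:Response>")
```

Feed `check_full_signing` the decoded (base64 and, for HTTP-Redirect, inflated) SAMLResponse captured from a browser trace to see which placement the IdP actually used.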