Can I manage users and groups with SAML?

This topic applies to Dynatrace Managed installations only.

Does your organization use LDAP for login?

Dynatrace Managed supports the integration of SAML 2.0 as an SSO IdP (Single Sign-On Identify Provider) for the management of users and groups. SAML can use either HTTP POST (preferred) or HTTP Redirect bindings—when both are present, HTTP POST is used.

Set up SAML 2.0 integration

  1. From the Dynatrace Managed navigation menu, select User authentication > Single sign-on settings.
  2. From drop list, select SAML 2.0.
  3. Click the Download SP metadata button to download the SAML Service Provider metadata file.
  4. Use the SP metadata file to configure Dynatrace Managed to serve as a Service Provider on your Identity Provider server (IdP). Refer to your IdP documentation for details on this.
  5. Download the completed configuration metafile from your IdP server. Refer to your IdP documentation for details.
  6. Back within Dynatrace Managed, click the Select file button and upload your IdP configuration metafile to Dynatrace Managed.

SAMl 2.0

Group assignment configuration

Each Dynatrace Managed user must be assigned to at least one user group, with at least one associated monitoring environment. Without such mapping, a user can’t login to Dynatrace Managed. Users will instead receive an error message stating that no environment has been found.

You can manage user group assignments in one of two ways:

  • Manually, from within Dynatrace Managed. For manual user-group assignment, set the Assign users to groups based on SAML 2.0 response attribute switch to the off position. With this approach, the list of groups sent within your IdP’s authentication response is ignored by Dynatrace Managed.

  • Automatically For automatic user-group assignment, set the Assign users to groups based on SAML 2.0 response attribute switch to the on position and type the group name in the User group attribute field. With this approach, any assignments made within Dynatrace Managed are overwritten by the list of groups sent within your IdP’s authentication response.