SAML certificate migration
On March 31st, 2024, the old certificate will be deleted from the SSO SAML metadata and all federations still using it will be automatically switched to the new certificate.
Your Identity Provider (IdP) may validate the certificates in SAML messages signed by Dynatrace. That validation can also include a check of the certificate expiry date.
To avoid any interruption in SAML authentication to Dynatrace, we strongly recommend obtaining the new Dynatrace SAML certificate (available below or extractable from publicly available Dynatrace SAML metadata) and adding it to your Identity Provider within the enterprise application used to provide SAML authentication to Dynatrace.
Since these changes need to be applied within the Identity Provider itself, we would like to clarify that with this migration, there is:
- NO need to upload XML Metadata in Dynatrace Account Management
- NO need to generate any new certificates within the Identity Provider
The process of changing Dynatrace SAML certificates depends on how your company IdP handles SAML certificates and their validation.
What if my IdP doesn't validate the signature or the option is disabled?
If your IdP configuration doesn't use the Dynatrace certificate to validate SAML request signatures or this option is disabled, just open Account Management, enable the new certificate in your Account Management, and complete your configuration test. No additional changes on your IdP side are required.
- Go to Account Management and, if you have more than one account, select the account.
- Select Identity & access management > SAML configuration. A message box will tell you which configuration needs a certificate update.
- In the Configurations table, select Actions > Edit configuration for the configuration that needs a certificate update.
- In the Accounts using expired SAML certificate message, select Continue.
- Make sure the checkbox for I'm ready to use the new Dynatrace SAML metadata is selected.
- Don't change any other options. Just step through the rest of the verification process.
For security reasons, switching back to the old certificate is not supported.
How to get the new Dynatrace SAML certificate
You can copy the certificate from the expandable section below and paste it directly into the file.
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
You can verify the above certificate against the publicly available Dynatrace SAML metadata. The new certificate is the one whose <ds:KeyName> element has the value Dynatrace Certificate 2023 inside a <KeyDescriptor use="signing"> (...) </KeyDescriptor> element.
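The check described above can be automated: parse the SAML metadata, keep only the signing KeyDescriptor entries, and compare the SHA-256 fingerprint of each embedded certificate with the fingerprint of the PEM you intend to paste into your IdP. The script below is an added example, not Dynatrace code; the metadata document, entityID and the certificate bodies are constructed placeholders (plain base64 blobs, not real X.509 certificates), so only the matching logic is demonstrated, not the real Dynatrace values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Namespaces used by SAML 2.0 metadata and XML Signature (KeyInfo, KeyName, X509Certificate).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders: these are NOT real DER-encoded certificates, just bytes that
# play the role of the certificate body so the fingerprint comparison can be exercised.
OLD_CERT_B64 = base64.b64encode(b"placeholder DER bytes for the OLD signing certificate " * 2).decode()
NEW_CERT_B64 = base64.b64encode(b"placeholder DER bytes for the NEW signing certificate " * 2).decode()
ENC_CERT_B64 = base64.b64encode(b"placeholder DER bytes for an encryption-only certificate " * 2).decode()

# Constructed sample metadata (hypothetical entityID; the Old Certificate KeyName is invented).
SAMPLE_METADATA = f"""
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sso.example.invalid/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:KeyName>Dynatrace Certificate 2023</ds:KeyName>
        <ds:X509Data><ds:X509Certificate>{NEW_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:KeyName>Old Certificate</ds:KeyName>
        <ds:X509Data><ds:X509Certificate>{OLD_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:KeyName>Encryption Only</ds:KeyName>
        <ds:X509Data><ds:X509Certificate>{ENC_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of the raw certificate bytes, as IdP consoles usually display it."""
    return hashlib.sha256(der).hexdigest()


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END lines and any line wrapping, then base64-decode the body."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    return base64.b64decode(body)


def signing_certs(metadata_xml: str) -> List[Tuple[str, str]]:
    """Return (KeyName, fingerprint) for every KeyDescriptor usable for signing.
    A KeyDescriptor without a 'use' attribute is valid for both signing and encryption,
    so only use="encryption" entries are skipped."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        name_el = kd.find("ds:KeyInfo/ds:KeyName", NS)
        cert_el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert_el is None or not cert_el.text:
            continue
        # Metadata publishers often wrap the base64 body; remove all whitespace first.
        der = base64.b64decode("".join(cert_el.text.split()))
        name = name_el.text.strip() if name_el is not None and name_el.text else "<no KeyName>"
        found.append((name, fingerprint_der(der)))
    return found


def find_cert_in_metadata(pem: str, metadata_xml: str) -> Optional[str]:
    """Return the KeyName of the signing certificate in the metadata that matches the PEM,
    or None when the pasted certificate is not published as a signing certificate."""
    wanted = fingerprint_der(pem_to_der(pem))
    for name, fp in signing_certs(metadata_xml):
        if fp == wanted:
            return name
    return None


if __name__ == "__main__":
    pem = "-----BEGIN CERTIFICATE-----\n" + NEW_CERT_B64 + "\n-----END CERTIFICATE-----"
    print("Pasted certificate matches metadata entry:", find_cert_in_metadata(pem, SAMPLE_METADATA))
```

For the real check, replace SAMPLE_METADATA with the downloaded Dynatrace SAML metadata and the PEM with the certificate from the section above; a result of None means the certificate you are about to trust is not one the SP publishes for signing, and the encryption-only entry shows why the use attribute must be filtered rather than taking the first certificate in the file.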
Multiple certificates are supported (for example, Microsoft Azure, PingFederate)
If done properly, the transition should be transparent to all users and allow uninterrupted login flow to Dynatrace, because both certificates can be used in the SAML signature verification process.
If multiple certificates are supported
- Add the saved Dynatrace SAML certificate to your company IdP Dynatrace application. Do not enable signature verification on the IdP without reading our suggestions first! Additional documentation:
  - Microsoft: How to add a certificate in Microsoft Azure
  - PingIdentity: How to add a certificate in PingFederate
- In Dynatrace, go to Account Management > Identity & access management > SAML configuration.
- In the Configuration section, select I'm ready to use new Dynatrace SAML metadata.
- Only after the federation verification is successful will you be prompted to save the configuration, and only then will Dynatrace SSO start using the new certificate to sign SAML messages.
- Optional: To double-check your configuration, sign out and in again.
Important note on "Require Verification Certificates" in Azure
SAML signature verification is disabled in Azure by default, and there may be no signing certificates present at all. If that is your case, follow one of our proposed options:
Leave "Require Verification Certificates" disabled
Provided your organization understands the risks, and this has been your mode of operation so far, you may decide not to enable signature verification. In that case, switching to the new Dynatrace SSO SAML signing certificate should be transparent and not impact the federated login to Dynatrace.
If you are using IdP-initiated login with Azure, you should not enable this option at all, as explained in our FAQ.
Add both the old and new SAML signing certificate before migrating
Dynatrace SSO will keep using the old certificate to sign SAML messages until you perform the migration described in this document. If you add only the new certificate and enable the "Require Verification Certificates" option before migrating, the federation breaks: Azure would try to verify the signature with the new certificate while SSO still signs with the old one. To switch the signing certificate transparently while keeping signature verification enabled, add both certificates: the old one (below) and the new one (provided above). With both certificates in place, Azure picks the matching one regardless of which certificate SSO used to sign the SAML message.
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Enable "Require Verification Certificates" later
It's also possible to add the new Dynatrace SAML signing certificate without enabling signature validation. In that case, the change should again be transparent to your federated users. Once you have enabled the new certificate in Dynatrace SSO, you can decide to enable signature verification. You would then have to verify on your own that federated login still works after enabling this option; with matching certificates on both ends, you should not encounter any issues.
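The three Azure options above, and the single-certificate case further below, all come down to one question: which certificates does the IdP trust at the moment the SP signs a message, and is verification enforced at all. The following is an added illustration, not Dynatrace or Azure code: an HMAC over a shared secret stands in for the RSA/XML-DSig signature on the SAML message (the signature primitive is not the point), and `rollover_matrix` evaluates every combination of IdP trust configuration and SP signing certificate so you can see which combinations break login and which stay transparent.

```python
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed stand-in for an X.509 signing certificate: a name plus a random secret.
# In reality the IdP holds only the public certificate; the HMAC is a simplification.
def make_cert(name: str) -> Dict[str, object]:
    return {"name": name, "secret": secrets.token_bytes(32)}


def sp_sign(cert: Dict[str, object], message: bytes) -> Tuple[str, bytes]:
    """The SP (Dynatrace SSO) signs with exactly one certificate at a time:
    the old one until the migration is completed, the new one afterwards."""
    return str(cert["name"]), hmac.new(cert["secret"], message, "sha256").digest()


def idp_verify(trusted: List[Dict[str, object]], require_verification: bool,
               message: bytes, signature: Tuple[str, bytes]) -> bool:
    """IdP side: with verification disabled every message is accepted. With it enabled,
    the IdP tries each configured verification certificate and accepts the message if
    any of them validates the signature (this is what lets 'both certificates' work)."""
    if not require_verification:
        return True
    _, mac = signature
    for cert in trusted:
        expected = hmac.new(cert["secret"], message, "sha256").digest()
        if hmac.compare_digest(expected, mac):
            return True
    return False


def rollover_matrix() -> Dict[Tuple[str, str], bool]:
    """Evaluate (IdP configuration, certificate the SP signs with) -> login works?"""
    old, new = make_cert("old"), make_cert("new")
    message = b"<samlp:AuthnRequest ID='constructed-placeholder'/>"  # constructed payload
    idp_configs = {
        "verification off": ([], False),          # option 1: leave verification disabled
        "old only, verify": ([old], True),        # state before touching the IdP
        "new only, verify": ([new], True),        # new cert uploaded, old removed, too early
        "both, verify": ([old, new], True),       # option 2: both certificates present
    }
    results = {}
    for config_name, (trusted, require) in idp_configs.items():
        for signer in (old, new):
            sig = sp_sign(signer, message)
            results[(config_name, str(signer["name"]))] = idp_verify(trusted, require, message, sig)
    return results


if __name__ == "__main__":
    for (config, signer), ok in rollover_matrix().items():
        print(f"IdP: {config:<18} SP signs with: {signer:<4} -> {'login works' if ok else 'BROKEN'}")
```

Reading the matrix: "new only, verify" with the SP still signing with the old certificate is the broken pre-migration state the text warns about, "old only, verify" with the SP already signing with the new certificate is the post-migration failure on an IdP that holds a single certificate, and "both, verify" works in either state, which is why adding both certificates before migrating makes the switch transparent.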
Only one certificate can be used in your IdP at a time
Some IdPs allow you to disable SAML signature validation. With validation disabled, the integration keeps working even while the expired SP certificate is still in use, so you can plan the transition to the new certificate without the risk of the integration suddenly breaking. Follow the approach that matches whether your IdP supports this feature.
Your IdP supports disabling SAML signature validation (for example, Okta)
To avoid downtime during the certificate switch, we recommend that you temporarily disable SAML signature validation.
In Okta, you need to clear the Signed Requests checkbox under Advanced Settings in SAML Settings.
If only one certificate can be used at a time
To avoid downtime during the certificate switch, make sure SAML signature validation is turned off.
- Upload the previously saved Dynatrace SAML certificate to your company IdP Dynatrace application.
- In Dynatrace, go to Account Management > Identity & access management > SAML configuration.
- In the Configuration section, select I'm ready to use new Dynatrace SAML metadata.
- Test your configuration.
- In your IdP, turn SAML certificate validation back on.
- Sign out and in again to verify that the new signing certificate was successfully validated by your IdP.
- If you experience an issue, disable certificate verification again and then reconfigure the new certificate in your IdP.
Your IdP doesn't support disabling SAML signature validation
If your IdP doesn't allow you to disable SAML signature validation, the certificate update can temporarily affect the availability of authentication to Dynatrace.
Synchronize the certificate update on your IdP side with the certificate switch on the Dynatrace side to limit the period during which SAML authentication fails because of an invalid signature.
If your IdP doesn't support disabling SAML signature validation
- Make sure that you have a fallback user account.
- Log in to Dynatrace Account Management with the user who will perform the federated configuration update, or use the fallback account. Once you change the certificate in your company IdP, new federated logins may fail.
- Download the Dynatrace SAML metadata.
- Upload the previously saved Dynatrace SAML certificate to your company IdP Dynatrace application.
- In Dynatrace, go to Account Management > Identity & access management > SAML configuration.
- In the Configuration section, select I'm ready to use new Dynatrace SAML metadata.
- Test your configuration.
- Optional: To double-check your configuration, sign out and in again.
Troubleshooting
For troubleshooting information, see Manage users and groups with SAML in Dynatrace SaaS and Certificate Migration Community FAQ.