Manage users and groups with SCIM in Dynatrace SaaS
System for Cross-domain Identity Management (SCIM) is an open standard for automating the exchange of user identity information between identity domains or IT systems. You can configure Dynatrace SaaS to be provided with user identity information automatically from your organization's identity provider (IdP) through SCIM.
Benefits of using SCIM with Dynatrace SSO
- Users in your IdP will automatically be synchronized with Dynatrace, so there is no need to invite them manually
if a user is disabled or removed from the IdP, it will also disable the user in Dynatrace
- Groups in your IdP will automatically be synchronized with Dynatrace
- All groups created by SCIM will be of type
SCIMin Account Management
- All groups created by SCIM will be of type
Users will be assigned to groups in Dynatrace mirroring the relationship within the IdP
SCIM notice and limitations
SCIM synchronization is one-way from the IdP to Dynatrace. This is because technically the IdP is the owner of both the users and groups and changes in Dynatrace will never transpire to the IdP.
Dynatrace will only accept users with domains, which were verified within the account
- Groups of type
SCIMare managed by SCIM only and cannot be removed or modified through Account Management
- Permissions to SCIM groups still have to be assigned manually in Dynatrace
- It is possible to use Account Management API to manage the permissions programmatically
If your SCIM client does not support dynamic external id changes, email/login change will cause SCIM integration to stop working for such users. Requests will be rejected due to invalid username (in SCIM it is email)
The scope of users and groups synchronized into Dynatrace with SCIM can be narrowed within the SCIM application in your IdP
SCIM requirements and supported features
Dynatrace supports SCIM 2.0 and GET, POST, PATCH, PUT, and DELETE operations for both User and Group resources.
For authentication, SCIM requires Bearer token in Authorization header.
SCIM is configured for the account and domain scopes. At least one domain ownership verification is required for the account.
Only users whose email domains have been verified for ownership can be synchronized with Dynatrace via SCIM.
Required and supported SCIM attributes:
SCIM Attribute Type userName email format name.givenName string name.familyName string active boolean
userName must be persistent. Dynatrace does not support user email change.
Verify your ownership of the domain
Before you can proceed with SCIM configuration, you need to prove ownership of the domain. Verification is based on a DNS TXT Record check.
For the account, it is sufficient to verify the domain once. If a domain has been verified for SAML, it will be valid for SCIM as well.
To verify ownership of a domain
- Open Account Management. If you have more than one account, select the account you want to manage.
- Go to Identity & access management > Domain verification.
- In the Add domain section, enter the domain (for example,
mycompanyname.com) for which you want to set up SCIM and select Add to add it to the Pending domains table.Multiple domains
If users in your organization use more than one domain to sign in (for example,
@uk.mycompanyname.com), you can add additional domains in additional rows and start verifying them all in parallel. Enter each domain in a different row.
- For each domain you are verifying, in the Pending domains table, select Copy (in the Value column) and add the copied TXT resource record to your domain’s DNS configuration.
- For each domain you are verifying, in the Pending domains table, select Actions > Verify so that Dynatrace can verify that the record was added to your domain’s DNS.
It typically takes a few minutes for a record to propagate through the DNS system and the value to become available for Dynatrace to verify. In some cases, it may take up to 24 hours.
- Each verified domain is added to the Verified domains table.
Get Dynatrace SCIM endpoint and create secret token
Use this procedure to get the Dynatrace SCIM Base URL for your account and create a secret token.
The token is revealed only once during generation time. Copy and paste it into a secure location. If you lose it, you have to generate a new one and replace it in your application.
Open Account Management.
To open Account Management through the web UI:
Latest Dynatrace: from the user menu in the lower-left corner (at the bottom of the Docker), select Account Management.
Previous Dynatrace: from the user menu in the upper-right corner, select Account settings.
Go to Identity & access management > SCIM configuration.
In the Generate new token section, optionally enter a token Description (or you can add a description for the token later).
Select Generate token
Next to Token value, select Copy to copy the token to your clipboard, and then paste it into a secure location for later use.
Dynatrace SCIM supports Bearer Token Authentication only. Example:
Header Value Authorization Bearer dt0s01.XFNYASDX.XFJWNDTUXJ6PKHEHDDVKXV2K73ZDGWUFS6GKHGAFKE2DUG3JYCFXJUAGLXTN6ENX
The SCIM endpoint required for SCIM configuration in your application is added to the List of tokens.
Example IdP-specific instructions
To continue integrating Dynatrace SCIM with your IdP, select the procedure appropriate for your IdP:
Frequently asked questions
No, an email address can't be changed by SCIM. Any requests to update an email address are ignored.
You can generate up to 10 SCIM authentication tokens. For security reasons, we strongly recommend that you delete all unused tokens.
Yes, you can provision as many users from different email domains as you need, as long as all of their domains have been verified. You can verify multiple domains for a single account.
No. Some IdPs, like Azure AD, allow multiple groups with the same name in a single account. For Dynatrace SSO, however, each group name in an account must be unique.
Yes, there is a global limit of 10,000 users per domain.