AD FS SAML configuration for Dynatrace

Follow the examples below to configure Active Directory Federation Services (AD FS) as the SAML identity provider (IdP) for Dynatrace SSO.

This page describes the IdP (AD FS) end of your SAML SSO configuration, not the Dynatrace end. Use it as part of the entire SAML configuration procedure for Dynatrace SaaS if you're using AD FS.

While we do our best to provide you with current information, Dynatrace has no control over changes that may be made by third-party providers. Always refer to official third-party documentation from your IdP as your primary source of information for third-party products.

Specify the metadata

  1. On the Monitoring tab, specify the monitoring settings for the relying party trust.

    • Relying party's federation metadata URL - We recommend that you specify the Dynatrace SSO federation metadata URL: https://sso.dynatrace.com/sso/metadata
    • Monitor relying party - Selected.
    • Automatically update relying party - Selected.

    AD FS - Relying party's federation metadata URL

    Alternative

    If you can't do the above (perhaps due to corporate policy), you need to download the metadata manually:

    1. Run the following command in PowerShell (wget is an alias for Invoke-WebRequest; the full cmdlet name is used here):
      Invoke-WebRequest -Uri https://sso.dynatrace.com/sso/metadata -OutFile dynatrace_sso_metadata.xml
    2. Apply the downloaded file to the Dynatrace SSO relying party trust:
      Update-AdfsRelyingPartyTrust -TargetIdentifier "<DYNATRACE_SSO_IDENTIFIER>" -MetadataFile 'dynatrace_sso_metadata.xml'
  2. On the Advanced tab, make sure the Secure hash algorithm is SHA-256.

    AD FS - Secure hash algorithm

Configure claims mapping

To configure claims mapping

  1. Right-click Sso Dynatrace Relying Party Trust under Trust Relationship.
  2. Select Edit Claims Rules.

Create Active Directory transformations

To create Active Directory transformations

  1. Click Add Rule....
  2. Select Send LDAP Attributes as Claims (the default option) and set the values as shown in the following examples.
  3. Edit Rule - Email Attribute Claim:
    • Claim rule name: Email Attribute Claim
    • Attribute store: Active Directory
    • Mapping of LDAP attributes to outgoing claim types:
      • LDAP Attribute = E-Mail-Addresses, Outgoing Claim Type = E-Mail Address

    AD FS - Email Attribute Claim

  4. Edit Rule - First and Last Name:
    • Claim rule name: First and Last Name
    • Attribute store: Active Directory
    • Mapping of LDAP attributes to outgoing claim types:
      • LDAP Attribute = Given-Name, Outgoing Claim Type = givenName
      • LDAP Attribute = Surname, Outgoing Claim Type = sn

    AD FS - First and Last Name

  5. Edit Rule - roles:
    Token-Groups as SIDs is one LDAP attribute that can be used for group mapping. Depending on your corporate LDAP, select the attribute that carries the user's group membership.
    • Claim rule name: Group Mapping
    • Attribute store: Active Directory
    • Mapping of LDAP attributes to outgoing claim types:
      • LDAP Attribute = Token-Groups as SIDs, Outgoing Claim Type = Group

    AD FS - roles

Create Email to NameID transformation

To create an Email Address to NameID transformation

  1. Click Add Rule.
  2. Select Transform an Incoming Claim.
  3. Set the values according to this example.
    • Claim rule name: Email to Name ID
    • Incoming claim type: E-Mail Address
    • Outgoing claim type: Name ID
    • Outgoing name ID format: Email
    • Pass through all claim values: selected

    AD FS - Email to Name ID

Final steps

  1. Ensure that both the SAML response message and the assertion are signed:

    Set-ADFSRelyingPartyTrust -TargetIdentifier "<DYNATRACE_SSO_IDENTIFIER>" -SamlResponseSignature "MessageAndAssertion"

  2. Ensure that clock skew between AD FS and Dynatrace SSO won't cause SAML validation to fail:

    Set-ADFSRelyingPartyTrust -TargetIdentifier "<DYNATRACE_SSO_IDENTIFIER>" -NotBeforeSkew 2

  3. Establish SAML authorization in Dynatrace SSO.

    You need to specify the First name attribute, the Last name attribute, and the Security group claim attribute.
    For AD FS these attributes are usually as follows, but they may vary depending on your AD FS version and settings.

    First name attribute

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

    Last name attribute

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

    Security group claim attribute

    http://schemas.xmlsoap.org/claims/Group