This page provides guidelines for configuring basic SAML authentication.

Configure SAML Authentication for the Identity Provider

You can configure an identity provider to enable single sign-on access to the Cisco AppDynamics Controller Tenant using the SAML 2.0 protocol. Refer to your identity provider documentation for detailed configuration instructions.

SAML Settings for the Identity Provider

Your identity provider requires the following information about your Cisco AppDynamics Controller Tenant for the SAML settings. The <controller_domain> can be the domain of one of the Cisco AppDynamics SaaS Controller Tenants.

SettingDescription
Audience URI (Service Provider Entity ID)

The unique identifier for use in the SAML assertion. In most cases, it is the Service Provider Entity ID, unless the Service Provider decides to use a different identifier.

  • Syntax: http://<controller_domain>/controller
  • Example: http://yourcompany.saas.appdynamics.com/controller
Single Sign-On URL (Assertion Consumer URL)

The Cisco AppDynamics endpoint to service SAML Authentication. You must specify your Cisco AppDynamicsaccount name with the query string parameter accountName as shown:

  • Syntax: http://<controller_domain>/controller/saml-auth?accountName=<account_name>
  • Example: http://yourcompany.saas.appdynamics.com/controller/saml-auth?accountName=myaccount

SAML Attributes for the Identity Provider (Recommended)

You set the attributes with your identity provider that map to SAML users in your Cisco AppDynamics account. When the attributes are set, the user information displays on the Controller Tenant UI, such as the username and email. Changes to these attributes on the IdP will update the mapped SAML attributes on the Cisco AppDynamics Controller Tenant when the user successfully logs in.

This table shows how IdP example attributes map to the Username AttributeDisplay Name Attribute, and the Email Attribute settings of the Controller Tenant:

Example Attribute NameExample Attribute ValuesDescription
Username AttributeUser.loginName

Unique identifier for the user in the SAML response. This value corresponds to the Cisco AppDynamics username field. The value must be unique among all SAML users in the Cisco AppDynamics account.

If you do not map a username, Cisco AppDynamics obtains the username from the NameId containing the emailaddress field.

Display Name AttributeUser.fullName

Informal name for the user corresponding to the Cisco AppDynamics Name field. 

Email AttributeUser.email

User's email address, corresponding to Cisco AppDynamics email field. 

 

Configure SAML Authentication from the Controller Tenant

To configure SAML authentication from the Controller Tenant:

Configure SAML Authentication

You must have the role of Account Owner to configure SAML. See Who Can Configure SAML.

  1. Navigate to your Controller Tenant.

  2. Click Settings Settings > Administration

  3. Click the Authentication Provider tab and select SAML.

  4. From Authentication Provider > SAML, enter these SAML configuration settings:

    • Login URL: The SAML Login URL where the Controller Tenant routes Service Provider (SP)-initiated login requests. This login URL is required.

    • Logout URL: The URL where the Controller Tenant redirects users after they log out. If you do not specify a logout URL, users will get the Cisco AppDynamics login screen when they log out. 

    • Certificate: The X.509 certificate from your identity provider configuration. Paste the certificate between the BEGIN CERTIFICATE and END CERTIFICATE delimiters. Avoid duplicating BEGIN CERTIFICATE and END CERTIFICATE delimiters from the source certificate itself.  

Configure SAML Attribute Mapping (Optional)

From SAML Attribute Mappings, you can specify how the Cisco AppDynamics Controller Tenant identifies SAML-authenticated users:

  • Username Attribute: Unique identifier for the user in the SAML response. This value corresponds to the Cisco AppDynamics username field, so the value must be unique among all SAML users in the Controller Tenant account. Given the sample response below, the value for this setting would be User.OpenIDName.
  • Display Name Attribute: The informal name for the user corresponding to the Cisco AppDynamics Name field. Given the sample response, this value would be User.fullName.
  • Email Attribute: The user email address corresponding to the Cisco AppDynamics email field. Given the sample response, this value would be User.email.

Map SAML-Authenticated Users to Cisco AppDynamics Roles

From SAML Group Mappings, you can map SAML-authenticated users to one of the Controller Tenant roles:

  • Default Role: If a user identity assertion has no SAML group attribute, the SAML default role applies to the authenticated user upon the first login. As you cannot remove the default role, recommendations are to provide minimum permissions. An Cisco AppDynamics administrator can verify and adjust the roles for users manually in Cisco AppDynamics once those users have accounts. 
  • SAML Group: You can map SAML group membership attributes to roles in Cisco AppDynamics. Using this method, each time the user authenticates, the Controller Tenant checks the SAML assertion and updates the role assignment as necessary.
  • Internal Group: If a SAML-authenticated user has the same username as an Cisco AppDynamics internal user account and the SAML assertion does not contain mapped SAML group attributes, the Controller Tenant gives the user the roles for the internal Cisco AppDynamics account. 

Configure Default Permissions

Instead of mapping SAML attributes to roles, you can also assign users to a default role with the permissions you specify:

  1. To use default permissions, edit the Default Permissions settings in the SAML Group Mappings list.
  2. In the Default Group Mapping dialog, choose the Cisco AppDynamics roles to apply to all authenticated users. 

Verify the SAML Authentication Configuration

The best way to verify that you have configured SAML authentication correctly is to log in to your Cisco AppDynamics Controller Tenant.

This procedure shows the SAML flow from the service provider (your Controller Tenant) and describes the SAML requests and responses. You can also start the SAML flow from the IdP.

  1. Navigate to your Cisco AppDynamics Controller Tenant. The Login dialog for your 3rd-party IdP service appears.
  2. Click Login. The system redirects you to your IdP.

  3. Enter and submit your credentials. The IdP redirects you to your Cisco AppDynamics Controller Tenant. 

If you set SAML attributes to map to the user account, you can view the user information in Settings Settings > My Preferences.

If you set default permissions so the default role applies to the user, you can view the information in Settings Settings > Administration.