This page provides guidelines for configuring basic SAML authentication.

AppDynamics refers to a Tenant as the Controller in some portions of the UI and code. They are considered one and the same.

Configure SAML Authentication for the Identity Provider

You can configure an identity provider to enable single sign-on access to the AppDynamics SaaS Tenant using the SAML 2.0 protocol. Refer to the documentation of your identity provider for detailed configuration instructions.

SAML Settings for the Identity Provider

Your identity provider requires the following information about your AppDynamics Tenant for the SAML settings. The <controller_domain> is the domain of one of the AppDynamics SaaS Tenants.

| Setting | Description |
| --- | --- |
| Audience URI (Service Provider Entity ID) | The unique identifier intended for the SAML assertion. In most cases, it is the Service Provider Entity ID, unless the Service Provider decides to use a different identifier. Syntax: http://<controller_domain>/controller. Example: http://yourcompany.saas.appdynamics.com/controller |
| Single Sign-On URL (Assertion Consumer URL) | The AppDynamics endpoint to service SAML Authentication. You need to specify your AppDynamics account name with the query string parameter accountName as shown. Syntax: http://<controller_domain>/controller/saml-auth?accountName=<account_name>. Example: http://yourcompany.saas.appdynamics.com/controller/saml-auth?accountName=myaccount |

SAML Attributes for the Identity Provider (Recommended)

You set attributes with your identity provider that map to SAML users in your AppDynamics account. Once set, the user's information displays in the Tenant UI. Changes to these attributes on the IdP update the mapped SAML attributes on the AppDynamics Tenant the next time the user successfully logs in.

The table shows how IdP example attributes map to the Username Attribute, Display Name Attribute, and Email Attribute settings of the Tenant.

| Example Attribute Name | Example Attribute Values | Description |
| --- | --- | --- |
| Username Attribute | User.loginName | Unique identifier for the user in the SAML response. This value corresponds to the AppDynamics username field, so the value must be unique among all SAML users in the AppDynamics account. If no username is mapped, AppDynamics obtains the username from the NameId containing the emailaddress field. |
| Display Name Attribute | User.fullName | Informal name for the user corresponding to the AppDynamics Name field. |
| Email Attribute | User.email | User's email address, corresponding to the AppDynamics email field. |

Configure SAML Authentication 

You can configure SAML through the Accounts Management Portal or through the Tenant.

You must have the Company Administrator role to configure SAML.

  1. Navigate to your Tenant.

  2. Log in as the Account Owner. See Who Can Configure SAML.  

  3. Click Settings > Administration.

  4. From Authentication Provider > SAML, enter the SAML configuration settings:

    • Login URL: The SAML Login URL where the Tenant routes login requests initiated by your Service Provider (SP). This login URL is required.

    • Logout URL: The URL where the Tenant redirects users after they log out. If you do not specify a logout URL, users will get the AppDynamics login screen when they log out. 

    • Certificate: The X.509 certificate from your identity provider configuration. Paste the certificate between the BEGIN CERTIFICATE and END CERTIFICATE delimiters. Avoid duplicating BEGIN CERTIFICATE and END CERTIFICATE delimiters from the source certificate itself.  
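
The duplicated-delimiter mistake described for the Certificate field can be caught before pasting. The following is an added example, not AppDynamics code: `certificate_field_value` is a hypothetical helper that reduces the text copied from the IdP to the bare base64 body, rejects duplicated or unbalanced delimiters, and returns a SHA-256 fingerprint to compare with the one your IdP displays. The sample input is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re

PEM_MARKER = re.compile(r"-----(?:BEGIN|END) CERTIFICATE-----")

def certificate_field_value(pasted):
    """Return (base64_body, sha256_hex) for text copied from an IdP certificate."""
    begins = pasted.count("-----BEGIN CERTIFICATE-----")
    ends = pasted.count("-----END CERTIFICATE-----")
    if begins > 1 or ends > 1:
        raise ValueError("duplicated delimiters or more than one certificate")
    if begins != ends:
        raise ValueError("unbalanced BEGIN/END CERTIFICATE delimiters")
    # Drop the delimiters and all whitespace: the form field supplies its own.
    body = "".join(PEM_MARKER.sub("", pasted).split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    # Assumption: DER SEQUENCE with a two-byte long-form length (0x30 0x82),
    # which is what certificates of 256..65535 bytes start with.
    if len(der) < 4 or der[:2] != b"\x30\x82":
        raise ValueError("decoded data does not start like a DER certificate")
    if int.from_bytes(der[2:4], "big") + 4 != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    return body, hashlib.sha256(der).hexdigest()

# Constructed placeholder with the DER framing of a certificate; not a real one.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(FAKE_DER).decode()
              + "-----END CERTIFICATE-----\n")
```
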

Configure SAML Attribute Mapping (Optional)

From SAML Attribute Mappings, you can specify how SAML-authenticated users are identified in the AppDynamics Tenant with the following:

  • Username Attribute: Unique identifier for the user in the SAML response. This value corresponds to the AppDynamics username field, so the value must be unique among all SAML users in the Tenant account. Given the sample response below, the value for this setting would be User.OpenIDName.
  • Display Name Attribute: The informal name for the user corresponding to the AppDynamics Name field. Given the sample response, this value would be User.fullName.
  • Email Attribute: The user's email address corresponding to the AppDynamics email field. Given the sample response, this value would be User.email.

Map SAML-Authenticated Users to AppDynamics Roles

From SAML Group Mappings, you can map SAML-authenticated users to one of the Tenant roles:

  • Default Permissions: If a user's identity assertion has no SAML group attribute, the authenticated user is assigned the SAML default role upon the first login. The default role cannot be removed, and it is recommended that you give it minimum permissions. An AppDynamics administrator can verify and adjust the roles for users manually in AppDynamics once those users have accounts.
  • SAML Group: You can map SAML group membership attributes to roles in AppDynamics. Using this method, each time the user authenticates, the Tenant checks the SAML assertion and updates the role assignment if needed.
  • Internal Group: If a SAML-authenticated user has the same username as an AppDynamics internal user account and the SAML assertion does not contain mapped SAML group attributes, the Tenant gives the user the roles for the internal AppDynamics account. 

Configure Default Permissions

Instead of mapping SAML attributes to roles, you can also assign users to a default role with the permissions you specify:

  1. To use default permissions, edit the Default Permissions settings in the SAML Group Mappings list.
  2. In the Default Group Mapping dialog, choose the AppDynamics roles that all authenticated users get. 

Verify the SAML Authentication Configuration

The best way to verify that you have configured SAML authentication correctly is to log in to your AppDynamics Tenant.

This procedure shows the SAML flow from the service provider and describes the SAML requests and responses. You can also start the SAML flow from the IdP.

  1. Navigate to your AppDynamics Tenant.
  2. You will see the Login dialog for the 3rd-party service, which is your IdP.
  3. Click Login.
  4. After you are redirected to your IdP, enter and submit your credentials. 
  5. The IdP redirects you to your AppDynamics Tenant.

From the Tenant, if you set SAML attributes to map to the user account, you can view the user info by clicking Settings > My Preferences.

If you set default permissions, the user is assigned to the default role, which can be viewed by clicking Settings > Administration.
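
When a login fails or user details do not appear, decode the `SAMLResponse` form value posted by the IdP (visible in the browser's network tools) and compare it with the settings on this page. The following is an added example, not AppDynamics code: `check_saml_response` is a hypothetical helper, the response is constructed, and the attribute names are the example names from the table above. It inspects the response only and does not validate the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_saml_response(b64_response, controller_domain, account_name,
                        username_attr="User.loginName",
                        display_attr="User.fullName", email_attr="User.email"):
    """Decode a SAMLResponse form value; return (mapped_user, problems)."""
    xml_text = base64.b64decode(b64_response).decode("utf-8")
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations do not belong in SAML")
    root = ET.fromstring(xml_text)  # inspection only, no signature validation
    problems = []
    # Values the page tells you to give the IdP.
    audience = f"http://{controller_domain}/controller"
    acs_url = f"{audience}/saml-auth?accountName={account_name}"
    seen = [(e.text or "").strip() for e in root.iterfind(".//a:Audience", NS)]
    if audience not in seen:
        problems.append(f"Audience {seen} does not include {audience}")
    dest = root.get("Destination")
    if dest is not None and dest != acs_url:
        problems.append(f"Destination {dest} is not {acs_url}")
    # First value of every attribute the IdP released.
    attrs = {}
    for attr in root.iterfind(".//a:Attribute", NS):
        values = [(v.text or "") for v in attr.iterfind("a:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0].strip() if values else ""
    name_id = root.findtext(".//a:NameID", "", NS).strip()
    user = {"username": attrs.get(username_attr) or name_id,  # NameID fallback
            "display_name": attrs.get(display_attr, ""),
            "email": attrs.get(email_attr, "")}
    if not user["username"]:
        problems.append("no username attribute and no NameID")
    for name in (display_attr, email_attr):
        if name not in attrs:
            problems.append(f"recommended attribute {name} is missing")
    return user, problems

# Constructed sample response (not from the page), reduced to the checked parts.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="http://yourcompany.saas.appdynamics.com/controller/saml-auth?accountName=myaccount">
<saml:Assertion><saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>http://yourcompany.saas.appdynamics.com/controller</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="User.fullName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="User.email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
```

The sample carries no User.loginName attribute, so the username comes from the NameID, which is the fallback described in the attribute table.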