Support Advisory: Azure SAML Support

Summary

As of 4.5.16, SAML Azure users may lose their Controller permissions.

Affected Software

Logging into the Controller as of 4.5.16.

Workarounds

Apply a data transformation in the AppDynamics Azure integration settings by completing the following steps:

Configure Attributes in Azure and the Controller

Follow these steps to configure attributes in Azure and the Controller:

Configure Attributes in Azure

You add claims for the attributes that you want to be added to your SAML response. The instructions below show you how to add three required attributes to Azure for using SAML with the Controller.

1. From Azure, navigate to the User Attributes & Claims page.

2. Click Add new claim.

   

3. The first attribute is for the username. In the example below, the attribute is Username and is formed through a transformation joining user.givenname and user.surname. Azure will pass the attribute Username your SAML response that maps to the Controller's SAML attribute Username Attribute. Note, if you're using a namespace, the namespace will also be part of the attribute: <namespace>/Username

   

4. Create another claim to set an attribute for the display name. This example sets the attribute DisplayName that will be passed to the SAML response and map to the Controller's SAML attribute Display Name Attribute. 

5. For the last attribute, create a claim and set an attribute for the user's email. Azure has a preset namespace for the email attribute, so from Additional claims > Claim name, click the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to automatically create the email attribute.
   

6. You should see the claim created as follows. Retain the default value emailaddress for the Name field.
   

Configure Attributes in the Controller

Use one of the following three ways to configure attributes:

Controller to Use the Same Attributes

1. Once the attributes are set in Azure, log into the Controller as the local administrator user and navigate to Administration > Authentication Provider. 

2. From the SAML Attribute Mapping section, enter the value of attribute set for the username in Azure in the Username Attribute field. 

3. Enter the value of the attribute set for the display name in Azure in the Display Name Attribute.

4. Finally, enter the value of the attribute set for the email in Azure in the Display Name Attribute. The example screenshot below shows the SAML Attribute Mappings fields with the example attributes set in the previous section. Note that the Email Attribute field includes the namespace and the attribute name emailaddress.

   

Pass an Attribute in the SAML Response

1. You can pass the NameId in the SAML response and have the value as a unique identifier such as SamlAccountName, UPN, email, etc. 

2. From the Controller, leave the Username Attribute field empty as in the following screenshot. If you are passing email as the NameId, then AppDynamics will create a user with the username only: everything after '@' is ignored. For example, if you have an email address such as abc@xyz.com, then the username will get created as abc. After logging in, the user will get the roles based on the configuration done in SAML to Role Mapping section. 

   

   

   If you have assigned the role manually, however, then you need to log in to the Controller as a local user and grant the permissions manually to the users; you need to do for all the newly created users. Note that this will create a duplicate user.

Use the Username Attribute in the Controller

Set the Username Attribute field in the Controller to the attribute which will uniquely identify the users. For example: SamlAccountName, UPN, or email. If this is set AppDynamics will not consider NameId from the SAML response, so whatever you set in the Username Attribute section will be used as the username. Once logged in, the user will get the roles based on the configuration done in SAML to Role Mapping section in the Controller. 

If you have assigned the role manually, however, then you need to log in to the Controller as a local user and grant the permissions manually to the users; you need to do for all the newly created users. Note that this will create a duplicate user.

Delete Duplicate SAML Users with the REST API

Follow the steps below to use the Controller REST API to delete the duplicate SAML users:

Get User IDs

1. Get the user ID that you want to delete with one of the following REST API methods:
   • Get User by Name

   • Get All Users

     

     These APIs will not distinguish whether the user is SAML or AppDynamics if you have a user with the same name in AppDynamics as well as for SAML.

2. (On-Prem Controller Only) If you are unable to find the user ID with the REST API, you can query the Controller's MySQL database:
   1. Log into the Controller host machine.
   2. Change to <controller-install-dir>/bin.

   3. Run the following command based on your OS:

      ./controller.sh login-db

      BASH

      controller.bat login-db

      POWERSHELL

   4. Enter the Controller database root user password if prompted.

   5. Execute the following MySQL query:

      Select id, name from account.user where name like '%<name which you want to delete>%' and security_provider_type='SAML'

      TEXT
3. (SaaS Controller) You can use the client browser to get the user IDs as well:
   1. Open Chrome or any browser and log into the Controller.
      
   2. Open the Developer Tool and click the Network tab.
      
   3. From the Controller, navigate to Settings > Administration > Users. 
   4. Search for the users network call and view its response.
   5. From the response, find the IDs of the users and confirm that "SAML" is the value for the securityProviderType as shown below. 

Delete Duplicate Users

Once you have the user ID, use the Delete User API to delete the duplicate users.

In the following example cURL command, replace user1 with a user with administrator access in the Controller, customer1 with your actual account name, http[s] with the protocol your Controller is using, localhost:8080 with the domain of the Controller host machine and the port, and user-id with the user ID that you want to delete:

curl -X DELETE -u user1@customer1 http[s]://localhost:8080/controller/api/rbac/v1/users/<user-id>

Resolution

This problem is not going to be repaired because of a previous problem with Azure whereby special code had to be injected to enable Azure. Azure has repaired this problem and AppDynamics is now able to treat Azure like any other SAML provider. Unfortunately, this has resulted in existing users being “disconnected” from their existing Controller account and permissions.  

For existing customers, they will need to apply the transformations to their Azure SAML settings for AppDynamics to ensure user continuity.  Once applied, these changes will ensure the users have uninterrupted access to AppDynamics. 

Revision History

• 02/03/2020, v1 (initial publication of this advisory)