Download PDF
Download page Support Advisory: Azure SAML Support.
Support Advisory: Azure SAML Support
Summary
As of 4.5.16, SAML Azure users may lose their Controller permissions.
Affected Software
Logging into the Controller as of 4.5.16.
Workarounds
Apply a data transformation in the AppDynamics Azure integration settings by completing the following steps:
Configure Attributes in Azure and the Controller
Follow these steps to configure attributes in Azure and the Controller:
Configure Attributes in Azure
You add claims for the attributes that you want to be added to your SAML response. The instructions below show you how to add three required attributes to Azure for using SAML with the Controller.
From Azure, navigate to the User Attributes & Claims page.
Click Add new claim.
The first attribute is for the username. In the example below, the attribute is
Username
and is formed through a transformation joininguser.givenname
anduser.surname
. Azure will pass the attributeUsername
your SAML response that maps to the Controller's SAML attribute Username Attribute. Note, if you're using a namespace, the namespace will also be part of the attribute:<namespace>/Username
- Create another claim to set an attribute for the display name. This example sets the attribute
DisplayName
that will be passed to the SAML response and map to the Controller's SAML attribute Display Name Attribute. For the last attribute, create a claim and set an attribute for the user's email. Azure has a preset namespace for the email attribute, so from Additional claims > Claim name, click the
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
to automatically create the email attribute.- You should see the claim created as follows. Retain the default value
emailaddress
for the Name field.
Configure Attributes in the Controller
Use one of the following three ways to configure attributes:
Controller to Use the Same Attributes
- Once the attributes are set in Azure, log into the Controller as the local administrator user and navigate to Administration > Authentication Provider.
From the SAML Attribute Mapping section, enter the value of attribute set for the username in Azure in the Username Attribute field.
Enter the value of the attribute set for the display name in Azure in the Display Name Attribute.
Finally, enter the value of the attribute set for the email in Azure in the Display Name Attribute. The example screenshot below shows the SAML Attribute Mappings fields with the example attributes set in the previous section. Note that the Email Attribute field includes the namespace and the attribute name
emailaddress
.
Pass an Attribute in the SAML Response
- You can pass the Name
Id
in the SAML response and have the value as a unique identifier such asSamlAccountName
,UPN
,email
, etc. From the Controller, leave the Username Attribute field empty as in the following screenshot. If you are passing
email
as the NameId, then AppDynamics will create a user with the username only: everything after '@' is ignored. For example, if you have an email address such asabc@xyz.com
, then the username will get created asabc
. After logging in, the user will get the roles based on the configuration done in SAML to Role Mapping section.If you have assigned the role manually, however, then you need to log in to the Controller as a local user and grant the permissions manually to the users; you need to do for all the newly created users. Note that this will create a duplicate user.
Use the Username Attribute in the Controller
Set the Username Attribute field in the Controller to the attribute which will uniquely identify the users. For example: SamlAccountName
, UPN
, or email
. If this is set AppDynamics will not consider NameId
from the SAML response, so whatever you set in the Username Attribute section will be used as the username. Once logged in, the user will get the roles based on the configuration done in SAML to Role Mapping section in the Controller.
If you have assigned the role manually, however, then you need to log in to the Controller as a local user and grant the permissions manually to the users; you need to do for all the newly created users. Note that this will create a duplicate user.
Delete Duplicate SAML Users with the REST API
Follow the steps below to use the Controller REST API to delete the duplicate SAML users:
Get User IDs
- Get the user ID that you want to delete with one of the following REST API methods:
- Get User by Name
-
These APIs will not distinguish whether the user is SAML or AppDynamics if you have a user with the same name in AppDynamics as well as for SAML.
- (On-Prem Controller Only) If you are unable to find the user ID with the REST API, you can query the Controller's MySQL database:
- Log into the Controller host machine.
- Change to
<controller-install-dir>/bin.
Run the following command based on your OS:
./controller.sh login-db
BASHcontroller.bat login-db
POWERSHELLEnter the Controller database root user password if prompted.
Execute the following MySQL query:
Select id, name from account.user where name like '%<name which you want to delete>%' and security_provider_type='SAML'
TEXT
- (SaaS Controller) You can use the client browser to get the user IDs as well:
- Open Chrome or any browser and log into the Controller.
- Open the Developer Tool and click the Network tab.
- From the Controller, navigate to Settings > Administration > Users.
- Search for the users network call and view its response.
- From the response, find the IDs of the users and confirm that "SAML" is the value for the
securityProviderType
as shown below.
- Open Chrome or any browser and log into the Controller.
Delete Duplicate Users
Once you have the user ID, use the Delete User API to delete the duplicate users.
In the following example cURL command, replace user1
with a user with administrator access in the Controller, customer1
with your actual account name, http[s]
with the protocol your Controller is using, localhost:8080
with the domain of the Controller host machine and the port, and user-id
with the user ID that you want to delete:
curl -X DELETE -u user1@customer1 http[s]://localhost:8080/controller/api/rbac/v1/users/<user-id>
Resolution
This problem is not going to be repaired because of a previous problem with Azure whereby special code had to be injected to enable Azure. Azure has repaired this problem and AppDynamics is now able to treat Azure like any other SAML provider. Unfortunately, this has resulted in existing users being “disconnected” from their existing Controller account and permissions.
For existing customers, they will need to apply the transformations to their Azure SAML settings for AppDynamics to ensure user continuity. Once applied, these changes will ensure the users have uninterrupted access to AppDynamics.
Revision History
02/03/2020, v1 (initial publication of this advisory)