This page describes how to configure SAML attributes to role mapping and the SAML group attribute value mapping options.

If the identity assertion from the SAML provider includes group names that correspond to AppDynamics roles, you can configure mappings between those group names and the roles. The SAML Group Mappings settings in SAML Configuration > Authentication Provider control the mappings.

Configure SAML Attribute to Role Mapping

To configure the SAML attribute to role mapping: 

  1. In the SAML Group Attribute Name field, enter the Name attribute value that identifies the SAML Attribute element that carries the user's group affiliations. For example, given the following response snippet, enter Groups-Membership in the SAML Group Attribute Name field.

    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Groups-Membership">
       <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
          {group1};{group2}
       </saml:AttributeValue>
    </saml:Attribute>
  2. Use the Group Attribute Value and Mapping of Group to Roles settings to describe the structure of the SAML group attribute from which AppDynamics needs to extract the group value and the roles associated with those values. The Controller can extract Group Attribute values based on the following options:
    • Singular Group Values: The response contains an AttributeValue element with a single group-mapping value. 
    • Multiple Nested Group Values: The response contains more than one AttributeValue element, each with a single group-mapping value.
    • Singular Delimited Group Value: The response contains one AttributeValue element with multiple, delimiter-separated group-mapping values. 
    • Regex on Singular Group Value: The response contains a single AttributeValue element from which you want to extract the group-mapping value with a regular expression.  
    The next sections provide examples for each option.
  3. With any option selected, select the Value is in LDAP Format checkbox if the value or values returned by the group attribute are in LDAP format, for example OU=AppDynamics-Users. With this option enabled, only AppDynamics-Users is used to match the SAML Group name.

SAML Group Mappings

Singular Group Values

Select Singular Group Value if the SAML group attribute contains a single group, as in the following example. 

<saml:AttributeStatement>
   <saml:Attribute Name="Groups-Membership" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Admin</saml:AttributeValue>
   </saml:Attribute>
</saml:AttributeStatement>

For this example, AppDynamics would extract the value Admin and associate the user with a SAML Group with the same name. In this sample configuration, the user would get the configured roles assigned to the Admin SAML group, such as Account Administrator and Analytics Administrator.

SAML Group Mappings

Multiple Nested Group Values

With Multiple Nested Group Values selected, AppDynamics expects multiple AttributeValue child elements under the SAML Attribute with the group information, as in the following example: 

<saml:Attribute Name="Groups-Membership" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
   <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">_Admin_</saml:AttributeValue>
   <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">_DBManager_</saml:AttributeValue>
</saml:Attribute> 

AppDynamics would extract _Admin_ and _DBManager_ from the example. In this sample configuration, the user with the previous response would receive the roles from the _Admin_ and _DBManager_ groups.

Multiple Nested Group Values

Singular Delimited Group Value

With this option selected, AppDynamics expects a single AttributeValue element with multiple, delimiter-separated values, as in the following example: 

<saml:Attribute Name="Groups-Membership" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
   <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Admin;DB-Manager</saml:AttributeValue>
</saml:Attribute>

Specify the delimiter that separates the values to extract, such as a semi-colon in the example.

In this sample configuration, the user would get the AppDynamics roles associated with both the Admin and DB-Manager groups, such as the Dashboard Viewer, User, and DB Monitoring Administrator.

Singular Delimited Group Value

Regex on Singular Group Value

Choose this option to have AppDynamics extract group mapping values using a regular expression. Regular expressions enable you to pull group values from unstructured contexts, such as from within a larger string, as in the following response example:  

<saml:AttributeStatement>
   <saml:Attribute Name="Groups-Membership" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">User memberships in _Admin_ and _DBManager_ groups.</saml:AttributeValue>
   </saml:Attribute>
</saml:AttributeStatement>

In this example, the group names _Admin_ and _DBManager_ are embedded in the AttributeValue string. To extract those names, you can use a regular expression such as _[a-zA-Z]+_. As with the other group attribute sources, AppDynamics assigns all roles associated with both the _Admin_ and _DBManager_ SAML Groups, as in this sample configuration.

Regex on Singular Group Value
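The following is an added example that is not part of this page or of the AppDynamics product: a small Python model of the four Group Attribute Value options described in the configuration steps and in the four sections above (Singular, Multiple Nested, Singular Delimited, Regex), plus the Value is in LDAP Format step. The function names, the group-to-role table and the sample assertion fragments are constructed for illustration; the fragments add an xmlns:saml declaration so they parse stand-alone, and the code assumes the assertion's signature has already been verified before any group extraction runs.

```python
"""Extract SAML group values the four ways described above and map them to
roles.  Added example, not AppDynamics code: the mode names follow the
Controller settings, but every function, the role table and the sample
assertions below are constructed for illustration."""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed SAML group -> roles table (hypothetical; in the product this is
# the "Mapping of Group to Roles" setting).
GROUP_TO_ROLES = {
    "Admin": ["Account Administrator", "Analytics Administrator"],
    "DB-Manager": ["Dashboard Viewer", "User", "DB Monitoring Administrator"],
    "_Admin_": ["Account Administrator"],
    "_DBManager_": ["DB Monitoring Administrator"],
}


def attribute_values(assertion_xml, attribute_name):
    """Return the text of every AttributeValue under the Attribute whose Name
    equals attribute_name (the "SAML Group Attribute Name" setting).

    The fragment is assumed to come from an assertion whose signature was
    already verified: group extraction must never run on an unverified
    response, and a production SP parses with a hardened SAML library rather
    than plain ElementTree.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == attribute_name:
            for av in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
                values.append((av.text or "").strip())
    return values


def ldap_leaf(value):
    """'OU=AppDynamics-Users' -> 'AppDynamics-Users'.  For a full DN the first
    RDN's value is used; escaped commas are not handled (simplification)."""
    first_rdn = value.split(",", 1)[0]
    return first_rdn.split("=", 1)[1].strip() if "=" in first_rdn else value


def extract_groups(values, mode, delimiter=";", regex=None, ldap_format=False):
    """Apply one of the four Group Attribute Value options to the raw values."""
    if mode == "singular":            # one AttributeValue, one group
        groups = values[:1]
    elif mode == "nested":            # one group per AttributeValue
        groups = list(values)
    elif mode == "delimited":         # one AttributeValue, split on delimiter
        groups = [g.strip() for v in values[:1]
                  for g in v.split(delimiter) if g.strip()]
    elif mode == "regex":             # one AttributeValue, groups pulled by regex
        # re.findall returns whole matches when the pattern has no capture group.
        groups = re.findall(regex, values[0]) if values else []
    else:
        raise ValueError(f"unknown mode: {mode}")
    if ldap_format:                   # "Value is in LDAP Format" checkbox
        groups = [ldap_leaf(g) for g in groups]
    return groups


def roles_for(assertion_xml, attribute_name, mode, **opts):
    """Resolve a fragment to (groups, roles); unmapped groups grant nothing."""
    groups = extract_groups(attribute_values(assertion_xml, attribute_name), mode, **opts)
    roles = []
    for g in groups:
        for r in GROUP_TO_ROLES.get(g, []):
            if r not in roles:
                roles.append(r)
    return groups, roles


# Constructed fragments mirroring the page's four examples; the xmlns:saml
# declaration is added so the fragments parse stand-alone.
ATTR = f'<saml:Attribute xmlns:saml="{SAML_NS}" Name="Groups-Membership">'
SINGULAR = ATTR + "<saml:AttributeValue>Admin</saml:AttributeValue></saml:Attribute>"
NESTED = (ATTR + "<saml:AttributeValue>_Admin_</saml:AttributeValue>"
          "<saml:AttributeValue>_DBManager_</saml:AttributeValue></saml:Attribute>")
DELIMITED = ATTR + "<saml:AttributeValue>Admin;DB-Manager</saml:AttributeValue></saml:Attribute>"
REGEX_SRC = (ATTR + "<saml:AttributeValue>User memberships in _Admin_ and "
             "_DBManager_ groups.</saml:AttributeValue></saml:Attribute>")

if __name__ == "__main__":
    for name, xml, mode, opts in [
        ("singular", SINGULAR, "singular", {}),
        ("nested", NESTED, "nested", {}),
        ("delimited", DELIMITED, "delimited", {"delimiter": ";"}),
        ("regex", REGEX_SRC, "regex", {"regex": r"_[a-zA-Z]+_"}),
    ]:
        print(name, roles_for(xml, "Groups-Membership", mode, **opts))
    print("ldap", extract_groups(["OU=AppDynamics-Users"], "singular", ldap_format=True))
```

Two details worth noticing when reviewing a real configuration: a group name that has no entry in the mapping table grants no roles at all (the model returns an empty role list rather than falling back to a default), and the Regex option pulls every match out of the string, so a pattern that is too loose can hand a user roles for groups the identity provider never intended to express.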