This page provides an overview of configuring basic SAML authentication.
Configure SAML Authentication for the Identity Provider
This section provides guidelines for configuring an identity provider to enable single sign-on access to the AppDynamics Controller using the SAML 2.0 protocol. Refer to the documentation of your identity provider for detailed configuration instructions.
SAML Settings for the Identity Provider
Your identity provider requires the following information about your AppDynamics Controller for the SAML settings. The <controller_domain> can be the domain of one of the AppDynamics SaaS Controllers or your on-prem Controller.
|Setting|Description|
|Audience URI (Service Provider Entity ID)|This is the unique identifier intended for the SAML assertion. In most cases, it is the Service Provider Entity ID, unless the Service Provider decides to use a different identifier.|
|Single Sign-On URL (Assertion Consumer URL)|This is the AppDynamics endpoint that services SAML authentication. You need to specify your AppDynamics account name with the query string parameter|
SAML Attributes for the Identity Provider (Recommended)
You set attributes with your identity provider that map to SAML users in your AppDynamics account. These attributes map to the Username Attribute, Display Name Attribute, and the Email Attribute settings in the AppDynamics Controller.
When the attributes are set, the Controller displays the user's information, such as the username and email. Changes to these attributes on the IDP will update the mapped SAML attributes on AppDynamics Controller when the user successfully logs in.
In the table below, the IDP example attributes map to the Username Attribute, Display Name Attribute, and the Email Attribute settings of the Controller.
|Example Attribute Name|Example Attribute Values|Description|
|Username Attribute||Unique identifier for the user in the SAML response. This value corresponds to the AppDynamics  If no username is mapped, AppDynamics obtains the|
|Display Name Attribute||The informal name for the user corresponding to the AppDynamics|
|Email Attribute||The user's email address, corresponding to AppDynamics|
Configure SAML Authentication from the Controller
Configuring the SAML authentication from the Controller consists of the following steps:
Configure SAML Authentication
Navigate to your Controller.
Log in as the Account Owner. See Who Can Configure SAML to learn more about the Account Owner role.
As a user with AppDynamics account administrator privileges in the Controller UI, click the gear icon > Administration.
Click on the Authentication Provider tab and select SAML.
From Authentication Provider > SAML, enter the following SAML configuration settings:
Login URL: The SAML Login URL where the Controller routes Service Provider (SP)-initiated login requests. This login URL is required.
Login URL Method: The HTTP method the Controller uses for the authentication request it sends to the identity provider.
Logout URL: The URL where the Controller redirects users after they log out. If you do not specify a logout URL, users will get the AppDynamics login screen when they log out.
Certificate: The X.509 certificate from your identity provider configuration. Paste the certificate between the BEGIN CERTIFICATE and END CERTIFICATE delimiters. Avoid duplicating the "BEGIN CERTIFICATE" and "END CERTIFICATE" delimiters from the source certificate itself.
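The certificate step is the one most often pasted wrong: the Controller already shows the delimiters, so a full PEM block pasted in produces a second BEGIN/END pair. The following added example (not AppDynamics code; the function name and the certificate body are constructed for illustration) normalises pasted text to a single base64 body and rejects duplicated or unbalanced delimiters before the value is saved:

```python
import re

# PEM delimiters that the Controller UI supplies around the pasted body.
BEGIN_DELIM = "-----BEGIN CERTIFICATE-----"
END_DELIM = "-----END CERTIFICATE-----"


def normalize_idp_certificate(pasted: str) -> str:
    """Return the base64 body of exactly one PEM certificate.

    Accepts either a bare base64 body or a full PEM block and raises
    ValueError when the delimiters are duplicated or unbalanced, or when
    more than one certificate was pasted.
    """
    text = pasted.strip()
    begins = text.count(BEGIN_DELIM)
    ends = text.count(END_DELIM)
    if begins != ends:
        raise ValueError(f"unbalanced delimiters: {begins} BEGIN, {ends} END")
    if begins > 1:
        raise ValueError(
            f"found {begins} BEGIN CERTIFICATE delimiters; paste one certificate "
            "and do not repeat the delimiters the Controller already shows"
        )
    if begins == 1:
        start = text.index(BEGIN_DELIM) + len(BEGIN_DELIM)
        end = text.index(END_DELIM)
        if end < start:
            raise ValueError("END CERTIFICATE appears before BEGIN CERTIFICATE")
        text = text[start:end]
    # Strip line breaks and spaces, then require a well-formed base64 body.
    body = re.sub(r"\s+", "", text)
    if not body or len(body) % 4 != 0 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("certificate body is not well-formed base64")
    return body


# Constructed sample: not a real certificate, only a base64-shaped body.
SAMPLE_BODY = "MIIBkTCB+wIJAKHHCgVZdGVzdA=="
SAMPLE_PEM = f"{BEGIN_DELIM}\n{SAMPLE_BODY[:14]}\n{SAMPLE_BODY[14:]}\n{END_DELIM}\n"
# The mistake the page warns about: the delimiters pasted a second time.
SAMPLE_DUPLICATED = f"{BEGIN_DELIM}\n{SAMPLE_PEM}{END_DELIM}\n"


def is_acceptable(pasted: str) -> bool:
    """True when the pasted text would be accepted as a single certificate body."""
    try:
        normalize_idp_certificate(pasted)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(normalize_idp_certificate(SAMPLE_PEM))
    print(is_acceptable(SAMPLE_DUPLICATED))
```

The check only validates shape; it does not parse the X.509 structure or compare the certificate with the IDP metadata, which you should still confirm against your identity provider's published signing certificate.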
Configure SAML Attribute Mapping (Optional)
From SAML Attribute Mappings, you can specify how SAML-authenticated users are identified in the AppDynamics Controller with the following:
- Username Attribute: Unique identifier for the user in the SAML response. This value corresponds to the AppDynamics username field, so the value must be unique among all SAML users in the Controller account. Given the sample response below, the value for this setting would be
- Display Name Attribute: The informal name for the user corresponding to the AppDynamics Name field. Given the sample response, this value would be
- Email Attribute: The user's email address, corresponding to AppDynamics email field. Given the sample response, this value would be
Map SAML-Authenticated Users to AppDynamics Roles
From SAML Group Mappings, you can map SAML-authenticated users to one of the Controller roles:
- Default Role: If a user's identity assertion has no SAML group attribute, the authenticated user is assigned the SAML default role upon the first login. The default role cannot be removed, so we recommend giving it minimum permissions. An AppDynamics administrator can verify and adjust the roles for users manually in AppDynamics once those users have accounts.
- SAML Group: You can map SAML group membership attributes to roles in AppDynamics. Using this method, each time the user authenticates, the Controller checks the SAML assertion and updates the role assignment if needed.
- Internal Group: If a SAML-authenticated user has the same username as an AppDynamics internal user account and the SAML assertion does not contain mapped SAML group attributes, the Controller gives the user the roles for the internal AppDynamics account.
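The sample response referred to above is not reproduced on this page, so the following added example (not AppDynamics code) constructs a small SAML 2.0 assertion and walks both the attribute mapping and the group-mapping precedence described here: mapped SAML groups first, then an internal account with the same username when no group maps, otherwise the default role. The attribute names, group names, and every role name except "Account Owner" are assumptions chosen for the sample:

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, not output from any real IdP. The attribute
# names (username, displayName, email, groups) are assumptions; whatever your
# IdP emits goes into the Controller's attribute-mapping settings instead.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>appd-admins</saml:AttributeValue>
      <saml:AttributeValue>appd-viewers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Controller-side settings as this example assumes them. Role names other than
# "Account Owner" are placeholders, not a list of AppDynamics roles.
ATTRIBUTE_MAPPING = {"username": "username", "display_name": "displayName", "email": "email"}
GROUP_ATTRIBUTE = "groups"
GROUP_ROLE_MAPPING = {"appd-admins": "Account Owner", "appd-viewers": "Read Only (placeholder)"}
DEFAULT_ROLE = "Default Role (minimum permissions)"


def parse_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def map_user_fields(attrs: dict) -> dict:
    """Apply the Username / Display Name / Email attribute mapping; None when absent."""
    fields = {}
    for field, attr_name in ATTRIBUTE_MAPPING.items():
        values = attrs.get(attr_name, [])
        fields[field] = values[0] if values else None
    return fields


def resolve_roles(attrs: dict, internal_accounts: dict) -> list:
    """Role assignment in the precedence the page describes:
    mapped SAML groups, then a matching internal account, then the default role.
    internal_accounts maps an internal username to that account's roles."""
    groups = attrs.get(GROUP_ATTRIBUTE, [])
    mapped = sorted({GROUP_ROLE_MAPPING[g] for g in groups if g in GROUP_ROLE_MAPPING})
    if mapped:
        return mapped
    username = map_user_fields(attrs)["username"]
    if username in internal_accounts:
        return list(internal_accounts[username])
    return [DEFAULT_ROLE]


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_ASSERTION)
    print(map_user_fields(attrs))
    print(resolve_roles(attrs, {}))
```

Because role resolution runs on every login, a group that stops being mapped silently drops the user to the internal-account roles or the default role; keeping the default role minimal, as the page recommends, is what makes that fallback safe.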
Configure Default Permissions
Instead of mapping SAML attributes to roles, you can also assign users to a default role with the permissions you specify:
- To use default permissions, edit the Default Permissions settings in the SAML Group Mappings list.
- In the Default Group Mapping dialog, choose the AppDynamics roles that all authenticated users get.
Verify the SAML Authentication Configuration
The best way to verify that you have configured SAML authentication correctly is to log in to your AppDynamics Controller.
The steps below guide you through the SAML flow from the service provider (your Controller) and describe the SAML requests and responses. You can also start the SAML flow from the IDP.
- Navigate to your AppDynamics Controller.
- You will see the login dialog for the third-party service, which is your IDP.
- Click Login.
- After you are redirected to your IDP, enter and submit your credentials.
The IDP redirects you to your AppDynamics Controller.
(On-Prem Only) If you are redirected but the Controller fails to load, the request URL from the IDP may differ from your internal Controller URL. The most common causes are that your Controller is configured to use HTTPS but the redirect used HTTP, or that you changed the default port of the Controller. See the suggested resolution in Support Advisory: SAML Authentication Fails after 4.3 Upgrade.
- From the Controller, if you set SAML attributes to map to the user account, you can view the user info by going to (
- If you set default permissions, the user is assigned to the default role, which can be viewed by navigating to (