Dynatrace - SAML SSO Agent Configuration - RSA Ready SecurID Access Implementation Guide
Originally Published: 2021-12-02

This section describes how to integrate RSA SecurID Access with Dynatrace using a SAML SSO Agent.

Architecture Diagram

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as an SSO Agent SAML IdP to Dynatrace.

Procedure

1. Sign in to the RSA Cloud Administration Console, browse to Applications > Application Catalog, click Create From Template, and select SAML Direct.

2. On the Basic Information page, specify the application name and click Next Step.

3. On the Connection Profile page, click Import metadata and select the Dynatrace SP metadata file, which can be obtained from Step 4 of Configure Dynatrace.

4. In the Initiate SAML Workflow section, the details should be filled in automatically because the Dynatrace SP metadata XML file was imported in Step 3 above.

a. Connection URL: The Connection URL obtained from the Dynatrace SP metadata XML file in Step 3 above. In this case it is: https://sso.dynatrace.com:443/saml2/login.

b. Select the SP-initiated radio button.

5. In the SAML Identity Provider (Issuer) section:

a. Identity Provider URL and Issuer Entity ID: These will be automatically generated.

b. Click Generate Cert Bundle to generate and download a zip file containing the private key and certificate. Unzip the downloaded file to extract the certificate and private key.

c. Select the first Choose File and upload the RSA SecurID Access private key.

d. Select the second Choose File and upload the RSA SecurID Access public certificate.

6. Under the Service Provider section:

a. Assertion Consumer Service (ACS) URL: The ACS URL is obtained from the Dynatrace SP metadata XML file in Step 3 above. In this case it is: https://sso.dynatrace.com:443/saml2/sp/consumer.

b. Audience (Service Provider Entity ID): The Audience is obtained from the Dynatrace SP metadata XML file in Step 3 above. In this case it is: https://sso.dynatrace.com:443/saml2/login.

7. Under the User Identity section, select Email Address from the Identifier Type drop-down list, select the name of your user Identity Source, and select mail as the property value.

8. Click Show Advanced Configuration and, under the Attribute Extension section, click the +Add button and add the following three attributes:

a. Attribute Name: First Name, Identity Source: your identity source, Property: givenName.

b. Attribute Name: Last Name, Identity Source: your identity source, Property: sn.

c. Attribute Name: Email, Identity Source: your identity source, Property: mail.

9. On the User Access page, select the access policy the identity router will use to determine which users can access the Dynatrace service provider. Click Next Step.

10. On the Portal Display page, configure the portal display and other settings. Click Save and Finish.

11. Click Publish Changes in the top left corner of the page, and wait for the operation to complete.

12. Navigate to Applications > My Applications, locate Dynatrace in the list, and from the Edit option select Export Metadata.
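
Steps 4 and 6 take the Connection URL, ACS URL and Audience from the Dynatrace SP metadata file. As an added example (not part of the RSA or Dynatrace documentation), this Python script reads an SP metadata file and reports any console value that does not match it exactly; the function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample in the shape of SP metadata; the two URLs are the ones
# quoted in steps 4 and 6. A real file carries more elements than this.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sso.dynatrace.com:443/saml2/login">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.dynatrace.com:443/saml2/sp/consumer"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def read_sp_metadata(xml_text):
    """Return (entityID, list of ACS Location URLs) from SP metadata."""
    # Metadata has no need for a DTD; refuse it rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("refusing metadata that declares a DTD or entities")
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")
    sp = root.find(MD + "SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs = [e.get("Location") for e in sp.findall(MD + "AssertionConsumerService")]
    return root.get("entityID"), acs


def check_console_values(xml_text, acs_url, audience):
    """List mismatches between the console fields and the metadata."""
    entity_id, acs = read_sp_metadata(xml_text)
    problems = []
    if audience != entity_id:
        problems.append(f"Audience {audience!r} differs from entityID {entity_id!r}")
    if acs_url not in acs:
        problems.append(f"ACS URL {acs_url!r} is not listed in the metadata")
    for url in (acs_url, audience):
        if urlsplit(url).scheme != "https":
            problems.append(f"{url!r} does not use https")
    return problems
```

The comparison is an exact string match, so a URL typed without the :443 port shown above is reported as a mismatch.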

 

Configure Dynatrace

Perform these steps to integrate Dynatrace with RSA SecurID Access as a SAML SSO Agent.

Note: For the remainder of this configuration, your domain must be verified in your Dynatrace SaaS account.

Procedure

1. Log in to your Dynatrace SaaS account.

2. Navigate to Account Setting > Identity management > Single sign-on.

3. On the Single sign-on page, under Verified Domains, click the Add button for your domain.

4. On the Add configuration page, click Download XML and save the metadata file. This file is required in Step 3 of Configure RSA Cloud Authentication Service.

5. In the Upload XML section, select Choose file and select the RSA IDP metadata file downloaded in Step 12 of Configure RSA Cloud Authentication Service.

6. In the Attribute mapping section, specify the following:

a. First name attribute: Enter FirstName.

b. Last name attribute: Enter LastName.

7. Select Validate configuration to verify your settings. After verification one of the following may happen:

a. If validation is successful, Dynatrace displays a confirmation message. Close the message to return to Add configuration and then select Continue to display a summary of the validated configuration.

b. If there's an error in the Results list, select Edit configuration to fix it and re-validate.

8. On the Enable SSO page, select Enable.

9. Click Save & continue.
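
Before uploading the RSA IdP metadata in Step 5, it is worth confirming that the signing certificate inside it is the one generated in Step 5b of Configure RSA Cloud Authentication Service. The following added example (not RSA or Dynatrace code) compares SHA-256 fingerprints of the two; it assumes the exported metadata carries the certificate in a ds:X509Certificate element, and the sample certificate bytes and entityID are constructed placeholders.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD_IDP = "{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor"
DS_CERT = "{http://www.w3.org/2000/09/xmldsig#}X509Certificate"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder: 64 arbitrary bytes standing in for a DER
# certificate. The entityID below is a placeholder, not an RSA URL.
B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{B64}\n-----END CERTIFICATE-----\n"
SAMPLE_IDP_METADATA = f"""\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.invalid/saml">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {B64[:40]}
        {B64[40:]}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def sha256_of_b64(text):
    """SHA-256 hex digest of the bytes behind whitespace-wrapped base64."""
    return hashlib.sha256(base64.b64decode("".join(text.split()))).hexdigest()

def pem_fingerprint(pem_text):
    """Fingerprint of the first certificate in a PEM file."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return sha256_of_b64(match.group(1))

def metadata_fingerprints(xml_text):
    """Fingerprints of every certificate under IDPSSODescriptor."""
    idp = ET.fromstring(xml_text).find(MD_IDP)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    return [sha256_of_b64(c.text or "") for c in idp.iter(DS_CERT)]

def idp_cert_matches(pem_text, xml_text):
    """True if the PEM certificate is one of the metadata certificates."""
    return pem_fingerprint(pem_text) in metadata_fingerprints(xml_text)
```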

Next Step: Head back to the main page.

Configuration is complete.

For additional integrations, see the "Configuration Summary" section.