AWS Single Sign-On Integration Guide for Dynatrace

By Shashiraj Jeripotula, Sr. Partner Solutions Architect at AWS

AWS-Single-Sign-On End users can now configure AWS Single Sign-On (AWS SSO) to access Dynatrace with a single sign-on experience using the same credentials they use with their Amazon Web Services (AWS) account.

AWS Single Sign-On provides administrators a simple way to assign users and groups access to AWS accounts, roles, and SAML-based applications. This makes it easy for end users to sign into the AWS Console to access AWS resources, and also have a single sign-on experience to applications with a single set of credentials.

Customers can choose to create their user identities and groups in AWS SSO, or they can connect AWS SSO to use the identities and groups they already administer in Active Directory or Azure AD.

Dynatrace is an AWS Partner Network (APN) Advanced Technology Partner with AWS Competencies in DevOps, Migration, and Containers. Dynatrace provides an artificial intelligence-powered platform that delivers full-stack, automated monitoring. It goes beyond collecting data and can help you address the root cause of the performance problems in operations, DevOps, cloud migration, and customer experience.

Until now, customers had to sign into the AWS Console to work with AWS resources, and they had to sign in separately to Dynatrace to monitor their environment or the resources in their environment, or to monitor the resources in their environment.

AWS SSO includes a simple way to connect Dynatrace, enabling users to have one portal to access their AWS accounts and Dynatrace. From there, Dynatrace will work with the same identities you choose to use within AWS SSO, and it’s easier to administer the users.

In this post, I’ll show you how to connect Dynatrace with AWS SSO using SAML 2.0, so your users have a single experience to access both the AWS Console and Dynatrace.

Prerequisites

For this walkthrough, you should have the following prerequisites:

AWS account.
Access to the AWS SSO console with permissions to manage applications.
Dynatrace account with permissions to configure SAML SSO.

Walkthrough

This post will help you configure AWS SSO to facilitate single sign-on for Dynatrace using SAML.

Configuring AWS SSO

Log in to the AWS Console and navigate to the AWS SSO Console.
In the AWS Console, select Applications.
Choose Add a New Application.
On the Add New Application page, in the AWS SSO Application Catalog, enter Dynatrace into the search bar.
Select Dynatrace, and then choose Add Application.
On the Configure Dynatrace page, in the Details section, you may optionally update the default application name and description. I suggest choosing a unique display name if you plan to have more than one of the same application.
In the AWS SSO metadata section, scroll to the AWS SSO SAML Metadata File section, choose the download link and save a copy of the AWS SSO metadata file to your computer.
Finally, click Save.

Configuring Dynatrace for Use with AWS SSO

Open a new browser and log in to https://DOMAINNAME.live.dynatrace.com/ as an administrator.
Click on your account, and then choose Account Settings.
In the left navigation, choose Single Sign-On.
On the SSO page, choose Add New Domain to begin specifying a domain.

Verify your domain in Dynatrace. To learn more, see the documentation.
In the Domain box, enter the domain (for example, @mycompanyname.com) for which you want to set up SAML.

Click Copy and add the TXT resource record to your domain’s DNS configuration.
Select Verify so that Dynatrace can verify the record was added to your domain’s DNS. It may take a few minutes for the record to be propagated in the DNS system and the value to become available for Dynatrace to verify.
After successful verification, the Verify button will change to Verified.

Once your domain is verified, click Add Configuration.
Upload AWS SSO Metadata File to Dynatrace by clicking on Upload XML.
Next, insert the following values:
- First name: firstname
- Last name: lastname

Assigning AWS SSO Users to Test the Setup

Assign a user to the application in AWS SSO. To learn how, see the documentation.
Go back to the SSO Configuration page for Dynatrace, and click Validate Configuration.
Sign in with a user assigned to the Dynatrace application in AWS SSO.
Once logged in, you will see the message, “You will get the SAML configuration validation complete page.”
Go back to the SSO Configuration page for Dynatrace, and click Continue.
Check the box next to Single Sign-On.
Click on Save.

Verification

Use the following sections to verify the SSO integration.

Ensure the user performing the verification is logged out of both AWS SSO and the application before performing the steps in each section.
Users will not be able to log in using SSO unless they exist in both your AWS SSO directory and Custom SAML 2.0, and the user is assigned to the application.

Verifying SSO from AWS SSO:

Access the AWS SSO end user portal using the credentials of a user assigned to the Dynatrace application. You can find this URL by going to the AWS SSO Console’s Setting page.
In the list of applications, choose Dynatrace to initiate a login to Dynatrace.
If login is successful, you will be signed in to the Dynatrace application. If sign in is not successful, please see the troubleshooting steps below.

Verifying Service Provider Initiated SSO from Dynatrace:

Access Dynatrace using the following URL: https://DOMAINNAME.live.dynatrace.com/
Type the credentials of a user assigned to the application in the AWS SSO console and a user which exists in Dynatrace.
Choose Sign In.
On the Dynatrace home page, verify that both Dynatrace and AWS SSO are logged in with the same user. If sign in isn’t successful, please see the troubleshooting steps below.

Troubleshooting

Issue

When AWS SSO creates a SAML Assertion for a user, it uses the value of the ’email’ and ‘subject’ fields (if they are present) from the identity source to populate the ‘Email’ and ‘Subject’ attributes in the SAML assertion.
Many service providers expect these attributes to contain the user’s email address.

Solution

Your directory may be configured to contain the users email in the ‘Email’ attribute instead. If so, you may need to change this in your identity source settings.
If your identity source is Active Directory, update the Active Directory Attribute Mappings in AWS SSO to use email from AD.
If you use a SAML IdP as an identity source with automatic user synchronization via the SCIM protocol, you must update the attribute mappings in your IdP (refer to your IdP vendor’s documentation).

For general troubleshooting problems, please refer to our guide on Troubleshooting AWS SSO Issues.

Summary

In this post, I have demonstrate how to configure Dynatrace to use AWS Single Sign-On (AWS SSO) for authentication, which will provide the ability for users to access Dynatrace applications by logging in to the AWS Console.

This eliminates the need for users to log in to Dynatrace separately. Previously, users did not have the ability to navigate to Dynatrace directly from AWS account.

In addition, AWS SSO manages single sign-on access to multiple AWS accounts and business applications. AWS SSO will also help you create SAML2.0 integrations to extend AWS SSO access to any of your SAML-enabled applications.

To learn more, see the AWS SSO home page. If you have any questions, please post them on AWS SSO service forum.
.

.

Dynatrace – APN Partner Spotlight

Dynatrace is an AWS Competency Partner. Its AI-powered, full stack, and completely automated solution provides answers, not just data, based on deep insight into every user, every transaction, across every application.

Contact Dynatrace | Solution Overview | AWS Marketplace

*Already worked with Dynatrace? Rate this Partner

*To review an APN Partner, you must be an AWS customer that has worked with them directly on a project.