
Configure SAML for Microsoft Active Directory on Azure

The following article outlines the steps needed to configure Microsoft Active Directory on Windows Azure as a SAML authentication provider for the AppDynamics Controller. 

 

Contents:

  1. Configure Active Directory on Windows Azure for AppDynamics

  2. Configure AppDynamics SAML settings for Active Directory on Azure

  3. Configure AppDynamics to use Azure Active Directory for SAML SSO

 

Configure Active Directory on Windows Azure for AppDynamics


  1. In the Windows Azure portal, click Active Directory in the left navigation menu.
  2. Click into your Active Directory.
  3. Under the EXPLORE menu, click Add an application.
  4. Click Add an application my organization is developing.
  5. In the APPLICATION GALLERY window, click CUSTOM.
  6. Enter AppDynamics Controller for the name and click the check icon.
  7. Click Configure single sign-on.
  8. Click Windows Azure AD Single Sign-On.
  9. On the Configure App Settings window, enter the following:
    • SIGN ON URL: https://{appdynamics_controller_url}:{port}/controller/saml-auth 
    • ISSUER URL: https://{appdynamics_controller_url}:{port}/controller
    • REPLY URL: https://{appdynamics_controller_url}:{port}/controller
  10. On the Configure single sign-on at AppDynamics Controller window, download the certificate. You'll need this to configure SAML on the Controller.
  11. Copy the SINGLE SIGN-ON SERVICE URL. You will need this for the Login URL in the Controller.


Configure AppDynamics SAML settings for Active Directory on Azure

 

Configure the SAML settings in the Controller as described in SAML Authentication.


Configure AppDynamics to use Azure Active Directory for SAML SSO


Step 1: Set Azure Active Directory (AD) identities

  • The directory services should contain user principals that you expect to use. These can be optionally synced with your on-premises directory.
  • Example: we have 3 AD users that we intend to use to authenticate to AppDynamics:
    • Agent Smith
    • Agent Jones
    • Agent Brown
    • Agent Colson


Step 2: Prepare Azure AD Security Groups

 

Although it is possible to associate an AD user record with an Enterprise Application role directly, that mapping is strictly 1:1, so in that configuration a user can hold only a single role.

 

Instead, create AD security groups and assign an Enterprise Application role to each group. That way, users who belong to more than one security group receive more than one Enterprise Application role.

 

Example: We have created four AD security groups that we will assign Enterprise Application roles to:

  • AppD-SecGroup-Administrators
  • AppD-SecGroup-AllGroups
  • AppD-SecGroup-Power Users
  • AppD-SecGroup-Read Only


Step 3: Assign Azure AD users to the AD security groups

 

Use the Azure Active Directory management tools to assign users to security groups.

 

Example: we have placed users into groups and nested all of the groups inside the “AppD-SecGroup-AllGroups” group:

 

Group                          Members
AppD-SecGroup-Administrators   Agent Smith
AppD-SecGroup-AllGroups        Agent Colson
                               AppD-SecGroup-Administrators
                               AppD-SecGroup-Power Users
                               AppD-SecGroup-Read Only
AppD-SecGroup-Power Users      Agent Brown
AppD-SecGroup-Read Only        Agent Jones


Step 4: Create an Enterprise Application in Azure Active Directory using AppDynamics template

 

1. Create a new AppDynamics application.

2. Navigate to Azure AD > Enterprise Applications > All Applications and click New Application.

3. Search for AppDynamics under Business Management, select it and click Add.


Note that this template can only be used to connect to AppDynamics SaaS Controllers. For non-SaaS Controllers, you must use a generic Enterprise Application configuration instead. 


Step 5: Create Roles for the AppDynamics Enterprise Application

 

To send security groups as roles from the newly created AppDynamics Enterprise Application, you must first create the roles that the Enterprise Application will use. Unfortunately, at the time of writing, the Azure management UI does not provide a way to create those roles.

 

Instead, use the Azure AD Graph Explorer tool to add the roles programmatically. The steps are documented in Enterprise App Role Management. Follow the steps under Create Roles for an Application, starting with step 6, and complete sections A, B, C and D to grant the Directory.AccessAsUser.All, Directory.Read.All and Directory.ReadWrite.All permissions to the administrative account that will perform the remaining configuration. This is a one-time step. You will be signed out and signed back in with a consent prompt of the following style:


Before proceeding, copy the Object ID of the newly created AppDynamics Enterprise Application from its Properties tab, then follow the steps under Create Roles for an Application, starting with step 6, sections E, F, G, H, I and J, to read the current roles and create new ones.


As the instructions state, switch to the “beta” API version and run a GET query against the https://graph.microsoft.com/beta/servicePrincipals endpoint.

 

Find your Enterprise Application by looking for the Object ID:


Then run a new GET query against https://graph.microsoft.com/beta/servicePrincipals/<objectID>, substituting the Object ID of your AppDynamics Enterprise Application.


Extract the appRoles property, a JSON array of objects describing the current application roles, and paste it into a text editor.

 

A newly created AppDynamics Enterprise Application should have only the “msiam_access” role. To add roles, construct a new JSON object containing the full appRoles array and execute a PATCH operation against the same endpoint.

 

A few notes on that object:

  • You must preserve the “msiam_access” role.
  • You must also generate a new GUID for each of the new roles.
  • The role names must be unique.

 

Here is an example JSON file defining the following roles:

  • msiam_access (existing)
  • AppD-AppRole-Administrators
  • AppD-AppRole-PowerUsers
  • AppD-AppRole-ReadOnly
  • AppD-AppRole-All

 

The description field is optional.

Use a GUID generator to create the unique identifiers:

 

{
    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "msiam_access",
            "displayName": "msiam_access",
            "id": "48383f87-53cf-4ff0-ac40-06798faf26a8",
            "isEnabled": true,
            "origin": "Application",
            "value": null
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "This role will be administrators",
            "displayName": "AppD-AppRole-Administrators",
            "id": "BFECB407-1121-4B5C-8468-76BEE81B5F68",
            "isEnabled": true,
            "origin": "ServicePrincipal",
            "value": "AppD-AppRole-Administrators"
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "This role will be power users",
            "displayName": "AppD-AppRole-PowerUsers",
            "id": "C0003602-0404-49B0-9A5C-3F29C56DA451",
            "isEnabled": true,
            "origin": "ServicePrincipal",
            "value": "AppD-AppRole-PowerUsers"
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "This role will be read only",
            "displayName": "AppD-AppRole-ReadOnly",
            "id": "5924E9BE-4DD2-4782-8887-F7522F4C6A47",
            "isEnabled": true,
            "origin": "ServicePrincipal",
            "value": "AppD-AppRole-ReadOnly"
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "This role will be all groups",
            "displayName": "AppD-AppRole-All",
            "id": "F21990FD-CA27-4D37-A2E8-08CF9A1AD28A",
            "isEnabled": true,
            "origin": "ServicePrincipal",
            "value": "AppD-AppRole-All"
        }
    ]
}

 

Using the constructed JSON as the request body, execute a PATCH operation against https://graph.microsoft.com/beta/servicePrincipals/<objectID>, substituting the Object ID of your AppDynamics Enterprise Application:


You should receive an HTTP 204 (No Content) status code, which indicates success.
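As an added example (not AppDynamics' or Microsoft's code), the following Python script builds and checks the appRoles PATCH body described above before anything is sent to Graph. It assumes the appRoles array was fetched with the GET query earlier in this step (a constructed copy containing only msiam_access is embedded), that the role names are the ones listed above, and that the caller supplies the Object ID and a Graph bearer token to the hypothetical patch_service_principal helper, which is the only part that touches the network.

```python
"""Build and validate the appRoles PATCH body for the AppDynamics Enterprise
Application. Added example; the Graph call is isolated in one helper so the
body can be constructed and checked offline."""
import json
import uuid
import urllib.request

# Constructed sample: the appRoles array of a freshly created AppDynamics
# Enterprise Application, which carries only the default msiam_access role.
EXISTING_APP_ROLES = [
    {
        "allowedMemberTypes": ["User"],
        "description": "msiam_access",
        "displayName": "msiam_access",
        "id": "48383f87-53cf-4ff0-ac40-06798faf26a8",
        "isEnabled": True,
        "origin": "Application",
        "value": None,
    }
]

NEW_ROLE_NAMES = [
    "AppD-AppRole-Administrators",
    "AppD-AppRole-PowerUsers",
    "AppD-AppRole-ReadOnly",
    "AppD-AppRole-All",
]


def build_app_roles(existing, new_names):
    """Return the complete appRoles list: every existing role kept unchanged
    (so msiam_access survives) plus one enabled ServicePrincipal-origin role
    per new name, each with a freshly generated GUID."""
    roles = [dict(r) for r in existing]
    taken = {r["displayName"] for r in roles}
    for name in new_names:
        if name in taken:
            raise ValueError(f"role name already present: {name}")
        taken.add(name)
        roles.append({
            "allowedMemberTypes": ["User"],
            "description": name,      # optional field, per the article
            "displayName": name,
            "id": str(uuid.uuid4()),  # new GUID per role, as required
            "isEnabled": True,
            "origin": "ServicePrincipal",
            "value": name,            # the string later emitted in the SAML claim
        })
    return roles


def validate_app_roles(roles):
    """Enforce the article's rules: msiam_access preserved, unique names,
    unique well-formed GUIDs. Raises ValueError on the first violation."""
    names = [r["displayName"] for r in roles]
    if "msiam_access" not in names:
        raise ValueError("msiam_access role must be preserved")
    if len(set(names)) != len(names):
        raise ValueError("role displayNames must be unique")
    ids = [r["id"] for r in roles]
    if len(set(ids)) != len(ids):
        raise ValueError("role ids must be unique")
    for role_id in ids:
        uuid.UUID(role_id)  # ValueError if not a well-formed GUID
    return True


def patch_body(roles):
    """Serialise the body exactly as the PATCH expects: {"appRoles": [...]}."""
    return json.dumps({"appRoles": roles}, indent=2)


def patch_service_principal(object_id, token, roles):
    """Hypothetical helper: send the PATCH to the beta servicePrincipals
    endpoint. object_id and token come from the caller; returns the HTTP
    status, which should be 204 on success."""
    validate_app_roles(roles)
    req = urllib.request.Request(
        f"https://graph.microsoft.com/beta/servicePrincipals/{object_id}",
        data=patch_body(roles).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    built = build_app_roles(EXISTING_APP_ROLES, NEW_ROLE_NAMES)
    validate_app_roles(built)
    print(patch_body(built))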


Step 6: Configure Role to Group Mapping in AppDynamics Enterprise Application

 

Now that the roles have been created, use the Users and Groups tab of the AppDynamics Enterprise Application to map the AD security groups to the newly created roles.

 

Example: our AD groups are mapped to Enterprise Application roles as follows:

AD Group                       Enterprise Application Role
AppD-SecGroup-Administrators   AppD-AppRole-Administrators
AppD-SecGroup-AllGroups        AppD-AppRole-All
AppD-SecGroup-Power Users      AppD-AppRole-PowerUsers
AppD-SecGroup-Read Only        AppD-AppRole-ReadOnly


Step 7: Configure AppDynamics Enterprise Application Claims and Connection to AppDynamics Controller

 

Connect the AppDynamics Enterprise Application to the AppDynamics Controller.

 

Specify the following values in the AppDynamics Enterprise Application's Single Sign-on tab:

 

To enable SSO:

  • Single Sign-on Mode = SAML-based Sign-on

 

To connect to the Controller (Microsoft document subtopics 1, 2, 3):

  • Sign on URL = https://<YOURTENANT>.saas.appdynamics.com
  • Identifier (Entity ID) = https://<YOURTENANT>.saas.appdynamics.com/controller
  • Check the “Show advanced URL Settings” checkbox
  • Reply URL = https://<YOURTENANT>.saas.appdynamics.com/controller/saml-auth
  • Leave the Relay State blank

 

To add roles as claims:

  • Check “View and edit all other user attributes”
  • Click “Add attribute”
  • Specify “Group-Membership” in “Name” textbox
  • Specify “user.assignedroles” in “Value” drop-down
  • Leave “Namespace” textbox blank
  • Click OK


  • On the SAML Signing Certificate section, click “Certificate (Base64)” and then save the certificate file on your computer.

 

Your final screen should look like this:


Scroll to the bottom of the page and click on "Configure AppDynamics."

 

Find the values of “Azure AD Single Sign-On Service URL” and “Azure AD Sign Out URL” in the “Quick Reference” section.


You are now ready to configure AppDynamics Controller to accept SAML authentication and authorization from this Enterprise Application.

Step 8: Configure AppDynamics Controller

Follow the steps in Enabling SAML authentication.

Version history: revision 8 of 9, last updated 09-07-2018 02:22 PM.