Configure SAML for Microsoft Active Directory on Azure

The following article outlines the steps needed to configure Microsoft Active Directory on Windows Azure as a SAML authentication provider for the AppDynamics Controller. 



  1. Configure Active Directory on Windows Azure for AppDynamics

  2. Configure AppDynamics SAML settings for Active Directory on Azure

  3. Configure AppDynamics to use Azure Active Directory for SAML SSO


Configure Active Directory on Windows Azure for AppDynamics



  1. In the Windows Azure portal, click Active Directory in the left navigation menu.
  2. Click into your Active Directory.
  3. Under the EXPLORE menu, click Add an application.
  4. Click Add an application my organization is developing.
  5. In the APPLICATION GALLERY window, click CUSTOM.
  6. Enter AppDynamics Controller for the name and click the check icon.
  7. Click Configure single sign-on.
  8. Click Windows Azure AD Single Sign-On.
  9. On the Configure App Settings window, enter the following:
    • SIGN ON URL: https://{appdynamics_controller_url}:{port}/controller/saml-auth 
    • ISSUER URL: https://{appdynamics_controller_url}:{port}/controller
    • REPLY URL: https://{appdynamics_controller_url}:{port}/controller
  10. On the Configure single sign-on at AppDynamics Controller window, download the certificate. This is the certificate Azure AD uses to sign its SAML responses; the Controller needs it to verify that signature, so keep it for the SAML configuration on the Controller.
  11. Copy the SINGLE SIGN-ON SERVICE URL. You will need this for the Login URL in the Controller.



Configure AppDynamics SAML settings for Active Directory on Azure


Configure the SAML settings in the Controller as described in SAML Authentication (AppDynamics documentation).



Configure AppDynamics to use Azure Active Directory for SAML SSO



Step 1: Set Azure Active Directory (AD) identities

  • The directory should contain the user principals you expect to authenticate. These can optionally be synced from your on-premises directory.
  • Example: we have four AD users that we intend to use to authenticate to AppDynamics:
    • Agent Smith
    • Agent Jones
    • Agent Brown
    • Agent Colson




Step 2: Prepare Azure AD Security Groups


Although it is possible to assign an Enterprise Application role directly to an AD user record, that assignment is strictly 1:1: a directly assigned user holds exactly one role.


Instead, create AD security groups and assign an Enterprise Application role to each group. A user who is a member of more than one security group then carries more than one Enterprise Application role.


Example: We have created four AD security groups that we will assign Enterprise Application roles to:

  • AppD-SecGroup-Administrators
  • AppD-SecGroup-AllGroups
  • AppD-SecGroup-Power Users
  • AppD-SecGroup-Read Only





Step 3: Assign Azure AD users to the AD security groups


Use the Azure Active Directory management tools to assign users to security groups.


Example: we put users into the groups that match their intended access level, and made every group a member of the “AppD-SecGroup-AllGroups” group. (The membership table from the original page did not survive extraction; it listed Agent Smith, Agent Colson, Agent Brown and Agent Jones against the AppD-SecGroup-Power Users and AppD-SecGroup-Read Only groups.)








Step 4: Create an Enterprise Application in Azure Active Directory using AppDynamics template


1. Navigate to Azure AD > Enterprise Applications > All Applications and click New Application.

2. Search for AppDynamics under Business Management, select it and click Add.





Note that this template can only be used to connect to AppDynamics SaaS Controllers. For non-SaaS Controllers, you must use a generic Enterprise Application configuration instead. 



Step 5: Create Roles for the AppDynamics Enterprise Application


To send security groups as roles from the newly created AppDynamics Enterprise Application, you must first create the roles that the Enterprise Application will use. At the time of writing, the Azure management UI does not provide a way to create those roles.


Instead, use the Azure AD Graph Explorer tool to add the roles programmatically. The steps are documented in Enterprise App Role Management. Follow the steps under Create Roles for an Application starting with step 6 and complete sections A, B, C and D, which grant the Directory.AccessAsUser.All, Directory.Read.All and Directory.ReadWrite.All permissions to the administrative account that will perform the remaining configuration. This is a one-time step; note that Directory.ReadWrite.All is a tenant-wide write permission, so consent to it only for the administrative account doing this work. You will be signed out and signed back in with a consent prompt in the following style:






Before proceeding, copy the Object ID of the newly created AppDynamics Enterprise Application from its Properties tab, then follow the steps under Create Roles for an Application starting with step 6, sections E, F, G, H, I and J, which read the current roles and create new ones.






As the instructions state, switch to the “beta” version of the API and run a GET query against the endpoint shown in the Microsoft instructions (the list of service principals).


Find your Enterprise Application by looking for the Object ID:






Then run a new GET query against the same endpoint with /<objectID> appended, where <objectID> is the Object ID of your AppDynamics Enterprise Application.









Extract the appRoles object from the response: a JSON array whose elements are the current application roles. Put it into a text editor.


In a newly created AppDynamics Enterprise Application you should see only “msiam_access”. Generate the new roles for your application by constructing a new JSON object and executing a PATCH operation against the same management endpoint.


A few notes on that object:

  • You must preserve the existing “msiam_access” role, including its id.
  • You must generate a new GUID for the id of each added role.
  • Role names (displayName and value) must be unique.


Here is an example JSON file defining the following roles:

  • msiam_access (existing)
  • AppD-AppRole-Administrators
  • AppD-AppRole-PowerUsers
  • AppD-AppRole-ReadOnly
  • AppD-AppRole-All


The description field is optional. Each role is assignable to users and groups, so allowedMemberTypes is [ "User" ].

Use a GUID generator to make the unique id values:


   {
     "appRoles": [
       {
         "allowedMemberTypes": [ "User" ],
         "description": "msiam_access",
         "displayName": "msiam_access",
         "id": "48383f87-53cf-4ff0-ac40-06798faf26a8",
         "isEnabled": true,
         "origin": "Application",
         "value": null
       },
       {
         "allowedMemberTypes": [ "User" ],
         "description": "This role will be administrators",
         "displayName": "AppD-AppRole-Administrators",
         "id": "BFECB407-1121-4B5C-8468-76BEE81B5F68",
         "isEnabled": true,
         "origin": "ServicePrincipal",
         "value": "AppD-AppRole-Administrators"
       },
       {
         "allowedMemberTypes": [ "User" ],
         "description": "This role will be power users",
         "displayName": "AppD-AppRole-PowerUsers",
         "id": "C0003602-0404-49B0-9A5C-3F29C56DA451",
         "isEnabled": true,
         "origin": "ServicePrincipal",
         "value": "AppD-AppRole-PowerUsers"
       },
       {
         "allowedMemberTypes": [ "User" ],
         "description": "This role will be read only",
         "displayName": "AppD-AppRole-ReadOnly",
         "id": "5924E9BE-4DD2-4782-8887-F7522F4C6A47",
         "isEnabled": true,
         "origin": "ServicePrincipal",
         "value": "AppD-AppRole-ReadOnly"
       },
       {
         "allowedMemberTypes": [ "User" ],
         "description": "This role will be all groups",
         "displayName": "AppD-AppRole-All",
         "id": "F21990FD-CA27-4D37-A2E8-08CF9A1AD28A",
         "isEnabled": true,
         "origin": "ServicePrincipal",
         "value": "AppD-AppRole-All"
       }
     ]
   }


Using the constructed JSON as the request body, execute a PATCH operation against the same endpoint with /<objectID> appended, where <objectID> is the Object ID of your AppDynamics Enterprise Application:




You should get an HTTP 204 (No Content) response, which indicates success.
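The role-creation step above, as an added example that is not part of the original article nor of Microsoft's or AppDynamics' tooling: a Python script that takes the appRoles array returned by the GET request, keeps msiam_access untouched, appends the four AppD-AppRole-* roles with freshly generated GUIDs, and validates the body before it is sent. The existing-roles list is constructed sample data, and the Graph URL in patch_service_principal is an assumption about the beta endpoint the Microsoft instructions use; the network call is optional and is not exercised when the script runs offline.

```python
"""Build and validate the appRoles PATCH body for an Azure AD Enterprise
Application (service principal).  Added example, not vendor code."""
import json
import uuid
import urllib.request

# Constructed sample: what the GET on a newly created Enterprise Application
# typically returns under "appRoles" (only the built-in msiam_access role).
EXISTING_APP_ROLES = [
    {
        "allowedMemberTypes": ["User"],
        "description": "msiam_access",
        "displayName": "msiam_access",
        "id": "48383f87-53cf-4ff0-ac40-06798faf26a8",
        "isEnabled": True,
        "origin": "Application",
        "value": None,
    }
]

NEW_ROLE_NAMES = [
    "AppD-AppRole-Administrators",
    "AppD-AppRole-PowerUsers",
    "AppD-AppRole-ReadOnly",
    "AppD-AppRole-All",
]


def build_app_roles_patch(existing_roles, new_role_names):
    """Return {"appRoles": [...]}: existing roles copied verbatim (ids kept),
    plus one user-assignable role per new name with a fresh GUID.
    Raises ValueError if msiam_access is missing or a name would collide."""
    if not any(r.get("displayName") == "msiam_access" for r in existing_roles):
        raise ValueError("msiam_access must be preserved; refusing to build a body without it")
    roles = [dict(r) for r in existing_roles]
    taken_names = {r["displayName"] for r in roles}
    taken_ids = {str(r["id"]).lower() for r in roles}
    for name in new_role_names:
        if name in taken_names:
            raise ValueError(f"duplicate role name: {name}")
        new_id = str(uuid.uuid4())
        while new_id in taken_ids:          # vanishingly unlikely, but ids must be unique
            new_id = str(uuid.uuid4())
        roles.append({
            "allowedMemberTypes": ["User"],  # assignable to users and groups
            "description": name,             # description is optional; reuse the name
            "displayName": name,
            "id": new_id,
            "isEnabled": True,
            "origin": "ServicePrincipal",
            "value": name,                   # the string that appears in the SAML role claim
        })
        taken_names.add(name)
        taken_ids.add(new_id)
    return {"appRoles": roles}


def validate_app_roles(body):
    """Pre-flight checks before sending the PATCH: msiam_access still present,
    every id a well-formed GUID, ids and names unique, and every enabled
    custom role carrying a claim value.  Returns True when all checks pass."""
    roles = body.get("appRoles", [])
    names = [r.get("displayName") for r in roles]
    ids = [str(r.get("id", "")).lower() for r in roles]
    if "msiam_access" not in names:
        return False
    if len(set(names)) != len(names) or len(set(ids)) != len(ids):
        return False
    for r in roles:
        try:
            uuid.UUID(str(r.get("id")))
        except ValueError:
            return False
        if r.get("displayName") != "msiam_access" and r.get("isEnabled") and not r.get("value"):
            return False
    return True


def patch_service_principal(object_id, bearer_token, body,
                            graph_base="https://graph.microsoft.com/beta"):
    """Send the PATCH.  Assumed endpoint: {graph_base}/servicePrincipals/{object_id}.
    Returns the HTTP status; Graph answers 204 No Content on success."""
    req = urllib.request.Request(
        f"{graph_base}/servicePrincipals/{object_id}",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    body = build_app_roles_patch(EXISTING_APP_ROLES, NEW_ROLE_NAMES)
    if not validate_app_roles(body):
        raise SystemExit("generated appRoles body failed validation")
    print(json.dumps(body, indent=2))   # paste this as the PATCH request body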



Step 6: Configure Role to Group Mapping in AppDynamics Enterprise Application


Now that the roles have been created, use the Users and Groups tab of AppDynamics Enterprise Application to map the AD security groups to the newly created roles.


Example: our AD groups are mapped to Enterprise Application Role in the following way:

AD Group

Enterprise Application Role





AppD-SecGroup-Power Users


AppD-SecGroup-Read Only






Step 7: Configure AppDynamics Enterprise Application Claims and Connection to AppDynamics Controller


Connect the AppDynamics Enterprise Application to the AppDynamics Controller.


Specify the following values in AppDynamics Enterprise Application Single Sign-on tab:


To enable SSO:

  • Single Sign-on Mode = SAML-based Sign-on


To connect to the Controller (Microsoft document subtopics 1, 2, 3):

  • Sign on URL = https://<YOURTENANT>
  • Identifier (Entity ID) = https://<YOURTENANT>
  • Check the “Show advanced URL Settings” checkbox
  • Reply URL = https://<YOURTENANT>
  • Leave the Relay State blank


To add roles as claims:

  • Check “View and edit all other user attributes”
  • Click “Add attribute”
  • Specify “Group-Membership” in “Name” textbox
  • Specify “user.assignedroles” in “Value” drop-down
  • Leave “Namespace” textbox blank
  • Click OK



  • On the SAML Signing Certificate section, click “Certificate (Base64)” and then save the certificate file on your computer.


Your final screen should look like that:





Scroll to the bottom of the page and click on "Configure AppDynamics."


Find values of “Azure AD Single Sign-On Service URL” and “Azure AD Sign Out URL” in “Quick Reference” section:





You are now ready to configure AppDynamics Controller to accept SAML authentication and authorization from this Enterprise Application.

Step 8: Configure AppDynamics Controller

Follow the steps in Enabling SAML authentication



Version history
Revision #:
8 of 9
Last update:
‎09-07-2018 02:22 PM
Updated by: