This topic describes how to configure SAML-based single sign-on (SSO) authentication for Controller access with a particular identity provider, OneLogin. See SAML Authentication for general information about SAML integration.
- As an administrator or account owner in the Controller UI, access the Authentication Provider tab. See SAML Authentication for information on accessing the tab.
- Select SAML as the provider.
- In the Login URL field, enter the SAML Login URL from your OneLogin configuration. The SAML Login URL is the URL of the SSO service at the identity provider. The identity provider provides this URL to the Controller.
If you do not know your SAML Login URL, you can locate it in your OneLogin configuration:
a. Log in to your OneLogin account.
b. Click the Apps tab in the first set of tabs.
c. Click edit next to the application for which you want to view the Login URL.
d. Click the Company Apps tab in the second set of tabs if it is not already selected.
e. Click in the third set of tabs. The SAML Login URL is the HTTP SAML Endpoint in the Sign-on method section.
- In the Logout URL field in the AppDynamics form, enter the URL to which the browser should redirect when the user logs out. This field is optional. It's used to redirect a user who logs out to an identity provider URL instead of to the AppDynamics login screen. For example, using the following logout URL would redirect the user to the OneLogin application dashboard: https://app.onelogin.com/client/apps
- In the Certificate field in the AppDynamics form, paste the X.509 certificate from your OneLogin configuration between the BEGIN CERTIFICATE and END CERTIFICATE delimiters. Do not copy the BEGIN CERTIFICATE and END CERTIFICATE lines from the OneLogin X.509 certificate field.
To find your X.509 certificate in your OneLogin configuration:
a. Log in to your OneLogin account.
b. Click the Security tab in the first set of tabs.
c. Click SAML in the second set of tabs.
- In the Default Roles section in the AppDynamics form, select the roles to grant to new users of the SAML-enabled controller by checking the Member check box for the role. You can select multiple roles in the list. See Roles and Permissions for information about roles and permissions.
The roles that you assign here will be granted to new users when they first log in to the SAML-enabled controller if those users have not been previously created directly in the Controller. Users created prior to SAML enablement retain their original roles.
You must grant at least one default role.
- Click Save.
In your OneLogin account, configure the SAML Consumer URL with the host, port and optional account name values from the AppDynamics Controller. The Consumer URL is where the identity provider posts the SAML Authentication Assertion.
- Log in to your OneLogin account.
- Click the Apps tab in the first set of tabs.
- Click edit next to the AppDynamics Connector.
- Click the Company Apps tab in the second set of tabs if it is not already selected.
- In the third set of tabs click Configuration.
- Enter the Consumer URL for the AppDynamics connector.
It has the format:
http[s]://<controller-host>:<controller-port>/controller/saml-auth
The host and port for your Controller account are supplied by AppDynamics.
- Provide the AppDynamics account name if your controller is configured in multi-tenant mode and if the user normally enters an account name on login. If your controller is configured in single-tenant mode or if the user does not supply an account name on login, you can leave the Account Name field blank.
See Controller Tenant Mode and Accounts for information about controller tenant modes.
- Save your settings.