How can I configure Microsoft Active Directory Federation Services v. 2.0, 2.1, or 3.0 as a SAML authentication provider for the AppD Controller?

 

You can configure Microsoft Active Directory Federation Services (ADFS) as a SAML authentication provider for the AppDynamics Controller. The instructions below apply to ADFS v2.0, 2.1, and 3.0.

 

Table of Contents

  1. Add the Relying Party Trust for AppDynamics Application in ADFS
  2. Add a Claim Rule
  3. Pass Group Information in SAML Response
  4. Download the X509 Certificate for AppDynamics
  5. Complete the AppDynamics SAML Config for ADFS
  6. Troubleshooting

 

Note: After upgrading the Controller to v4.5.x, you may encounter an issue where the SAML authentication request fails for accounts that use Active Directory Federation Services (ADFS) SAML. We suggest you configure your ADFS to send the NameID attribute in the SAML assertion following the steps outlined here: How do I troubleshoot Active Directory Federation Services (ADFS) SAML?

 

Add the Relying Party Trust for AppDynamics Application in ADFS

Step 1. Open AD FS 2.0 Management by clicking Start → Administrative Tools → AD FS 2.0 Management.

 

1 ADFS 2.0 management.png

 

There is a slightly different workflow depending on your version of Windows Server. Earlier versions require an intermediate step.

 

Windows Server 2012 or later

If you are using Windows Server 2012 or later, refer to the screenshots below, then skip to Step 3, Add a Relying Party Trust.

2 ADFS management.png

 

 

3 server manager dashboard.png

 

 

Windows Server 2008 or earlier

Step 2. For Windows Server 2008 or earlier only: expand Trust Relationships → Relying Party Trusts.

4 winserver 2008 trust relationships.png

 

 

Step 3. Add a Relying Party Trust. The steps depend on the version of Windows Server you are on; follow the instructions below that match your version.

 

 

Windows Server 2008 and earlier

1. Trust Relationships → right-click Relying Party Trusts → Add Relying Party Trust…

 

Windows Server 2012 and earlier

1. Trust Relationships → right-click Relying Party Trusts → Add Relying Party Trust…

2. Actions → Relying Party Trusts → Add Relying Party Trust…

5 winserver 2012 trust relationships.png

 

Windows Server 2012 and later

1. Actions → Relying Party Trusts → Add Relying Party Trust…

6 winserver 2012 later relying party trusts.png

 

2. Right-click Relying Party Trusts → Add Relying Party Trust…

7 winserver 2012 later add relying party trust.png

 

 

Step 4. Click Start on the Add Relying Party Trust Wizard.

8 add relying party trust wizard.png

 

For versions 2016+, select Claims aware → Start.

 

Step 5. On the Select Data Source page, select the Enter data about the relying party manually option → Next.

9 select data source.png

 

Step 6. On the Specify Display Name page, enter a Display Name → Next.

 

Step 7. On the Choose Profile page (Windows Server versions before 2016), select AD FS 2.0 profile → Next.

Note: This step does not exist for ADFS on Windows Server 2016 or later.

 

Step 8. On the Configure Certificate page, add the certificate if you want to encrypt the SAML response. For details, see Enabling SAML Authentication. Otherwise, click Next.

 

Step 9. On the Configure URL page, check the Enable support for the SAML 2.0 WebSSO protocol checkbox and enter the Relying party SAML 2.0 SSO service URL in the following format. Then click Next.

 

Format: 

http[s]://<controllerurl>:<port (if any)>/controller/saml-auth?accountName=<accountName>

Example:
https://data20181119011417134.saas.appdynamics.com/controller/saml-auth?accountName=data20181119011417134

10 config url.png

 

Step 10. On the Configure Identifiers page, enter the Relying party trust identifier in the following format, then click Add → Next.

Format: http[s]://<controllerurl>:<port (if any)>/controller

Example: https://data20181119011417134.saas.appdynamics.com/controller

 11 config identifiers.png

 

Step 11. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party →  Next.

Step 12. On the Ready to Add Trust page, click Next.

Step 13. On the Finish page, check the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes checkbox → Close.

 

Add a Claim Rule

Step 1. Click on Edit Claim Rules... to add the claims.

12 edit claim rules.png

 

Step 2. On the Edit Claim Rule page, click Add Rule.

13 edit claim rule add rule.png

 

Step 3. The Add Transform Claim Rule Wizard will open. Select Send LDAP Attributes as Claims as the Claim Rule Template → Next.

Step 4. On the Configure Claim Rule page, enter the Claim Rule Name and select Active Directory as the Attribute Store. Add the LDAP attributes you need and click Finish → OK. The Name ID is a required parameter for Controller version 4.5+. Click here for instructions on adding the Name ID.

14 config claim rule.png

 

Pass Group Information in SAML Response

There are two ways to pass group information in the SAML response:

 

1. Pass the LDAP attribute and map it to the desired group(s) or role(s)

Pass the LDAP attribute Is-Member-Of-DL and map it to an outgoing claim named Group, Groups, Roles, or any name you like.

15 edit claim rules.png

 

2. Add Groups one by one

Step 1. Click Edit Claim Rules…

Step 2. On the Edit Claim Rules page, click Add Rule.

Step 3. Select Send Group Membership as a Claim as the Claim Rule template → Next.

Add the desired group. You have to create a new claim rule for each group.

16.png

 

17.png

 

18.png

 

19.png

 

20.png
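The relying party trust and claim rules built by the wizard steps above (Add the Relying Party Trust, Add a Claim Rule, and Pass Group Information), scripted as an added example that is not part of the article. It assumes the AD FS PowerShell module of Windows Server 2012 or later (ADFS 2.0 uses the Microsoft.Adfs.PowerShell snap-in instead); the Controller URL, account name and group SID are placeholders.

```powershell
# Added example (not the AppDynamics article's own): the relying party trust and claim rules
# from the wizard steps above, scripted with the AD FS module. Controller URL, account name
# and the group SID are placeholders; look up a real SID with (Get-ADGroup 'Appd-Admin').SID.Value
# from the ActiveDirectory module.
Import-Module ADFS

$controller  = 'https://controller.example.com'     # placeholder: http[s]://<controllerurl>[:<port>]
$accountName = 'customer1'                           # placeholder AppDynamics account name
$acsUrl      = "$controller/controller/saml-auth?accountName=$accountName"   # Step 9 URL format
$identifier  = "$controller/controller"                                       # Step 10 identifier format

# Step 9: the SAML 2.0 WebSSO endpoint the assertion is POSTed to.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl

# Claim rules in the AD FS claim rule language. The outgoing names match the AttributeStatement
# shown under Troubleshooting (user.email, user.name, user.login, Groups).
$transformRules = @'
@RuleName = "AppDynamics LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("user.email", "user.name", "user.login"),
          query = ";mail,givenName,mail;{0}", param = c.Value);

@RuleName = "NameID from email (required for Controller 4.5+)"
c:[Type == "user.email"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value,
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

@RuleName = "Groups: Appd-Admin (Send Group Membership as a Claim, one rule per group)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-0-0-0-1001", Issuer == "AD AUTHORITY"]
 => issue(Type = "Groups", Value = "Appd-Admin/Admin", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# Steps 4-13 in one call; Step 11 ("Permit all users") is the authorization rule below.
Add-AdfsRelyingPartyTrust -Name 'AppDynamics' -Identifier $identifier -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Review what was created (NotBeforeSkew is the value the Troubleshooting section adjusts).
Get-AdfsRelyingPartyTrust -Name 'AppDynamics' | Format-List Identifier, SamlEndpoints, NotBeforeSkew, IssuanceTransformRules
```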

 

 

Download the X509 Certificate for AppDynamics

Step 1. Go to the Token Signing Certificate → right-click on the available certificate → View certificate.

21.png

 

Step 2. On the Details tab, click Copy to File…

22.png

 

Step 3. The Certificate Export Wizard will open. Click Next to begin.

Step 4. Select Base-64 encoded X.509 (.CER) as the format → Next.

Step 5. Browse to locate the file → Next.

23.png

Step 6. Click Finish. You’ll see a notification saying the export was successful.

 

Complete the AppDynamics SAML Config for ADFS

Follow the steps outlined in our documentation to complete the AppDynamics SAML config: Enabling SAML Authentication.

 

Troubleshooting

 

Configure the Time Skew for Active Directory Federation Services

If the system clocks of the Active Directory server and the Controller machine are not aligned, you can configure the time skew that ADFS tolerates for this relying party.

 

To set the time skew, run the following command in PowerShell:

Set-ADFSRelyingPartyTrust -TargetName AppDynamics -NotBeforeSkew <time_in_minutes>

For example, run the following command to set the time skew to 3 minutes:

Set-ADFSRelyingPartyTrust -TargetName AppDynamics -NotBeforeSkew 3

 

HTTP Controller Endpoint Test

  1. Depending on your browser, install one of the following tools:

  2. Sign on with the Developer Tools window open.
     You will see the Request and Response shown below.

Request:

24.png

Response:

25.png

  3. After a successful login, a user is automatically created in AppDynamics with SAML as its source.

26.png

  4. Test the logout process from the Controller.
  5. The resulting AttributeStatement in the SAML response will look like this:
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Attribute Name="user.email"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xs:string">amit.goyal@appdynamics.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="user.name"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xs:string">Amit</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="user.login"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xs:string">amit.goyal@appdynamics.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="Groups"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xs:string">Appd-Admin/Admin</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xs:string">Appd-ReadOnly</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>
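To turn the Request/Response capture above into a concrete check, here is an added example (not part of the article) that decodes the SAMLResponse form value from the captured POST and reports the conditions this article describes: a missing NameID, missing user.* or Groups attributes, and a NotBefore that is ahead of the Controller clock by more than the NotBeforeSkew configured above. The function name is ours and assumes nothing beyond Windows PowerShell's built-in XML support.

```powershell
# Added example (not the AppDynamics article's own): decode the SAMLResponse form value captured
# in the browser Developer Tools (the POST to /controller/saml-auth) and report what this article
# says the Controller needs: a NameID (4.5+), the user.*/Groups attributes, and a NotBefore that is
# not ahead of the Controller clock by more than the NotBeforeSkew set above. Function name is ours.
function Test-AppdSamlResponse {
    param(
        [Parameter(Mandatory)][string]$SamlResponseBase64,
        [datetime]$Now = (Get-Date).ToUniversalTime(),   # use the Controller's clock when comparing
        [int]$NotBeforeSkewMinutes = 0                    # value given to -NotBeforeSkew, if any
    )
    [xml]$doc = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseBase64))
    $ns = New-Object Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml2', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $assertion = $doc.SelectSingleNode('//saml2:Assertion', $ns)
    if (-not $assertion) { throw 'No saml2:Assertion found in the response' }

    $problems = @()
    $nameId = $assertion.SelectSingleNode('saml2:Subject/saml2:NameID', $ns)
    $nameIdValue = if ($nameId) { $nameId.InnerText.Trim() } else { $null }
    if (-not $nameIdValue) { $problems += 'Missing NameID (required by Controller 4.5+)' }
    # Collect every Attribute into name -> list of values (the AttributeStatement shown above).
    $attrs = @{}
    foreach ($a in $assertion.SelectNodes('saml2:AttributeStatement/saml2:Attribute', $ns)) {
        $attrs[$a.GetAttribute('Name')] = @($a.SelectNodes('saml2:AttributeValue', $ns) |
            ForEach-Object { $_.InnerText.Trim() })
    }
    foreach ($n in 'user.email', 'user.name', 'user.login', 'Groups') {
        if (-not $attrs.ContainsKey($n)) { $problems += "Missing attribute $n" }
    }
    # Validity window: ADFS -NotBeforeSkew only loosens the NotBefore side, never expiry.
    $cond = $assertion.SelectSingleNode('saml2:Conditions', $ns)
    if ($cond) {
        $notBefore    = [datetime]::Parse($cond.GetAttribute('NotBefore')).ToUniversalTime()
        $notOnOrAfter = [datetime]::Parse($cond.GetAttribute('NotOnOrAfter')).ToUniversalTime()
        if ($Now -lt $notBefore.AddMinutes(-$NotBeforeSkewMinutes)) {
            $problems += "NotBefore $notBefore is ahead of the clock $Now (fix NTP or raise -NotBeforeSkew)"
        }
        if ($Now -ge $notOnOrAfter) { $problems += 'Assertion expired (NotOnOrAfter passed)' }
    }
    [pscustomobject]@{
        NameID     = $nameIdValue
        Attributes = $attrs
        Problems   = $problems
        Accepted   = ($problems.Count -eq 0)
    }
}
```

Call it as Test-AppdSamlResponse -SamlResponseBase64 $captured -NotBeforeSkewMinutes 3 to evaluate a capture under the 3-minute skew set in the example above; an empty Problems list means the assertion carries what the Controller expects.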
Comments
May we include a call-out to include NameID in the MS ADFS setup doc? This will mirror what is called out on docs.appdynamics.com. From the docs: After upgrading the Controller to 4.5.x, you may encounter issues where the SAML authentication request fails for accounts that use ADFS SAML. We suggest you configure your ADFS to send the Name Id attribute in the SAML assertion. You can also create a shared local user and use the local login option to bypass the login issue.

Thanks for the feedback @Blake.Salvador, I've updated the article.