AppDynamics Team


You can configure Microsoft Active Directory Federation Services (ADFS) as a SAML authentication provider for the AppDynamics Controller. The instructions below apply to ADFS v2.0, 2.1, and 3.0.


Table of Contents

  1. Add the Relying Party Trust for AppDynamics Application in ADFS
  2. Add a Claim Rule
  3. Pass Group Information in SAML Response
  4. Download the X509 Certificate for AppDynamics
  5. Complete the AppDynamics SAML Config for ADFS
  6. Troubleshooting


Note: After upgrading the Controller to v4.5.x, you may encounter an issue where the SAML authentication request fails for accounts that use Active Directory Federation Services (ADFS) SAML. We suggest you configure your ADFS to send the NameID attribute in the SAML assertion following the steps outlined here: How do I troubleshoot Active Directory Federation Services (ADFS) SAML?


Add the Relying Party Trust for AppDynamics Application in ADFS

Step 1. Open AD FS 2.0 Management by clicking Start → Administrative Tools → AD FS 2.0 Management.


There is a slightly different workflow depending on your version of Windows Server. Earlier versions require an intermediate step.


Windows Server 2012 or later

If you are using Windows Server 2012 or above, reference the screenshots below. Then, skip to Step 3 - Add Relying Party Trust.

2 ADFS management.png



3 server manager dashboard.png



Windows Server 2008 or earlier

Step 2. For Windows Server 2008 or earlier only: Expand Trust Relationships → Relying Party Trusts.



Step 3. Add a Relying Party Trust. The steps depend on the version of Windows Server you are on. Click below for the instructions that fit your context.



Windows Server 2008 and earlier

1. Trust Relationships → Right click on Relying Party Trusts → Add Relying Party Trust


Windows Server 2012 and earlier

1. Trust Relationships → Right click on Relying Party Trusts → Add Relying Party Trust

2. Actions → Relying Party Trusts → Add Relying Party Trust…


Windows Server 2012 and later

1. Actions → Relying Party Trusts → Add Relying Party Trust…

2. Right click on Relying Party Trusts → Add Relying Party Trust…



Step 4. Click Start on the Add Relying Party Trust Wizard.


For versions 2016+, select Claims aware → Start.


Step 5. On the Select Data Source Page, select the Enter data about the relying party manually option →  Next.

Step 6. On the Specify Display Name page, enter the Display Name → Next.


Step 7. On the Choose Profile page (through Windows Server 2016), select AD FS 2.0 profile → Next.

Note: This step does not exist for ADFS on Windows Server 2016 or later.


Step 8. On the Configure Certificate page,  add the certificate if you want to encrypt the SAML response. For details, see Enabling SAML Authentication. Otherwise, click Next.


Step 9. On the Configure URL page, check the Enable support for the SAML 2.0 WebSSO protocol checkbox and enter the Relying party SAML 2.0 SSO service URL in the following format. Then click Next.



http[s]://<controllerurl>:<port (if any)>/controller/saml-auth?accountName=<accountName>




Step 10. On the Configure Identifiers page, enter the Relying party trust identifier in the following format, then click Add → Next.

Format: http[s]://<controllerurl>:<port (if any)>/controller


Step 11. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party →  Next.

Step 12. On the Ready to Add Trust page, click Next.

Step 13. On the Finish page, check the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes checkbox → Close.


Add a Claim Rule

Step 1. Click on Edit Claim Rules... to add the claims.



Step 2. On the Edit Claim Rule page, click Add Rule.



Step 3. The Add Transform Claim Rule Wizard will open. Select Send LDAP Attributes as Claims as the Claim Rule Template → Next.

Step 4. On the Configure Claim Rule page, enter the Claim Rule Name and select Active Directory as the Attribute Store. Add LDAP attributes accordingly and click Finish → OK. The Name ID is the required parameter for Controller version 4.5+. Click here for instructions on adding the Name ID.


Pass Group Information in SAML Response

There are two ways to pass group information in the SAML response:


1. Pass the LDAP attribute and map it to the desired group(s) or role(s)

Pass the LDAP attribute Is-Member-Of-DL and map it to Group, Groups, Roles, or any name you like.


2. Add Groups one by one

Step 1. Click Edit Claim Rules…

Step 2. On the Edit Claim Rules page, click Add Rule.

Step 3. Select Send Group Membership as a Claim as the Claim Rule template → Next.

Add the desired group. You have to create a new claim for each group.
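
To confirm that the claim rules above actually deliver a NameID and the group attribute, you can decode the SAMLResponse form value captured in the browser and inspect it. The following is an added example, not AppDynamics or ADFS code; the sample response, the user and group values, and the default attribute name "Groups" are constructed assumptions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def inspect_saml_response(b64_response, group_attr="Groups"):
    """Return (name_id, attributes, problems) for a base64 SAMLResponse form value.

    Diagnostic only: the XML signature is NOT verified here.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.find("saml:EncryptedAssertion", NS) is not None:
        return None, {}, ["assertion is encrypted; decrypt it before inspecting"]
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, {}, ["response carries no Assertion"]
    problems = []
    node = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = (node.text or "").strip() if node is not None else ""
    if not name_id:
        problems.append("NameID missing (required by Controller 4.5+)")
    attributes = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attributes.setdefault(attr.get("Name"), []).extend(values)
    if not attributes.get(group_attr):
        problems.append(f"no values for group attribute '{group_attr}'")
    return name_id or None, attributes, problems

def sample_response(with_name_id=True, attr_name="Groups"):
    """Constructed, unsigned response for illustration; not real ADFS output."""
    subject = "<saml:NameID>jdoe@example.com</saml:NameID>" if with_name_id else ""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
        ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        f"<saml:Subject>{subject}</saml:Subject><saml:AttributeStatement>"
        f'<saml:Attribute Name="{attr_name}">'
        "<saml:AttributeValue>APM-Admins</saml:AttributeValue>"
        "<saml:AttributeValue>APM-ReadOnly</saml:AttributeValue>"
        "</saml:Attribute></saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for b64 in (sample_response(), sample_response(with_name_id=False, attr_name="Role")):
        print(inspect_saml_response(b64))
```

Pass the attribute name you chose in the claim rule as group_attr, since the Controller mapping must use the same name.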












Download the X509 Certificate for AppDynamics

Step 1. Go to the Token Signing Certificate → right-click on the available certificate → View certificate.



Step 2. On the Details tab, click Copy to File…



Step 3. The Certificate Export Wizard will open. Click Next to begin.

Step 4. Select Base-64 encoded X.509 (.CER) as the format → Next.

Step 5. Browse to locate the file → Next.


Step 6. Click Finish. You’ll see a notification saying the export was successful.


Complete the AppDynamics SAML Config for ADFS

Follow the steps outlined in our documentation to complete the AppDynamics SAML config: Enabling SAML Authentication.




Configure the Time Skew for Active Directory Federation Services

If the system time for the Active Directory server and the Controller machine do not align, you can configure the time skew for Active Directory.


To set the time skew, run the following command in PowerShell:

Set-ADFSRelyingPartyTrust -TargetName AppDynamics -NotBeforeSkew <time_in_minutes>

For example, run the following command to set the time skew to 3 minutes:

Set-ADFSRelyingPartyTrust -TargetName AppDynamics -NotBeforeSkew 3
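
To choose a value for -NotBeforeSkew, compare the Conditions window of a captured assertion with the Controller's clock. The following is an added example, not AppDynamics or ADFS code; the timestamps, the 95-second drift and the 60-minute lifetime are constructed, and it assumes the Controller applies no tolerance of its own to NotBefore.

```python
import math
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def parse_ts(value):
    """Parse a UTC xs:dateTime such as 2019-08-26T17:23:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_validity(assertion_xml, controller_now):
    """Return (accepted, minutes): minutes is how much to add to the current
    -NotBeforeSkew so this assertion passes at controller_now (0 if none)."""
    cond = ET.fromstring(assertion_xml).find(f"{SAML_NS}Conditions")
    not_before = parse_ts(cond.get("NotBefore"))
    not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
    accepted = not_before <= controller_now < not_on_or_after
    early_by = (not_before - controller_now).total_seconds()
    return accepted, max(0, math.ceil(early_by / 60))

def sample_assertion(issued_at, not_before_skew=0, lifetime_min=60):
    """Constructed assertion: NotBefore is the issue time minus the skew."""
    fmt = "%Y-%m-%dT%H:%M:%S.000Z"
    start = issued_at - timedelta(minutes=not_before_skew)
    end = issued_at + timedelta(minutes=lifetime_min)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'<saml:Conditions NotBefore="{start.strftime(fmt)}"'
        f' NotOnOrAfter="{end.strftime(fmt)}"/></saml:Assertion>'
    )

# Constructed clocks: the Controller runs 95 seconds behind the ADFS server.
ADFS_CLOCK = datetime(2019, 8, 26, 17, 23, 0, tzinfo=timezone.utc)
CONTROLLER_CLOCK = ADFS_CLOCK - timedelta(seconds=95)

if __name__ == "__main__":
    for skew in (0, 1, 2):
        xml = sample_assertion(ADFS_CLOCK, not_before_skew=skew)
        print(skew, check_validity(xml, CONTROLLER_CLOCK))
```

Use the smallest value that covers the measured drift and correct time synchronization on both hosts, because a larger skew makes every assertion valid earlier than it was issued.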


HTTP Controller Endpoint Test

  1. Depending on your browser, install one of the following tools:

  2. Sign on with the Developer Tools window open.
    You will see Request and Response as mentioned below

  3. After successful login, a user will automatically be created with SAML Source in AppDynamics.

  4. Test the logout process from the Controller.
  5. The resulting AttributeStatement in the SAML response will be like:
AppDynamics Team (Retired)
May we include a call out to include NameID in the MS ADFS setup doc? This will mirror what is called out on From the docs: After upgrading the Controller to 4.5.x, you may encounter issues where the SAML authentication request fails for accounts that use ADFS SAML. We suggest you configure your ADFS to send the Name Id attribute in the SAML assertion. You can also create a shared local user and use the local login option to bypass the login issue.
AppDynamics Team

Thanks for the feedback @Blake.Salvador, I've updated the article.

Version history
Last update:
‎08-26-2019 05:23 PM