SAML for Microsoft Active Directory Federation Services 2.0 or 2.1

You can configure Microsoft Active Directory Federation Services as an SAML authentication provider for the AppDynamics Controller.

Table of Contents

Requirements

Configure Active Directory Federation Services for AppDynamics

Configure the Time Skew for Active Directory Federation Services

Configure AppDynamics SAML Settings for Active Directory Federation Services

Requirements

  • Active Directory Federation Services version 2.0 or 2.1. (Note: if you are using ADFS v3.0, follow the separate ADFS v3.0 instructions instead.)

Configure Active Directory Federation Services for AppDynamics

In the Active Directory Federation Services management tool, configure a Relying Party Trust for the AppDynamics Controller:

  • Export the token-signing certificate as a base-64 encoded file. You'll need this to configure SAML on the Controller.
    [Image: adfs-cert.png]

  • Under Services > Claim Descriptions, add a new Claim Description and set both the Display name and Claim type to "Groups".
  • Create a new Relying Party Trust:
    • On the Identifiers tab, set the Relying party identifier to the Controller URL: https://{appdynamics_controller_url}:{port}/controller.
      [Image: adfs-trust-identifier.png]

    • On the Endpoints tab, create the following:
      • SAML Assertion Consumer endpoint: https://{appdynamics_controller_url}:{port}/controller/saml-auth.
      • SAML Logout endpoint:
        Set URL to https://{adfs server url}/adfs/ls/?wa=wsignout1.0.
        Leave Response URL blank.
        [Image: adfs-endpoints.jpg]
    • For multi-tenant customers, create a claim rule for the relying party to pass the AppDynamics account name. For example:

      => issue(Type = "accountName", Value = "MyAccount", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic");

    • Optionally create claim rules for the relying party to map Active Directory groups to roles in the AppDynamics Controller. The claim rule type is "Send Group Membership as a Claim".

      Make sure role names in the Controller match the Active Directory group names exactly. The Controller automatically maps incoming SAML groups to matching roles.

      [Image: adfs-groups.jpg]
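The same Relying Party Trust configuration, scripted with the ADFS 2.0/2.1 PowerShell cmdlets instead of the management console. This is an added example, not part of the AppDynamics article and not AppDynamics code: the Controller URL, ADFS host name and AD group name are placeholders to replace, the "Permit all users" issuance authorization rule is an assumption (the console wizard adds it by default; without it no user is authorized for the trust), and the group claim rule resolves the group SID from its name because the "Send Group Membership as a Claim" template matches on the group SID.

```powershell
# Added example (not from the AppDynamics article): creates the Relying Party Trust
# described above with the ADFS 2.0/2.1 cmdlets. Run on the ADFS server as an ADFS admin.
# ASSUMED values: Controller URL, ADFS host, tenant account name and AD group name.

# ADFS 2.0 (Server 2008 R2) ships the cmdlets as a snap-in, ADFS 2.1 (Server 2012) as a module.
if (Get-PSSnapin -Registered -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
} else {
    Import-Module ADFS
}

$controller = "https://controller.example.com:8181/controller"   # assumed Controller URL
$adfsHost   = "adfs.example.com"                                  # assumed ADFS host
$account    = "MyAccount"                                         # tenant account name from the article
$adGroup    = "EXAMPLE\AppDynamics-Admins"                        # assumed AD group; Controller role needs the same name

# 1. Export the primary token-signing certificate as base-64 (PEM) for the Controller's
#    SAML Configuration Certificate field. Only the public certificate is exported, never the key.
$signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path .\adfs-token-signing.cer -Value $pem -Encoding Ascii

# 2. Claim description "Groups" (display name and claim type both "Groups").
if (-not (Get-ADFSClaimDescription -Name "Groups" -ErrorAction SilentlyContinue)) {
    Add-ADFSClaimDescription -Name "Groups" -ClaimType "Groups" -IsOffered $true -IsAccepted $true
}

# 3. Endpoints: assertion consumer (POST) and logout (redirect, no response URL).
$endpoints = @(
    (New-ADFSSamlEndpoint -Protocol SAMLAssertionConsumer -Binding POST -Uri "$controller/saml-auth" -Index 0 -IsDefault $true),
    (New-ADFSSamlEndpoint -Protocol SAMLLogout -Binding Redirect -Uri "https://$adfsHost/adfs/ls/?wa=wsignout1.0")
)

# 4. Claim rules: the accountName rule from the article, plus one group-membership rule.
#    The group rule is what the "Send Group Membership as a Claim" template generates; it
#    matches on the group SID, so resolve the SID from the name (requires a domain-joined host).
$groupSid  = (New-Object System.Security.Principal.NTAccount($adGroup)).Translate(
                 [System.Security.Principal.SecurityIdentifier]).Value
$groupName = $adGroup.Split('\')[-1]   # claim value must equal the Controller role name exactly

$rules = @"
@RuleName = "AppDynamics account name (multi-tenant)"
=> issue(Type = "accountName", Value = "$account", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic");

@RuleName = "Send $groupName group membership as a Groups claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "Groups", Value = "$groupName", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# 5. Create the trust with the Controller URL as the relying party identifier.
#    ASSUMED: a "Permit all users" authorization rule, the default the console wizard adds.
Add-ADFSRelyingPartyTrust -Name "AppDynamics" -Identifier $controller `
    -SamlEndpoint $endpoints -IssuanceTransformRules $rules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Verify what was written before pointing the Controller at it.
Get-ADFSRelyingPartyTrust -Name "AppDynamics" |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules, NotBeforeSkew
```

Add one group rule per Active Directory group you want mapped; each claim value must match a Controller role name character for character, since the article notes the Controller maps incoming SAML groups to roles by exact name.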

Configure the Time Skew for Active Directory Federation Services

If the system clocks of the Active Directory Federation Services server and the Controller machine are not synchronized, you can configure a time skew for the AppDynamics relying party trust.

To set the time skew, run the following command in PowerShell:

Set-ADFSRelyingPartyTrust -TargetName AppDynamics -NotBeforeSkew <time_in_minutes>

For example, run the following command to set the time skew to 3 minutes:

Set-ADFSRelyingPartyTrust -TargetName AppDynamics -NotBeforeSkew 3
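Before widening the skew, it is worth measuring the actual clock offset and reading the current setting, because every minute of NotBeforeSkew is a minute longer that an assertion is accepted before its NotBefore time. The following check is an added example, not part of the article; the Controller host name is a placeholder, and it assumes the Controller host answers NTP queries (w32tm /stripchart talks NTP to the target).

```powershell
# Added example (not from the AppDynamics article): measure the offset and read the
# current skew before changing it. ASSUMED: Controller host name; it answers NTP.
Import-Module ADFS -ErrorAction SilentlyContinue   # ADFS 2.0: Add-PSSnapin Microsoft.Adfs.PowerShell

$controllerHost = "controller.example.com"   # assumed Controller host

# Offset between this ADFS server and the Controller host, three samples, numbers only.
w32tm /stripchart /computer:$controllerHost /samples:3 /dataonly

# Current tolerance on the relying party trust (0 minutes unless it was changed).
Get-ADFSRelyingPartyTrust -Name "AppDynamics" | Select-Object Name, NotBeforeSkew

# Prefer fixing time synchronization; widen the skew only if that is not possible,
# and keep it as small as the measured offset allows (the article's example uses 3).
Set-ADFSRelyingPartyTrust -TargetName "AppDynamics" -NotBeforeSkew 3
```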

 

Configure AppDynamics SAML Settings for Active Directory Federation Services

Configure SAML settings in the Controller according to SAML Authentication:

  • Set the Login URL to https://adfs.example.com/adfs/ls/.
  • Set the Logout URL to https://adfs.example.com/adfs/ls/?wa=wsignout1.0.
  • Use a text editor to open the certificate you exported from the Active Directory Federation Services management tool. Copy the contents of the certificate and paste it in the SAML Configuration Certificate field.
