SAML for Microsoft Active Directory Federation Services 3.0

You can configure Microsoft Active Directory Federation Services as an SAML authentication provider for the AppDynamics Controller.

 

Note: After upgrading the Controller to v4.5.x, you may encounter an issue where the SAML authentication request fails for accounts that use Active Directory Federation Services (ADFS) SAML. We suggest you configure your ADFS to send the NameID attribute in the SAML assertion.


As a result of the issue mentioned above, you may experience problems logging in via SAML to your Controller. To resolve this, add the NameID as the Outgoing Claim Type in your claim rule following the instructions outlined here: How do I troubleshoot Active Directory Federation Services (ADFS) SAML?

 

Steps

Configure Active Directory Federation Services for AppDynamics

Create a Claim Rule (Multi-Tenant Customers)

Complete the AppDynamics SAML Config

Test with an HTTP Controller Endpoint

Continue HTTP Controller Endpoint Test

 

Configure Active Directory Federation Services for AppDynamics

1. Export the token-signing certificate as a base-64 encoded file.

2. Under Services > Claim Descriptions, add a new "Claim Description" and set both the Display name and Claim type to "Groups."

  • No need to enter 'Claim type', but do enter 'Claim Identifier' (this is also the case with ADFS 2.0).


3. Use "Groups" for the Claim identifier and check both checkboxes (although both may not be necessary).


4. Open the claim after it has been created to show Claim type.


5. On the Identifiers tab, set the Relying party identifier to the Controller URL: https://{appdynamics_controller_url}:{port}/controller

6. Select the Enter data about the relying party manually option in the Wizard.


7. Choose the default AD FS profile for SAML 2.0 support.


8. Skip the Configure Certificate step.


9. Choose the SAML 2.0 WebSSO option with https://<controller fqdn>:<port>/controller/saml-auth (Note: it may be possible to leave it unchecked and add the SAML endpoint later).

 

Note: 8181 is the default on-premises port for SSL; 443 is the default for SaaS.


10. Enter the identifier and click Add.


11. Accept the default I do not want to configure multi-factor…


12. Accept the default Permit all users…


13. On the Endpoints tab, create the following:

  • SAML Assertion Consumer endpoint: https://{appdynamics_controller_url}:{port}/controller/saml-auth
  • SAML Logout endpoint: set the URL to https://{adfs server url}/adfs/ls/?wa=wsignout1.0…

  

14. The SAML Assertion Consumer Endpoint was already created in an earlier step. The Wizard does not offer an option to add endpoints on the Endpoints tab, so click Next.


15. Click Close.

 

16. Exit the Wizard (ignore Edit Claim Rules for now).

 

17. Go to Relying Party Trusts --> AppDynamics Controller, double-click to open Properties, select the Endpoints tab, and click Add SAML.


18. Add the logout URL and click OK.


19. In AppDynamics, create an AppD admin group and add a user (e.g., jholmes@jah.net) to the group.


20. In ADFS, add a Claim Rule. The Claim Rule Type is "Send Group Membership as a Claim." Make sure the role names in the Controller match the Active Directory group names exactly. The Controller automatically maps incoming SAML groups to matching roles.

 

21. From Relying Party Trusts/AppDynamics Controller, select Edit Claim Rules…


22. Then Add Rule for groups.

 

23. The Claim Rule Type is "Send Group Membership as a Claim."


24. The Outgoing Claim Type references the "Groups" type created earlier (it should be the plural "Groups", not the out-of-the-box singular "Group" type).


The Outgoing Claim Type "Groups" is the Name value of the Attribute in AttributeStatement, and the Outgoing Claim Value is the AttributeValue.

 

From the working samlp:Response txt file discussed later in this article:

<AttributeStatement>
    <Attribute
        Name="Groups">
        <AttributeValue>AppDynamicsAdminGroup</AttributeValue>
    </Attribute>
</AttributeStatement>

  

This should also match the SAML Group Attribute Name and the Mapping of Group to Roles/SAML Group in the AppDynamics SAML config that is covered later in this article:

[Screenshot: AppDynamics SAML config showing the SAML Group Attribute Name and the group-to-role mapping]


26. Click Finish and OK.

 

Create a Claim Rule (Multi-Tenant Customers)

Create a claim rule for the relying party to pass the AppDynamics account name: 

 

1. Select the AppDynamics Relying Party Trust --> Edit Claim Rules… --> Add Rule.


2. Select the Custom rule option.


3. Replace customer1 with the Account Name from your Controller License page.


The Type is the Name value of the Attribute in AttributeStatement and Value is the AttributeValue.

 

From the working samlp:Response discussed later in this article:

<Attribute
     Name="accountName"
     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
     <AttributeValue>customer1</AttributeValue>
</Attribute>

 

4. Click Finish and OK.


5. Add another claim rule for user attributes.


6. Create mappings for outgoing claims that will be referenced in AppDynamics SAML config.


The Outgoing Claim Type is the Name value of the Attribute in AttributeStatement.

 

From the working samlp:Response txt file attached to this article:

<Attribute
    Name="userName">
    <AttributeValue>jholmes@jah.net</AttributeValue>
</Attribute>
<Attribute
    Name="displayName">
    <AttributeValue>Jeff Holmes</AttributeValue>
</Attribute>
<Attribute
    Name="emailAddress">
    <AttributeValue>jholmes@jah.net</AttributeValue>
</Attribute>

 

This should also match the 3 SAML Attribute Mappings in the AppDynamics SAML config that is covered later in this article:

[Screenshot: AppDynamics SAML config showing the three SAML Attribute Mappings]

7. Click Finish and OK.


Complete the AppDynamics SAML Config

Follow the steps outlined in our documentation to complete the AppDynamics SAML config: Enabling SAML Authentication. See the screenshots below for context.

 

[Screenshots: AppDynamics SAML configuration page]

 

Test with an HTTP Controller Endpoint 

If necessary, resolve timing issues.


If you have an on-prem Controller, look for an error in the server.log:

 [#|2016-10-31T16:16:53.838-0700|SEVERE|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=160756;_ThreadName=Thread-5;|java.lang.Exception: Timing issues (please check your clock settings) at com.onelogin.saml.Response.isValid(Response.java:148)

  

Configure the time skew for Active Directory Federation Services as directed below:

 

If the system time for the Active Directory server and the Controller machine do not align, you can configure the time skew for Active Directory.

  • To set the time skew, run the following command in PowerShell:

    Set-ADFSRelyingPartyTrust -TargetName AppDynamics -NotBeforeSkew <time_in_minutes>

    For example, run the following command to set the time skew to 3 minutes:

    Set-ADFSRelyingPartyTrust -TargetName AppDynamics -NotBeforeSkew 3

 

Continue HTTP Controller Endpoint Test

On ADFS host:

Set-AdfsRelyingPartyTrust -TargetName "AppDynamics Controller" -NotBeforeSkew 3
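Why -NotBeforeSkew clears the "Timing issues" error, as an added illustration (not the Controller's or OneLogin's code): the receiving side rejects an assertion whose Conditions NotBefore is still in the future by its own clock, and the skew makes ADFS stamp NotBefore that many minutes earlier. The issue time, the 60-minute token lifetime and the two-minute clock offset are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

SAML_TIME = "%Y-%m-%dT%H:%M:%SZ"   # SAML instants are UTC ISO 8601 with a trailing Z

def parse_saml_instant(value):
    return datetime.strptime(value, SAML_TIME).replace(tzinfo=timezone.utc)

def conditions_valid(not_before, not_on_or_after, now):
    """Mirror of the check behind the server.log error above: the assertion is
    usable only while NotBefore <= now < NotOnOrAfter on the Controller's clock."""
    return parse_saml_instant(not_before) <= now < parse_saml_instant(not_on_or_after)

def adfs_conditions(issue_instant, skew_minutes=0, lifetime_minutes=60):
    """Simplified model (assumption) of how ADFS stamps Conditions: NotBefore is the
    issue time moved back by -NotBeforeSkew minutes, NotOnOrAfter is the issue time
    plus the token lifetime. Returns both as SAML timestamp strings."""
    nb = issue_instant - timedelta(minutes=skew_minutes)
    noa = issue_instant + timedelta(minutes=lifetime_minutes)
    return nb.strftime(SAML_TIME), noa.strftime(SAML_TIME)

# Constructed scenario: ADFS issues at 16:16:53Z; the Controller clock is 2 min behind.
ADFS_ISSUE = datetime(2016, 10, 31, 16, 16, 53, tzinfo=timezone.utc)
CONTROLLER_NOW = ADFS_ISSUE - timedelta(minutes=2)

def without_skew():
    nb, noa = adfs_conditions(ADFS_ISSUE)             # NotBefore == issue time
    return conditions_valid(nb, noa, CONTROLLER_NOW)  # False: "Timing issues"

def with_skew():
    nb, noa = adfs_conditions(ADFS_ISSUE, skew_minutes=3)  # NotBefore 3 min earlier
    return conditions_valid(nb, noa, CONTROLLER_NOW)       # True: lag now tolerated
```

The skew only widens the early edge of the window; a Controller clock that runs ahead of ADFS fails on NotOnOrAfter instead and is fixed by NTP, not by this setting.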

 

1. If you're using Chrome, install the SAML DevTools extension 0.6.

 

2. If you're using Firefox, install SAML-tracer.

 

3. Confirm a working sign-on with the Developer Tools window open.


Attached is a working samlp:AuthnRequest and samlp:Response in a txt file based on the above configuration.

 

4. After successful login, a user will automatically be created with SAML Source in AppDynamics.


5. Test the logout process from the Controller.

 

6. Test a user with multiple AD group assignments by creating two AD groups for DB and Server Monitoring admins.

 

7. Add jsmith@jah.net (example) to both groups.

 

8. Create two new Claim Rules, one for AppDDBMonAdmins, one for AppDSvrMonAdmins.

 

9. Add SAML group mapping for each group (SAML Group = Outgoing claim value).

 

10. Click Save.

 

11. The resulting AttributeStatement in the SAML response lists both groups:

<AttributeStatement>
    <Attribute
        Name="accountName"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <AttributeValue>customer1</AttributeValue>
    </Attribute>
    <Attribute
        Name="userName">
        <AttributeValue>jsmith@jah.net</AttributeValue>
    </Attribute>
    <Attribute
        Name="displayName">
        <AttributeValue>John Smith</AttributeValue>
    </Attribute>
    <Attribute
        Name="Groups-Using-Is-Member-Of-DL">
        <AttributeValue>
            CN=AppDDBMonAdmins,
            DC=jah,
            DC=net
        </AttributeValue>
        <AttributeValue>
            CN=AppDSvrMonAdmins,
            DC=jah,
            DC=net
        </AttributeValue>
    </Attribute>
    <Attribute
        Name="Groups">
        <AttributeValue>AppDynamicsSvrMonAdminGroup</AttributeValue>
        <AttributeValue>AppDynamicsDBMonAdminGroup</AttributeValue>
    </Attribute>
</AttributeStatement>
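To see what the Controller has to work with once this response arrives, here is an added example (not AppDynamics or ADFS code) that parses the AttributeStatement above into per-attribute value lists and maps the Groups values to Controller roles by exact name, as the article says the Controller does. The role set, the saml: namespace wrapper and the single-line DN values are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample built from the AttributeStatement in step 11, wrapped in the
# saml: namespace that a real ADFS response carries (DN values joined onto one line).
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="accountName"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>customer1</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="userName">
      <saml:AttributeValue>jsmith@jah.net</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Groups-Using-Is-Member-Of-DL">
      <saml:AttributeValue>CN=AppDDBMonAdmins,DC=jah,DC=net</saml:AttributeValue>
      <saml:AttributeValue>CN=AppDSvrMonAdmins,DC=jah,DC=net</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>AppDynamicsSvrMonAdminGroup</saml:AttributeValue>
      <saml:AttributeValue>AppDynamicsDBMonAdminGroup</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def attribute_statement(assertion_xml):
    """Return {Name: [values...]} for every Attribute in the AttributeStatement.
    Multi-valued attributes (the two Groups values) are kept in document order.
    Run this only on an assertion whose XML signature has already been verified."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter():
        if local_name(attr.tag) != "Attribute":
            continue
        values = [" ".join(v.text.split()) for v in attr
                  if local_name(v.tag) == "AttributeValue" and v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def map_groups_to_roles(attrs, group_attr, controller_roles):
    """Exact, case-sensitive match of each SAML group value against the Controller
    role names (assumed reading of "match exactly"). Returns (matched, unmatched)."""
    groups = attrs.get(group_attr, [])
    matched = [g for g in groups if g in controller_roles]
    return matched, [g for g in groups if g not in controller_roles]
```

Running map_groups_to_roles against "Groups-Using-Is-Member-Of-DL" returns nothing matched, which is why the plain-name "Groups" claim, not the DN-valued one, has to be the attribute named in the Controller's SAML config.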
Version history
Revision #: 17 of 22
Last update: 03-07-2019 01:52 PM

Comments
May we include a callout to include NameID in the MS ADFS setup doc? This will mirror what is called out on docs.appdynamics.com. From the docs: After upgrading the Controller to 4.5.x, you may encounter issues where the SAML authentication request fails for accounts that use ADFS SAML. We suggest you configure your ADFS to send the Name Id attribute in the SAML assertion. You can also create a shared local user and use the local login option to bypass the login issue.

Thanks for the feedback @Blake.Salvador, I've updated the article.