Discussion Feed

You can configure Microsoft Active Directory Federation Services as an SAML authentication provider for the AppDynamics Controller.   Note: After upgrading the Controller to v4.5.x, you may encounter an issue where the SAML authentication request fails for accounts that use Active Directory Federation Services (ADFS) SAML.  We suggest you configure your ADFS to send the NameID attribute in the SAML assertion. As a result of the issue mentioned above, you may experience problems logging in via SAML to your Controller. To resolve this, add the NameID as the Outgoing Claim Type in your claim rule following the instructions outlined here: How do I troubleshoot Active Directory Federation Services (ADFS) SAML?   Steps Configure Active Directory Federation Services for AppDynamics Create a Claim Rule (Multi-Tenant Customers) Complete the AppDynamics SAML Config Test with an HTTP Controller Endpoint Continue HTTP Controller Endpoint Test   Configure Active Directory Federation Services for AppDynamics 1. Export the token-signing certificate as a base-64 encoded file. 2. Under Services > Claim Descriptions, add a new "Claim Description" and set both the Display name and Claim type to "Groups." No need to enter 'Claim type', but do enter 'Claim Identifier' (This is also the case with ADFS 2.0).   3. Use "Groups" for the Claim identifier and check both checkboxes (although both may not be necessary).   4. Open the claim after it has been created to show Claim type.   5. On the Identifiers tab, set the Relying party identifier to the Controller URL: https://{appdynamics_controller_url}:{port}/controller   6. Select the Enter data about the relying party manually option in the Wizard.   7. Choose the default AD FS profile for SAML 2.0 support.   8. Skip the Configure Certificate step.   9. Choose the SAML 2.0 WebSSO option with https://<controller fqdn>:<port>/controller/saml-auth  (Note: It may be possible to leave it unchecked and add SAML endpoint later).   Note: 8181 is the default on premise port for SSL. 443 is the default for SaaS.   10. Enter the identifier and click Add.   11. Accept the default I do not want to configure multi-factor…   12. Accept the default Permit all users…   13. On the Endpoints tab, create the following: SAML Assertion Consumer endpoint: https://{appdynamics_controller_url}:{port}/controller/saml-auth SAML Logout endpoint: Set URL to https://{adfs server url}/adfs/ls/?wa=wsignout1.0…    14. The SAML Assertion Consumer Endpoint was already created in an earlier step. The Wizard does not give an option to add Endpoints on Endpoints tab, so click Next.   15. Click Close.   16. Exit the Wizard (ignore Edit Claim Rules for now).   17. Go to Relying Party Trusts --> AppDynamics Controller Properties, double click to the Endpoints tab, and click Add SAML.   18. Add the logout URL and click OK.   19. In AppDynamics, create an AppD admin group and add a user (e.g., jholmes@jah.net) to the group.   20. In ADFS, add a Claim Rule. The Claim Rule Type is "Send Group Membership as a Claim." Make sure the role names in the Controller match the Active Directory group names exactly. The Controller automatically maps incoming SAML groups to matching roles.   21. From Relying Party Trusts/AppDynamics Controller, select Edit Claim Rules…   22. Then Add Rule for groups.   23. The Claim Rule Type is "Send Group Membership as a Claim."   24. The Outgoing Claim Type references the "Groups" type created earlier (it should be plural "Groups", not the OOTB, singular, ‘Group’ type).   The Outgoing Claim Type "Groups" is the Name value of the Attribute in AttributeStatement, and the Outgoing Claim Value is the AttributeValue.   From the working samlp:Response txt file discussed later in this article : <AttributeStatement> <Attribute Name="Groups"> <AttributeValue>AppDynamicsAdminGroup</AttributeValue> </Attribute>    This should also match the SAML Group Attribute Name and the Mapping of Group to Roles/SAML Group in the AppDynamics SAML config that is covered later in this article:   26. Click Finish and OK.   Create a Claim Rule (Multi-Tenant Customers) Create a claim rule for the relying party to pass the AppDynamics account name:    1. Select the AppDynamics Relying Party Trust --> Edit Claim Rules… --> Add Rule.   2. Select the Custom rule option.   3. Replace customer1 with the Account Name from your Controller License page.   The Type is the Name value of the Attribute in AttributeStatement and Value is the AttributeValue.   From the working samlp:Response  discussed  later in article: <Attribute Name="accountName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <AttributeValue>customer1</AttributeValue> </Attribute>   4. Click Finish and OK.   5. Add another claim rule for user attributes.   6. Create mappings for outgoing claims that will be referenced in AppDynamics SAML config.   The Outgoing Claim Type is the Name value of the Attribute in AttributeStatement.   From the working samlpe:Response txt file attached to this article: <Attribute> Name="userName"> <AttributeValue>jholmes@jah.net</AttributeValue> </Attribute> <Attribute Name="displayName"> <AttributeValue>Jeff Holmes</AttributeValue> </Attribute> <Attribute Name="emailAddress"> <AttributeValue>jholmes@jah.net</AttributeValue> </Attribute>   This should also match the 3 SAML Attribute Mappings in the AppDynamics SAML config that is covered later in this article: 7. Click Finish and OK.   Complete the AppDynamics SAML Config Follow the steps outlined in our documentaiton to complete the AppDynamics SAML config: Enabling SAML Authentication. See the screenshots below for context.       Test with an HTTP Controller Endpoint  If necessary, resolve timing issues.   If you have an on-prem Controller, look for an error in the server.log :  [#|2016-10-31T16:16:53.838-0700|SEVERE|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=160756;_ThreadName=Thread-5;|java.lang.Exception: Timing issues (please check your clock settings) at com.onelogin.saml.Response.isValid(Response.java:148)    Configure the time skew for Active Directory Federation Services as directed below:   If the system time for the Active Directory server and the Controller machine do not align, you can configure the time skew for Active Directory. To set the time skew, run the following command in PowerShell: Set-ADFSRelyingPartyTrust -TargetName AppDynamics -NotBeforeSkew <time_in_minutes> For example, run the following command to set the time skew to 3 minutes: Set-ADFSRelyingPartyTrust -TargetName AppDynamics -NotBeforeSkew 3   Continue HTTP Controller Endpoint Test On ADFS host: Set-AdfsRelyingPartyTrust -TargetName "AppDynamics Controller" -NotBeforeSkew 3   1. If you're using Chrome, install SAML DevTools extension' 0.6   2. If you're using Firefox, install SAML-tracer    3. Working sign-on, with Developer Tools windows open   Attached is a working samlp:AuthnRequest and samlp:Response in a txt file based on the above configuration.   4. After successful login, a user will automatically be created with SAML Source in AppDynamics.   5. Test the logout process from the Controller.   6. Test a user with multiple AD group assignments by creating two AD groups for DB and Server Monitoring admins.   7. Add jsmith@jah.net (example) to both groups.   8. Create two new Claim Rules, one for AppDDBMonAdmins, one for AppDSvrMonAdmins.   9. Add SAML group mapping for each group (SAML Group = Outgoing claim value).   10. Click Save.   11. The resulting AttributeStatement in the SAML response lists both groups: <AttributeStatement> <Attribute Name="accountName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <AttributeValue>customer1</AttributeValue> </Attribute> <Attribute Name="userName"> <AttributeValue>jsmith@jah.net</AttributeValue> </Attribute> <Attribute Name="displayName"> <AttributeValue>John Smith</AttributeValue> </Attribute> <Attribute Name="Groups-Using-Is-Member-Of-DL"> <AttributeValue> CN=AppDDBMonAdmins, DC=jah, DC=net </AttributeValue> <AttributeValue> CN=AppDSvrMonAdmins, DC=jah, DC=net </AttributeValue> </Attribute> <Attribute Name="Groups"> <AttributeValue>AppDynamicsSvrMonAdminGroup</AttributeValue> <AttributeValue>AppDynamicsDBMonAdminGroup</AttributeValue> </Attribute> </AttributeStatement> ... View more