How to Configure SAML 2.0 for Dynatrace

Read this before you enable SAML


Supported Features

The Okta/Dynatrace SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.

Configuration Steps

  1. Log in to Dynatrace.

  2. Click on your account, then select Account settings:

    Click your account, then Account Settings

  3. Before you can configure the domain for which you want to set up SAML, you need to prove ownership of the domain. Go to: Identity Management > Single sign-on. In the Verify domain section, enter the domain, enter your domain (for example, @mycompanyname.com) for which you want set up SAML.

    Single sign on > Add new domain

  4. Click Copy and add the TXT resource record to your domain’s DNS configuration.

  5. Click Verify so that Dynatrace can verify that the record was added to your domain’s DNS. It may take a few minutes for the record to be propagated in the DNS system and the value to become available for Dynatrace to verify.

  6. After successful verification, the domain is listed in Verified domains. Click Add for the verified domain.

    Note: If people in your organization use more than one domain to sign in (for example, @mycompanyname.com and @uk.mycompanyname.com), you can add additional domains using the same procedure: Enter and verify the additional domains to add them to the Verified domains list.

    enter and verify additional domain names

  7. Scroll down to the Upload XML section, then follow the steps below:

    • Identity provider SAML 2.0 XML metadata: Copy and paste the following:

      Sign in to Okta Admin app to have this variable generated for you.
    • Attribute mapping:

      • First name: Enter firstName

      • Last name: Enter lastName

      • Security group claim (optional): Enter role. This field is needed if you want to use SAML authorization. Follow the steps described here

    • Click Validate configuration to verify your settings:

      Map attributes, then validate configuration

    • If validation is successful, Dynatrace will display a confirmation message:

      Validation successful message

    • Close the validation message to return to the Configuration validation page, then click Continue to display a summary of the validated configuration:

      Click continue to display configuration summary

    • On the Enable SSO page, select Enable if you are ready to enable your configuration. Then click Save & continue.

      Note: Don't sign out of Dynatrace yet in case any SSO issues occur.

      Enable Single sign-on, then click Save

  8. [Optional SLO]:

    1. Before you enable SLO you need to get the Dynatrace SLO certificate. Follow the steps below:

      • Save and open in any text editor the following Dynatrace metadata: https://sso.dynatrace.com/sso/metadata

      • Make a copy of the certificate located in the tag <ds:X509Certificate>:

        Make a copy of the certificate located in the tag <ds:X509Certificate>

      • Paste the copied certificate in a text file, between two BEGIN/END CERTIFICATE rows as shown below:

        -----BEGIN CERTIFICATE-----
        << your copied certificate >>
        -----END CERTIFICATE-----
      • Save as slo.cert.

    2. In Okta, select the Sign On tab for the Dynatrace SAML app, then click Edit.

      • Check Enable Single Logout.

      • Signature Certificate Locate and upload the slo.cert file you saved above.

      • Click Save:

      Enable SLO in Okta

    3. Go back to Dynatrace to the Single sign-on page and click Edit for the domain for which SSO is enabled:

      Single sign on page in Dynatrace, click Edit configuration

    4. Now refresh the page of Okta SAML stepup instructions, scroll up to step 7 and notice that the SAML Metadata now includes the SingleLogoutService value:

      Refresh Okta setup instructions for updated metadata

    5. Paste your new Okta Metadata into the corresponding section, click Validate configuration, then save changes:

      paste new metadata into Dynatrace

  9. Optional: Group Attribute Steps: To send groups as a part of SAML assertion, in Okta select the Sign On tab for the Dynatrace app, then click Edit.

    • Select the appropriate filter from the role drop-down menu, then type the preferred value into the field.

    • Click Save.

      Note: To send all groups a user is assigned to, select Matches regex and type .* (dot and asterix).

    Group attribute steps in Okta

  10. Done!


The following SAML attributes are supported:

SP-initiated SSO

  1. Go to: https://sso.dynatrace.com

  2. Enter your E-mail then click Next:

    go to https://sso.dynatrace.com, enter email, click Next