Jim M. asked ·

Is there a way to change SAML authentication to local authentication from a configuration file in Dynatrace?


Radoslaw S. answered ·

1. To get the current configuration:

GET /api/v1.0/onpremise/sso/ssoProvider

Example:

curl -X GET "https://<yourClusterHostname>/api/v1.0/onpremise/sso/ssoProvider?Api-Token=<Api-Token>" -H "accept: application/json"

2. To update config:

POST /api/v1.0/onpremise/sso/ssoProvider

Example:

curl -X POST "https://<yourClusterHostname>/api/v1.0/onpremise/sso/ssoProvider?Api-Token=<Api-Token>" -H "accept: application/json" -H "Content-Type: application/json"

And payload:

{"ssoProvider":"NONE","loginPage":"STANDARD","ssoEnabled":false,"ssoGroupsEnabled":false,"ssoLoginDisabled":true}

That looks promising, however on my system (version 1.168), I'm receiving an HTTP 404 for that API function. I also don't see it listed under the Cluster API page. What version is required for this functionality? This is EXACTLY what I'm looking for so I'm glad it appears that it exists and is coming.

0 Likes 0 · ·

Sorry - misspelling. My answer updated.

0 Likes 0 · ·
Kevin K. Radoslaw S. ♦♦ ·

I didn't catch the v1 versus v1.0. This works perfectly! I can now comfortably move to SSO login knowing that we can revert if needed. Thanks so much.

0 Likes 0 · ·
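
The two-step procedure from Radoslaw S.'s answer above (read the current settings, then POST the payload), as an added example that is not part of the original thread. It assumes `CLUSTER_HOST` and `DT_API_TOKEN` environment variables, that the GET response has the same flat shape as the posted payload, and that the cluster accepts the token in an `Authorization: Api-Token` header (the answer itself passes it in the URL, where it ends up in access logs and shell history).

```bash
#!/usr/bin/env bash
# Added example: back up the SSO settings of a Dynatrace Managed cluster, then
# switch it back to the standard login page and confirm the change.
# Assumed names (not from the thread): CLUSTER_HOST, DT_API_TOKEN.
SSO_PATH="/api/v1.0/onpremise/sso/ssoProvider"   # endpoint from the answer
REVERT_PAYLOAD='{"ssoProvider":"NONE","loginPage":"STANDARD","ssoEnabled":false,"ssoGroupsEnabled":false,"ssoLoginDisabled":true}'

# Succeeds only if every "key":value pair of the revert payload appears in the
# JSON passed as $1 (whitespace-insensitive; flat objects only).
matches_revert() {
  got="$(printf '%s' "$1" | tr -d ' \t\r\n')"
  while IFS= read -r pair; do
    case "$got" in
      *"$pair"*) ;;          # this setting has the expected value
      *) return 1 ;;         # missing or different: revert not in effect
    esac
  done <<EOF
$(printf '%s' "$REVERT_PAYLOAD" | tr -d '{}' | tr ',' '\n')
EOF
  return 0
}

# curl wrapper: the token header is fed through stdin (-K -), so it never
# appears in the URL, the process list or the shell history.
dt_curl() {
  printf 'header = "Authorization: Api-Token %s"\n' "$DT_API_TOKEN" |
    curl -K - --fail --silent --show-error -H "accept: application/json" "$@"
}

revert_to_local_login() {
  url="https://${CLUSTER_HOST}${SSO_PATH}"
  backup="ssoProvider-$(date +%Y%m%dT%H%M%S).json"
  # 1. Keep a copy of the current settings for reference.
  dt_curl -X GET "$url" -o "$backup" || return 1
  # 2. Apply the payload from the answer.
  dt_curl -X POST "$url" -H "Content-Type: application/json" \
    -d "$REVERT_PAYLOAD" >/dev/null || return 1
  # 3. Read the settings back and confirm they now match the payload.
  matches_revert "$(dt_curl -X GET "$url")" ||
    { echo "revert not confirmed, check $url" >&2; return 1; }
  echo "standard login restored; previous settings saved in $backup"
}

# Network calls happen only when invoked as: ./revert-sso.sh --apply
if [ "${1:-}" = "--apply" ]; then revert_to_local_login; fi
```

Store the script and a token with the required scope outside the cluster, since it is only needed when the SSO login itself is unavailable.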
Gerald H. answered ·

Hello, you can disable it with a switch in the UI. Not via config file.

See https://www.dynatrace.com/support/help/how-to-use...

Gerald


So, if something went wrong with SAML, and users are not able to log in to the UI, there isn't a way to switch the authentication back from a config file?

0 Likes 0 · ·

I raised a support ticket for exactly this problem over a month ago but never received a useful answer (case is still open).

0 Likes 0 · ·

Hello, the doc says to use a non-federated user so that you can change it in case something goes wrong.

Gerald

0 Likes 0 · ·

Curiously, how would I be able to log on using a non-federated user if "SSO" was selected in the CMC under "Home > Users > Single sign on settings" (effectively disabling the login mask) and there was a failure with the SAML authentication service?

Besides, I don't see an option for inviting users on our Dynatrace Managed instance (as suggested in the doc). Is this an exclusive SaaS feature?

0 Likes 0 · ·

As the title says - this doc page refers to SaaS.

For Managed you can only use the embedded 'admin' account to bypass SSO, unless you have configured "SSO only". If that is the case, the only option is to use a REST API call to change the authentication method or create a support ticket so we can reset your configuration.

0 Likes 0 · ·
Kevin K. Radoslaw S. ♦♦ ·

Can you share the API call needed to perform this change in authentication method? I'm hesitant to utilize SSO until we have a way to get back into the system if the SAML service is broken. Having an API call to switch it would work.

0 Likes 0 · ·

That would be calling

/api/v1/onpremise/userRepository/authenticationMode

on the Cluster Management API with the following JSON content body in a POST request:

{  "authenticationProvider": "INTERNAL" }

To revert back to SSO you can do the same with:

{  "authenticationProvider": "LDAP" }

HTH

0 Likes 0 · ·
Kevin K. Radoslaw S. ♦♦ ·

So I tried this and it did not work as expected. The issue is actually around the "Select login page". When I change this to SSO only so that the users are directed to SSO, I'm not seeing a way to change this back to a login prompt in case SAML SSO is unavailable. I tried using the API commands above but no matter if it's set to Internal or LDAP, if I had set the login page to use SSO only, it continues to redirect to the SAML provider. Is there a different API call that will allow me to change the Login Page? This is the real crux of my issue.

0 Likes 0 · ·
