We are configuring SSO in SaaS using SAML. All the configuration it's ok but when we have tried to verify configuration we got an error showing "User 'email@example.com' is not in domain 'companydomain.es'". That's right, we have tried to verify the metadata XML configuration with a user included in the company's Active Directory, but the user is a external contractor identified by their own company e-mail address. A user from the company can pass the verification, so we can finish the configuration, but the problem is that most of the SaaS installation' users are from external companies.
So, we need to know before continuing if:
- it is possible to use SSO for users included in company's Active Directory but identified by an external e-mail address once verification process is finished or
- it is needed to do a separate configuration for each e-mail domain but we can continue using the same Active Directory federation or (even more complicated)
- it is needed to do a separate configuration for each e-mail domain and each domain must use their own Identity Provider separate from the others.
Thanks for your answers and sorry for the long explanation.
Answer by Jose C. ·
After a session with DT One (thanks Eric) I can answer my question:
Based on the domain part of your corporate email address, Dynatrace can determine if SAML was configured for that domain and redirect to your company’s IdP for authentication. So, the domain verification is needed (mandadory) for each e-mail address' domain: Verify your ownership of the domain
But we can have the same metadata configuration for several verified domains, as is stated in the FAQ answers: Are multiple domains and subdomains supported for authentication?
SAML progress update for Dynatrace SaaS 3 Answers