stefanie_pachne
Dynatrace Organizer

FAQs / Self-Service Summary

 

Dynatrace customers received a notification to migrate the certificate by February 29, 2024. This page covers frequent issues and questions.

 

Known issues and solutions

I followed the steps, how do I know that I am done?

First, the top bar in Account Management stating that federations need to be migrated should disappear.
Second, the prompt upon login to migrate the certificates should no longer show up either.

Customers using Azure IdP run into issues when enabling signature validation before switching to the new certificate 

We updated the Dynatrace Documentation to state the right order.

For the Azure and Okta IdPs there is no signature verification by default, so it was unclear to customers not (yet) using signature verification what they needed to do.

There is just one obligatory step in that case - tick the checkbox "I'm ready to use new Dynatrace SAML metadata." in Account Management. You're done.

For customers using signature verification, follow the steps in the Dynatrace Doc.

Note: Disabling signature verification is discouraged due to security reasons.

Okta federation was configured using app template from Okta Integration Network

An Okta federation configured from the OIN (Dynatrace Application in Okta) doesn't use signature verification by default; it can be configured only for Single Logout. If the customer didn't configure it, they should just switch to the new cert in Dynatrace by ticking the checkbox "I'm ready to use new Dynatrace SAML metadata" and complete the federation verification process.

We got customer reports that their IdP's certificate does not expire. Do they also need to migrate?

Yes. The Dynatrace certificate used to sign our SAML messages is the one that is updated. So it is not about the certificate used by your IdP to sign your SAML messages.

Is there a need to change configuration or upload metadata in Account Management?

 

No.

What happens if customers do not migrate by the end of February 2024?

SAML message signatures generated by Dynatrace SaaS SSO may not be accepted by the IdPs, causing the federation (Single Sign-On configuration) to stop working and effectively making the users unable to log in to the environments starting Feb 29 15:13:30 2024 GMT.

Note: Disabling signature verification would guarantee continuity of operation but is discouraged due to security reasons.

Post March 1st: What do I need to do if I cannot log in anymore because I missed the migration?

Follow the Dynatrace Documentation: have a fallback admin log in to your tenant without using SAML.

Alternatives:

  1. Temporarily disable signature verification (or the certificate validity time check, if possible) in your IdP to allow processing of SAML requests signed with an expired certificate, then log in to Dynatrace and complete the certificate migration.
  2. If temporarily disabling signature verification is also not possible, you can update the Dynatrace certificate in your IdP and ask support to turn on new certificate usage for your Dynatrace tenant.

Am I affected as a Managed customer?

Managed is not affected.

At the validation step I get "All certificates from SAML Metadata are expired or not yet valid" error, but my metadata didn't change.

The signing certificate inside the IdP metadata has expired since you set up the SAML configuration. The metadata is always validated at the beginning of the verification process.

To solve this, you need to rotate the signing certificate on your IdP side, save (or copy) the updated IdP metadata and upload it to your federation configuration in Dynatrace.
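To find out whether a metadata file would trip this check before you upload it, the following added example (not Dynatrace code) extracts every certificate from an IdP metadata file and tests its expiry with the openssl CLI. The function names, the sample metadata and its entity ID are constructed for illustration; the script checks expiry only, not the "not yet valid" case.

```sh
# Added example (not Dynatrace code); needs the openssl CLI.
# check_metadata_certs FILE [DAYS]: one status line per <X509Certificate> in FILE;
# returns 1 if any is unparseable, expired, or expires within DAYS (default 0).
check_metadata_certs() {
  file=$1; days=${2:-0}; rc=0
  # Drop whitespace so wrapped base64 is one token, then take each element
  # body regardless of namespace prefix (ds:, none, ...).
  certs=$(tr -d ' \t\r\n' < "$file" |
    grep -oE '<([A-Za-z0-9]+:)?X509Certificate>[^<]+' | sed 's/.*>//')
  [ -n "$certs" ] || { echo "NO CERTIFICATES FOUND"; return 1; }
  for b64 in $certs; do
    pem=$(printf '%s\n' '-----BEGIN CERTIFICATE-----'
          printf '%s\n' "$b64" | fold -w 64
          printf '%s\n' '-----END CERTIFICATE-----')
    if ! end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null); then
      echo "UNPARSEABLE certificate"; rc=1; continue
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend $((days * 86400)) >/dev/null; then
      echo "OK      $end"
    else
      echo "EXPIRES $end"; rc=1
    fi
  done
  return $rc
}

# make_sample_metadata FILE: writes CONSTRUCTED metadata holding a freshly
# generated self-signed certificate that is valid for one day (sample data).
make_sample_metadata() {
  tmp=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=idp.example' \
    -keyout "$tmp/key.pem" -outform DER -out "$tmp/cert.der" 2>/dev/null || return 1
  cat > "$1" <<EOF
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example/constructed">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>$(openssl base64 -in "$tmp/cert.der")</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
EOF
  rm -rf "$tmp"
}

meta=$(mktemp) && make_sample_metadata "$meta" &&
  { check_metadata_certs "$meta" 30 || echo "Rotate the IdP signing certificate, then re-upload the metadata."; }
```

Against your own export, call `check_metadata_certs path/to/metadata.xml 30` to flag certificates that are expired or expire within 30 days.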

 

If the federation does not work after switching to the new certificate, please submit a Support ticket.

Version history
Last update:
‎14 Mar 2024 11:04 AM