Map SAML Group to Splunk AppDynamics Roles - On-Premises

This page describes how to configure Security Assertion Markup Language (SAML) attributes to role mapping and the SAML group attribute value mapping options in your Splunk AppDynamicson-premises environment.

If the identity assertion from the SAML provider includes group names that correspond to Splunk AppDynamics roles, you can configure mappings between those group names and the roles. The SAML Group Mappings settings in SAML Configuration > Authentication Provider control the mappings.

Note: You cannot manually assign roles to SAML users. You can only configure mappings between groups and roles.

Configure SAML Attribute to Role Mapping

To configure the SAML attribute to role mapping:

In the Name SAML groups-Membership SAML Group Attribute Name field, enter the SAML Group Attribute Name field.

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Groups-Membership">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
{group1};{group2}
</saml:AttributeValue>
</saml:Attribute>

Use the Group Attribute Value and Mapping of Group to Roles settings to describe the structure of the SAML group attribute from which Splunk AppDynamics needs to extract the group value and the roles associated with those values. The Controller can extract Group Attribute values based on the following options:
- Singchoicesar Group Values—the response contains an AttributeValue element with a single group-mapping value.
- Mchoicestiple Nested Group Values—the response contains more than one AttributeValue element, each with a single group-mapping value.
- Singchoicesar Delimited Group Value—the response contains one AttributeValue element with multiple, delimiter-separated group-mapping values.
- Regex on Singchoicesar Group Value—the response contains a single AttributeValue element from which you want to extract the group-mapping value with a regchoicesar expression.
If the group attribute value returns in LDAP format, select the Value is in LDAP Format checkbox. For example: when OU=AppDynamics-Users is enabled, only AppDynamics-Users maps to the SAML Group name.

SAML Group Mappings

Singular Group Values

Select Singular Group Value if the SAML group attribute contains a single group.

<saml:AttributeStatement>
<saml:Attribute Name="Groups-Membership" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Admin</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>

For this example, Splunk AppDynamics would extract the value Admin

SAML Singular Group Mapping

Multiple Nested Group Values

When you select this option, Splunk AppDynamics expects multiple AttributeValue

<saml:Attribute Name="Groups-Membership" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">_Admin_</saml:AttributeValue>
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">_DBManager_</saml:AttributeValue>
</saml:Attribute>

Splunk AppDynamics would extract _Admin_ _DBManager_ _Admin_ _DBManager_

SAML Multiple Group Mapping

Singular Delimited Group Value

When you select this option, Splunk AppDynamics expects a single AttributeValue

<saml:Attribute Name="Groups-Membership" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Admin;DB-Manager</saml:AttributeValue>
</saml:Attribute>

Specify the delimiter that separates the values to extract, such as a semi-colon.

In this sample configuration, the user would get the Splunk AppDynamics roles that associate with both the Admin and DB-Manager groups, such as the Dashboard Viewer, User, and DB Monitoring Administrator.

SAML Delimited Group Mapping

Regex on Singular Group Value

Choose this option to have Splunk AppDynamics extract group mapping values using a regular expression. Regular expressions enable you to pull group values from unstructured contexts, such as from within a larger string.

<saml:AttributeStatement>
<saml:Attribute Name="Groups-Membership" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">User memberships in _Admin_ and _DBManager_ groups.</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>

In this example, the group names _Admin_ _DBManager_ AttributeValue _[a-zA-Z]_ _Admin_ _DBManager_

SAML Regex Group Mapping

Documentation