基本的な SaaS SAML 認証の設定
このページでは、基本的な SAML 認証の設定のガイドラインについて説明します。
Configure SAML Authentication for the Identity Provider
You can configure an identity provider to enable single sign-on access to the Splunk AppDynamics Controller Tenant using the SAML 2.0 protocol. Refer to your identity provider documentation for detailed configuration instructions.
SAML Settings for the Identity Provider
Your identity provider requires the following information about your Splunk AppDynamics Controller Tenant for the SAML settings. The <controller_domain>
| Setting | Description |
|---|---|
| Audience URI (Service Provider Entity ID) | The unique identifier for use in the SAML assertion. In most cases, it is the Service Provider Entity ID, unless the Service Provider decides to use a different identifier.
|
| Single Sign-On URL(Assertion Consumer URL) | The Splunk AppDynamics endpoint to service SAML Authentication. You must specify your Splunk AppDynamicsaccount name with the query string parameter accountName
|
SAML Attributes for the Identity Provider (Recommended)
You set the attributes with your identity provider that map to SAML users in your Splunk AppDynamics account. When the attributes are set, the user information displays on the Controller Tenant UI, such as the username and email. Changes to these attributes on the IdP will update the mapped SAML attributes on the Splunk AppDynamics Controller Tenant when the user successfully logs in.
This table shows how IdP example attributes map to the Username Attribute,Display Name Attribute, and the Email Attribute settings of the Controller Tenant:
| Example Attribute Name | Example Attribute Values | Description |
|---|---|---|
| Username Attribute | User.loginName | Unique identifier for the user in the SAML response. This value corresponds to the Splunk AppDynamics username If you do not map a username, Splunk AppDynamics obtains the username NameId emailaddress |
| Display Name Attribute | User.fullName | Informal name for the user corresponding to the Splunk AppDynamics Name |
| Email Attribute | User.email | User's email address, corresponding to Splunk AppDynamics email |
Configure SAML Authentication from the Controller Tenant
To configure SAML authentication from the Controller Tenant:
Configure SAML Authentication- Navigate to your Controller Tenant.
- Click Settings
> Administration. - Click the Authentication Provider tab and select SAML.
- From , enter these SAML configuration settings:
Login URL: The SAML Login URL where the Controller Tenant routes Service Provider (SP)-initiated login requests. This login URL is required.
Logout URL: The URL where the Controller Tenant redirects users after they log out. If you do not specify a logout URL, users will get the Splunk AppDynamics login screen when they log out.
Certificate: The X.509 certificate from your identity provider configuration. Paste the certificate between the BEGIN CERTIFICATE and END CERTIFICATE delimiters. Avoid duplicating BEGIN CERTIFICATE and END CERTIFICATE delimiters from the source certificate itself.
- From SAML Attribute Mappings, you can specify how the Splunk AppDynamics Controller Tenant identifies SAML-authenticated users:
- Username Attribute: Unique identifier for the user in the SAML response. This value corresponds to the Splunk AppDynamics
usernamefield, so the value must be unique among all SAML users in the Controller Tenant account. Given the sample response below, the value for this setting would beUser.OpenIDName. - Display Name Attribute: The informal name for the user corresponding to the Splunk AppDynamics Name field. Given the sample response, this value would be
User.fullName. - Email Attribute: The user email address corresponding to the Splunk AppDynamics email field. Given the sample response, this value would be
User.email.
- Username Attribute: Unique identifier for the user in the SAML response. This value corresponds to the Splunk AppDynamics
- From SAML Group Mappings, you can map SAML-authenticated users to one of the Controller Tenant roles:
- Default Role: If a user identity assertion has no SAML group attribute, the SAML default role applies to the authenticated user upon the first login. As you cannot remove the default role, recommendations are to provide minimum permissions. An Splunk AppDynamics administrator can verify and adjust the roles for users manually in Splunk AppDynamics once those users have accounts.
- SAML Group: You can map SAML group membership attributes to roles in Splunk AppDynamics. Using this method, each time the user authenticates, the Controller Tenant checks the SAML assertion and updates the role assignment as necessary.
- Internal Group: If a SAML-authenticated user has the same username as an Splunk AppDynamics internal user account and the SAML assertion does not contain mapped SAML group attributes, the Controller Tenant gives the user the roles for the internal Splunk AppDynamics account.
- 注: Instead of mapping SAML attributes to roles, you can also assign users to a default role with the permissions you specify:To use default permissions, edit the Default Permissions settings in the SAML Group Mappings list.
- In the Default Group Mapping dialog, choose the Splunk AppDynamics roles to apply to all authenticated users.
SAML 認証設定の確認
SAML 認証が正しく設定されていることを確認する最善の方法は、Splunk AppDynamics コントローラテナントにログインすることです。
この手順では、サービスプロバイダー(コントローラテナント)の SAML フローを示し、SAML 要求と応答について説明します。IdP から SAML フローを開始することもできます。
- Splunk AppDynamics コントローラテナントに移動します。サードパーティの IdP サービスの [Login] ダイアログが表示されます。
- [Login] をクリックします。システムによって IdP にリダイレクトされます。
- ログイン情報を入力して送信します。IdP によって Splunk AppDynamics コントローラテナントにリダイレクトされます。
ユーザーアカウントにマッピングするように SAML 属性を設定した場合は、[Settings] > [My Preferences] でユーザー情報を確認できます。
デフォルトのロールがユーザーに適用されるようにデフォルトの権限を設定した場合は、[Settings] > [Administration] で情報を確認できます。