This documentation assumes that you already have a SAML Identity Provider up and running.
Configuring SAML (Security Assertion Markup Language) for your Datadog account lets you and all your teammates log in to Datadog using the credentials stored in your organization’s Active Directory, LDAP, or other identity store that has been configured with a SAML Identity Provider.
Note: If you don’t have SAML enabled on your Datadog account, reach out to support to enable it.
Here’s a two-minute video walkthrough:
This brings you to the SAML Single Sign On Configuration page:
Upload the IdP Metadata from your SAML Identity provider by clicking the Choose File button.
After choosing the file, click Upload File.
Download Datadog’s Service Provider metadata to configure your IdP to recognize Datadog as a Service Provider.
After you upload the IdP Meta-data and configure your IdP, enable SAML in Datadog by clicking the Enable button.
Once SAML is configured in Datadog and your IdP is set up to accept requests from Datadog, users can log in by using the Single Sign-on URL shown in the Status box at the top of the SAML Configuration page.
The Single Sign-on URL is also displayed on the Team page. Loading this URL initiates a SAML authentication against your IdP. Note: This URL isn’t displayed until SAML is enabled for your account.
Note: If you want to configure SAML for a multi-org, see the multi-org documentation.
Users with the Access Management permission can assign or remove Datadog roles based on a user’s SAML-assigned attributes:
Go to Teams and click the Mappings tab.
Click the New Mapping button.
Specify the SAML identity provider key-value pair that you want to associate with an existing Datadog role (either default or custom). Note that these entries are case-sensitive.
For example, if you want all users whose
member_of attribute has a value of
Development to be assigned to a custom Datadog role called
If you have not already done so, enable mappings by clicking Enable Mappings.
When a user logs in who has the specified identity provider attribute, they will automatically be assigned the Datadog role. Likewise, if someone has that identity provider attribute removed, they will also lose access to the role (unless another mapping adds it).
You can make changes to a mapping by clicking the pencil icon, or remove it by clicking the garbage icon. These actions affect only the mapping, not the identity provider attributes or the Datadog roles.
Alternatively, you can create and change mappings of SAML attributes to Datadog roles by using the
authn_mappings endpoint. See Federated Authentication to Role Mapping API for more information.
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddressfor the format of the NameIDPolicy in assertion requests.
Attributes may be included with the Assertion. Datadog looks for 3 Attributes in the AttributeStatement:
Datadog expects that Attributes use the URI NameFormat
urn:oasis:names:tc:SAML:2.0:attrname-format:uri or the Basic NameFormat
urn:oasis:names:tc:SAML:2.0:attrname-format:basic. The name used for each attribute depends on the NameFormat that your IdP uses.
If your IdP is configured to use the URI NameFormat
urn:oid:220.127.116.11.4.1.5918.104.22.168.6as the name of the attribute.
urn:oid:22.214.171.124as the name of the attribute.
urn:oid:126.96.36.199as the name of the attribute.
If your IdP is configured to use the Basic NameFormat
urn:mace:dir:attribute-def:eduPersonPrincipalNameas the name of the attribute.
urn:mace:dir:attribute-def:snas the name of the attribute.
urn:mace:dir:attribute-def:givenNameas the name of the attribute.
If eduPersonPrincipalName exists in the AttributeStatement, the value of this attribute is used for the username. If eduPersonPrincipalName is not included in the AttributeStatement, the username is taken from the NameID in the Subject. The NameID must use the Format
If sn and givenName are provided, they are used to update the user’s name in their Datadog profile.
For more information about configuring specific IdP’s, refer to the following documentation:
The following features can be enabled through the SAML Configuration dialog.
With JIT provisioning, a user is created within Datadog the first time they try to log in. This eliminates the need for administrators to manually create user accounts one at a time. The invitation email is not sent in this case.
Some organizations might not want to invite all of their users to Datadog. If you would like to make changes to how SAML works for your account, contact Datadog support. It is up to the organization to configure their IdP to not send assertions to Datadog if they don’t want a particular user to access Datadog.
Administrators can set the default role for new JIT users. The default role is Standard, but you can choose to add new JIT users as Read-Only or even Administrators.
When the Datadog URL is loaded, the browser is redirected to the customer IdP where the user enters their credentials, then the IdP redirects back to Datadog. Some IdPs have the ability to send an assertion directly to Datadog without first getting an AuthnRequest (IdP Initiated Login).
After enabling the IdP Initiated Login feature (and waiting for caches to clear), you need to get a new version of the SP Metadata. Your new SP Metadata contains a different, organization-specific AssertionConsumerService endpoint to send assertions to.
If you do not use the updated SP Metadata, Datadog is not able to associate the assertion with your organization and displays an error page with a message that the SAML response is missing the “InResponseTo” attribute.
With SAML strict mode enabled, all users must log in with SAML. An existing username/password or Google OAuth login does not work. This ensures that all users with access to Datadog must have valid credentials in your company’s identity provider/directory service to access your Datadog account.
Additional helpful documentation, links, and articles: