Configuring Microsoft Active Directory Federation Services as a SAML IdP

The Datadog SAML integration for SSO provides an easy pathway for linking an organization to an external user management system so that credentials can be kept and managed in a central system.

This article is an add-on to the main guide for this integration (linked below) and focuses on some extra steps that may be required when connecting Datadog to ADFS.

Single Sign On With SAML (main doc)

The following steps should be followed when configuring this with ADFS.

Open the ADFS management console. This can be done from Server Manager as shown below:

Click the button on the right for Add a Relying Party Trust.

This opens a wizard for the trust with a welcome screen describing the feature. Review the description and click Start to begin.

Import the Datadog SAML Metadata file.

The file requires a login to access it, so it is easiest to download it and then import it by file rather than directly via the URL shown in the import options below. (Be aware that opening and/or renaming the downloaded file may change its file type, which can cause XML parsing errors at the next step.)

Click Browse to select the downloaded metadata file then Next.

Provide a display name for the Trust (“Datadog” or something similar is recommended) and click Next.

Multi-factor Authentication is not supported at this time. Leave the selection default and click Next.

Permit access to all users and click Next.

Note: Access can be controlled through Datadog by inviting only specific users to your Organization from within the application's Team page.

Review the trust to ensure the appropriate endpoint is configured and click Next.

Finish by clicking Close. This saves the trust definition and opens the claims window, where you may add a couple of recommended Claim Rules.

We recommend two Claim Rules for brokering the SAML assertions. They can be added by first clicking the Add Rule button.

The first rule is an LDAP Attributes rule that ensures the required information is passed between the two systems. Configure the rule as shown below and click OK to save. (Make sure to use three separate LDAP attribute fields for E-Mail-Addresses, Given-Name, and Surname; otherwise some of the relevant information may later show up as “None”.)

The second rule is a Transform rule. Datadog specifies urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress as the Format of the NameIDPolicy in its assertion requests, whereas ADFS natively expects these as a Name ID claim, so the email address must be transformed into a Name ID.

Select Transform an Incoming Claim from the drop-down and click Next to continue.

Input the configuration as shown below and click Finish.

Save the new claim rules by clicking OK.
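
The same relying party trust and both claim rules can also be created from the ADFS PowerShell module rather than the management console. This is an added example, not from the original article; it assumes the ADFS role is installed, that the Datadog metadata file was saved to C:\Temp\datadog-metadata.xml, and that Datadog expects the standard E-Mail Address, Given Name and Surname outgoing claim types.

```powershell
# Added example (not from the original article): ADFS relying party trust for
# Datadog built with the ADFS PowerShell module instead of the wizard.
# Assumptions: ADFS role installed; metadata file path and claim types as below.
Import-Module ADFS

$metadataFile = 'C:\Temp\datadog-metadata.xml'   # assumed download location
$trustName    = 'Datadog'

# Rule 1: LDAP attributes rule. Three separate attributes (mail, givenName, sn)
# are queried so that none of the fields comes through as "None" later.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Datadog LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Rule 2: transform the E-Mail Address claim into a Name ID claim carrying the
# urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress format Datadog requests.
$transformRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "E-mail address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization rule equivalent to the wizard's "Permit all users".
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Create the trust from the downloaded metadata file; MFA settings are left at
# their defaults, matching the wizard steps above.
Add-AdfsRelyingPartyTrust -Name $trustName -MetadataFile $metadataFile `
    -IssuanceTransformRules ($ldapRule + "`n" + $transformRule) `
    -IssuanceAuthorizationRules $permitAll

# Verify: the trust exists, carries the SAML endpoint from the metadata, and
# both transform rules are attached.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules
```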

Finally, download the ADFS identity provider metadata from the ADFS server and import it into the SAML configuration page of your Datadog Organization.

This file can be downloaded from the following URL (replace hostname with the public DNS hostname of your ADFS server): https://hostname/FederationMetadata/2007-06/FederationMetadata.xml

Import into your Datadog Organization from the SAML configuration page as shown below:

That’s it! Once SAML is configured, users can log in by using the link provided in the SAML configuration page.

Keep in mind that users still need to be invited and activated before they’re able to log in. Be sure to invite new users using the email address that corresponds to their Active Directory user record; otherwise they may be denied as shown below.

In most setups the user’s email address is user@domain, but Microsoft does not enforce this. You can confirm the email address stored in the user record as shown below.

For any questions or help with this, reach out to the Datadog support team!