Follow these steps to configure Azure AD as a SAML identity provider (IdP) within Datadog. Note: An Azure AD premium subscription is required.
Open the Azure portal and sign in as a global administrator or co-admin.
Navigate to Azure Active Directory -> Enterprise applications -> New application.
Scroll down to the Add from the gallery section and type Datadog in the search box.
Select Datadog from the results panel.
Enter the name of your application in the Name textbox and click Add.
Once your application is added, go to Single sign-on from the application’s left-side navigation menu.
On the Select a single sign-on method page, click on SAML.
Retrieve your Service Provider Entity ID and Assertion Consumer Service URL from the Datadog SAML page. The default values are:
|Service Provider Entity ID|
|Assertion Consumer Service URL|
In Azure, add the values retrieved above and click save:
Service Provider Entity ID to Identifier
Assertion Consumer Service URL to Reply URL
Set the User Identifier to user.mail and click save.
Go to SAML Signing Certificate section and check that your Notification Email is correct. When the active signing certificate approaches its expiration date, notifications are sent to this email address with instructions on how to update the certificate.
In the same SAML Signing Certificate section, find Federation Metadata XML and select Download to download the metadata file, which contains the signing certificate, and save it.
Go to the Datadog SAML page.
Choose and upload the SAML XML Metadata file downloaded from Azure.
You should see the messages SAML is ready and Valid IdP metadata installed.
Click Enable to start using Azure AD single sign-on with SAML.
If you are using SSO with a Datadog button or link, a sign-on URL is required:
Retrieve your Single Sign-on URL from the Datadog SAML page.
In Azure, navigate to the SSO Configuration section of your Azure Application, check Show advanced URL settings, and add your single sign-on URL.