Configuring Single Sign-On With SAML

Overview

This page covers how to enable single sign-on (SSO) with SAML in Datadog, as well as how enterprise customers can enable multiple SAML identity providers (IdPs).

Notes:

  • If you don’t have SAML enabled on your Datadog account, reach out to support to enable it.
  • This documentation assumes that you already have a SAML Identity Provider (IdP). If you do not have a SAML IdP, there are several IdPs that have integrations with Datadog such as Active Directory, Auth0, Google, LastPass, Microsoft Entra ID, Okta, and SafeNet.
  • SAML configuration requires Datadog Administrator access, or the Org Management permission if you’re using custom roles.

Configuring SAML

  1. To begin configuration, see your IdP’s documentation:

  2. Download Datadog’s Service Provider metadata to configure your IdP to recognize Datadog as a Service Provider.

  3. In Datadog, hover over your username in the bottom left corner and select Organization Settings. Select Login Methods and click Configure under SAML.

  4. Click Add SAML.

  5. In the configuration modal:

    • Create a user-friendly name for this SAML provider. The name appears to end users when they choose a login method.
    • Upload the IdP metadata from your SAML identity provider by clicking browse files or dragging and dropping the XML metadata file onto the modal.
      The IdP metadata must contain ASCII characters only.
    Configure SAML by uploading your IdP metadata

  6. Click Save.

Note: To configure SAML for a multi-org, see Managing Multiple-Organization Accounts.

Configuring multiple SAML providers

Enterprise customers can have multiple SAML configurations per organization (up to three at the same time). This feature simplifies identity management across complex environments, such as during IdP changes, mergers, or contractor onboarding.

To configure additional SAML providers:

  1. Navigate to Organization Settings > Login Methods. Under SAML, click Update, then Add SAML.

  2. In the configuration modal:

    • Create a user-friendly name for this SAML provider. The name appears to end users when they choose a login method.
      All users can see and access all configured IdPs; there is no way to assign specific user groups to specific configurations. Setting clear and descriptive names for each provider helps users select the appropriate IdP during login. Also note that there is no way to set a default configuration.
    • Upload the IdP metadata from your SAML identity provider by clicking browse files or dragging and dropping the XML metadata file onto the modal.

  3. Click Save.

Role mapping with multiple SAML providers

If you use SAML role mapping or team mapping and want to use the same mappings in any additional providers you add, make sure the attributes in the new IdP(s) match what is defined in your mappings. If you add a new IdP, make sure to either use the same attribute names as your existing IdP, or add new mappings that align with the new IdP’s attributes to ensure roles and teams are assigned correctly when users log in with different IdPs.