This guide assumes that you already have a SAML Identity Provider up and running.
Configuring SAML (Security Assertion Markup Language) for your Datadog account will let you and all your teammates log in to Datadog using the credentials stored in your organization’s Active Directory, LDAP, or other identity store that has been configured with a SAML Identity Provider.
If you are a Datadog Admin, there is a “Configure SAML” option in the drop down menu that is accessed by clicking on your username in the upper right corner of the Datadog web page.
That brings you to the “SAML Single Sign On Configuration” page where you can:
Upload the IdP Metadata from your SAML Identity provider by clicking the “Choose File” button.
After you’ve chosen the file, click “Upload File”.
Datadog’s Service Provider metadata can be found here. You can use this SP Metadata to configure your IdP to recognize Datadog as a Service Provider.
After you upload the IdP Metadata and configure your IdP, you will need up enable SAML in Datadog by clicking the Enable button. Once SAML is configured in Datadog and your IdP is set up to accept requests from Datadog, users can log in by using the Single Sign On URL that is shown in the Status box at the top of the SAML Configuration page. The Single Sign On URL will also be displayed on the Team page. Loading this URL will initiate a SAML authentication against your IdP. Please note that the URL will not be displayed until SAML is enabled for your account.
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddressfor the Format of the NameIDPolicy in Assertion Requests.
urn:oasis:names:tc:SAML:2.0:attrname-format:basic. The name used for each attribute will depend on the NameFormat that your IdP uses.
urn:oid:22.214.171.124.4.1.59126.96.36.199.6as the Name of the Attribute
urn:oid:188.8.131.52as the Name of the Attribute
urn:oid:184.108.40.206as the Name of the Attribute
urn:mace:dir:attribute-def:eduPersonPrincipalNameas the Name of the Attribute
urn:mace:dir:attribute-def:snas the Name of the Attribute
urn:mace:dir:attribute-def:givenNameas the Name of the Attribute
For more information about configuring specific IdP’s, refer to the following Knowledge Base articles:
The following features can be enabled through the SAML Configuration dialog.
Normally users must be invited to Datadog, even for organizations with SAML enabled. If a user that has not been invited to Datadog logs in via an Org’s IdP, the SAML assertion will be validated, but they will be redirected to a SAML Error page.
Some organizations might not want to have to invite all of their users to Datadog. If you would like to make changes to how SAML works for your account, contact support. It is up to the organization to configure their IdP to not send assertions to Datadog if they don’t want a particular user to access Datadog.
Admins in accounts using SAML can also set the default role for new Just-in-Time users. The default role is currently Standard, but you can choose to add new JIT users as Read-Only or even Admin.
The normal workflow is that when the Datadog url is loaded, the browser is redirected to the customer IdP, user types in credentials, then the IdP redirects back to Datadog. Some IdPs have the ability to send an assertion directly to Datadog without first getting an AuthnRequest (IdP Initiated Login).
In the normal setup, we won’t know which org the assertion came from and this will result in an error page with a message saying that SAML Response is missing “InResponseTo” attribute.
After enabling the feature (and waiting for caches to clear) the customer will need to get a new version of the SP Metadata, which will have a different, org-specific AssertionConsumerService endpoint to send assertions to.