Documentation for AppOptics

SAML 2.0 Integration

SolarWinds AppOptics, Pingdom and Papertrail products now support SAML 2.0 integration. SAML (Security Assertion Markup Language) is an industry standard used to provide single sign-on (SSO) by authenticating against a particular identity provider (IdP). Users can log into their Active Directory domain or intranet and have immediate access to these SolarWinds APM products without an additional login.

When SSO is enabled, organization members must authenticate against the IdP. The exception is the organization owner, who can also log in with a service account.

Configure SAML

The SAML configuration page is only available to the organization owner. They can access it from any of the individual Application Management products via the Security menu option.

To create a SAML configuration:

  1. Enter the three URLs displayed in the SSO Service URLs section into your Identity Provider (IdP).
  2. Enter the following information from the Identity Provider into this screen:

    • Issuer (Entity ID)
    • SAML URL
    • Single Logout URL (optional)
    • Identity Provider Certificate
  3. Save the configuration.
  4. Once the configuration has been saved, the organization owner can enable SAML integration for the organization (using the "switch" in the upper right corner), which will log out all organization members, except the organization owner.
  5. Organization members can now log in (and authenticate) either via the IdP or via the dedicated SSO login screen, which is reached from the standard login screen (see The SSO login screen below).

For a member to be able to use IdP-initiated login, set the NameID attribute to the user.email value. The member must be known to the provider and exist in Papertrail, Pingdom, or AppOptics.

From this page, the organization owner can then:

  • Edit or remove SAML configuration
  • Disable and re-enable SAML integration using the "switch" in the upper right corner

If SAML integration is disabled, organization members (except the organization owner and users who were in the organization before SAML was enabled) should use their original password to log in through their product-specific logins.

The organization owner can invite new Application Management users known to the IdP into the SAML-enabled organization. Note that existing users cannot be invited.

This feature does not support the following:

  • Integrating an organization with a SAML IdP where one or more members are also members of another organization
  • Inviting an organization member if that member is already a member of another organization
  • Enabling SAML integration for additional organizations authenticated against one IdP

The SSO login screen

The SSO Login screen for each Application Management product is accessed from the standard login screen.

To log in, only the organization member's email address is required.

Differences between Identity providers

Please note that SSO configuration can vary between Identity Providers. The following list provides links to the appropriate IdP documentation:

OneLogin

https://support.templafy.com/hc/en-us/articles/115005026225-How-to-setup-SSO-with-OneLogin-SAML-

Azure

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications

Okta

https://www.okta.com/products/single-sign-on/

https://developer.okta.com/docs/guides/build-sso-integration/saml2/create-your-app/

LastPass Enterprise

https://support.logmeininc.com/lastpass/help/add-lastpass-sso-apps

Ping Identity PingOne

https://docs.pingidentity.com/bundle/pingone/page/rjt1564020492343.html

Keycloak

https://docs.axway.com/bundle/B2Bi_25_AdministratorsGuide_allOS_en_HTML5/page/Content/User_admin/SSO/sso_keycloak_saml_conf.htm

https://www.keycloak.org/docs/6.0/server_admin/#_saml

miniOrange

https://idp.miniorange.com/setup-single-sign-on-for-saml-apps/