SolarWinds AppOptics, Pingdom, and Papertrail products support single sign-on via SAML 2.0 integration. SAML (Security Assertion Markup Language) is an industry standard used to provide single sign-on (SSO) by authenticating against a particular identity provider (IdP). Users can log into their Active Directory domain or intranet and have immediate access to these SolarWinds products without an additional login.
When SSO is enabled, organization members must authenticate against the IdP, unless the user account is identified as a service account. Service accounts are allowed to log in with a separate username and password. See Set up service accounts.
The SAML configuration page is only available to the organization owner and can be
Use the three SolarWinds URLs when configuring your Identity Provider (IdP) for integration with SolarWinds Application Management products.
Find the following information from the Identity Provider and enter it in the fields provided:
Issuer (Entity ID)
Single Logout URL (optional)
Identity Provider X.509 certificate, provided in a PEM format with a proper prefix and suffix. See example below.
Save the configuration.
Click the toggle on the right side of the SAML pane to enable SAML integration for the organization. All organization members except the owner will be logged out of AppOptics.
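The certificate field expects a single PEM block with its prefix and suffix lines intact. The following check is an added example, not SolarWinds code: it verifies that framing, rejects a pasted private key, confirms the decoded DER length matches its header, and returns a SHA-256 fingerprint for comparison with whatever fingerprint your IdP displays (fingerprint comparison is an assumption, the steps above do not mention it). The sample input is a constructed placeholder, not a real certificate, and all function names are hypothetical.

```python
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def sha256_fingerprint(der):
    """Colon-separated hex SHA-256 of the DER bytes."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def outer_sequence_ok(der):
    """True if der is one DER SEQUENCE whose declared length equals the bytes present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_idp_certificate(pem_text):
    """Return (ok, detail): the fingerprint on success, otherwise the problem found."""
    text = pem_text.strip()
    if "PRIVATE KEY-----" in text:
        return False, "contains a private key; only the public certificate belongs here"
    if not text.startswith(BEGIN):
        return False, "missing prefix line " + BEGIN
    if not text.endswith(END):
        return False, "missing suffix line " + END
    if text.count("-----BEGIN ") != 1:
        return False, "more than one PEM block pasted"
    try:
        der = base64.b64decode("".join(text[len(BEGIN):-len(END)].split()), validate=True)
    except ValueError:
        return False, "body between prefix and suffix is not valid base64"
    if not outer_sequence_ok(der):
        return False, "decoded length does not match the DER header (truncated or padded paste)"
    return True, sha256_fingerprint(der)

# Constructed placeholder: a DER SEQUENCE wrapping 300 zero bytes, NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(300)
b64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = "\n".join([BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [END])

if __name__ == "__main__":
    print(check_idp_certificate(SAMPLE_PEM))
```

This is a structural check only: it does not parse the certificate fields, check expiry, or validate a signature.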
Organization members can log in either via the IdP or the dedicated login screen that is available from the login screen (see Log in with SSO credentials).
For a member to be able to use IdP-initiated login, set the NameID attribute to the user.email value. The member must be known to the provider and exist in Papertrail, Pingdom, or AppOptics.
SSO configuration can vary between Identity Providers. The following list provides links to the appropriate IdP documentation:
- Okta: Reference1, Reference2
- LastPass Enterprise
- Ping Identity PingOne
Additional SAML integration information
If SAML integration is disabled, legacy users (those who existed in the organization before SAML was enabled) should use their original password to log into the product. Users added after the integration will have to perform a password reset.
The organization owner can invite new Application Management users known to the IdP into the SAML-enabled organization or use role mapping to grant immediate access to all users in an IdP user group.
Role mapping allows you to define organization and product roles based on the account's IdP group membership. Members added to an IdP group will automatically gain access to any organization or product role mapped to that group. If a new user is added to a mapped IdP user group, a SolarWinds Unified Login account will be created for the user automatically.
Once role mapping is turned on, the user's product and organization roles will be updated to match the roles assigned via Role Mapping and permissions can only be changed in SAML settings.
Product or organization roles previously set on a per-user basis will not be restored if role mapping is disabled.
To map roles to group memberships, select the Role Mapping tab and click Enable Role Mapping.
To map an organization
The organization owner role cannot be defined via role mapping.
When role mapping is enabled or disabled, all organization members except the owner will be logged out of AppOptics.
Additional role mapping information
Every time an organization member logs into AppOptics, the organization's IdP is accessed and read.
If an IdP group is mapped to multiple product or organization roles, the role with the most access will be used for that group.
With service accounts, users can log in to AppOptics with either their SAML login or their SolarWinds Unified Login account's username and password. Organization owner accounts are automatically included as service accounts.
To define a user account as a service account and allow the user options for how they log in, click the Service Accounts tab and type the user's email address in the Accounts field or select the user from the dropdown.
Once all service accounts are defined, click Save.
Click Log in with Single Sign On from the AppOptics login page, enter your organization email address, and click Log in with Single Sign On. If you are not already logged into your identity provider, you will be prompted to log in with your identity provider first.
When the APM Integrated Experience is enabled, AppOptics shares a common navigation and enhanced feature set with the other integrated experiences' products. How you navigate AppOptics and access its features may vary from these instructions. For more information, go to the APM Integrated Experience documentation.