Datadog

Setting up MIRACL Trust SSO as an Identity Provider within Datadog

These instructions are up-to-date at the time of writing, but you should refer back to the Datadog page on SAML IdP access to check for any changes. We cannot guarantee the accuracy of our SP-specific guidance.

  1. Log in to Datadog (as administrator).

  2. Click on your username at the top right of the screen and select Configure SAML from the drop-down.
    The ‘SAML Single Sign On Configuration’ page is displayed.

  3. Locate the MIRACL Trust metadata document. You should have downloaded this from the endpoint http://<yourssoip>/metadata and saved it as an .xml file.

  4. Upload it by clicking the Choose File button, browsing to the MIRACL Trust metadata document, then clicking the Upload File button.

  5. Authorize SAML in Datadog by clicking on the Enable button.

  6. The ‘Single Sign-on URL’ is shown in the status box at the top of the SAML Configuration page.

[Screenshot: saml_enabled]

Enabling IdP-initiated login within Datadog

To enable IdP-initiated login (i.e. http://<yourssoip>/login/datadog), go to the ‘Additional Features’ section of the Datadog admin page and tick the relevant box:

[Screenshot: Datadog_IdPInitiatedLoginEnable]

After enabling the feature (and waiting for caches to clear), you will need to download a new version of the SP metadata, which will contain a different, org-specific AssertionConsumerService endpoint to which assertions are sent:

[Screenshot: Datadog_AssertionURLs]

Configuring your Datadog Service Provider profile with MIRACL Trust SSO

  1. Edit /etc/miracl-sso/service_providers/datadog.yaml:
profile:
  attribute:
    datadog: >-
      <AttributeStatement>{{ if not (eq .SessionUserEmail "")}}
        <Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <AttributeValue xmlns:XMLSchema-instance="http://www.w3.org/2001/XMLSchema-instance" XMLSchema-instance:type="xs:string">{{.SessionUserEmail}}</AttributeValue>
        </Attribute>
        <Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <AttributeValue xmlns:XMLSchema-instance="http://www.w3.org/2001/XMLSchema-instance" XMLSchema-instance:type="xs:string">{{.SessionUserEmail}}</AttributeValue>
        </Attribute>
        <Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <AttributeValue xmlns:XMLSchema-instance="http://www.w3.org/2001/XMLSchema-instance" XMLSchema-instance:type="xs:string">{{.SessionUserEmail}}</AttributeValue>
        </Attribute>{{end}}
      </AttributeStatement>
sp:
  datadog:
    description: Datadog
    relay_state: ""
    login_url: https://app.datadoghq.com/account/login/id/12345678
    logout_url: https://app.datadoghq.com/account/logout
    idp_initiated_acs_index: 1  # index="1" in the SP metadata: the org-specific ACS endpoint
    metadata: >-
      <!-- insert downloaded SP metadata here -->
    sign_response: false
    sign_assertion: true
    encrypt_assertion: true
    authorize:
    - - email: ^[^@]+@example.com$
    profile:
      nameid: email
      attribute: datadog
  2. Note that the sp name (here datadog) is used to build your IdP-initiated login URL, i.e. https://<yourssoip>/login/datadog.

  3. Note that the logout_url is the standard SP URL which Datadog makes available for SAML IdPs to use.

The login_url should be set to match what was issued in the Datadog admin UI:

[Screenshot: Datadog_SSO_URL]

  4. The Datadog SP metadata is available from https://app.datadoghq.com/account/saml/metadata.xml and should be pasted into the metadata field above.

The downloaded metadata file must be converted to a single line, for example with the following command (the substitution is quoted so the shell does not word-split or glob-expand the XML):

printf '\n%s\n' "$(tr -d '\n' < metadata.xml)"

The contents will then be output in the terminal in a format that can be pasted into the metadata field.

Note that, if you are using JSON format for your config file, the downloaded metadata should be saved as an .xml file and converted to a single line with the " characters escaped as \" to satisfy JSON string syntax (any backslash in the metadata would likewise need escaping as \\). This can be achieved by running the following command on the downloaded metadata.xml file:

printf '\n%s\n' "$(tr -d '\n' < metadata.xml | sed 's/"/\\"/g')"

The contents will then be output in the terminal in a format that can be pasted into the metadata field of a JSON file.

  5. For IdP-initiated login (i.e. https://<yourssoip>/login/datadog) to work, note that the downloaded Datadog metadata offers two AssertionConsumerService endpoints. Inspecting the metadata shows the following indexed values:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://app.datadoghq.com/account/saml/assertion/id/7b1af572f" index="1"/>

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://app.datadoghq.com/account/saml/assertion" index="2"/>

The parameter setting idp_initiated_acs_index: 1 above ensures that the correct one of these, the org-specific endpoint with index="1", is chosen.
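As an added example (not part of the MIRACL Trust or Datadog documentation), the following Python reads an SP metadata document, lists its AssertionConsumerService endpoints to find the org-specific index to put in idp_initiated_acs_index, and produces the one-line JSON-escaped form of the metadata described above. The sample metadata is constructed here and its org id is a placeholder.

```python
import json
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
GENERIC_ACS = "https://app.datadoghq.com/account/saml/assertion"

# Constructed sample shaped like the Datadog SP metadata; ORG_ID_PLACEHOLDER
# stands in for the real org-specific id and is not a Datadog value.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.datadoghq.com/account/saml/metadata.xml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.datadoghq.com/account/saml/assertion/id/ORG_ID_PLACEHOLDER" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.datadoghq.com/account/saml/assertion" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def acs_endpoints(metadata_xml):
    """Return sorted [(index, binding, location)] for every AssertionConsumerService."""
    root = ET.fromstring(metadata_xml)
    return sorted((int(acs.get("index")), acs.get("Binding"), acs.get("Location"))
                  for acs in root.iter("{%s}AssertionConsumerService" % MD_NS))

def org_specific_acs_index(metadata_xml):
    """SAML index to use for idp_initiated_acs_index: the single HTTP-POST endpoint
    whose Location is not the shared /account/saml/assertion URL. Raises if the
    metadata does not contain exactly one such endpoint (e.g. IdP-initiated login
    was not enabled in Datadog before the metadata was downloaded)."""
    candidates = [idx for idx, binding, loc in acs_endpoints(metadata_xml)
                  if binding == HTTP_POST and loc != GENERIC_ACS]
    if len(candidates) != 1:
        raise ValueError("expected one org-specific ACS endpoint, found %r" % candidates)
    return candidates[0]

def metadata_for_json_field(metadata_xml):
    """One-line form with JSON escaping applied (quotes, as the page's sed does,
    plus backslashes and control characters), without the surrounding quotes."""
    return json.dumps(metadata_xml.replace("\n", ""))[1:-1]

def escaped_metadata_round_trips(metadata_xml):
    """Decode the escaped field as a JSON string and confirm it is still the same metadata."""
    decoded = json.loads('"' + metadata_for_json_field(metadata_xml) + '"')
    return acs_endpoints(decoded) == acs_endpoints(metadata_xml)
```

Run org_specific_acs_index on the metadata you actually downloaded; a ValueError means the org-specific endpoint is missing and IdP-initiated login has not yet been enabled on the Datadog side.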

  6. In the authorize subsection, you can control which users are allowed to attempt login by using one or both of the following:
  • Reference an LDAP setup from an ldap.yaml file stored in /etc/miracl-sso/integrations.
  • Configure a list of regular expressions for email addresses/domains. The config above shows how email: ^[^@]+@example.com$ restricts login to users from a single email domain.

Note that if this is not set correctly, you will receive ‘unauthorized user’ messages.

For more detailed information on using LDAP and regular expressions to control authorized users, please see the LDAP and authorization menu section.
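As an added example (not MIRACL Trust code), the Python below checks addresses against the authorize pattern used in the datadog.yaml above and shows the one caveat worth knowing about it: the unescaped dot in example.com also accepts lookalike domains such as example-com, which the escaped form example\.com does not. It assumes an address is authorized when one pattern in the list matches the whole address; the MIRACL Trust matching semantics are not described on this page.

```python
import re

# The pattern from the datadog.yaml example above, and a variant with the dot escaped.
PAGE_PATTERN = r"^[^@]+@example.com$"
STRICT_PATTERN = r"^[^@]+@example\.com$"

def is_authorized(email, patterns):
    """Assumption: an address is allowed when any pattern matches it in full."""
    return any(re.fullmatch(p, email) for p in patterns)

def lookalike_leaks(pattern, domain="example.com"):
    """Domains that differ from `domain` only at the position of its dot and that
    `pattern` still accepts; empty when the dot is escaped. Probe characters are
    constructed for the check."""
    leaks = []
    for ch in "x-_0":
        candidate = domain.replace(".", ch)
        if is_authorized("user@" + candidate, [pattern]):
            leaks.append(candidate)
    return leaks
```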

  7. Save and close the file.

  8. In your /etc/miracl-sso/config.yaml file, make sure you add datadog.yaml to the list of ‘includes’:

includes:
  - core.yaml

# service providers
  - service_providers/datadog.yaml
  9. As always after config changes, restart the server: sudo service miracl-sso restart

  10. You can now visit e.g. https://app.datadoghq.com/account/login/id/12345678 to test SP-initiated login, or https://<yourssoip>/login/datadog to test IdP-initiated login.

  11. Now that your service is configured, you can visit https://<yourssoip>/login/datadog or https://<yourssoip>/services to log in to the service using IdP-initiated login, or visit the Datadog login page, where SP-initiated login will be triggered automatically.