content/en/account_management/authn_mapping/_index.md (6 additions & 3 deletions)
@@ -14,6 +14,8 @@ If you are using Federated Authentication mechanisms, this API allows you to aut
14
14
15
15
**Note**: If you are a SAML user, and you have been using the existing beta Federated Mapping mechanism (`roles_v2_saml`), Datadog strongly recommends that you transition to using this API.
16
16
17
+
You can also create and manage mappings in the Datadog app UI, on the **Mappings** tab in User Management. See [Mapping SAML attributes to Datadog roles][1] for more information.
18
+
17
19
## Requests
18
20
19
21
{{< site-region region="us" >}}
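Review bot: the added sentence introduces a `[1]` reference (`[Mapping SAML attributes to Datadog roles][1]`), and the later hunks in this file renumber the existing Role API link from `[1]` to `[2]`, but the reference definition block at the foot of the file is not part of this diff; confirm that a `[1]:` definition pointing at the SAML mapping section was added and that every other definition shifted by one, otherwise both links render as literal bracketed text.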
@@ -43,7 +45,7 @@ Create a new AuthN Mapping from a JSON body. Returns the newly created AuthN Map
43
45
44
46
***`role["data"]["id"]`**[*required*, no default]:
45
47
The `ID` of the Role to map to. The Roles API can be used to create and manage Datadog roles, what global permissions they grant, and which users belong to them.
46
-
**Note**: This attribute should be presented as part of a `role` relationship block in requests. See the example below for more details. When you create a Role, it is assigned an ID. For more information about finding the `ID` for the role you want to map to, see the [Role API documentation][1].
48
+
**Note**: This attribute should be presented as part of a `role` relationship block in requests. See the example below for more details. When you create a Role, it is assigned an ID. For more information about finding the `ID` for the role you want to map to, see the [Role API documentation][2].
47
49
***`attributes["attribute_key"]`**[*required*, no default]:
48
50
The `attribute_key` is the key portion of a key/value pair that represents an attribute sent from your Identity Provider. You can define these for your own use case. For example, `attribute_key` could be `member-of` and the `attribute_value` could be `Development`.
49
51
***`attributes["attribute_value"]`**[*required*, no default]:
@@ -420,7 +422,7 @@ Updates the AuthN Mapping `role`, `saml_assertion_attribute_id`, or both from a
420
422
Replace `{authn_mapping_id}` with the ID of the AuthN Mapping you want to update. This is required in both the path of the request and the body of the request.
The `ID` of the Role to map to. The Roles API can be used to create and manage Datadog roles, what global permissions they grant, and which users belong to them.
423
-
**Note**: This attribute should be presented as part of a `role` relationship block in requests. See the example below for more details. When you create a Role, it is assigned an ID. For more information about finding the `ID` for the role you want to map to, see the [Role API documentation][1].
425
+
**Note**: This attribute should be presented as part of a `role` relationship block in requests. See the example below for more details. When you create a Role, it is assigned an ID. For more information about finding the `ID` for the role you want to map to, see the [Role API documentation][2].
The `attribute_key` is the key portion of a key/value pair that represents an attribute sent from your Identity Provider. You can define these for your own use case. For example, `attribute_key` could be `member-of` and the `attribute_value` could be `Development`.
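Review bot: the same **Note** paragraph about the `role` relationship block is kept verbatim in both the create section and the update section, so this one-digit renumbering had to be applied in two places; consider keeping the text in a single shared snippet or having the update section refer back to the create section, so the next reference change cannot leave the two copies pointing at different definitions.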
content/en/account_management/rbac/_index.md (16 additions & 10 deletions)
@@ -17,27 +17,32 @@ further_reading:
17
17
- link: '/account_management/rbac/permissions'
18
18
tag: 'Documentation'
19
19
text: 'Discover the list of permissions available.'
20
+
- link: '/account_management/saml/'
21
+
tag: 'Documentation'
22
+
text: 'Enable single sign on with SAML'
20
23
---
21
24
22
25
Roles categorize users and define what account permissions those users have, such as what data they can read or what account assets they can modify. By default, Datadog offers three roles, and you can create [custom roles](#custom-roles) so you can define a better mapping between your users and their permissions.
23
26
24
27
By granting permissions to roles, any user who is associated with that role receives that permission. When users are associated with multiple roles, they receive all the permissions granted to each of their roles. The more roles a user is associated with, the more access they have within a Datadog account.
25
28
29
+
**Note** If you use a SAML identity provider, you can integrate it with Datadog for authentication, and you can map identity attributes to Datadog default and custom roles. For more information, see [Single Sign On With SAML][1].
|**Datadog Admin Role**| Users have access to billing information and the ability to revoke API keys. They can manage users and configure [read-only dashboards][1]. They can also promote standard users to administrators. |
31
-
|**Datadog Standard Role**| Users are allowed to view and modify all monitoring features that Datadog offers, such as [dashboards][1], [monitors][2], [events][3], and [notebooks][4]. Standard users can also invite other users to organizations. |
32
-
|**Datadog Read Only Role**| Users do not have access to edit within Datadog. This comes in handy when you'd like to share specific read-only views with a client, or when a member of one business unit needs to share a [dashboard][1] with someone outside their unit. |
35
+
|**Datadog Admin Role**| Users have access to billing information and the ability to revoke API keys. They can manage users and configure [read-only dashboards][2]. They can also promote standard users to administrators. |
36
+
|**Datadog Standard Role**| Users are allowed to view and modify all monitoring features that Datadog offers, such as [dashboards][2], [monitors][3], [events][4], and [notebooks][5]. Standard users can also invite other users to organizations. |
37
+
|**Datadog Read Only Role**| Users do not have access to edit within Datadog. This comes in handy when you'd like to share specific read-only views with a client, or when a member of one business unit needs to share a [dashboard][2] with someone outside their unit. |
33
38
34
39
## Custom Roles
35
40
36
41
<divclass="alert alert-warning">
37
42
Creating and modifying custom roles is an Enterprise feature and is in private beta. <ahref="/help">Contact Datadog support</a> to get it enabled for your account.
38
43
</div>
39
44
40
-
Manage your custom roles through the Datadog application, the [Datadog Role API][5], or SAML directly. Find below how to create, update, delete a role. See the [Datadog Role permissions][6] documentation for more information about available permissions.
45
+
Manage your custom roles through the Datadog application, the [Datadog Role API][6], or SAML directly. Find below how to create, update, delete a role. See the [Datadog Role permissions][7] documentation for more information about available permissions.
41
46
42
47
### Create a custom role
43
48
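Review bot: the added paragraph reads `**Note** If you use a SAML identity provider ...` without the colon that the other notes in these files use (`**Note**:`); add the colon for consistency. The shift of the table links from `[1]`-`[4]` to `[2]`-`[5]` and of the Role API and permissions links to `[6]` and `[7]` is consistent with the new `[1]` SAML reference, but the definition list is outside the hunk and should be checked against the new numbering.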
@@ -133,9 +138,10 @@ Find an example of how to delete a Role in the [Datadog Create Role API document
content/en/account_management/saml/_index.md (39 additions & 14 deletions)
@@ -45,6 +45,30 @@ The Single Sign-on URL is also displayed on the [Team page][6]. Loading this URL
45
45
46
46
**Note**: If you want to configure SAML for a multi-org, see the [multi-org documentation][7].
47
47
48
+
## Mapping SAML attributes to Datadog roles
49
+
50
+
You can assign or remove Datadog roles based on a user's SAML-assigned attributes:
51
+
52
+
1. Go to Account Management and click the Mappings tab.
53
+
54
+
2. Click the **New Mapping** button.
55
+
56
+
3. Specify the SAML identity provider key-value pair that you want to associate with an existing Datadog role (either default or custom). For example, if you want all users whose `member_of` attribute has a value of `Development` to be assigned to a custom Datadog role called `Devs`:
57
+
58
+
{{< img src="account_management/saml/create_mapping.png" alt="Creating a SAML mapping to Datadog Role" >}}
59
+
60
+
4. If you have not already done so, enable mappings by clicking **Enable Mappings**.
61
+
62
+
When a user logs in who has the specified identity provider attribute, they will automatically be assigned the Datadog role. Likewise, if someone has that identity provider attribute removed, they will also lose access to the role (unless another mapping adds it).
63
+
64
+
<divclass="alert alert-warning">
65
+
Important: If a user does _not_ match any mapping, they lose any roles they had previously, and are prevented from logging into the org with SAML. Double-check your mapping definitions.
66
+
</div>
67
+
68
+
You can make changes to a mapping by clicking the pencil icon, or remove it by clicking the garbage icon. These actions affect only the mapping, not the identity provider attributes or the Datadog roles.
69
+
70
+
Alternatively, you can create and change mappings of SAML attributes to Datadog roles by using the `authn_mappings` endpoint. See [Federated Authentication to Role Mapping API][8] for more information.
71
+
48
72
## Datadog Service Provider Details
49
73
50
74
* Datadog supports the **HTTP-POST** binding for **SAML2**:
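Review bot: the warning that a user who matches no mapping loses all previous roles and is prevented from logging in with SAML should state its scope more precisely: as written it is not clear whether this applies before or only after **Enable Mappings** in step 4, and the procedure should tell the reader to create and verify a mapping that covers their own administrator accounts before enabling mappings, since the behaviour described can otherwise lock every administrator out of the org. The example attribute key is also spelled `member_of` here but `member-of` in `authn_mapping/_index.md`; pick one spelling so the UI and API documentation agree.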
@@ -84,13 +108,13 @@ If **sn** and **givenName** are provided, they are used to update the user's nam
84
108
85
109
For more information about configuring specific IdP's, refer to the following documentation:
86
110
87
-
*[Active Directory][8]
88
-
*[Auth0][9]
89
-
*[Azure][10]
90
-
*[Google][11]
91
-
*[NoPassword][12]
92
-
*[Okta][13]
93
-
*[SafeNet][14]
111
+
*[Active Directory][9]
112
+
*[Auth0][10]
113
+
*[Azure][11]
114
+
*[Google][12]
115
+
*[NoPassword][13]
116
+
*[Okta][14]
117
+
*[SafeNet][15]
94
118
95
119
## Additional Features
96
120
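Review bot: the shift of the IdP links from `[8]`-`[14]` to `[9]`-`[15]` matches the new `[8]` reference to the `authn_mappings` API added in the previous hunk. The unchanged context line above the list reads "configuring specific IdP's"; since this hunk already touches the list, the stray possessive apostrophe could be corrected to "IdPs" in the same change.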
@@ -129,10 +153,11 @@ With SAML Strict mode enabled, all users must log in with SAML. An existing user