Learn how to enable SAML SSO with Datadog and PingOne
To enable SSO within Datadog, you must have an administrator account.
This is a tested integration.
- Sign on to your PingOne SSO admin account and go to and click the + icon.
- On the New Application page, click Advanced Configuration, and on the SAML line, click Configure.
On the Create App Profile page, enter the following:
- Application Name
- Optional: Description
- Optional: Icon
- Click Next.
- On the corresponding Configure SAML Connection page, click Manually Enter to begin configuring Datadog with PingOne.
- In a new tab, sign on to your Datadog admin account. In the lower left-hand corner, click your account name and then Configure SAML. This page contains the information you need for the next step.
In PingOne, enter the following information for the required fields:
The ACS URL(s) of the application.
You can find this on the Datadog admin console under Assertion Consumer Service URL.
The Entity ID of the application. from the
You can find this on the Datadog admin console under Service Provider Entity ID.
- Update the SUBJECT NAMEID FORMAT to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
- Enter the Assertion Validity Duration (in seconds), for example, 3600.
- Configure the remaining options as needed.
- Click Save and Continue.
On the Attribute Mapping page, enter the following:
- Outgoing value: User ID = Application Attribute: saml_subject (required).
- Outgoing value: Family Name = Application Attribute: sn
- Outgoing value: Given Name = Application Attribute: givenName
- Outgoing value: Username = Application Attribute: eduPersonPrincipalName
- Click Save and Close.
You can add additional attributes to control roles. See the Datadog documentation for more information.
- On the newly-created application, click the Configuration tab and click Download Metadata.
- In your Datadog account, click Choose File, upload the IdP metadata that you downloaded in the previous step, and click Upload File.
- After uploading the IdP metadata and configuring your IdP, click Enable to enable SAML and finalize the configuration.
If you're leveraging this integration for an IdP-initiated sign on, in the
Additional Features section of Datadog, make sure to
select the Identity Provider (IdP) Initiated Login check
The setup is now complete.
Before you test the integration, you must create and assign identities in
If you've already assigned identities and groups in PingOne, go to step 14.
- In PingOne, go to and click the + icon next to Groups.
On the Create New Group page, enter values for:
- Group Name (Required)
- Description (Optional)
- Population (Optional)
- Click Finish & Save.
- To add identities to the group, on the Identities tab, go to .
On the Add User page, enter all the necessary information for a user.
Verify the first name, last name, USER ID, and USERNAME are correct, as these are values passed in the SAML assertion.
- Click Save.
Assign the user that you created to the group that you created previously. Locate the user you created and:
- Expand the section for the user.
- Select the Groups tab.
- Click + Add.
- In the Available Groups section, select the group that you created and click the + icon to add it to the user’s group memberships. Click Save.
On the Connections tab, for the Datadog
- Click the Access tab
- Click the Pencil icon to edit the configuration
Select the group that you created and add it to the Applied Groups section. Click Save.
You’re now ready to test the integration.
- In the PingOne admin console, go to .
- Right-click on the Application Portal URL and open it in a private browser session.
Sign on as the test user that you created and click the Datadog tile.
You’re signed on to the user’s Datadog account using SSO and testing is complete.
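When a test sign-on fails, comparing a captured assertion with the values configured above usually locates the mismatch. The following is an added example, not part of the original documentation or of either vendor's code: it checks a constructed sample assertion for the emailAddress NameID format, the ACS URL, the Entity ID, the validity duration, and the mapped attributes. The function name check_assertion, the SAMPLE assertion, and the sp.example.test URLs are assumptions; substitute the values shown in your Datadog admin console.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = {"sn", "givenName", "eduPersonPrincipalName"}
TS = "%Y-%m-%dT%H:%M:%SZ"  # assumption: timestamps without fractional seconds

# Constructed sample assertion; the ACS URL and Entity ID are placeholders.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test.user@example.test</saml:NameID>
    <saml:SubjectConfirmation><saml:SubjectConfirmationData
        Recipient="https://sp.example.test/acs" NotOnOrAfter="2024-01-01T13:00:00Z"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.test/entity</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="sn"><saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="eduPersonPrincipalName"><saml:AttributeValue>tuser</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, acs_url, entity_id, max_validity=3600):
    """List mismatches with the configured values. Does NOT verify the signature."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID format is not emailAddress")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match the ACS URL")
    audiences = {a.text for a in root.iterfind(".//saml:Audience", NS)}
    if entity_id not in audiences:
        problems.append("Audience does not contain the SP Entity ID")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        problems.append("Conditions has no NotOnOrAfter")
    else:
        lifetime = datetime.strptime(cond.get("NotOnOrAfter"), TS) - datetime.strptime(root.get("IssueInstant"), TS)
        if lifetime.total_seconds() > max_validity:
            problems.append("assertion lifetime exceeds configured validity")
    names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    problems += ["missing attribute: " + n for n in sorted(REQUIRED_ATTRS - names)]
    return problems
```

An empty list means the assertion matches the configuration. This is a configuration check only; it does not replace the signature validation the service provider performs.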