IdP Group Mapping

Introduction

You can set up Instana to automatically provision users into specific Instana groups based on the attributes that are set for them in your Identity Provider (IdP). This significantly reduces your user management overhead. Manual user and group management remains available even while an IdP mapping configuration is active. However, we recommend migrating all group assignments to IdP mapping rules so that user and group management is centralized in your IdP. For details on how IdP mapping rules interact with traditional RBAC, see the section Implementation Details.

Prerequisites

To make this work, you first need to configure Instana authentication to use SAML, OIDC, or LDAP. After you set up Instana to delegate authentication to your IdP, you need to know exactly which attributes (claims) your IdP sends for your users, for example in the SAML assertion, because a successful mapping depends on entering the correct assertion key and value. Attribute names and values must match what the IdP actually sends, so use the built-in browser developer tools or a browser extension to capture and inspect the assertion during a login.
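To illustrate this check, here is an added Python example (not Instana code) that decodes a constructed SAMLResponse form parameter and lists the attributes and values in its assertion, which is exactly the key/value information a mapping rule needs. The sample assertion, the attribute names Department and groups, and the helper names are made up for the example; the SAML 2.0 namespace URIs are the real ones.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Real SAML 2.0 namespaces; the prefixes are only used for the lookups below.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned sample response for illustration only (not a captured assertion).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="Department">
        <saml2:AttributeValue>SRE</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="groups">
        <saml2:AttributeValue>platform-admins</saml2:AttributeValue>
        <saml2:AttributeValue>oncall</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</samlp:Response>"""

# The browser posts the response as a base64-encoded form field named SAMLResponse.
SAMPLE_SAML_RESPONSE_PARAM = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode("ascii")


def decode_saml_response(param: str) -> str:
    """Turn the SAMLResponse form value back into XML text."""
    return base64.b64decode(param).decode("utf-8")


def extract_assertion_attributes(xml_text: str) -> Dict[str, List[str]]:
    """Return {attribute name: [values]} for every Attribute in the AttributeStatement.

    Only for inspecting your own assertions: it does not validate the signature,
    audience or time conditions, so never use it to make an access decision.
    """
    root = ET.fromstring(xml_text)
    attributes: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        name = attr.get("Name")
        if name is None:
            continue
        values = [v.text.strip() for v in attr.findall("saml2:AttributeValue", NS) if v.text]
        attributes.setdefault(name, []).extend(values)
    return attributes


def subject_name_id(xml_text: str) -> Optional[str]:
    """Return the NameID of the assertion subject, if present."""
    node = ET.fromstring(xml_text).find(".//saml2:Subject/saml2:NameID", NS)
    return node.text.strip() if node is not None and node.text else None


if __name__ == "__main__":
    xml_text = decode_saml_response(SAMPLE_SAML_RESPONSE_PARAM)
    print("subject:", subject_name_id(xml_text))
    for name, values in extract_assertion_attributes(xml_text).items():
        # Each printed pair is a candidate key/value for a mapping rule.
        print(f"{name} = {values}")
```

Note that the attribute name is the Name attribute of the Attribute element (here Department), not its FriendlyName, and that a multi-valued attribute such as groups carries one AttributeValue per value; a mapping rule needs the exact string the IdP sends.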

Mapping Rules

A mapping rule defines which SAML assertion attribute is mapped to which Instana group. You can use the same assertion attribute for multiple Instana groups. All you need to do is identify the attributes in the SAML assertion that are to be mapped to existing Instana groups.

IdP Mapping Rules In Instana

A mapping rule consists of a key, a value, and an Instana group. The key and value refer to the SAML attribute and the attribute value that you map from. For example, to map every user whose "Department" attribute has the value "SRE" to the Instana Owner group, enter Department as the key, SRE as the value, and select the Owner group.

Deny Access

Selecting the Deny Access checkbox shown in the screenshot above locks your tenant: only users who have at least one matching mapping rule applied during the login process are allowed access.

Important: It's recommended to select the checkbox only after you have configured mapping rules for your admins and successfully validated your configuration.

Implementation Details

Groups assigned by your configured mapping rules are treated slightly differently from groups assigned manually. The core difference is that a user's IdP-assigned groups are recomputed on every login, so a user loses any group whose mapping rule no longer applies. Having both IdP mapping rules and traditional Instana RBAC enabled works under the following rules:

  • If the checkbox to deny access is not selected, users who match no mapping rule are put into the Default group. If such a user is already a manual member of the Default group, the assignment is converted into an IdP group assignment, meaning the user can lose this group during a future login if the mapping has been edited or no longer applies.

  • Once you select the checkbox to deny access, users with no applicable mapping rule can no longer log in. Even users with existing RBAC group assignments are locked out. Select the checkbox only after you have configured mapping rules for your admins and verified that they can log in successfully.
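As an added example (not Instana's implementation), the following Python models the rules described above: key/value matching against the assertion attributes, the same attribute feeding several groups, IdP-assigned groups recomputed on every login while manual RBAC assignments are kept, the Default fallback with conversion of a manual Default membership, and the lock-out when Deny Access is set. The group names, the rules, the user records, and the assumption that values are compared exactly (case-sensitive) are all assumptions of the example; the page does not specify the comparison.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

DEFAULT_GROUP = "Default"  # assumed name of the fallback group


@dataclass(frozen=True)
class MappingRule:
    key: str    # assertion attribute name, e.g. "Department"
    value: str  # attribute value that must be present, e.g. "SRE"
    group: str  # Instana group assigned when the rule matches


@dataclass
class UserState:
    """Group memberships of one user, split by how they were assigned."""
    manual_groups: Set[str] = field(default_factory=set)  # traditional RBAC assignments
    idp_groups: Set[str] = field(default_factory=set)     # assigned by rules at the last login


class AccessDenied(Exception):
    """Raised when Deny Access is set and no mapping rule applies."""


def matching_groups(attributes: Dict[str, List[str]], rules: List[MappingRule]) -> Set[str]:
    """Groups whose rule matches; the same attribute may feed several groups.

    Assumption: exact, case-sensitive comparison against any value of a
    multi-valued attribute.
    """
    return {r.group for r in rules if r.value in attributes.get(r.key, [])}


def apply_login(user: UserState, attributes: Dict[str, List[str]],
                rules: List[MappingRule], deny_access: bool) -> UserState:
    """Recompute the user's IdP-assigned groups for this login and return the user."""
    matched = matching_groups(attributes, rules)
    if not matched:
        if deny_access:
            # Manual RBAC groups do not help: the tenant is locked to mapped users only.
            raise AccessDenied("no mapping rule applies to this user")
        matched = {DEFAULT_GROUP}
        # A manual Default membership becomes an IdP assignment and can be lost later.
        user.manual_groups.discard(DEFAULT_GROUP)
    # Groups from earlier logins whose rules no longer match are dropped here;
    # manually assigned groups are untouched.
    user.idp_groups = matched
    return user


def effective_groups(user: UserState) -> Set[str]:
    return user.manual_groups | user.idp_groups


# Constructed rules: one attribute ("Department") feeds two groups.
RULES = [
    MappingRule("Department", "SRE", "Owner"),
    MappingRule("Department", "SRE", "SRE Dashboards"),
    MappingRule("groups", "oncall", "Oncall Viewers"),
]


def walkthrough() -> Dict[str, Set[str]]:
    """Run the scenarios from the text and return the resulting effective groups."""
    results = {}
    alice = UserState(manual_groups={"Dev Team"})
    apply_login(alice, {"Department": ["SRE"], "groups": ["oncall"]}, RULES, deny_access=False)
    results["alice_first_login"] = effective_groups(alice)
    # Alice moves teams: the SRE rules stop matching and those groups are removed.
    apply_login(alice, {"Department": ["Sales"], "groups": ["oncall"]}, RULES, deny_access=False)
    results["alice_after_move"] = effective_groups(alice)
    # Bob matches nothing and is a manual member of Default: it becomes an IdP assignment.
    bob = UserState(manual_groups={DEFAULT_GROUP, "Dev Team"})
    apply_login(bob, {"Department": ["Finance"]}, RULES, deny_access=False)
    results["bob_no_rules"] = effective_groups(bob)
    results["bob_manual_only"] = set(bob.manual_groups)
    return results


if __name__ == "__main__":
    for name, groups in walkthrough().items():
        print(f"{name}: {sorted(groups)}")
    try:
        apply_login(UserState(manual_groups={"Owner"}), {"Department": ["Finance"]}, RULES, deny_access=True)
    except AccessDenied as exc:
        print("deny access set, login rejected:", exc)
```

The last call is the admin lock-out case from the text: a user who is a manual member of Owner but matches no rule is rejected as soon as Deny Access is set, which is why the rules for admins must be in place and tested before the checkbox is selected.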