Configuring Service Provider (SAML/OIDC)

To configure the Service Provider (SAML/OIDC), complete the following steps:

Note: If the SAML links don't appear after you click Settings > Authentication > SAML, check that you created the Service Provider key and certificate for the IdP configuration and adjusted the settings.hcl file.

Creating Service Provider key and certificate for IdP configuration

Service Provider (SAML/OIDC) requires a key to sign or validate messages that are exchanged with the IdP. The key must be encrypted. Unencrypted keys aren't accepted.

Follow the steps:

  1. Create the key by running the command as follows:

    openssl genrsa -aes128 -out sp_key.pem 2048
    
  2. Create the certificate by running the command as follows:

    openssl req -new -x509 -key sp_key.pem -out sp_cert.pem -days 365
    
  3. Combine them into one PEM by running the command as follows:

    cat sp_key.pem sp_cert.pem > sp_key_cert.pem
    

Make sure to store the sp_key_cert.pem file in a safe location.

Adjusting the settings.hcl file

  1. Copy the sp_key_cert.pem file to your Instana on-premises box, and make sure that the Instana installation can read the file.

  2. Configure the path to the sp_key_cert.pem file (key_cert_path) and the key password (key_pass) in the settings.hcl file as follows, and then run the command instana update.

    service_provider {
      key_cert_path = "/path/to/sp_key_cert.pem"
      key_pass = "key_pass"
    }
    
  3. Sign in to the Instana UI, and open the Management Portal by clicking the profile picture in the Instana user interface.

    Click Tenant Authentication, and configure authentication and authorization as described in SAML authentication and authorization and OpenID Connect authentication and authorization.

Replacing the certificate

The certificate that you created earlier has a lifetime of 365 days, after which you need to provide a new one.

To do so, follow the steps:

  1. Get the sp_key.pem file that you created before.

  2. Create the certificate.

    openssl req -new -x509 -key sp_key.pem -out sp_cert.pem -days 365
    
  3. Combine them into one PEM file.

    cat sp_key.pem sp_cert.pem > sp_key_cert.pem
    
  4. Copy the resulting sp_key_cert.pem file to the pathToKeyCertPem file, and restart Instana by running the command instana stop && instana start.
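
A pre-deployment check for the combined PEM file, added here as an example and not part of the Instana documentation or tooling. It confirms that the key is encrypted, that the passphrase configured as key_pass decrypts it, that the certificate belongs to the key, and that the certificate is not about to expire; the function name check_sp_pem, its arguments, and the passphrase file are assumptions.

```shell
#!/bin/sh
# Added example: sanity check for the combined sp_key_cert.pem before it is
# copied to the Instana host. check_sp_pem and its arguments are hypothetical
# names, not Instana tooling.
# Usage: check_sp_pem PEM_FILE PASSPHRASE_FILE [MIN_DAYS_LEFT]
check_sp_pem() {
    pem=$1 passfile=$2 min_days=${3:-30}

    # 1. The key must be encrypted. OpenSSL 3.x writes PKCS#8
    #    ("ENCRYPTED PRIVATE KEY"); 1.x writes the traditional format,
    #    marked by a "Proc-Type: 4,ENCRYPTED" header.
    grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$pem" || {
        echo "private key missing or not encrypted" >&2; return 2; }

    # 2. The passphrase must decrypt the key. Reading it from a file keeps
    #    it out of the process list and the shell history.
    key_pub=$(openssl pkey -in "$pem" -passin "file:$passfile" -pubout \
              2>/dev/null </dev/null) || {
        echo "passphrase does not decrypt the key" >&2; return 3; }

    # 3. The certificate must carry the public key of that private key.
    cert=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$pem")
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null) || {
        echo "no readable certificate in file" >&2; return 4; }
    [ "$key_pub" = "$cert_pub" ] || {
        echo "certificate does not match the key" >&2; return 5; }

    # 4. The certificate must stay valid for at least MIN_DAYS_LEFT days.
    printf '%s\n' "$cert" |
        openssl x509 -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 || {
        echo "certificate expires within $min_days days" >&2; return 6; }
}
```

A return code of 0 means all four checks passed; each non-zero code identifies the check that failed, so the function can gate the copy step in a renewal script.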