Follow the steps to configure authentication.
- Standard authentication
- Two-factor authentication (2FA)
- SAML authentication and authorization
- OpenId Connect authentication and authorization
- Google Single Sign-On (SSO)
Standard authentication, with username (email address) and password, is the default authentication method for Instana.
To mitigate the risk of identity theft, use multi-factor authentication (MFA) for all users, especially for privileged accounts. If your organization is relying on an Identity Provider (IdP), configure it for Instana use according to your existing policy because IdP addresses authentication, MFA enforcement, password complexity, and password rotation requirements. In case IdP is not used, enable two-factor authentication (2FA) as soon as possible upon creating your Instana account to mitigate the risk of identity theft.
Two-factor authentication (2FA)
The 2FA option offered by Instana provides enhanced security in comparison to standard authentication.
When 2FA is activated, a QR code is displayed. You can scan this QR code with an authentication app, like Authy, Duo, or Google Authenticator, to create an account in the app. This account shows the rotating 2FA code. rotating 2FA code. After 2FA is activated for an account, you must use the 2FA code for every login.
Scratch codes serve as a backup in case you ever lose access to your authentication device. Five 8-digit codes are shown to you immediately after activating 2FA, and each of them can be used only once. Without authentication device and scratch codes, access to Instana is not possible.
Google Single Sign-On (SSO)
Alternatively, you can enable Instana's preconfigured Google Single Sign-On for your organization.
To enable this authentication method, go to Settings > Authentication > Google SSO, and specify the domain filter.
Instana users who are created through Google SSO are added to the built-in user group that are named "default".
Enter a domain filter that matches your organization's email addresses. For example, the filter
@instana.com is used. Multiple filters can be provided, and separated by a comma.
NOTE: Single sign-on is a tenant setting, meaning that once enabled it is active for all of your organization's tenant units. Make sure to not use a generic filter, such as
@gmail.com, as this can grant access to
everyone with a gmail account.