Integrating with Keycloak
Keycloak is a powerful identity and access management tool that helps you implement authentication and authorization in your applications quickly and efficiently. To integrate Instana with Keycloak, complete the following steps:
- Prerequisites
- Downloading the service provider metadata
- Using an existing Realm
- Creating the SAML client in Keycloak
- Adding users to Instana
Prerequisites
After SAML is activated for a tenant, it is the only way to log in to Instana. The SAML configuration can be deleted through the API by using an API token with sufficient permissions.
Before you integrate Keycloak with Instana, you require administrator privileges in Keycloak.
Downloading the service provider metadata
Instana provides a Service Provider Metadata XML file that you need to configure Keycloak. To download the file and save it for later use, click METADATA DOWNLOAD in the SAML settings dialog.
For more information about configuring a service provider, see Configuring Service Provider.
Using an existing Realm
You must have an existing Realm in Keycloak. The following example uses SAML-DEMO.
Creating the SAML client in Keycloak
To create the SAML client in Keycloak, complete the following steps:
- Go to Configure > Clients, and click Create.
- Click Select file, and choose the previously downloaded service provider metadata.xml.
- Click Save. You return to the edit page of the newly imported client.
- Go to Realm Settings, and click SAML 2.0 Identity Provider Metadata to download the SAML 2.0 IdP metadata.
- Save the content as descriptor.xml.
- Go to the Instana SAML setup page and upload the descriptor.xml file.
- Click Save to activate the SAML client configuration.
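Because SAML becomes the only login path once it is activated, it is worth checking the exported descriptor.xml before uploading it to Instana. The script below is an added example, not Instana's or Keycloak's own code: it parses IdP metadata with the Python standard library only and reports structural problems (no IDPSSODescriptor, no signing certificate, certificate that is not base64 DER, SingleSignOnService endpoints that are not HTTPS). The embedded metadata is a constructed sample shaped like a Keycloak export for a realm named SAML-DEMO at the hypothetical host keycloak.example.test, and the certificate value is a placeholder DER blob, not a real certificate. It does not verify XML signatures or certificate chains.

```python
"""Structural sanity check of a SAML 2.0 IdP metadata file (descriptor.xml).

Added example; not Instana's or Keycloak's own code. Checks shape only,
it does not validate XML signatures or certificate trust.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder certificate: a minimal DER SEQUENCE, not a real X.509 certificate.
FAKE_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

# Constructed sample resembling Keycloak's "SAML 2.0 Identity Provider Metadata"
# for a realm named SAML-DEMO; keycloak.example.test is a hypothetical host.
SAMPLE_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://keycloak.example.test/realms/SAML-DEMO">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{cert}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://keycloak.example.test/realms/SAML-DEMO/protocol/saml"/>
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://keycloak.example.test/realms/SAML-DEMO/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
""".format(cert=FAKE_CERT)


def check_idp_metadata(xml_text: str) -> dict:
    """Return entityID, SSO endpoints by binding, signing cert count and findings."""
    root = ET.fromstring(xml_text)
    # Keycloak wraps the EntityDescriptor in an EntitiesDescriptor; accept both.
    entity = root if root.tag == f"{{{NS['md']}}}EntityDescriptor" \
        else root.find("md:EntityDescriptor", NS)
    if entity is None:
        raise ValueError("no EntityDescriptor found")
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata (what Instana exports) has an SPSSODescriptor instead.
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    findings = []
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]
        location = svc.get("Location", "")
        sso[binding] = location
        if not location.startswith("https://"):
            findings.append(f"SSO endpoint {binding} is not HTTPS: {location}")
    if "HTTP-POST" not in sso and "HTTP-Redirect" not in sso:
        findings.append("no HTTP-POST or HTTP-Redirect SingleSignOnService")

    signing_certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute covers signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())
            try:
                der = base64.b64decode(b64, validate=True)
            except ValueError:
                findings.append("signing certificate is not valid base64")
                continue
            if not der or der[0] != 0x30:  # DER certificates start with SEQUENCE
                findings.append("signing certificate is not a DER blob")
                continue
            signing_certs += 1
    if signing_certs == 0:
        findings.append("no usable signing certificate: responses cannot be verified")

    return {
        "entity_id": entity.get("entityID", ""),
        "sso": sso,
        "signing_certs": signing_certs,
        "findings": findings,
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DESCRIPTOR
    for key, value in check_idp_metadata(text).items():
        print(f"{key}: {value}")
```

Run it as `python check_descriptor.py descriptor.xml` against the file exported from Realm Settings; an empty findings list means the file has the parts Instana needs to verify signed responses and redirect users to the realm's SSO endpoint.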
Adding users to Instana
You must enable SAML for your users before they can access Instana. To enable users, assign them in the SAML app.
To assign users in the SAML app, complete the following steps:
- Open the application overview in Keycloak.
- Select the user from the dropdown list.
Make sure that every user has an associated email address.
Each new user receives the default role when they log in for the first time.