Integrating with Onelogin

Onelogin doesn't provide automatic setup of SAML applications by uploading the Service Provider metadata. This small tutorial guides you through the necessary steps to get Instana integrated with Onelogin as a SAML app.

Prerequisites

After SAML is activated for a tenant, you have no other way to log in to Instana. The SAML configuration can be deleted through the API by using a token with enough permissions.

  • You require administrator privileges in Onelogin.
  • Open the SAML configuration page in Instana. You need to copy and paste some values between that page and Onelogin. (See Option 2: Manual Setup in the dialog.)

SAML

Creating the SAML app in Onelogin

First, go to the application perspective in Onelogin by selecting it from the menu bar, and then click Add App.

Now search for SAML and select SAML Test Connector (IdP w/ attr w/sign response).

After you select the template, you are prompted with a screen where you can enter the name of your application. You can pick any name or image, since these values have no impact on the actual SAML login flow. After you fill in everything, click Configuration to start the actual SAML configuration.

This screen now contains all the fields that are required to interact with Instana. Copy the values from the Instana SAML configuration page into the corresponding fields, then press save.

Yes, the .* in the ACS (Consumer) URL Validator is required.

Almost done. After you save everything, you now have an Instana SAML application in Onelogin. The only thing left to do is to transfer the IdP-Metadata from Onelogin to Instana.

To do so, select the More Actions dropdown and select SAML metadata. Store the downloaded file and upload it in the Instana SAML configuration page.

Adding Users to Instana

With SAML enabled, SAML login is now the only way for your users to access Instana. To enable a user, the SAML app must be assigned to them. Use your regular flow to associate a given app with a user so they get access.

Make sure that every user has an associated email address.

Each new user can receive the default role during their first login.