Configuring Service Provider (SAML/OIDC)
Configure Security Assertion Markup Language (SAML) or OpenID Connect (OIDC) as the service provider.
- Creating Service Provider key and certificate for IdP configuration
- Adjusting the settings.hcl file
- Replacing the certificate
Before you configure SAML or OIDC, make sure that you connected your identity provider (IdP) with Instana. For more information, see Configuring LDAP.
Creating Service Provider key and certificate for IdP configuration
The service provider requires a key and certificate to sign or validate messages that it exchanges with the IdP. The key and certificate must be encrypted. Unencrypted keys and certificates aren't accepted.
To generate an SSL (Secure Sockets Layer) key and certificate in PEM format, use the openssl tool.
- Generate a private key.
  openssl genrsa -aes128 -out sp_key.pem 2048
  You might be prompted for a passphrase. Make sure to remember this passphrase, because you need it later to provide it as the key_pass value.
- Generate a self-signed certificate by using the private key.
  openssl req -new -x509 -key sp_key.pem -out sp_cert.pem -days 365
  Fill out the CSR (Certificate Signing Request) information as prompted. Make sure to enter the same information that you used when you generated the private key.
- Combine the certificate and key into one PEM file.
  cat sp_key.pem sp_cert.pem > sp_key_cert.pem
  Make sure to store the sp_key_cert.pem file in a safe location.
Adjusting the settings.hcl file
This section is not applicable to Self-Hosted Standard Edition.
- Copy the combined certificate and key file (sp_key_cert.pem) to your Instana host, and make sure that the Instana installation can read the file.
- Update the settings.hcl file with the certificate and key information. The settings.hcl file is available in the same directory from where you ran the instana init command for installing the Instana backend.
  key_cert_path: File path of the sp_key_cert.pem file
  key_pass: Passphrase that you specified in the previous section where you generated the key.
  service_provider {
    key_cert_path = "/path/to/sp_key_cert.pem"
    key_pass = "key_pass"
  }
- Update the Instana configuration.
  instana update
- Sign in to the Instana UI. Click the profile picture > Management Portal > Tenant Authentication. Configure authentication and authorization as described in SAML authentication and authorization and OpenID Connect authentication and authorization.
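The following check is an added example and is not part of the Instana documentation or product: it inspects a combined sp_key_cert.pem before you reference it from settings.hcl, reporting an unencrypted key (which Instana does not accept) or a missing certificate block, and renders the service_provider stanza with proper HCL quoting. The PEM contents are constructed placeholders, and the function names are assumptions.

```python
import re

# One PEM block: label, then any headers plus body, up to the matching END line.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)

def check_sp_key_cert(pem_text):
    """Return the problems found in a combined key+certificate PEM; an empty list means OK.
    A key counts as encrypted if it is a PKCS#8 'ENCRYPTED PRIVATE KEY' block or a traditional
    block ('RSA PRIVATE KEY', as written by openssl genrsa -aes128) with a Proc-Type: 4,ENCRYPTED header."""
    problems = []
    blocks = _PEM_BLOCK.findall(pem_text)  # list of (label, body) tuples
    keys = [(label, body) for label, body in blocks if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    for label, body in keys:
        if label == "ENCRYPTED PRIVATE KEY":
            continue  # PKCS#8 encrypted form is acceptable
        if label == "PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" not in body:
            problems.append(f"{label} block is unencrypted; Instana will not accept it")
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no CERTIFICATE block found; did you append sp_cert.pem?")
    return problems

def service_provider_stanza(key_cert_path, key_pass):
    """Render the settings.hcl service_provider block, escaping backslashes and quotes."""
    def q(s):
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return (
        "service_provider {\n"
        f"  key_cert_path = {q(key_cert_path)}\n"
        f"  key_pass = {q(key_pass)}\n"
        "}\n"
    )

# Constructed sample file: the base64 bodies are placeholders, not real key material.
ENCRYPTED_KEY_CERT = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

MIIEpAIBAAKCAQEAplaceholder
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUplaceholder
-----END CERTIFICATE-----
"""
```

Removing the Proc-Type and DEK-Info headers from the sample (which is what a key generated without -aes128 looks like) makes the check report the key as unencrypted.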
Replacing the certificate
The certificate that was created before has a lifetime of 365 days, after which you need to provide a new one.
To do so, follow these steps:
- Get the sp_key.pem file that you created before.
- Create the certificate.
  openssl req -new -x509 -key sp_key.pem -out sp_cert.pem -days 365
- Combine them into one PEM file.
  cat sp_key.pem sp_cert.pem > sp_key_cert.pem
- Copy the resulting sp_key_cert.pem file to the pathToKeyCertPem location (the path that you configured as key_cert_path in settings.hcl), and restart Instana by running the command instana stop && instana start.
After you click Settings > Authentication > SAML, if you don't see the SAML links there, check whether you have created the Service Provider key and certificate for IdP configuration and adjusted the settings.hcl file.