Configuring Service Provider (SAML/OIDC)

Configure Security Assertion Markup Language (SAML) or OpenID Connect (OIDC) as the service provider.

Before you configure SAML or OIDC, make sure that you have connected your identity provider (IdP) to Instana. For more information, see Configuring LDAP.

Creating Service Provider key and certificate for IdP configuration

The service provider requires a key and certificate to sign or validate messages that it exchanges with the IdP. The key and certificate must be encrypted. Unencrypted keys and certificates aren't accepted.

To generate an SSL (Secure Sockets Layer) key and certificate in PEM format, use the openssl tool.

  1. Generate a private key.

    openssl genrsa -aes128 -out sp_key.pem 2048

    You might be prompted for a passphrase. Remember it, because you must provide it later as the key_pass value in settings.hcl.

  2. Generate a self-signed certificate by using the private key.

    openssl req -new -x509 -key sp_key.pem -out sp_cert.pem -days 365

    Fill out the CSR (Certificate Signing Request) information as prompted. Make sure to enter the same information that you used when you generated the private key.

  3. Combine the certificate and key into one PEM file.

    cat sp_key.pem sp_cert.pem > sp_key_cert.pem

Make sure to store the sp_key_cert.pem file in a safe location.

Adjusting the settings.hcl file

This section is not applicable to Self-Hosted Standard Edition.

  1. Copy the combined certificate and key file (sp_key_cert.pem) to your Instana host, and make sure that the Instana installation can read the file.

  2. Update the settings.hcl file with the certificate and key information. The settings.hcl file is available in the same directory from where you ran the instana init command for installing the Instana backend.

    • key_cert_path: File path of the sp_key_cert.pem file
    • key_pass: Passphrase that you specified in the previous section where you generated the key.

    service_provider {
      key_cert_path = "/path/to/sp_key_cert.pem"
      key_pass = "key_pass"
    }

  3. Update the Instana configuration.

    instana update
    
  4. Sign in to Instana UI. Click the profile picture > Management Portal > Tenant Authentication. The

Configure authentication and authorization as described in SAML authentication and authorization and OpenID Connect authentication and authorization.

Replacing the certificate

The certificate that you created earlier has a lifetime of 365 days, after which you must provide a new one.

To do so, follow the steps:

  1. Get the sp_key.pem file that you created before.

  2. Create the certificate.

    openssl req -new -x509 -key sp_key.pem -out sp_cert.pem -days 365
    
  3. Combine them into one PEM file.

    cat sp_key.pem sp_cert.pem > sp_key_cert.pem
    
  4. Copy the resulting sp_key_cert.pem file to the location configured as key_cert_path (pathToKeyCertPem) in settings.hcl, and restart Instana by running the command instana stop && instana start.
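The following script is an added example and not part of the Instana documentation or product. It runs the key, certificate and bundle steps from both procedures on this page (initial creation and certificate replacement) non-interactively, and then performs the checks a practitioner wants before copying the bundle to key_cert_path: that the key in the bundle is still encrypted (unencrypted keys are rejected), that the certificate really belongs to the key, and that the certificate is not about to expire. It assumes openssl is in PATH; the passphrase, subject and scratch directory (SP_PASS, SP_SUBJECT, WORKDIR) are constructed sample values, not values from this page.

```shell
#!/bin/sh
# Added example, not Instana's own tooling. Requires the openssl CLI.
set -e

# Constructed sample values: override via the environment for real use.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
SP_PASS="${SP_PASS:-example-passphrase-change-me}"   # becomes key_pass in settings.hcl
SP_SUBJECT="${SP_SUBJECT:-/CN=instana-service-provider}" # avoids the interactive CSR prompts

# Step 1: AES-128 encrypted 2048-bit RSA key. -passout replaces the passphrase prompt.
sp_generate_key() {
  openssl genrsa -aes128 -passout "pass:$SP_PASS" -out "$WORKDIR/sp_key.pem" 2048 2>/dev/null
}

# Step 2: self-signed certificate from that key; lifetime in days is $1 (default 365).
# The same function serves the replacement procedure: re-run it against the existing key.
sp_generate_cert() {
  openssl req -new -x509 -key "$WORKDIR/sp_key.pem" -passin "pass:$SP_PASS" \
    -subj "$SP_SUBJECT" -out "$WORKDIR/sp_cert.pem" -days "${1:-365}" 2>/dev/null
}

# Step 3: bundle key and certificate into the file that key_cert_path points to.
sp_bundle() {
  cat "$WORKDIR/sp_key.pem" "$WORKDIR/sp_cert.pem" > "$WORKDIR/sp_key_cert.pem"
  chmod 600 "$WORKDIR/sp_key_cert.pem"   # the bundle contains the private key
}

# Check 1: the bundled key must be encrypted. Both the legacy PEM header
# ("Proc-Type: 4,ENCRYPTED") and PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") contain the word.
sp_key_is_encrypted() {
  grep -q 'ENCRYPTED' "$WORKDIR/sp_key_cert.pem"
}

# Check 2: the certificate was issued for this key, i.e. both carry the same public key.
sp_key_matches_cert() {
  key_pub=$(openssl pkey -in "$WORKDIR/sp_key_cert.pem" -passin "pass:$SP_PASS" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$WORKDIR/sp_key_cert.pem" -noout -pubkey 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Check 3: the certificate is not within $1 days of expiry (default 30). When this
# fails, run the replacement procedure from this page before the IdP exchange breaks.
sp_cert_not_expiring() {
  openssl x509 -in "$WORKDIR/sp_key_cert.pem" -noout -checkend $(( ${1:-30} * 86400 )) >/dev/null 2>&1
}

# Full initial-creation run: key, certificate (lifetime $1 days), bundle.
sp_create_all() {
  sp_generate_key && sp_generate_cert "${1:-365}" && sp_bundle
}

# Stand-alone usage: create the material and report the checks.
if [ "${SP_EXAMPLE_MAIN:-1}" = "1" ] && [ -z "${SP_EXAMPLE_LIBRARY:-}" ]; then
  sp_create_all 365
  sp_key_is_encrypted && echo "key in bundle is encrypted"
  sp_key_matches_cert && echo "certificate matches key"
  sp_cert_not_expiring 30 && echo "certificate valid for more than 30 days"
  echo "bundle written to $WORKDIR/sp_key_cert.pem"
fi
```

The expiry check is the reason to keep this script around: a cron job that runs sp_cert_not_expiring against the deployed bundle gives warning before the 365-day lifetime runs out, and after a replacement the same two checks confirm that the new bundle was built from the original sp_key.pem and is still passphrase-protected.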

After you click Settings > Authentication > SAML, if you don't see the SAML links there, check whether you have created the Service Provider key and certificate for IdP configuration and adjusted the settings.hcl file.