Configuring Active Directory

The following guidance is for a classic Active Directory installation, not for Azure Active Directory.

Classic Active Directory requires more configuration to get running with SAML than its Azure sibling. Follow the regular SAML-documentation for that one.

Prerequisites

Get the service provider metadata

To make the configuration easier, a Service Provider metadata XML file is provided. It can be downloaded from the SAML settings dialog:

SAML

To save the file for later use, click METADATA DOWNLOAD.

Creating the Relying Trust Partner

  1. From the tools list, open AD FS Management.

    ADFS Management

  2. Select Add Relying Party Trust.

    Add Relying Party Trust

    Then, you are presented with a wizard for creating a Relying Party Trust, also known as SAML.

    Add Relying Party Trust 1

    The Select Data Source step of this dialog allows you to upload the service provider metadata that you downloaded from Instana. Upload the file and wait until Active Directory is done processing.

    Add Relying Party Trust upload

    Finish the remaining steps to create the new trust.

    You are then prompted with the AD FS Management default view, which now contains the newly created Relying Party Trust.

Add necessary attribute mappings

Instana needs to receive the email address of an authenticated user. Therefore, you need to add a mapping to get the email address of each individual user that is mapped into the SAML-interaction.

Active Directory has some issues with doing this mapping correctly, so you need to help with a rule combination.

To add the rule, select the newly created Relying Party Trust, and click Edit Claim Issuance Policy ....

Edit Claim Issuance Policy

There might be no rules in there since it is just created.

Edit Claim Issuance Policy empty

Select Add Rule....

The next dialog guides you through the creation of the mapping rule.

Select Send LDAP Attributes as Claims from the list.

Edit Claim Issuance Policy LDAP Attribute as Claim

Give a name to the rule and select to map E-Mail-Address to E-Mail-Address.

The dropdown list also contains a field that is named NameID and you might be tempted to use this field. Sadly, the conversion is broken, and the resulting configuration produces invalid SAML-messages.

Edit Claim Issuance Policy LDAP Attribute as Claim 2

Select Add Rule... to add Transform an Incoming Claim. This rule takes care of converting the email address into the NameID required by the SAML-standard.

Edit Claim Issuance Policy Transform incoming Claim

Select E-Mail Address as the incoming claim type, and Name ID as the outgoing claim type. Outgoing name ID format needs to be set to email for the actual conversion to take place.

Edit Claim Issuance Policy Transform incoming Claim 2

Then, you can see the following list of rules.

Edit Claim Issuance Policy overview

The order of these rules is important so double check that everything is where it is supposed to be.

That's it for the Active Directory side of things.

Finish configuration in Instana

The only part left is to connect Instana with AD. You already uploaded the Service Provider metadata from Instana to AD.

Now you need to provide the IdP-Metadata from AD to Instana. Follow the steps:

First, you need to download the metadata file. Use a browser and navigate to https://<AD_HOST_NAME>/FederationMetadata/2007-06/FederationMetadata.xml, and make sure to replace <AD_HOST_NAME> with the name of the machine where the AD is running.

Store the downloaded file locally and open the Instana-SAML-configuration dialog.

Select Click here to select IDP-Metadata-File for uploading and then click ACTIVATE.

Instana can be accessible by using SAML.