Configuring Active Directory
The following guidance is for a classic Active Directory installation, not for Azure Active Directory.
Classic Active Directory requires more configuration to get running with SAML than its Azure sibling. For Azure Active Directory, follow the regular SAML documentation instead.
- Prerequisites
- Get the service provider metadata
- Creating the Relying Trust Partner
- Add necessary attribute mappings
- Finish configuration in Instana
Prerequisites
- In your Active Directory installation, enable Active Directory Federation Service (ADFS).
- To access Instana, ensure that all users have an email address in their profile.
- Administrative rights are required.
Get the service provider metadata
To make the configuration easier, Instana provides a Service Provider metadata XML file. It can be downloaded from the SAML settings dialog in Instana.
To save the file for later use, click METADATA DOWNLOAD.
Creating the Relying Trust Partner
- From the tools list, open AD FS Management.
- Select Add Relying Party Trust.
A wizard then opens for creating a Relying Party Trust, which is how AD FS represents the SAML connection.
The Select Data Source step of this dialog allows you to upload the service provider metadata that you downloaded from Instana. Upload the file and wait until Active Directory is done processing.
Finish the remaining steps to create the new trust.
You are then prompted with the AD FS Management default view, which now contains the newly created Relying Party Trust.
Add necessary attribute mappings
Instana needs to receive the email address of an authenticated user. Therefore, you need to add a mapping that passes each individual user's email address into the SAML exchange.
Active Directory does not perform this mapping correctly on its own, so you need to help it with a combination of two rules.
To add the rules, select the newly created Relying Party Trust, and click Edit Claim Issuance Policy....
The rule list is probably empty, because the trust was just created.
Select Add Rule....
The next dialog guides you through the creation of the mapping rule.
Select Send LDAP Attributes as Claims from the list.
Give the rule a name and map the LDAP attribute E-Mail-Address to the outgoing claim type E-Mail-Address.
The dropdown list also contains an outgoing claim type named NameID, and you might be tempted to use it directly. Unfortunately, that conversion is broken, and the resulting configuration produces invalid SAML messages.
Select Add Rule... again and choose Transform an Incoming Claim. This rule takes care of converting the email address into the NameID required by the SAML standard.
Select E-Mail Address as the incoming claim type, and Name ID as the outgoing claim type. The outgoing name ID format must be set to Email for the actual conversion to take place.
The claim rules list then shows both rules.
The order of these rules is important (the LDAP rule must come before the transform rule, because the transform consumes the claim that the LDAP rule issues), so double-check that everything is where it is supposed to be.
That's it for the Active Directory side of things.
Finish configuration in Instana
The only part left is to connect Instana with AD. You already uploaded the Service Provider metadata from Instana to AD.
Now you need to provide the IdP-Metadata from AD to Instana. Follow the steps:
First, download the IdP metadata file. In a browser, navigate to https://<AD_HOST_NAME>/FederationMetadata/2007-06/FederationMetadata.xml, replacing <AD_HOST_NAME> with the host name of the machine where AD FS is running.
Store the downloaded file locally and open the Instana-SAML-configuration dialog.
Select Click here to select IDP-Metadata-File for uploading and then click ACTIVATE.
Instana can now be accessed by using SAML.