Configuring service provider (SAML/OIDC)
You can configure Security Assertion Markup Language (SAML) or OpenID Connect (OIDC) as the service provider.
Before you configure SAML or OIDC, make sure that you connected your identity provider (IdP) with Instana. For more information, see Configuring LDAP.
Creating service provider key and certificate for IdP configuration
The service provider requires a key and certificate to sign or validate messages that it exchanges with the IdP. The key and certificate must be encrypted. Unencrypted keys and certificates aren't accepted.
To generate an SSL (Secure Sockets Layer) key and certificate in PEM format, use the openssl tool.
1. Generate a private key.
   openssl genrsa -aes128 -out sp_key.pem 2048
   You might be prompted for a passphrase. Make sure to remember this passphrase, because you need it later to provide it as the key_pass value.
2. Generate a self-signed certificate by using the private key.
   openssl req -new -x509 -key sp_key.pem -out sp_cert.pem -days 365
   Fill out the CSR (Certificate Signing Request) information as prompted. Make sure to enter the same information that you used when you generated the private key.
3. Combine the certificate and key into one PEM file.
   cat sp_key.pem sp_cert.pem > sp_key_cert.pem
Make sure to store the sp_key_cert.pem file in a safe location.
For Self-Hosted Standard Edition, you need to import the sp_key_cert.pem file into a secret. The SAML configuration does not appear in the UI until you import the certificate.
Adjusting the settings.hcl file
This section is not applicable to Self-Hosted Standard Edition.
1. Copy the combined certificate and key file (sp_key_cert.pem) to your Instana host, and make sure that the Instana installation can read the file.
2. Update the settings.hcl file with the certificate and key information. The settings.hcl file is available in the same directory from where you ran the instana init command for installing the Instana backend.
   - key_cert_path: File path of the sp_key_cert.pem file
   - key_pass: Passphrase that you specified in the previous section where you generated the key
   service_provider {
     key_cert_path = "/path/to/sp_key_cert.pem"
     key_pass = "key_pass"
   }
3. Update the Instana configuration.
   instana update
4. From the navigation menu in the Instana UI, select .
For more information about configuring authentication and authorization, see SAML authentication and authorization and OpenID Connect authentication and authorization.
Replacing the certificate
The certificate that you created before has a lifetime of 365 days, after which you need to provide a new one.
To do so, follow these steps:
1. Get the sp_key.pem file that you created before.
2. Create the certificate.
   openssl req -new -x509 -key sp_key.pem -out sp_cert.pem -days 365
3. Combine them into one PEM file.
   cat sp_key.pem sp_cert.pem > sp_key_cert.pem
4. Copy the resulting sp_key_cert.pem file to the pathToKeyCertPem location that is specified in the settings.hcl file, and restart Instana by running the command instana stop && instana start.
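As an added check for the two procedures above (creating the key and certificate, and replacing the certificate), not part of the Instana documentation: a POSIX shell helper that confirms a combined sp_key_cert.pem really contains an encrypted key plus a certificate before key_cert_path points at it, and flags a certificate that is about to reach the end of its 365-day lifetime. Function names are this example's own; the expiry check assumes the openssl tool used in the steps above is on the PATH.

```shell
#!/bin/sh
# Added example, not part of the Instana documentation: sanity checks for
# the combined sp_key_cert.pem before it is referenced from settings.hcl.
# Function names are this example's own.

# check_sp_pem FILE: returns 0 when FILE holds an encrypted private key plus
# a certificate, 1 otherwise. Both headers that "openssl genrsa -aes128"
# can produce are accepted: legacy "RSA PRIVATE KEY" with a
# "Proc-Type: 4,ENCRYPTED" line (OpenSSL 1.x) and PKCS#8
# "ENCRYPTED PRIVATE KEY" (OpenSSL 3.x). A key with neither is the
# unencrypted kind that Instana rejects.
check_sp_pem() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$file"; then
        echo "$file: no certificate block" >&2
        return 1
    fi
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$file"; then
        return 0
    fi
    if grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$file" &&
       grep -q '^Proc-Type: 4,ENCRYPTED' "$file"; then
        return 0
    fi
    echo "$file: private key missing or not encrypted" >&2
    return 1
}

# cert_needs_renewal FILE DAYS: returns 0 when the certificate in FILE
# expires within DAYS days, so the "Replacing the certificate" steps are
# due; 1 when it stays valid beyond that window; 2 when openssl is
# not installed.
cert_needs_renewal() {
    command -v openssl >/dev/null 2>&1 || return 2
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1    # openssl reports the certificate will not expire in the window
    fi
    return 0
}
```

Source the file and run check_sp_pem /path/to/sp_key_cert.pem after the combine step; a scheduled cert_needs_renewal /path/to/sp_key_cert.pem 30 gives warning before the 365-day lifetime runs out.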