This is a small tutorial for a classic Active Directory installation, not Azure Active Directory.
Classic Active Directory requires a lot more configuration work to get running with SAML than its Azure sibling. Please follow the regular SAML-documentation for that one.
- Enable Active Directory Federation Service (ADFS) in your Active Directory installation.
- Ensure that all users which are supposed to access Instana have an eMail-address in their profile.
- You will need administrative rights to do the required changes.
*Service Provider Metadata is an XML file provided by Instana to make the configuration easier. It can be downloaded from the SAML settings dialog:
Hit METADATA DOWNLOAD and store the file for later use.
With everything prepared we now dive right into the actual setup process.
Open AD FS Management from the tools list.
The default view gives several of options on the right side. The one we are interested in is Add Relying Party Trust.
After selecting we get presented with a wizard for creating a Relying Pary Trust, aka SAML.
The “Select Data Source”-step of this dialog allows us to upload Service Provider Metadata which you should have downloaded from Instana. Upload the file and wait until Active Directory is done processing.
Finish the remaining steps and have the new trust be created.
Afterwards you will be again prompted with the AD FS Management default view which now contains the newly created Relying Party Trust
Instana needs to receive the eMail-address of an authenticated user. We therefore have to add a mapping to get the eMail-address of each individual user mapped into the SAML-interaction.
Active Directory has some issues with doing this mapping correctly so we have to help with a rule combination.
To add this rules we now select the newly created Relying Party Trust and click on Edit Claim Issuance Policy …
There should be no rules in there since we just created it.
Select Add Rule….
The next dialog will guide us through the creation of the mapping rule.
Select Send LDAP Attributes as Claims from the dropdown.
Give a name to the rule and select to map E-Mail-Address to E-Mail-Address.
NOTE: The dropdown also contains a field named NameID and you might be tempted to use this. Sadly the conversion is broken and the resulting configuration will produce invalid SAML-messages.
Select Add Rule… once more to add Transform an Incoming Claim. This rule will take care of converting the E-Mail-Address into the NameID required by the SAML-standard.
Select E-Mail Address as the incoming claim type and Name ID as the outgoing claim type. Outgoing name ID format has to be set to to Email for the actual conversion to take place.
After hitting finish you should see the following list of rules.
The order of these rules is important so double check that everything is where it is supposed to be.
That’s it for the Active Directory side of things.
The only part left is to connect Instana with AD. We already uploaded the Service Provider Metadata from Instana to AD.
Now we need to provide the IdP-Metadata from AD to Instana.
To do this we first have to download the metadata file. Use a browser and navigate to https://<ADHOSTNAME>/FederationMetadata/2007-06/FederationMetadata.xml, make sure to replace <ADHOSTNAME> with the name of the machine AD is running on.
Store the downloaded file locally and open the Instana-SAML-configuration dialog.
Select Click here to select IDP-Metadata-File for uploading and afterwards ACTIVATE.
That’s it, Instana will now be accessible via SAML.