Active Directory

About

This is a small tutorial for a classic Active Directory installation, not Azure Active Directory.

Classic Active Directory requires a lot more configuration work to get running with SAML than its Azure sibling. Please follow the regular SAML-documentation for that one.

Prerequisites

  • Enable Active Directory Federation Service (ADFS) in your Active Directory installation.
  • Ensure that all users who are supposed to access Instana have an email address in their profile.
  • You will need administrative rights to do the required changes.

Get the Service Provider Metadata

Service Provider Metadata is an XML file provided by Instana to make the configuration easier. It can be downloaded from the SAML settings dialog:

(Screenshot: SAML settings dialog)

Hit METADATA DOWNLOAD and store the file for later use.

Creating the Relying Trust Partner

With everything prepared we now dive right into the actual setup process.

Open AD FS Management from the tools list.

(Screenshot: AD FS Management in the tools list)

The default view offers several actions on the right side. The one we are interested in is Add Relying Party Trust.

(Screenshot: Add Relying Party Trust action)

After selecting it we are presented with a wizard for creating a Relying Party Trust, which is AD FS's term for a SAML service provider.

(Screenshot: Add Relying Party Trust wizard, first step)

The “Select Data Source” step of this dialog allows us to upload the Service Provider Metadata you downloaded from Instana earlier. Upload the file and wait until Active Directory is done processing it.

(Screenshot: Add Relying Party Trust wizard, metadata upload)

Finish the remaining steps to have the new trust created.

Afterwards you are returned to the AD FS Management default view, which now contains the newly created Relying Party Trust.

Add necessary attribute mappings

Instana needs to receive the email address of an authenticated user. We therefore have to add a mapping that passes each individual user's email address into the SAML interaction.

Active Directory does not perform this mapping correctly on its own, so we have to help it with a combination of two rules.

To add these rules, select the newly created Relying Party Trust and click Edit Claim Issuance Policy…

(Screenshot: Edit Claim Issuance Policy action)

There should be no rules in there yet, since we just created the trust.

(Screenshot: Edit Claim Issuance Policy, empty rule list)

Select Add Rule….

The next dialog will guide us through the creation of the mapping rule.

Select Send LDAP Attributes as Claims from the dropdown.

(Screenshot: Send LDAP Attributes as Claims template)

Give the rule a name, select the LDAP attribute E-Mail-Address and map it to the outgoing claim type E-Mail-Address.

NOTE: The dropdown also contains a field named NameID and you might be tempted to use it directly. Sadly, that conversion is broken and the resulting configuration produces invalid SAML messages.

(Screenshot: Send LDAP Attributes as Claims, attribute mapping)

Select Add Rule… once more and choose Transform an Incoming Claim. This rule converts the E-Mail-Address claim into the NameID required by the SAML standard.

(Screenshot: Transform an Incoming Claim template)

Select E-Mail Address as the incoming claim type and Name ID as the outgoing claim type. Outgoing name ID format has to be set to Email for the actual conversion to take place.

(Screenshot: Transform an Incoming Claim, claim type and Name ID format)

After hitting Finish you should see the following list of rules.

(Screenshot: Edit Claim Issuance Policy, rule overview)

The order of these rules is important: the LDAP rule has to come first so that the transform rule finds an E-Mail-Address claim to convert. Double check that everything is where it is supposed to be.
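The same two steps, creating the trust from the Service Provider Metadata and adding the two claim rules in the required order, as an added PowerShell example using the ADFS module. This is not Instana's code or the wizard's generated output; the trust name, the metadata file path and the Windows Server 2016+ access control policy are assumptions.

```powershell
# Added example (not Instana's code): create the Relying Party Trust and the two
# claim rules from this tutorial with the ADFS PowerShell module instead of the
# AD FS Management wizard. Run in an elevated PowerShell on the AD FS server.
Import-Module ADFS

$TrustName  = 'Instana'                          # assumed display name of the trust
$SpMetadata = 'C:\temp\instana-sp-metadata.xml'  # assumed path of the METADATA DOWNLOAD file

# Rule 1 ("Send LDAP Attributes as Claims"): read the user's mail attribute from
# Active Directory and issue it as the E-Mail Address claim.
# Rule 2 ("Transform an Incoming Claim"): turn that claim into a Name ID whose
# format is Email, as the SAML standard expects.
# Order matters: rule 2 only works because rule 1 issued the email claim first.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send email address as claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform email address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Create the trust from the Instana metadata (the wizard's "Select Data Source"
# step). On Windows Server 2016 and later a trust also needs an access control
# policy before anyone can sign in; "Permit everyone" is the built-in default
# the wizard offers (assumed to be appropriate here).
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataFile $SpMetadata `
    -AccessControlPolicyName 'Permit everyone'

# Attach both rules; they are applied in the order they appear in the string.
Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $IssuanceRules

# Verify the resulting rule set and order before handing the IdP metadata to Instana.
(Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceTransformRules
```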

That’s it for the Active Directory side of things.

Finish configuration in Instana

The only part left is to connect Instana with AD. We already uploaded the Service Provider Metadata from Instana to AD.

Now we need to provide the IdP-Metadata from AD to Instana.

To do this, first download the metadata file: in a browser navigate to https://<ADHOSTNAME>/FederationMetadata/2007-06/FederationMetadata.xml, replacing <ADHOSTNAME> with the name of the machine AD is running on.

Store the downloaded file locally and open the Instana SAML configuration dialog.

Select Click here to select IDP-Metadata-File, upload the file, and afterwards hit ACTIVATE.

That’s it, Instana will now be accessible via SAML.