Onelogin

About

Onelogin does not support setting up SAML applications automatically by uploading the Service Provider metadata. This short tutorial guides you through the steps needed to integrate Instana with Onelogin as a SAML app.

Prerequisites

  • You will require administrator privileges in Onelogin.
  • Open the SAML configuration page in Instana, as you will be copying and pasting values between it and Onelogin (see Option 2: Manual Setup in the dialog).

SAML

Creating the SAML app in Onelogin

First, go to the application perspective in Onelogin by selecting it from the menu bar, then click the Add App button on the right.

Now search for SAML and select SAML Test Connector (IdP w/ attr w/sign response).

After selecting the template, you are shown a screen where you can enter the name of your application. You are free to pick any name and image, since these values have no impact on the actual SAML login flow. When you are done, click Configuration to start the actual SAML configuration.

This screen contains all the fields required to interact with Instana. Copy the values from the Instana SAML configuration page into the corresponding fields, then click Save. Note: the .* in the ACS (Consumer) URL Validator is required.

Almost done. After saving, there is now an Instana SAML application in Onelogin. The only thing left to do is to transfer the IdP metadata from Onelogin to Instana.

To do so, open the More Actions dropdown and select SAML Metadata. Save the downloaded file and upload it on the Instana SAML configuration page.

Adding users to Instana

With SAML enabled, this is now the only way for your users to access Instana.

To give users access, the SAML app has to be assigned to them.

Use your regular flow to associate a given app with a user so they get access.

NOTE: Make sure that every user has an associated email address.

Each new user will receive the default role when first logging in.