On-Premises SAML

Creating key and cert for SAML

SAML requires a key to sign/validate messages exchanged with the IDP. The key MUST be encrypted. Unencrypted keys won’t be accepted.

  • create the key

    openssl genrsa -aes128 -out saml_key.pem 2048

  • create the cert

    openssl req -new -x509 -key saml_key.pem -out saml_cert.pem -days 365

  • combine them into one PEM

    cat saml_key.pem saml_cert.pem > saml_key_cert.pem

Make sure to store the saml_key.pem in a safe location.

Adjust settings.yaml

Copy saml_key_cert.pem to your Instana on-premises host and make sure the instana-butler user can read the file. Then set pathToKeyCertPem and keyPassword in settings.yaml and run instana-configure afterwards. baseUrl should be left at its default value of '/auth'; a different value is only required in very specific cases.

    # Configure SAML
    saml:
      baseUrl: '/auth'
      pathToKeyCertPem: '<insert full path to saml_key_cert.pem>'
      keyPassword: '<insert password for the key>'

After that you can log in to Instana in your browser, go to “Management Portal” -> “Tenant Authentication” and follow the steps described in the UI.

Replacing the certificate

The certificate created above has a lifetime of 365 days, after which you will have to provide a new one.

To do so:

  • use the saml_key.pem you created before

  • create the cert

    openssl req -new -x509 -key saml_key.pem -out saml_cert.pem -days 365

  • combine them into one PEM

    cat saml_key.pem saml_cert.pem > saml_key_cert.pem

Copy the resulting saml_key_cert.pem to the path configured in pathToKeyCertPem and restart butler.
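The following script is an added example, not part of Instana's documentation or tooling. It wraps both procedures on this page (creating the key and certificate, and re-issuing the certificate with the existing key) and adds the checks worth running before the combined PEM is copied to the server: that the key is actually encrypted (butler rejects unencrypted keys), that the file holds exactly one key and one certificate, that the key and certificate belong together, and that the certificate is not about to hit the end of its 365-day lifetime. The function names, the KEY/CERT/COMBINED variables and the 30-day renewal threshold are this example's own assumptions; openssl prompts for the passphrase interactively, as in the steps above.

```shell
#!/bin/sh
# Added example (not Instana's own script): generate or renew the SAML
# key/cert pair and verify the combined PEM before deploying it.
set -eu

KEY=${KEY:-saml_key.pem}
CERT=${CERT:-saml_cert.pem}
COMBINED=${COMBINED:-saml_key_cert.pem}

# Return 0 if the PEM file holds an encrypted private key. `openssl genrsa
# -aes128` writes the traditional PKCS#1 form with a "Proc-Type: 4,ENCRYPTED"
# header; the PKCS#8 form uses a distinct "BEGIN ENCRYPTED PRIVATE KEY"
# banner. Both count as encrypted here.
pem_key_is_encrypted() {
  if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
    return 0
  fi
  grep -q 'BEGIN RSA PRIVATE KEY' "$1" && grep -q 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Return 0 if the combined PEM contains exactly one private key and exactly
# one certificate, i.e. the `cat key cert` step produced what is expected.
pem_has_key_and_cert() {
  keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$1" || true)
  certs=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
  [ "$keys" -eq 1 ] && [ "$certs" -eq 1 ]
}

# Re-issue the certificate with the existing key and rebuild the combined
# PEM (the "Replacing the certificate" procedure).
renew_saml_cert() {
  openssl req -new -x509 -key "$KEY" -out "$CERT" -days 365
  cat "$KEY" "$CERT" > "$COMBINED"
  chmod 600 "$COMBINED"
}

# Generate a fresh encrypted key, then issue the certificate and combine.
create_saml_key_cert() {
  openssl genrsa -aes128 -out "$KEY" 2048
  chmod 600 "$KEY"
  renew_saml_cert
}

# Verify a combined PEM: encrypted key, one key plus one cert, key matches
# the cert's public key, and more than 30 days (2592000 s, this example's
# threshold) of validity left. Prints the expiry date on success.
check_saml_pem() {
  pem=$1
  pem_key_is_encrypted "$pem" || { echo "key in $pem is not encrypted"; return 1; }
  pem_has_key_and_cert "$pem" || { echo "$pem must hold one key and one cert"; return 1; }
  key_pub=$(openssl pkey -in "$pem" -pubout)
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey)
  [ "$key_pub" = "$cert_pub" ] || { echo "key and certificate do not match"; return 1; }
  openssl x509 -in "$pem" -noout -checkend 2592000 \
    || { echo "certificate expires within 30 days; renew it"; return 1; }
  openssl x509 -in "$pem" -noout -enddate
}

case "${1:-}" in
  create) create_saml_key_cert && check_saml_pem "$COMBINED" ;;
  renew)  renew_saml_cert && check_saml_pem "$COMBINED" ;;
  check)  check_saml_pem "${2:-$COMBINED}" ;;
  *)      echo "usage: $0 create|renew|check [file]" ;;
esac
```

Run `sh saml_pem.sh create` once, `sh saml_pem.sh renew` when the certificate approaches expiry, and `sh saml_pem.sh check` on the file you are about to copy; the check is also a cheap thing to run from a cron job against the deployed file so that the 365-day expiry does not arrive unannounced.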

For more information, head over to our docs on SAML authentication and authorization.