On-Premises SAML

Creating key and cert for SAML

SAML requires a private key and a certificate to sign and validate the messages exchanged with the IdP: the private key signs what Instana sends, and the IdP checks those signatures against the certificate. The private key MUST be passphrase-encrypted; butler does not accept an unencrypted key.

  • create the key (openssl prompts for a passphrase; this is the value you later enter as cert.key in settings.hcl)

    openssl genrsa -aes128 -out saml_key.pem 2048

  • create the cert

    openssl req -new -x509 -key saml_key.pem -out saml_cert.pem -days 365

  • combine them into one PEM

    cat saml_key.pem saml_cert.pem > saml_key_cert.pem

Store saml_key.pem in a safe location with restrictive permissions (for example mode 0600). You need it again when the certificate is renewed, and anyone who obtains both the file and its passphrase can sign SAML messages as your Instana installation.

Adjust settings.hcl

Copy saml_key_cert.pem to your Instana on-premises box and make sure the instana-butler user can read the file. In settings.hcl set cert.crt to the full path of that file and cert.key to the passphrase of the private key (a passphrase, not a path), then run instana update. Since the passphrase is stored in clear text, restrict the permissions on settings.hcl as well.

base_url must be set to /auth by default; a different value is only required in specific cases.

    saml {
      base_url = "/auth"
      cert {
        crt   = "<Enter-full-path-to-saml_key_cert.pem>"
        key   = "<Enter-password-for-the-key>"
      }
    }

Sign in to Instana, select “Management Portal” -> “Tenant Authentication” and follow the steps described in the UI.

Replacing the certificate

The certificate created above is valid for 365 days, after which you will have to provide a new one. Track the expiry date (openssl x509 -noout -enddate shows it) and renew before it lapses. If your IdP holds a copy of the certificate to verify Instana's signatures, give it the new certificate as well.

To do so:

  • Locate the saml_key.pem you created before (openssl will prompt for its passphrase). The key itself is kept; only the certificate is reissued.

  • create the cert

    openssl req -new -x509 -key saml_key.pem -out saml_cert.pem -days 365

  • combine them into one PEM

    cat saml_key.pem saml_cert.pem > saml_key_cert.pem

Copy the resulting saml_key_cert.pem over the file configured as cert.crt in settings.hcl and restart butler. Since the private key is unchanged, cert.key keeps its value.
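The whole procedure, both the initial key and certificate creation above and the renewal just described, as an added shell script. This is not Instana's tooling and not taken from its docs; it uses the file names from this page, takes the passphrase from a variable named SAML_KEY_PASS (a name chosen for this example) so openssl does not prompt, and adds the checks worth running before the file goes to the Instana box: that the key really is passphrase-encrypted, that the certificate in the combined PEM matches the private key, and how much lifetime the certificate has left. All function names are my own.

```shell
#!/bin/sh
# Added example, not Instana's own tooling: create (or renew) the encrypted
# SAML signing key and self-signed certificate from this page and verify
# the combined PEM before it is copied to the Instana box.
# Assumptions: openssl is on PATH; the passphrase arrives in $SAML_KEY_PASS
# (a variable name chosen for this example) instead of an interactive prompt.
set -eu

# Issue a new 365-day self-signed certificate for the existing saml_key.pem in
# $1 and rebuild saml_key_cert.pem. Used for both first creation and renewal.
renew_saml_cert() {
    dir=$1; pass=$2; cn=$3
    openssl req -new -x509 -key "$dir/saml_key.pem" -passin "pass:$pass" \
        -subj "/CN=$cn" -days 365 -out "$dir/saml_cert.pem"
    cat "$dir/saml_key.pem" "$dir/saml_cert.pem" > "$dir/saml_key_cert.pem"
}

# First-time setup: encrypted 2048-bit RSA key, then certificate and combined PEM.
# Runs in a subshell so umask 077 (files created 0600) does not leak to the caller.
make_saml_keypair() (
    set -eu
    dir=$1; pass=$2; cn=$3
    umask 077
    openssl genrsa -aes128 -passout "pass:$pass" -out "$dir/saml_key.pem" 2048 2>/dev/null
    renew_saml_cert "$dir" "$pass" "$cn"
)

# True if the PEM holds a passphrase-protected key (butler rejects plaintext keys).
# Matches both the PKCS#8 header (OpenSSL 3) and the legacy Proc-Type header (OpenSSL 1.x).
key_is_encrypted() {
    grep -q -e 'ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# True if the certificate in the combined PEM belongs to the private key in it,
# i.e. both public keys are identical. Also fails on a wrong passphrase.
cert_matches_key() {
    pem=$1; pass=$2
    kpub=$(openssl pkey -in "$pem" -passin "pass:$pass" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# True if the certificate is still valid $2 seconds from now; use it to
# schedule the renewal described on this page before the 365 days run out.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Certificate serial number, to confirm that a renewal really produced a new cert.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Usage (assumed invocation):
#   SAML_KEY_PASS='changeme' sh saml_keypair.sh <outdir> <cn>          first setup
#   SAML_KEY_PASS='changeme' sh saml_keypair.sh <outdir> <cn> renew    reissue cert
if [ $# -ge 2 ]; then
    if [ "${3:-}" = renew ]; then
        renew_saml_cert "$1" "${SAML_KEY_PASS:?set SAML_KEY_PASS}" "$2"
    else
        make_saml_keypair "$1" "${SAML_KEY_PASS:?set SAML_KEY_PASS}" "$2"
    fi
    key_is_encrypted "$1/saml_key_cert.pem"
    cert_matches_key "$1/saml_key_cert.pem" "$SAML_KEY_PASS"
    echo "$1/saml_key_cert.pem ready, serial $(cert_serial "$1/saml_key_cert.pem")"
fi
```

The passphrase is passed with pass: only so the script runs unattended; on a real host prefer a file with 0600 permissions and -passin file:, since pass: exposes the value in the process list while openssl runs.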

For more information, head over to our docs on SAML authentication and authorization.