SAML authentication integration allows your Grafana users to log in by using an external SAML 2.0 Identity Provider (IdP). To enable this, Grafana becomes a Service Provider (SP) in the authentication flow, interacting with the IdP to exchange user information.
The SAML single-sign-on (SSO) standard is varied and flexible. Our implementation contains the subset of features needed to provide a smooth authentication experience into Grafana.
Only available in Grafana Enterprise v6.3+. If you encounter any problems with our implementation, please don’t hesitate to contact us.
Grafana supports the following SAML 2.0 bindings:
From the Service Provider (SP) to the Identity Provider (IdP):
From the Identity Provider (IdP) to the Service Provider (SP):
In terms of security:
- Grafana supports signed and encrypted assertions.
- Grafana does not support signed or encrypted requests.
In terms of initiation:
- Grafana supports SP-initiated requests.
- Grafana does not support IdP-initiated request.
Set up SAML authentication
The table below describes all SAML configuration options. Continue reading below for details on specific options. Like any other Grafana configuration, you can apply these options as environment variables.
||No||Whether SAML authentication is allowed||
||Yes||Base64-encoded string or Path for the SP X.509 certificate|
||Yes||Base64-encoded string or Path for the SP private key|
||Yes||Base64-encoded string, Path or URL for the IdP SAML metadata XML|
||No||Duration, since the IdP issued a response and the SP is allowed to process it||
||No||Duration, for how long the SP metadata is valid||
||No||Friendly name or name of the attribute within the SAML assertion to use as the user name||
||No||Friendly name or name of the attribute within the SAML assertion to use as the user login handle|
||No||Friendly name or name of the attribute within the SAML assertion to use as the user email|
||No||Friendly name or name of the attribute within the SAML assertion to use as the user groups|
||No||Friendly name or name of the attribute within the SAML assertion to use as the user roles|
||No||Friendly name or name of the attribute within the SAML assertion to use as the user organization|
||No||List of comma- or space-separated organizations. User should be a member of at least one organization to log in.|
||No||List of comma- or space-separated Organization:OrgId mappings|
||No||List of comma- or space-separated roles which will be mapped into the Editor role|
||No||List of comma- or space-separated roles which will be mapped into the Admin role|
||No||List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role|
Enable SAML authentication
To use the SAML integration, in the
auth.saml section of in the Grafana custom configuration file, set
Refer to Configuration for more information about configuring Grafana.
Certificate and private key
The SAML SSO standard uses asymmetric encryption to exchange information between the SP (Grafana) and the IdP. To perform such encryption, you need a public part and a private part. In this case, the X.509 certificate provides the public part, while the private key provides the private part.
Grafana supports two ways of specifying both the
- Without a suffix (
private_key), the configuration assumes you’ve supplied the base64-encoded file contents.
- With the
private_key_path), then Grafana treats the value entered as a file path and attempts to read the file from the file system.
You can only use one form of each configuration option. Using multiple forms, such as both
certificate_path, results in an error.
You also need to define the public part of the IdP for message verification. The SAML IdP metadata XML defines where and how Grafana exchanges user information.
Grafana supports three ways of specifying the IdP metadata.
- Without a suffix
idp_metadata, Grafana assumes base64-encoded XML file contents.
- With the
_pathsuffix, Grafana assumes a file path and attempts to read the file from the file system.
- With the
_urlsuffix, Grafana assumes a URL and attempts to load the metadata from the given location.
Maximum issue delay
Prevents SAML response replay attacks and internal clock skews between the SP (Grafana) and the IdP. You can set a maximum amount of time between the IdP issuing a response and the SP (Grafana) processing it.
The configuration options is specified as a duration, such as
max_issue_delay = 90s or
max_issue_delay = 1h.
Metadata valid duration
SP metadata is likely to expire at some point, perhaps due to a certificate rotation or change of location binding. Grafana allows you to specify for how long the metadata should be valid. Leveraging the
validUntil field, you can tell consumers until when your metadata is going to be valid. The duration is computed by adding the duration to the current time.
The configuration option is specified as a duration, such as
metadata_valid_duration = 48h.
Identity provider (IdP) registration
For the SAML integration to work correctly, you need to make the IdP aware of the SP.
The integration provides two key endpoints as part of Grafana:
/saml/metadataendpoint, which contains the SP metadata. You can either download and upload it manually, or youmake the IdP request it directly from the endpoint. Some providers name it Identifier or Entity ID.
/saml/acsendpoint, which is intended to receive the ACS (Assertion Customer Service) callback. Some providers name it SSO URL or Reply URL.
During the SAML SSO authentication flow, Grafana receives the ACS callback. The callback contains all the relevant information of the user under authentication embedded in the SAML response. Grafana parses the response to create (or update) the user within its internal database.
For Grafana to map the user information, it looks at the individual attributes within the assertion. You can think of these attributes as Key/Value pairs (although, they contain more information than that).
Grafana provides configuration options that let you modify which keys to look at for these values. The data we need to create the user in Grafana is Name, Login handle, and email.
An example is
assertion_attribute_name = "givenName" where Grafana looks within the assertion for an attribute with a friendly name or name of
givenName. Both, the friendly name (e.g.
givenName) or the name (e.g.
urn:oid:220.127.116.11) can be used interchangeably as the value for the configuration option.
Configure team sync
Team sync support for SAML only available in Grafana v7.0+
To use SAML Team sync, set
assertion_attribute_groups to the attribute name where you store user groups. Then Grafana will use attribute values extracted from SAML assertion to add user into the groups with the same name configured on the External group sync tab.
Configure role sync
Only available in Grafana v7.0+
- In the configuration file, set
assertion_attribute_roleoption to the attribute name where the role information will be extracted from.
- Set the
role_values_editoroption to the values mapped to the
- Set the
role_values_adminoption to the values mapped to the organization
- Set the
role_values_grafana_adminoption to the values mapped to the
If a user role doesn’t match any of configured values, then the
Viewer role will be assigned.
Refer to Organization roles for more information about roles and permissions in Grafana.
[auth.saml] assertion_attribute_role = role role_values_editor = editor, developer role_values_admin = admin, operator role_values_grafana_admin = superadmin
Important: When role sync is configured, any changes of user roles and organization membership made manually in Grafana will be overwritten on next user login. Assign user organizations and roles in the IdP instead.
Configure organization mapping
Only available in Grafana v7.0+
Organization mapping allows you to assign users to particular organization in Grafana depending on attribute value obtained from identity provider.
- In configuration file, set
assertion_attribute_orgto the attribute name you store organization info in.
org_mappingoption to the comma-separated list of
Organization:OrgIdpairs to map organization from IdP to Grafana organization specified by id.
For example, use following config to assign users from
Engineering organization to the Grafana organization with id
2 and users from
Sales - to the org with id
3, based on
Org assertion attribute value:
[auth.saml] assertion_attribute_org = Org org_mapping = Engineering:2, Sales:3
You can specify multiple organizations both for the IdP and Grafana:
org_mapping = Engineering:2, Sales:2to map users from
org_mapping = Engineering:2, Engineering:3to assign
Configure allowed organizations
Only available in Grafana v7.0+
allowed_organizations option you can specify a list of organizations where the user must be a member of at least one of them to be able to log in to Grafana.
Example SAML configuration
[auth.saml] enabled = true certificate_path = "/path/to/certificate.cert" private_key_path = "/path/to/private_key.pem" metadata_path = "/my/metadata.xml" max_issue_delay = 90s metadata_valid_duration = 48h assertion_attribute_name = displayName assertion_attribute_login = mail assertion_attribute_email = mail assertion_attribute_groups = Group assertion_attribute_role = Role assertion_attribute_org = Org role_values_editor = editor, developer role_values_admin = admin, operator role_values_grafana_admin = superadmin org_mapping = Engineering:2, Sales:3 allowed_organizations = Engineering, Sales
Set up SAML with Okta
This guide will follow you through the steps of configuring SAML authentication in Grafana with Okta. You need to be an admin in your Okta organization to access Admin Console and create SAML integration. You also need permissions to edit Grafana config file and restart Grafana server.
Configure the SAML integration in Okta
To configure SAML integration with Okta, create integration inside the Okta organization first.
- Log in to the Okta portal.
- Go to the Admin Console in your Okta organization by clicking Admin in the upper-right corner. If you are in the Developer Console, then click Developer Console in the upper-left corner and then click Classic UI to switch over to the Admin Console.
- In the Admin Console, navigate to Applications > Applications.
- Click Add Application.
- Click Create New App to start the Application Integration Wizard.
- Choose Web as a platform.
- Select SAML 2.0 in the Sign on method section.
- Click Create.
- On the General Settings tab, enter a name for your Grafana integration. You can also upload a logo.
- On the Configure SAML tab, enter the SAML information related to your Grafana instance:
In the Single sign on URL field, use the
/saml/acsendpoint URL of your Grafana instance, for example,
In the Audience URI (SP Entity ID) field, use the
/saml/metadataendpoint URL, for example,
Leave the default values for Name ID format and Application username.
In the ATTRIBUTE STATEMENTS (OPTIONAL) section, enter the SAML attributes to be shared with Grafana, for example:
Attribute name (in Grafana) Value (in Okta profile) Login
user.firstName + " " + user.lastName
In the GROUP ATTRIBUTE STATEMENTS (OPTIONAL) section, enter a group attribute name (for example,
Group) and set filter to
Matches regex .*to return all user groups.
- Click Next.
- On the final Feedback tab, fill out the form and then click Finish.
Edit SAML options in the Grafana config file
Once the application is created, configure Grafana to use it for SAML authentication. Refer to Configuration to get more information about how to configure Grafana.
- In the
[auth.saml]section in the Grafana configuration file, set
- Configure the certificate and private key.
- On the Okta application page where you have been redirected after application created, navigate to the Sign On tab and find Identity Provider metadata link in the Settings section.
- Set the
idp_metadata_urlto the URL obtained from the previous step. The URL should look like
- Set the following options to the attribute names configured at the step 10 of the SAML integration setup. You can find this attributes on the General tab of the application page (ATTRIBUTE STATEMENTS and GROUP ATTRIBUTE STATEMENTS in the SAML Settings section).
- Save the configuration file and and then restart the Grafana server.
When you are finished, the Grafana configuration might look like this example:
[server] root_url = https://grafana.example.com [auth.saml] enabled = true private_key_path = "/path/to/private_key.pem" certificate_path = "/path/to/certificate.cert" idp_metadata_url = "https://my-org.okta.com/app/my-application/sso/saml/metadata" assertion_attribute_name = DisplayName assertion_attribute_login = Login assertion_attribute_email = Email assertion_attribute_groups = Group
Troubleshoot SAML authentication
To troubleshoot and get more log information, enable SAML debug logging in the configuration file. Refer to Configuration for more information.
[log] filters = saml.auth:debug