--- title: "Troubleshoot SAML configuration | Grafana documentation" description: "Learn how to configure SAML authentication in Grafana's UI." --- [Documentation](/docs/)![breadcrumb arrow](/static/assets/img/icons/grafana-icon-breadcrumb-arrow-gray.svg) [Grafana documentation](/docs/grafana/latest/)![breadcrumb arrow](/static/assets/img/icons/grafana-icon-breadcrumb-arrow-gray.svg) [Set up](/docs/grafana/latest/setup-grafana/)![breadcrumb arrow](/static/assets/img/icons/grafana-icon-breadcrumb-arrow-gray.svg) [Configure access management](/docs/grafana/latest/setup-grafana/configure-access/)![breadcrumb arrow](/static/assets/img/icons/grafana-icon-breadcrumb-arrow-gray.svg) [Configure authentication](/docs/grafana/latest/setup-grafana/configure-access/configure-authentication/)![breadcrumb arrow](/static/assets/img/icons/grafana-icon-breadcrumb-arrow-gray.svg) [SAML](/docs/grafana/latest/setup-grafana/configure-access/configure-authentication/saml/)![breadcrumb arrow](/static/assets/img/icons/grafana-icon-breadcrumb-arrow-gray.svg) Troubleshooting Grafana Cloud Enterprise ## Troubleshooting Following are common issues found in configuring SAML authentication in Grafana and how to resolve them. ### Troubleshoot SAML authentication in Grafana To troubleshoot and get more log information, enable SAML debug logging in the configuration file. Refer to [Configuration](/docs/grafana/latest/setup-grafana/configure-grafana/#filters) for more information. ini ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```ini [log] filters = saml.auth:debug ``` ### Infinite redirect loop / User gets redirected to the login page after successful login on the IdP side If you experience an infinite redirect loop when `auto_login = true` or redirected to the login page after successful login, it is likely that the `grafana_session` cookie’s SameSite setting is set to `Strict`. This setting prevents the `grafana_session` cookie from being sent to Grafana during cross-site requests. To resolve this issue, set the `security.cookie_samesite` option to `Lax` in the Grafana configuration file. ### SAML authentication fails with error: - `asn1: structure error: tags don't match` We only support one private key format: PKCS#8. The keys may be in a different format (PKCS#1 or PKCS#12); in that case, it may be necessary to convert the private key format. The following command creates a pkcs8 key file. Bash ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```bash openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes ``` #### **Convert** the private key format to base64 The following command converts keys to base64 format. Base64-encode the cert.pem and key.pem files: (-w0 switch is not needed on Mac, only for Linux) sh ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```sh $ base64 -w0 key.pem > key.pem.base64 $ base64 -w0 cert.pem > cert.pem.base64 ``` The base64-encoded values (`key.pem.base64, cert.pem.base64` files) are then used for certificate and `private_key`. The keys you provide should look like: ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```none -----BEGIN PRIVATE KEY----- ... ... -----END PRIVATE KEY----- ``` ### SAML login attempts fail with request response `origin not allowed` When the user logs in using SAML and gets presented with `origin not allowed`, the user might be issuing the login from an IdP (identity provider) service or the user is behind a reverse proxy. This potentially happens as the CSRF checks in Grafana deem the requests to be invalid. For more information [CSRF](https://owasp.org/www-community/attacks/csrf). To solve this issue, you can configure either the [`csrf_trusted_origins`](/docs/grafana/latest/setup-grafana/configure-grafana/#csrf_trusted_origins) or [`csrf_additional_headers`](/docs/grafana/latest/setup-grafana/configure-grafana/#csrf_additional_headers) option in the SAML configuration. Example of a configuration file: ini ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```ini # config.ini ... [security] csrf_trusted_origins = https://grafana.example.com csrf_additional_headers = X-Forwarded-Host ... ``` ### SAML login attempts fail with request response “login session has expired” Accessing the Grafana login page from a URL that is not the root URL of the Grafana server can cause the instance to return the following error: “login session has expired”. If you are accessing Grafana through a proxy server, ensure that cookies are correctly rewritten to the root URL of Grafana. Cookies must be set on the same URL as the `root_url` of Grafana. This is normally the reverse proxy’s domain/address. Review the cookie settings in your proxy server configuration to ensure that cookies are not being discarded Review the following settings in your Grafana configuration: ini ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```ini [security] cookie_samesite = lax ``` This setting should be set to `lax` to allow Grafana session cookies to work correctly with redirects. ini ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```ini [security] cookie_secure = true ``` For enhanced security, set `cookie_secure` to `true`, which forces cookies to be sent only via HTTPS. ### Troubleshoot Graph API calls When setting up SAML authentication with Entra ID, you may encounter issues with Graph API calls. This can happen if the Entra ID application is not properly configured to allow Graph API access. To help in the troubleshooting process, test the Graph API calls using the following commands: Bash ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```bash curl -X POST "{token_url}" \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "grant_type=client_credentials&client_id={client_id}&client_secret={client_secret}&scope=https://graph.microsoft.com/.default" ``` Where the following values come from your [SAML configuration](../saml-configuration-options/_index.md#saml-configuration-options): - `token_url`: The token URL of your Entra ID application. - `client_id`: The client ID of your Entra ID application. - `client_secret`: The client secret of your Entra ID application. The response should look like: JSON ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```json { "access_token": "...ACCESS_TOKEN...", "token_type": "Bearer", "expires_in": 3600 } ``` Use the `access_token` to test the Graph API calls. Bash ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```bash curl -X GET "https://graph.microsoft.com/v1.0/groups" \ -H "Authorization: Bearer ${access_token}" \ -H "Content-Type: application/json" ``` The response should look like: JSON ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```json { "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(Edm.String)", "value": ["29f2e7c8-9b9d-443c-bc62-7d8cdcfcfe59", "f0224e82-0eb8-4eda-8979-0c36e98deb00"] } ``` If the second call fails due to 401 or 403, you may need to check the Entra ID application settings to ensure that Graph API access is enabled.