Configure team sync for SAML
Note
Available in Grafana Enterprise and to customers on select Grafana Cloud plans. For pricing information, visit pricing or contact our sales team.
To use SAML Team sync, set assertion_attribute_groups to the attribute name where you store user groups. Grafana then uses the attribute values extracted from the SAML assertion to add the user to the teams that have a group with the same name configured on the External group sync tab.
Warning
Grafana requires the SAML groups attribute to be configured with distinct AttributeValue elements for each group. Do not include multiple groups within a single AttributeValue delimited by a comma or any other character. Failure to do so will prevent correct group parsing. Example:
<saml2:Attribute ...>
  <saml2:AttributeValue ...>admins_group</saml2:AttributeValue>
  <saml2:AttributeValue ...>division_1</saml2:AttributeValue>
</saml2:Attribute>
Note
Team Sync allows you to sync users from SAML to Grafana teams. It does not automatically create teams in Grafana. You need to create teams in Grafana before you can use this feature.
Given the following partial SAML assertion:
<saml2:Attribute
  Name="groups"
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:type="xs:string">admins_group
  </saml2:AttributeValue>
  <saml2:AttributeValue
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:type="xs:string">division_1
  </saml2:AttributeValue>
</saml2:Attribute>
The configuration would look like this:
[auth.saml]
# ...
assertion_attribute_groups = groups
The following External Group IDs would be valid for input in the desired team's External group sync tab:
admins_group
division_1
Configure role sync for SAML
Role sync allows you to map user roles from an identity provider to Grafana. To enable role sync, configure the role attribute and the possible values for the Editor, Admin, and Grafana Admin roles. For more information about user roles, refer to Roles and permissions.
- In the configuration file, set the assertion_attribute_role option to the attribute name from which the role information will be extracted.
- Set the role_values_none option to the values mapped to the None role.
- Set the role_values_viewer option to the values mapped to the Viewer role.
- Set the role_values_editor option to the values mapped to the Editor role.
- Set the role_values_admin option to the values mapped to the organization Admin role.
- Set the role_values_grafana_admin option to the values mapped to the Grafana Admin role.
If a user's role value doesn't match any of the configured values, the role specified by the auto_assign_org_role configuration option is assigned. If auto_assign_org_role is not set, the user role defaults to Viewer.
For more information about roles and permissions in Grafana, refer to Roles and permissions.
Example configuration:
[auth.saml]
assertion_attribute_role = role
role_values_none = none
role_values_viewer = external
role_values_editor = editor, developer
role_values_admin = admin, operator
role_values_grafana_admin = superadmin
Important: When role sync is configured, any changes to user roles and organization membership made manually in Grafana will be overwritten on the next user login. Assign user organizations and roles in the IdP instead.
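The following Python script is an added example, not Grafana's own code, that models how the team sync and role sync settings above consume a SAML attribute statement. It parses a constructed assertion fragment, shows why the warning about distinct AttributeValue elements matters (a comma-delimited single value matches no team), and resolves an org role from the role_values_* lists with the auto_assign_org_role and Viewer fallbacks described above. The team names, the "finance" external group ID, the GrafanaAdmin label and the most-privileged-match rule are assumptions of this example; the page does not state how Grafana breaks ties when several role values match.

```python
# Added example (not Grafana's code): models team sync and role sync over a
# SAML attribute statement using the [auth.saml] options from this page.
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment: two distinct AttributeValue elements for
# "groups" (the correct shape) plus a single "role" attribute.
GOOD_ASSERTION = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="groups">
    <saml2:AttributeValue>admins_group</saml2:AttributeValue>
    <saml2:AttributeValue>division_1</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="role">
    <saml2:AttributeValue>operator</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

# Constructed anti-pattern from the warning: both groups crammed into one value.
BAD_ASSERTION = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="groups">
    <saml2:AttributeValue>admins_group,division_1</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

# The page's [auth.saml] example values, as a dict instead of an INI file.
CONFIG = {
    "assertion_attribute_groups": "groups",
    "assertion_attribute_role": "role",
    "role_values_none": "none",
    "role_values_viewer": "external",
    "role_values_editor": "editor, developer",
    "role_values_admin": "admin, operator",
    "role_values_grafana_admin": "superadmin",
    "auto_assign_org_role": "",  # unset, so the fallback is Viewer
}


def attribute_values(assertion_xml: str, name: str) -> list[str]:
    """Return the text of each distinct AttributeValue under the named Attribute.
    Surrounding whitespace is stripped (the page's sample wraps values across
    lines) but values are never split on commas: one element, one value."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml2:Attribute", SAML_NS):
        if attr.get("Name") != name:
            continue
        for val in attr.findall("saml2:AttributeValue", SAML_NS):
            values.append((val.text or "").strip())
    return values


def split_config_list(raw: str) -> list[str]:
    """role_values_* options are comma-separated lists in the INI file."""
    return [v.strip() for v in raw.split(",") if v.strip()]


def synced_teams(assertion_xml: str, config: dict, team_external_ids: dict) -> list[str]:
    """Team sync: the user joins every team whose External Group ID equals one
    of the group attribute values exactly (case-sensitive, no substring match)."""
    groups = set(attribute_values(assertion_xml, config["assertion_attribute_groups"]))
    return [team for team, ext_id in team_external_ids.items() if ext_id in groups]


# Least to most privileged. "GrafanaAdmin" is this example's label for the
# server-level Grafana Admin role mapped by role_values_grafana_admin.
ROLE_ORDER = ["None", "Viewer", "Editor", "Admin", "GrafanaAdmin"]


def synced_role(assertion_xml: str, config: dict) -> str:
    """Role sync as described on this page: match role attribute values against
    the role_values_* lists; otherwise fall back to auto_assign_org_role, and
    to Viewer if that is unset. Assumption of this example (not stated on the
    page): when several values match, the most privileged role wins."""
    values = attribute_values(assertion_xml, config["assertion_attribute_role"])
    mapping = {
        "None": split_config_list(config["role_values_none"]),
        "Viewer": split_config_list(config["role_values_viewer"]),
        "Editor": split_config_list(config["role_values_editor"]),
        "Admin": split_config_list(config["role_values_admin"]),
        "GrafanaAdmin": split_config_list(config["role_values_grafana_admin"]),
    }
    matched = [role for role in ROLE_ORDER if any(v in mapping[role] for v in values)]
    if matched:
        return matched[-1]
    return config.get("auto_assign_org_role") or "Viewer"


if __name__ == "__main__":
    # Constructed team table: Grafana team name -> External Group ID.
    teams = {"Platform Admins": "admins_group", "Division 1": "division_1", "Finance": "finance"}
    print(attribute_values(GOOD_ASSERTION, "groups"))  # ['admins_group', 'division_1']
    print(synced_teams(GOOD_ASSERTION, CONFIG, teams))  # ['Platform Admins', 'Division 1']
    print(attribute_values(BAD_ASSERTION, "groups"))    # ['admins_group,division_1']
    print(synced_teams(BAD_ASSERTION, CONFIG, teams))   # [] (no team matches the joined value)
    print(synced_role(GOOD_ASSERTION, CONFIG))          # Admin ("operator" is in role_values_admin)
```

Running the script shows the two outcomes side by side: the well-formed assertion joins both teams and receives Admin, while the comma-delimited assertion joins no team at all, which is exactly the parsing failure the warning describes.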
If you don’t want user organizations and roles to be synchronized with the IdP, you can use the skip_org_role_sync configuration option.
Example configuration:
[auth.saml]
skip_org_role_sync = true
Configure role sync with Okta
This section shows how to configure Okta to send group memberships in the SAML assertion, then use those groups to assign roles in Grafana.
Step 1: Configure Okta to send groups
In Okta Admin, go to Applications > Applications and open your Grafana SAML app.
Open the Sign On tab, then click Edit in the SAML 2.0 section.
Scroll to GROUP ATTRIBUTE STATEMENTS.
Add a group attribute with the following settings:
Click Save.
This configuration sends all Okta groups the user belongs to in the SAML assertion under the Group attribute.
Note
To send only specific groups, change the regular expression filter. For example, grafana-.* sends only groups starting with grafana-.
Step 2: Configure Grafana to map groups to roles
Use the group attribute for role assignment by setting assertion_attribute_role to your group attribute’s name:
[auth.saml]
# Use the Group attribute (sent from Okta) for role assignment
assertion_attribute_groups = Group
assertion_attribute_role = Group
# Map Okta group names to Grafana roles
role_values_admin = grafana-admins
role_values_editor = grafana-editors
role_values_viewer = grafana-viewers
With this configuration:
- Users in the grafana-admins Okta group receive the Admin role
- Users in the grafana-editors Okta group receive the Editor role
- Users in the grafana-viewers Okta group receive the Viewer role
- Users not matching any group receive the role specified by auto_assign_org_role (defaults to Viewer)
Note
Group names are case-sensitive. Ensure the group names in the Grafana configuration exactly match the Okta group names.
If you’re a Grafana Cloud user and want to configure SAML through the UI:
- Go to Administration > Authentication > Configure SAML.
- In the User mapping section, set:
  - Groups attribute: Group
  - Role attribute: Group
- In the Role mapping section, enter your Okta group names for each role.
- Click Save.