Configure SAML authentication

Configuring SAML authentication enables your users to sign in to Grafana Cloud using your organization’s identity provider. This eliminates the need for separate Grafana credentials and enables automated user provisioning based on group memberships.

This milestone configures SAML in the Grafana Cloud UI, which is a prerequisite for the Terraform-managed team sync you’ll configure in the next milestone.

To configure SAML authentication, complete the following steps:

  1. Sign in to your identity provider (OKTA is used in this example).

  2. Create a new SAML 2.0 application integration.

  3. Configure the SAML settings:

    • Set Single sign-on URL to https://<YOUR_STACK>.grafana.net/saml/acs
    • Set Audience URI to https://<YOUR_STACK>.grafana.net/saml/metadata

  4. Configure the attribute statements:

    • login → user.login
    • email → user.email
    • displayName → user.firstName

  5. Add a group attribute statement:

    • groups → Matches regex → .*

  6. Make sure your identity provider is correctly configured with the groups you want to use for access management. For this example, add the groups Finance, Marketing, and IT.

    • If you’re using OKTA, go to Directory > Groups and then click Add Group.
    • Assign the Grafana Cloud application to each group.
    • Refer to the OKTA documentation for more details.

  7. Copy the Metadata URL from your identity provider’s Sign On tab.

Next, in Grafana Cloud, navigate to Administration > Authentication > SAML.

  1. In the Display name field, enter your identity provider name. For example, enter OKTA.

  2. Paste the Metadata URL from your identity provider.

  3. Configure the assertion attribute mappings and role mapping with a least-privilege approach:

    • Set the default role for the Everyone group to None
    • Access rights will be granted through team sync

  4. Click Test and enable.

  5. Click Save and enable.

SAML authentication is configured and users can sign in using your identity provider.
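Before switching SAML on for everyone, it is worth confirming that the identity provider actually emits the four attribute statements configured above (login, email, displayName, groups), that the Audience matches your stack's metadata URL, and that the least-privilege mapping (Everyone → None, access only through the managed groups) yields what you expect. The following Python script is an added example, not part of the Grafana documentation and not Grafana's own SAML code: it parses a constructed sample assertion (the stack name example-stack, the issuer, the user values and the group list are all made up), reports missing attributes or an audience mismatch, and computes the effective access under the mapping described in this milestone.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used for all element lookups
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not real IdP output). Stack name, issuer,
# user values and group membership are placeholders for the example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-id" Version="2.0">
  <saml:Issuer>http://www.okta.com/EXAMPLE_ISSUER_PLACEHOLDER</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://example-stack.grafana.net/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="login"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The attribute statements configured in the identity provider (steps 4 and 5)
REQUIRED_ATTRIBUTES = ("login", "email", "displayName", "groups")

# The groups that team sync will map to Grafana teams (step 6)
MANAGED_GROUPS = {"Finance", "Marketing", "IT"}


def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def audience(assertion_xml):
    """Return the Audience value from the assertion's Conditions, or None if absent."""
    root = ET.fromstring(assertion_xml)
    el = root.find(".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    return el.text.strip() if el is not None and el.text else None


def check_assertion(assertion_xml, expected_audience):
    """List configuration problems: wrong audience or missing/empty required attributes."""
    problems = []
    aud = audience(assertion_xml)
    if aud != expected_audience:
        problems.append(f"audience mismatch: got {aud!r}, expected {expected_audience!r}")
    attrs = parse_attributes(assertion_xml)
    for name in REQUIRED_ATTRIBUTES:
        if not any(attrs.get(name, [])):
            problems.append(f"missing attribute statement: {name}")
    return problems


def effective_access(attrs):
    """Apply the least-privilege mapping from this milestone:
    the Everyone group grants no org role, and access comes only from managed groups."""
    groups = set(attrs.get("groups", []))
    return {
        "org_role": "None",
        "teams": sorted(groups & MANAGED_GROUPS),
        "ignored_groups": sorted(groups - MANAGED_GROUPS),
    }


if __name__ == "__main__":
    expected = "https://example-stack.grafana.net/saml/metadata"
    print("problems:", check_assertion(SAMPLE_ASSERTION, expected))
    print("access:", effective_access(parse_attributes(SAMPLE_ASSERTION)))
```

Run it against an assertion captured from a test sign-in to see which attribute names the IdP really sends; a group such as Everyone that is not in the managed set shows up under ignored_groups, which is the intended outcome of setting the Everyone role to None.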

In the next milestone, you’ll create teams with external group synchronization using Terraform.
