---
title: "Configure SAML authentication | Grafana Labs"
description: "Set up SAML single sign-on with your identity provider to enable automated user access."
---

# Configure SAML authentication

Configuring SAML authentication enables your users to sign in to Grafana Cloud using your organization’s identity provider. This eliminates the need for separate Grafana credentials and enables automated user provisioning based on group memberships.

This milestone configures SAML in the Grafana Cloud UI, which is a prerequisite for the Terraform-managed team sync you’ll configure in the next milestone.

To configure SAML authentication, complete the following steps:

1. Sign in to your identity provider (OKTA is used in this example).
2. Create a new SAML 2.0 application integration.
3. Configure the SAML settings:
   
   - Set **Single sign-on URL** to `https://<YOUR_STACK>.grafana.net/saml/acs`
   - Set **Audience URI** to `https://<YOUR_STACK>.grafana.net/saml/metadata`
4. Configure the attribute statements:
   
   - `login` → `user.login`
   - `email` → `user.email`
   - `displayName` → `user.firstName`
5. Add a group attribute statement:
   
   - `groups` → Matches regex → `.*`
6. Make sure your identity provider is correctly configured with the groups you want to use for access management. For this example, add the groups Finance, Marketing, and IT.
   
   - If you’re using OKTA, go to **Directory** > **Groups** and then click on **Add Group**.
   - Assign the **Grafana Cloud** application to each group.
   - Refer to the OKTA documentation for more details.
7. Copy the **Metadata URL** from your identity provider’s Sign On tab.

Next, in Grafana Cloud, navigate to **Administration** > **Authentication** > **SAML**.

1. In the **Display name** field, enter your identity provider name. For example, enter `OKTA`.
2. Paste the Metadata URL from your identity provider.
3. Configure the assertion attribute mappings and role mapping with a least privilege approach:
   
   - Set the default role for the `Everyone` group to `None`
   - Access rights will be granted through team sync
4. Click **Test and enable**.
5. Click **Save and enable**.

SAML authentication is configured and users can sign in using your identity provider.
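
To confirm that the identity provider sends what the steps above configure, you can inspect the assertion from a test sign-in. The following is an added example, not part of the Grafana documentation or product: it assumes a stack named `examplestack` and an assertion you captured and base64-decoded yourself (the embedded sample is constructed). It checks the Audience and ACS URLs, the four attribute names, and whether the `.*` group filter releases groups beyond Finance, Marketing, and IT. It does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = ("login", "email", "displayName", "groups")  # names from the attribute statements
EXPECTED_GROUPS = {"Finance", "Marketing", "IT"}              # groups used in this example
# Constructed sample assertion (assumed stack name "examplestack"); displayName is left out on purpose.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="https://examplestack.grafana.net/saml/acs"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://examplestack.grafana.net/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="login"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>Finance</saml:AttributeValue><saml:AttributeValue>Payroll-Admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, stack):
    """Return findings for one decoded assertion; an empty list means it matches the steps above."""
    base = f"https://{stack}.grafana.net/saml"
    # Only parse assertions from your own test sign-in; this is not a validator for untrusted input.
    root = ET.fromstring(xml_text)
    findings = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if f"{base}/metadata" not in audiences:
        findings.append(f"audience {audiences} does not include {base}/metadata")
    recipients = [c.get("Recipient") for c in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if f"{base}/acs" not in recipients:
        findings.append(f"recipient {recipients} does not include {base}/acs")
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            findings.append(f"attribute '{name}' missing or empty")
    # The `.*` filter sends every group the user belongs to, not only the ones you plan to sync.
    extra = sorted(set(attrs.get("groups", [])) - EXPECTED_GROUPS)
    if extra:
        findings.append(f"groups filter released unexpected groups: {extra}")
    return findings

if __name__ == "__main__":
    for finding in check_assertion(SAMPLE, "examplestack"):
        print("FINDING:", finding)
```

If the check reports unexpected groups, consider narrowing the group attribute regex in your identity provider so that only the groups intended for team sync are sent.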

In the next milestone, you’ll create teams with external group synchronization using Terraform.
