SAML: Allow disabling of SAML signups (#47481)

* Add new error message for signup not allowed errors * Add documentation on new SAML signup option * Accept documentation feedback Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com> * Accept documentation feedback Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com> * run prettier:write Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
2025-02-25 18:55:37 -06:00 · 2022-04-08 18:47:07 -04:00 · 2022-04-08 18:47:07 -04:00 · 4318ffdd46
commit 4318ffdd46
parent 99bb6ebd2b
3 changed files with 7 additions and 1 deletions
--- a/docs/sources/enterprise/saml.md
+++ b/docs/sources/enterprise/saml.md
@ -46,6 +46,7 @@ The table below describes all SAML configuration options. Continue reading below
 | ---------------------------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
 | `enabled`                                                  | No       | Whether SAML authentication is allowed                                                                                                                                                              | `false`       |
 | `single_logout`                                            | No       | Whether SAML Single Logout enabled                                                                                                                                                                  | `false`       |
+| `allow_sign_up`                                            | No       | Whether to allow new Grafana user creation through SAML login. If set to `false`, then only existing Grafana users can log in with SAML.                                                            | `true`        |
 | `allow_idp_initiated`                                      | No       | Whether SAML IdP-initiated login is allowed                                                                                                                                                         | `false`       |
 | `certificate` or `certificate_path`                        | Yes      | Base64-encoded string or Path for the SP X.509 certificate                                                                                                                                          |               |
 | `private_key` or `private_key_path`                        | Yes      | Base64-encoded string or Path for the SP private key                                                                                                                                                |               |
@ -142,6 +143,10 @@ For Grafana to map the user information, it looks at the individual attributes w

 Grafana provides configuration options that let you modify which keys to look at for these values. The data we need to create the user in Grafana is Name, Login handle, and email.

+### Allow new user signups
+
+By default, new Grafana users using SAML authentication will have an account created for them automatically. To decouple authentication and account creation and ensure only users with existing accounts can log in with SAML, set the `allow_sign_up` option to false.
+
 ### Configure team sync

 > Team sync support for SAML only available in Grafana v7.0+
--- a/pkg/services/login/login.go
+++ b/pkg/services/login/login.go
@ -11,6 +11,7 @@ var (
 	ErrInvalidCredentials = errors.New("invalid username or password")
 	ErrUsersQuotaReached  = errors.New("users quota reached")
 	ErrGettingUserQuota   = errors.New("error getting user quota")
+	ErrSignupNotAllowed   = errors.New("system administrator has disabled signup")
 )

 type TeamSyncFunc func(user *models.User, externalUser *models.ExternalUserInfo) error
--- a/pkg/services/login/loginservice/loginservice.go
+++ b/pkg/services/login/loginservice/loginservice.go
@ -56,7 +56,7 @@ func (ls *Implementation) UpsertUser(ctx context.Context, cmd *models.UpsertUser
 		}
 		if !cmd.SignupAllowed {
 			cmd.ReqContext.Logger.Warn("Not allowing login, user not found in internal user database and allow signup = false", "authmode", extUser.AuthModule)
-			return login.ErrInvalidCredentials
+			return login.ErrSignupNotAllowed
 		}

 		limitReached, err := ls.QuotaService.QuotaReached(cmd.ReqContext, "user")