17bd741fc0
* refactoring: saml docs * refactoring: relreferences * adding error as presented in issue * refactor: update sentence * refactor: more relref fixes that was missing * refactor: more relref fixes that was missing * Apply suggestions from code review Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * refactor: move saml with okta * fix: spell and small corrections * add: enterprise tag Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
2.3 KiB
| title | menuTitle | description | keywords | aliases | weight | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Enable SAML authentication in Grafana | Enable SAML authentication | This contains information to enable SAML authentication in Grafana |
|
|
30 |
Enable SAML authentication in Grafana
To use the SAML integration, in the auth.saml section of in the Grafana custom configuration file, set enabled to true.
Refer to [Configuration]({{< relref "../../administration/configuration.md" >}}) for more information about configuring Grafana.
Certificate and private key
The SAML SSO standard uses asymmetric encryption to exchange information between the SP (Grafana) and the IdP. To perform such encryption, you need a public part and a private part. In this case, the X.509 certificate provides the public part, while the private key provides the private part. The private key needs to be issued in a PKCS#8 format.
Grafana supports two ways of specifying both the certificate and private_key.
- Without a suffix (
certificateorprivate_key), the configuration assumes you've supplied the base64-encoded file contents. - With the
_pathsuffix (certificate_pathorprivate_key_path), then Grafana treats the value entered as a file path and attempts to read the file from the file system.
Note: You can only use one form of each configuration option. Using multiple forms, such as both
certificateandcertificate_path, results in an error.
Example of how to generate SAML credentials:
An example of how to generate a self-signed certificate and private key that's valid for one year:
$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Base64-encode the cert.pem and key.pem files: (-w0 switch is not needed on Mac, only for Linux)
$ base64 -w0 key.pem > key.pem.base64
$ base64 -w0 cert.pem > cert.pem.base64
The base64-encoded values (key.pem.base64, cert.pem.base64 files) are then used for certificate and private_key.
The keys you provide should look like:
It should look like:
-----BEGIN PRIVATE KEY-----
...
...
-----END PRIVATE KEY-----
If you have a key that looks like:
-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE-----