grafana/docs/sources/enterprise/saml/set-up-saml-with-okta.md
Eric Leijonmarck d8d7b3ec9d refactoring: saml (#48114)
Co-authored-by: Vardan Torosyan <vardants@gmail.com>
2022-05-26 10:28:08 +02:00


---
aliases:
  - /docs/grafana/latest/enterprise/saml/set-up-saml-with-okta/
description: This is a guide to set up SAML authentication with Okta in Grafana
keywords:
  - grafana
  - saml
  - documentation
  - saml-auth
  - enterprise
menuTitle: SAML authentication with Okta
title: Set up SAML authentication with Okta in Grafana
weight: 30
---

# Set up SAML with Okta

Grafana supports user authentication through Okta, which is useful when you want your users to access Grafana using single sign-on. This guide walks you through configuring SAML authentication in Grafana with Okta. You need to be an admin in your Okta organization to access the Admin Console and create a SAML integration. You also need permission to edit the Grafana configuration file and restart the Grafana server.

## Before you begin

  • To configure SAML integration with Okta, create the integration inside your Okta organization first. The steps below cover adding the integration in Okta.
  • Ensure you have permission to administer SAML authentication. For more information about permissions, refer to [About users and permissions]({{< relref "../../administration/manage-users-and-permissions/about-users-and-permissions.md#" >}}).

To set up SAML with Okta:

  1. Log in to the Okta portal.

  2. Go to the Admin Console in your Okta organization by clicking Admin in the upper-right corner. If you are in the Developer Console, click Developer Console in the upper-left corner and then click Classic UI to switch to the Admin Console.

  3. In the Admin Console, navigate to Applications > Applications.

  4. Click Add Application.

  5. Click Create New App to start the Application Integration Wizard.

  6. Choose Web as a platform.

  7. Select SAML 2.0 in the Sign on method section.

  8. Click Create.

  9. On the General Settings tab, enter a name for your Grafana integration. You can also upload a logo.

  10. On the Configure SAML tab, enter the SAML information related to your Grafana instance:

    • In the Single sign on URL field, use the /saml/acs endpoint URL of your Grafana instance, for example, https://grafana.example.com/saml/acs.

    • In the Audience URI (SP Entity ID) field, use the /saml/metadata endpoint URL, for example, https://grafana.example.com/saml/metadata.

    • Leave the default values for Name ID format and Application username.

    • In the ATTRIBUTE STATEMENTS (OPTIONAL) section, enter the SAML attributes to be shared with Grafana, for example:

      | Attribute name (in Grafana) | Value (in Okta profile)              |
      | --------------------------- | ------------------------------------ |
      | Login                       | user.login                           |
      | Email                       | user.email                           |
      | DisplayName                 | user.firstName + " " + user.lastName |

    • In the GROUP ATTRIBUTE STATEMENTS (OPTIONAL) section, enter a group attribute name (for example, Group) and set the filter to Matches regex with the value .* to return all of the user's groups. This filter places every group the user belongs to in the assertion sent to Grafana; if you only want Grafana to receive the groups it actually uses, choose a narrower pattern (for example, ^grafana-.*).

  11. Click Next.

  12. On the final Feedback tab, fill out the form and then click Finish.

Then edit the SAML options for Okta in the Grafana configuration file:

  1. In the [auth.saml] section in the Grafana configuration file, set [enabled]({{< relref ".././enterprise-configuration.md#enabled" >}}) to true.
  2. Configure the [certificate and private key]({{< relref "#certificate-and-private-key" >}}).
  3. On the Okta application page (where you are redirected after the application is created), open the Sign On tab and find the Identity Provider metadata link in the Settings section.
  4. Set [idp_metadata_url]({{< relref ".././enterprise-configuration.md#idp-metadata-url" >}}) to the URL obtained in the previous step. The URL should look like https://<your-org-id>.okta.com/app/<application-id>/sso/saml/metadata. Grafana loads the Okta signing certificate it uses to validate assertions from this metadata, so the URL must use https.
  5. Set the following options to the attribute names you configured in step 10 of the Okta setup. You can find these attributes on the General tab of the application page (ATTRIBUTE STATEMENTS and GROUP ATTRIBUTE STATEMENTS in the SAML Settings section).
    • [assertion_attribute_login]({{< relref ".././enterprise-configuration.md#assertion-attribute-login" >}})
    • [assertion_attribute_email]({{< relref ".././enterprise-configuration.md#assertion-attribute-email" >}})
    • [assertion_attribute_name]({{< relref ".././enterprise-configuration.md#assertion-attribute-name" >}})
    • [assertion_attribute_groups]({{< relref ".././enterprise-configuration.md#assertion-attribute-groups" >}})
  6. Save the configuration file and then restart the Grafana server.

When you are finished, the Grafana configuration might look like this example:

```ini
[server]
root_url = https://grafana.example.com

[auth.saml]
enabled = true
private_key_path = "/path/to/private_key.pem"
certificate_path = "/path/to/certificate.cert"
idp_metadata_url = "https://my-org.okta.com/app/my-application/sso/saml/metadata"
assertion_attribute_name = DisplayName
assertion_attribute_login = Login
assertion_attribute_email = Email
assertion_attribute_groups = Group
```
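The most common failure after following these steps is a mismatch between the attribute names entered in Okta (step 10 of the Okta setup) and the `assertion_attribute_*` values in `[auth.saml]`: the login works but the user ends up with no email or no groups. The script below is an added example, not Grafana or Okta code. It reads a Grafana config (a constructed copy of the example above), derives the SP URLs that must be entered in Okta, checks that `idp_metadata_url` is an https Okta metadata URL, and then resolves a user from a constructed `AttributeStatement` of the shape Okta emits for the Login, Email, DisplayName and Group statements, reporting any configured attribute the assertion does not carry. The user values and group names are made up for the example.

```python
"""Check a Grafana [auth.saml] config against an Okta SAML assertion.

Added example, not Grafana or Okta code. Both inputs are constructed: the
INI text mirrors the example config on this page, and the assertion fragment
is a hand-written AttributeStatement shaped like what Okta sends for the
attribute statements configured in step 10 (Login, Email, DisplayName, Group).
"""
import configparser
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed Grafana config (same values as the page's example).
GRAFANA_INI = """\
[server]
root_url = https://grafana.example.com

[auth.saml]
enabled = true
private_key_path = "/path/to/private_key.pem"
certificate_path = "/path/to/certificate.cert"
idp_metadata_url = "https://my-org.okta.com/app/my-application/sso/saml/metadata"
assertion_attribute_name = DisplayName
assertion_attribute_login = Login
assertion_attribute_email = Email
assertion_attribute_groups = Group
"""

# Constructed assertion fragment: the attribute statements Okta emits for the
# names configured in step 10. Group is multi-valued (one value per group).
ASSERTION_XML = """\
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="Login"><saml2:AttributeValue>jdoe</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="Email"><saml2:AttributeValue>jdoe@example.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="DisplayName"><saml2:AttributeValue>Jane Doe</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="Group">
      <saml2:AttributeValue>Everyone</saml2:AttributeValue>
      <saml2:AttributeValue>grafana-editors</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def load_saml_config(ini_text):
    """Parse the [server] and [auth.saml] options this page cares about."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    saml = cp["auth.saml"]

    def val(section, key):
        # Grafana accepts quoted INI values; strip the quotes like Grafana does.
        return section.get(key, "").strip().strip('"')

    return {
        "root_url": val(cp["server"], "root_url"),
        "enabled": val(saml, "enabled").lower() == "true",
        "idp_metadata_url": val(saml, "idp_metadata_url"),
        "attrs": {
            "login": val(saml, "assertion_attribute_login"),
            "email": val(saml, "assertion_attribute_email"),
            "name": val(saml, "assertion_attribute_name"),
            "groups": val(saml, "assertion_attribute_groups"),
        },
    }


def expected_sp_urls(cfg):
    """The two URLs to enter in Okta's Configure SAML tab, derived from root_url."""
    base = cfg["root_url"].rstrip("/")
    return {"acs": base + "/saml/acs", "entity_id": base + "/saml/metadata"}


def check_config(cfg):
    """Return a list of configuration problems (empty when the config is sane)."""
    problems = []
    if not cfg["enabled"]:
        problems.append("[auth.saml] enabled is not true")
    if not cfg["root_url"].startswith("https://"):
        problems.append("root_url must be https; Okta posts the assertion to <root_url>/saml/acs")
    url = cfg["idp_metadata_url"]
    if not url.startswith("https://"):
        problems.append("idp_metadata_url must be https: the IdP signing certificate is trusted from it")
    if not re.search(r"/app/[^/]+/sso/saml/metadata$", url):
        problems.append("idp_metadata_url does not look like an Okta application metadata URL")
    return problems


def assertion_attributes(xml_text):
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(xml_text)
    out = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        out[attr.get("Name")] = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
    return out


def map_user(cfg, attrs):
    """Resolve the Grafana user from the assertion using the configured attribute names.

    Returns (user, problems). A missing login/email/name attribute is reported;
    a missing groups attribute just yields an empty group list, which is exactly
    the silent failure this check is meant to surface.
    """
    problems, user = [], {}
    for field in ("login", "email", "name"):
        name = cfg["attrs"][field]
        values = attrs.get(name, [])
        if not values:
            problems.append(f"assertion has no attribute {name!r} for {field}")
        user[field] = values[0] if values else None
    user["groups"] = attrs.get(cfg["attrs"]["groups"], [])
    return user, problems


if __name__ == "__main__":
    cfg = load_saml_config(GRAFANA_INI)
    for p in check_config(cfg):
        print("config:", p)
    print("SP URLs to enter in Okta:", expected_sp_urls(cfg))
    user, problems = map_user(cfg, assertion_attributes(ASSERTION_XML))
    for p in problems:
        print("assertion:", p)
    print("Grafana user:", user)
```

To use this against a real login, paste the decoded `AttributeStatement` from the SAML response (browser developer tools or a SAML tracer extension) in place of the constructed fragment and point the script at your own grafana.ini; if the group list comes back empty, the name in `assertion_attribute_groups` does not match the group attribute statement in Okta.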