
The SAML identity provider is currently in Preview mode.
Grafana is an open-source observability platform. Their enterprise version supports SAML authentication. This guide will help you configure Teleport as a SAML provider, and Grafana to accept the identities it provides.
Note that Teleport can act as an identity provider to any SAML-compatible service, not just those running behind the Teleport App Service.
Prerequisites
- An instance of Grafana Enterprise, with edit access to
grafana.ini
.- A trusted certificate authority to create TLS certificates/keys for the SAML connection.
-
A running Teleport Enterprise cluster, including the Auth Service and Proxy Service. For details on how to set this up, see our Enterprise Getting Started guide.
-
The Enterprise
tctl
admin tool andtsh
client tool version >= 12.1.1, which you can download by visiting the customer portal.tctl versionTeleport Enterprise v12.1.1 go1.19
tsh versionTeleport v12.1.1 go1.19
Please use the latest version of Teleport Enterprise documentation.
To connect to Teleport, log in to your cluster using tsh
, then use tctl
remotely:
tsh login --proxy=teleport.example.com [email protected]tctl statusCluster teleport.example.com
Version 12.1.1
CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
You can run subsequent tctl
commands in this guide on your local machine.
For full privileges, you can also run tctl
commands on your Auth Service host.
To connect to Teleport, log in to your cluster using tsh
, then use tctl
remotely:
tsh login --proxy=myinstance.teleport.sh [email protected]tctl statusCluster myinstance.teleport.sh
Version 12.1.2
CA pin sha256:sha-hash-here
You must run subsequent tctl
commands in this guide on your local machine.
Step 1/3. Configure a Teleport role with access to SAML service provider objects
First we need to ensure you are logged into Teleport as a user that has permissions
to read and modify saml_idp_service_provider
objects. The default editor
role
has access to this already, but in case you are using a more customized configuration,
create a role called sp-manager.yaml
with the following contents:
kind: role
version: v6
metadata:
name: sp-manager
spec:
allow:
rules:
- resources: [saml_idp_service_provider]
verbs: [list, create, read, update, delete]
Create it with tctl
:
tctl create sp-manager.yamlrole 'saml-idp-service-provider-manager' has been created
Assign the saml_idp_service_provider
role to your Teleport user by running the following
commands, depending on whether you authenticate as a local Teleport user or via
the github
, saml
, or oidc
authentication connectors:
Retrieve your local user's configuration resource:
tctl get users/$(tsh status -f json | jq -r '.active.username') > out.yaml
Edit out.yaml
, adding saml_idp_service_provider
to the list of existing roles:
roles:
- access
- auditor
- editor
+ - saml_idp_service_provider
Apply your changes:
tctl create -f out.yaml
Retrieve your github
configuration resource:
tctl get github/github --with-secrets > github.yaml
Edit github.yaml
, adding saml_idp_service_provider
to the
teams_to_roles
section. The team you will map to this role will depend on how
you have designed your organization's RBAC, but it should be the smallest team
possible within your organization. This team must also include your user.
Here is an example:
teams_to_roles:
- organization: octocats
team: admins
roles:
- access
+ - saml_idp_service_provider
Apply your changes:
tctl create -f github.yaml
Note the --with-secrets
flag in the tctl get
command. This adds the value of
spec.signing_key_pair.private_key
to saml.yaml
. This is a sensitive value,
so take precautions when creating this file and remove it after updating the resource.
Retrieve your saml
configuration resource:
tctl get --with-secrets saml/mysaml > saml.yaml
Edit saml.yaml
, adding saml_idp_service_provider
to the
attributes_to_roles
section. The attribute you will map to this role will
depend on how you have designed your organization's RBAC, but it should be the
smallest group possible within your organization. This group must also include
your user.
Here is an example:
attributes_to_roles:
- name: "groups"
value: "my-group"
roles:
- access
+ - saml_idp_service_provider
Apply your changes:
tctl create -f saml.yaml
Note the --with-secrets
flag in the tctl get
command. This adds the value of
spec.signing_key_pair.private_key
to saml.yaml
. This is a sensitive value,
so take precautions when creating this file and remove it after updating the resource.
Retrieve your oidc
configuration resource:
tctl get oidc/myoidc --with-secrets > oidc.yaml
Edit oidc.yaml
, adding saml_idp_service_provider
to the
claims_to_roles
section. The claim you will map to this role will depend on
how you have designed your organization's RBAC, but it should be the smallest
group possible within your organization. This group must also include your
user.
Here is an example:
claims_to_roles:
- name: "groups"
value: "my-group"
roles:
- access
+ - saml_idp_service_provider
Apply your changes:
tctl create -f saml.yaml
Note the --with-secrets
flag in the tctl get
command. This adds the value of
spec.signing_key_pair.private_key
to saml.yaml
. This is a sensitive value,
so take precautions when creating this file and remove it after updating the resource.
Log out of your Teleport cluster and log in again to assume the new role.
Step 2/3. Configure Grafana to recognize Teleport's identity provider
The first step in configuring Grafana for SSO is retrieving Teleport's
SAML identity provider metadata. You can obtain this metadata in XML format by
navigating to https://<proxy-address>/enterprise/saml-idp/metadata
. Save
it in an easy to remember file name like teleport-metadata.xml
.
Encode the metadata using base64
to provide to the Grafana config:
cat teleport-metadata.xml | base64
From the Grafana host, edit grafana.ini
by adding a [auth.saml]
section:
[auth.saml]
enabled = true
auto_login = false
private_key_path = '/path/to/certs/grafana-host-key.pem'
certificate_path = '/path/to/certs/grafana-host.pem'
idp_metadata = 'PEVudGl0eURl.....'
assertion_attribute_name = uid
assertion_attribute_login = uid
assertion_attribute_email = uid
assertion_attribute_groups = eduPersonAffiliation
Key | Value |
---|---|
enabled | Set to true to enable SAML authentication. |
auto_login | When set to true , enables auto-login using SAML. |
private_key_path | Path to the TLS key used to identify Grafana. |
certificate_path | Path to the TLS certificate used to identify Grafana. |
idp_metadata | The base64-encoded contents of the Teleport metadata XML file. |
assertion_* | Various Grafana user fields to be mapped to SAML assertions. |
For more information on editing grafana.ini
for SAML, you can review their Configure
SAML authentication in Grafana
page.
Step 3/3. Add service provider metadata to Teleport
After restarting Grafana with the edited configuration, download its SAML metadata
from the path /saml/metadata
. Create the file grafana-sp.yaml
to define this
service provider, using the downloaded metadata for the value of entity_descriptor
:
kind: saml_idp_service_provider
metadata:
# The friendly name of the service provider. This is used to manage the
# service provider as well as in identity provider initiated SSO.
name: saml-grafana
spec:
# The entity_descriptor is the service provider XML.
entity_descriptor: |
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"...
version: v1
Add the service provider definition to Teleport:
tctl create grafana-sp.yaml
The Grafana login screen now has a "Sign in with SAML" button, which will direct
you to the Teleport login screen. Or, if you've set auto_login = true
, you will
be redirected automatically.