No More Backdoors: Know Who Has Access to What, Right Now
Jun 13
Virtual
Register Today
Teleport logoTry For Free
Fork me on GitHub

Teleport

Use Teleport's SAML Provider to authenticate with Grafana

Grafana is an open source observability platform. Their enterprise version supports SAML authentication. This guide will help you configure Teleport as a SAML provider, and Grafana to accept the identities it provides.

Note that Teleport can act as an identity provider to any SAML-compatible service, not just those running behind the Teleport App Service.

Prerequisites

  • An instance of Grafana Enterprise, with edit access to grafana.ini.
    • A trusted certificate authority to create TLS certificates/keys for the SAML connection.
  • To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. tctl is supported on macOS and Linux machines. For example:
    tsh login --proxy=teleport.example.com --user=[email protected]
    tctl status

    Cluster teleport.example.com

    Version 15.3.7

    CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678

    If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

Step 1/3. Configure a Teleport role with access to SAML service provider objects

First we need to ensure you are logged into Teleport as a user that has permissions to read and modify saml_idp_service_provider objects. The default editor role has access to this already, but in case you are using a more customized configuration, create a role called sp-manager.yaml with the following contents:

kind: role
version: v7
metadata:
  name: sp-manager
spec:
  allow:
    rules:
    - resources: [saml_idp_service_provider]
      verbs: [list, create, read, update, delete]

Create it with tctl:

tctl create sp-manager.yaml
role 'saml-idp-service-provider-manager' has been created

Assign the saml_idp_service_provider role to your Teleport user by running the appropriate commands for your authentication provider:

  1. Retrieve your local user's roles as a comma-separated list:

    ROLES=$(tsh status -f json | jq -r '.active.roles | join(",")')
  2. Edit your local user to add the new role:

    tctl users update $(tsh status -f json | jq -r '.active.username') \ --set-roles "${ROLES?},saml_idp_service_provider"
  3. Sign out of the Teleport cluster and sign in again to assume the new role.

  1. Retrieve your github authentication connector:

    tctl get github/github --with-secrets > github.yaml

    Note that the --with-secrets flag adds the value of spec.signing_key_pair.private_key to the github.yaml file. Because this key contains a sensitive value, you should remove the github.yaml file immediately after updating the resource.

  2. Edit github.yaml, adding saml_idp_service_provider to the teams_to_roles section.

    The team you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the team must include your user account and should be the smallest team possible within your organization.

    Here is an example:

      teams_to_roles:
        - organization: octocats
          team: admins
          roles:
            - access
    +       - saml_idp_service_provider
    
  3. Apply your changes:

    tctl create -f github.yaml
  4. Sign out of the Teleport cluster and sign in again to assume the new role.

  1. Retrieve your saml configuration resource:

    tctl get --with-secrets saml/mysaml > saml.yaml

    Note that the --with-secrets flag adds the value of spec.signing_key_pair.private_key to the saml.yaml file. Because this key contains a sensitive value, you should remove the saml.yaml file immediately after updating the resource.

  2. Edit saml.yaml, adding saml_idp_service_provider to the attributes_to_roles section.

    The attribute you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization.

    Here is an example:

      attributes_to_roles:
        - name: "groups"
          value: "my-group"
          roles:
            - access
    +       - saml_idp_service_provider
    
  3. Apply your changes:

    tctl create -f saml.yaml
  4. Sign out of the Teleport cluster and sign in again to assume the new role.

  1. Retrieve your oidc configuration resource:

    tctl get oidc/myoidc --with-secrets > oidc.yaml

    Note that the --with-secrets flag adds the value of spec.signing_key_pair.private_key to the oidc.yaml file. Because this key contains a sensitive value, you should remove the oidc.yaml file immediately after updating the resource.

  2. Edit oidc.yaml, adding saml_idp_service_provider to the claims_to_roles section.

    The claim you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization.

    Here is an example:

      claims_to_roles:
        - name: "groups"
          value: "my-group"
          roles:
            - access
    +       - saml_idp_service_provider
    
  3. Apply your changes:

    tctl create -f oidc.yaml
  4. Sign out of the Teleport cluster and sign in again to assume the new role.

Step 2/3. Configure Grafana to recognize Teleport's identity provider

The first step in configuring Grafana for SSO is retrieving Teleport's SAML identity provider metadata. You can obtain this metadata in XML format by navigating to https://<proxy-address>/enterprise/saml-idp/metadata. Save it in an easy to remember file name like teleport-metadata.xml.

Encode the metadata using base64 to provide to the Grafana config:

cat teleport-metadata.xml | base64

From the Grafana host, edit grafana.ini by adding a [auth.saml] section:

[auth.saml]
enabled = true
auto_login = false
allow_idp_initiated = true
relay_state = ""
private_key_path = '/path/to/certs/grafana-host-key.pem'
certificate_path = '/path/to/certs/grafana-host.pem'
idp_metadata = 'PEVudGl0eURl.....'
assertion_attribute_name = uid
assertion_attribute_login = uid
assertion_attribute_email = uid
assertion_attribute_groups = eduPersonAffiliation
KeyValue
enabledSet to true to enable SAML authentication.
auto_loginWhen set to true, enables auto-login using SAML.
allow_idp_initiatedSet to true to allow IdP-initiated login.
relay_stateRelay state for IdP-initiated login. Must be set to "" to work with Teleport's IdP.
private_key_pathPath to the TLS key used to identify Grafana.
certificate_pathPath to the TLS certificate used to identify Grafana.
idp_metadataThe base64-encoded contents of the Teleport metadata XML file.
assertion_*Various Grafana user fields to be mapped to SAML assertions.

For more information on editing grafana.ini for SAML, you can review their Configure SAML authentication in Grafana page.

Step 3/3. Add service provider metadata to Teleport

After restarting Grafana with the edited configuration, download its SAML metadata from the path /saml/metadata. Create the file grafana-sp.yaml to define this service provider, using the downloaded metadata for the value of entity_descriptor:

kind: saml_idp_service_provider
metadata:
  # The friendly name of the service provider. This is used to manage the
  # service provider as well as in identity provider initiated SSO.
  name: saml-grafana
spec:
  # The entity_descriptor is the service provider XML.
  entity_descriptor: |
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"...
version: v1

Add the service provider definition to Teleport:

tctl create grafana-sp.yaml

The Grafana login screen now has a "Sign in with SAML" button, which will direct you to the Teleport login screen. Or, if you've set auto_login = true, you will be redirected automatically.