Fork me on GitHub

Teleport

Use Teleport's SAML Provider to authenticate with Grafana (Preview)

Improve
Preview

The SAML identity provider is currently in Preview mode.

Grafana is an open-source observability platform. Their enterprise version supports SAML authentication. This guide will help you configure Teleport as a SAML provider, and Grafana to accept the identities it provides.

Note that Teleport can act as an identity provider to any SAML-compatible service, not just those running behind the Teleport App Service.

Prerequisites

  • An instance of Grafana Enterprise, with edit access to grafana.ini.
    • A trusted certificate authority to create TLS certificates/keys for the SAML connection.
  • A running Teleport Enterprise cluster, including the Auth Service and Proxy Service. For details on how to set this up, see our Enterprise Getting Started guide.

  • The Enterprise tctl admin tool and tsh client tool version >= 12.1.1, which you can download by visiting the customer portal.

    tctl version

    Teleport Enterprise v12.1.1 go1.19

    tsh version

    Teleport v12.1.1 go1.19

Cloud is not available for Teleport v.
Please use the latest version of Teleport Enterprise documentation.

To connect to Teleport, log in to your cluster using tsh, then use tctl remotely:

tsh login --proxy=teleport.example.com [email protected]
tctl status

Cluster teleport.example.com

Version 12.1.1

CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678

You can run subsequent tctl commands in this guide on your local machine.

For full privileges, you can also run tctl commands on your Auth Service host.

To connect to Teleport, log in to your cluster using tsh, then use tctl remotely:

tsh login --proxy=myinstance.teleport.sh [email protected]
tctl status

Cluster myinstance.teleport.sh

Version 12.1.2

CA pin sha256:sha-hash-here

You must run subsequent tctl commands in this guide on your local machine.

Step 1/3. Configure a Teleport role with access to SAML service provider objects

First we need to ensure you are logged into Teleport as a user that has permissions to read and modify saml_idp_service_provider objects. The default editor role has access to this already, but in case you are using a more customized configuration, create a role called sp-manager.yaml with the following contents:

kind: role
version: v6
metadata:
  name: sp-manager
spec:
  allow:
    rules:
    - resources: [saml_idp_service_provider]
      verbs: [list, create, read, update, delete]

Create it with tctl:

tctl create sp-manager.yaml

role 'saml-idp-service-provider-manager' has been created

Assign the saml_idp_service_provider role to your Teleport user by running the following commands, depending on whether you authenticate as a local Teleport user or via the github, saml, or oidc authentication connectors:

Retrieve your local user's configuration resource:

tctl get users/$(tsh status -f json | jq -r '.active.username') > out.yaml

Edit out.yaml, adding saml_idp_service_provider to the list of existing roles:

  roles:
   - access
   - auditor
   - editor
+  - saml_idp_service_provider

Apply your changes:

tctl create -f out.yaml

Retrieve your github configuration resource:

tctl get github/github --with-secrets > github.yaml

Edit github.yaml, adding saml_idp_service_provider to the teams_to_roles section. The team you will map to this role will depend on how you have designed your organization's RBAC, but it should be the smallest team possible within your organization. This team must also include your user.

Here is an example:

  teams_to_roles:
    - organization: octocats
      team: admins
      roles:
        - access
+       - saml_idp_service_provider

Apply your changes:

tctl create -f github.yaml
Warning

Note the --with-secrets flag in the tctl get command. This adds the value of spec.signing_key_pair.private_key to saml.yaml. This is a sensitive value, so take precautions when creating this file and remove it after updating the resource.

Retrieve your saml configuration resource:

tctl get --with-secrets saml/mysaml > saml.yaml

Edit saml.yaml, adding saml_idp_service_provider to the attributes_to_roles section. The attribute you will map to this role will depend on how you have designed your organization's RBAC, but it should be the smallest group possible within your organization. This group must also include your user.

Here is an example:

  attributes_to_roles:
    - name: "groups"
      value: "my-group"
      roles:
        - access
+       - saml_idp_service_provider

Apply your changes:

tctl create -f saml.yaml
Warning

Note the --with-secrets flag in the tctl get command. This adds the value of spec.signing_key_pair.private_key to saml.yaml. This is a sensitive value, so take precautions when creating this file and remove it after updating the resource.

Retrieve your oidc configuration resource:

tctl get oidc/myoidc --with-secrets > oidc.yaml

Edit oidc.yaml, adding saml_idp_service_provider to the claims_to_roles section. The claim you will map to this role will depend on how you have designed your organization's RBAC, but it should be the smallest group possible within your organization. This group must also include your user.

Here is an example:

  claims_to_roles:
    - name: "groups"
      value: "my-group"
      roles:
        - access
+       - saml_idp_service_provider

Apply your changes:

tctl create -f saml.yaml
Warning

Note the --with-secrets flag in the tctl get command. This adds the value of spec.signing_key_pair.private_key to saml.yaml. This is a sensitive value, so take precautions when creating this file and remove it after updating the resource.

Log out of your Teleport cluster and log in again to assume the new role.

Step 2/3. Configure Grafana to recognize Teleport's identity provider

The first step in configuring Grafana for SSO is retrieving Teleport's SAML identity provider metadata. You can obtain this metadata in XML format by navigating to https://<proxy-address>/enterprise/saml-idp/metadata. Save it in an easy to remember file name like teleport-metadata.xml.

Encode the metadata using base64 to provide to the Grafana config:

cat teleport-metadata.xml | base64

From the Grafana host, edit grafana.ini by adding a [auth.saml] section:

[auth.saml]
enabled = true
auto_login = false
private_key_path = '/path/to/certs/grafana-host-key.pem'
certificate_path = '/path/to/certs/grafana-host.pem'
idp_metadata = 'PEVudGl0eURl.....'
assertion_attribute_name = uid
assertion_attribute_login = uid
assertion_attribute_email = uid
assertion_attribute_groups = eduPersonAffiliation
KeyValue
enabledSet to true to enable SAML authentication.
auto_loginWhen set to true, enables auto-login using SAML.
private_key_pathPath to the TLS key used to identify Grafana.
certificate_pathPath to the TLS certificate used to identify Grafana.
idp_metadataThe base64-encoded contents of the Teleport metadata XML file.
assertion_*Various Grafana user fields to be mapped to SAML assertions.

For more information on editing grafana.ini for SAML, you can review their Configure SAML authentication in Grafana page.

Step 3/3. Add service provider metadata to Teleport

After restarting Grafana with the edited configuration, download its SAML metadata from the path /saml/metadata. Create the file grafana-sp.yaml to define this service provider, using the downloaded metadata for the value of entity_descriptor:

kind: saml_idp_service_provider
metadata:
  # The friendly name of the service provider. This is used to manage the
  # service provider as well as in identity provider initiated SSO.
  name: saml-grafana
spec:
  # The entity_descriptor is the service provider XML.
  entity_descriptor: |
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"...
version: v1

Add the service provider definition to Teleport:

tctl create grafana-sp.yaml

The Grafana login screen now has a "Sign in with SAML" button, which will direct you to the Teleport login screen. Or, if you've set auto_login = true, you will be redirected automatically.