Use Teleport's SAML Provider to authenticate with Grafana
Grafana is an open source observability platform. Its Enterprise edition supports SAML authentication. This guide will help you configure Teleport as a SAML identity provider, and Grafana to accept the identities it provides.
Note that Teleport can act as an identity provider to any SAML-compatible service, not just those running behind the Teleport App Service.
- An instance of Grafana Enterprise, with edit access to
- A trusted certificate authority to create TLS certificates/keys for the SAML connection.
- To check that you can connect to your Teleport cluster, sign in with `tsh login`, then verify that you can run `tctl` commands using your current credentials. `tctl` is supported on macOS and Linux machines. For example:

```
$ tsh login --proxy=teleport.example.com --user=email@example.com
$ tctl status
CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
```

If you can connect to the cluster and run the `tctl status` command, you can use your current credentials to run subsequent `tctl` commands from your workstation. If you host your own Teleport cluster, you can also run `tctl` commands on the computer that hosts the Teleport Auth Service for full permissions.
First we need to ensure you are logged into Teleport as a user that has permissions to read and modify `saml_idp_service_provider` objects. One of Teleport's default roles has access to this already, but in case you are using a more customized configuration, create a file called `sp-manager.yaml` with the following contents, which defines a role named `saml-idp-service-provider-manager`:

```yaml
kind: role
version: v7
metadata:
  name: saml-idp-service-provider-manager
spec:
  allow:
    rules:
    - resources: [saml_idp_service_provider]
      verbs: [list, create, read, update, delete]
```

Create it with `tctl`:

```
$ tctl create sp-manager.yaml
role 'saml-idp-service-provider-manager' has been created
```

Assign the `saml-idp-service-provider-manager` role to your Teleport user by running the appropriate commands for your authentication provider:
The first step in configuring Grafana for SSO is retrieving Teleport's SAML identity provider metadata. You can obtain this metadata in XML format from your Teleport cluster and save it under an easy to remember file name like `teleport-metadata.xml`. Encode the metadata using `base64` to provide to the Grafana config:

```
$ cat teleport-metadata.xml | base64
```

The encoded value has to fit on a single line in `grafana.ini`. GNU `base64` wraps its output at 76 columns by default, so pass `-w 0` to keep it on one line.
From the Grafana host, edit `grafana.ini` by adding an `[auth.saml]` section with the following contents:

```ini
[auth.saml]
enabled = true
auto_login = false
allow_idp_initiated = true
relay_state = ""
private_key_path = '/path/to/certs/grafana-host-key.pem'
certificate_path = '/path/to/certs/grafana-host.pem'
idp_metadata = 'PEVudGl0eURl.....'
assertion_attribute_name = uid
assertion_attribute_login = uid
assertion_attribute_email = uid
assertion_attribute_groups = eduPersonAffiliation
```

| Setting | Description |
|---|---|
| `enabled` | Set to `true` to enable SAML authentication. |
| `auto_login` | When set to `true`, enables auto-login using SAML. |
| `allow_idp_initiated` | Set to `true` to allow IdP-initiated login. |
| `relay_state` | Relay state for IdP-initiated login. Must be set to `""` to work with Teleport's IdP. |
| `private_key_path` | Path to the TLS key used to identify Grafana. |
| `certificate_path` | Path to the TLS certificate used to identify Grafana. |
| `idp_metadata` | The base64-encoded contents of the Teleport metadata XML file. |
| `assertion_attribute_*` | Various Grafana user fields to be mapped to SAML assertions. |

For more information on editing `grafana.ini` for SAML, you can review Grafana's "Configure SAML authentication in Grafana" documentation.
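The following is an added example, not code from the Teleport or Grafana documentation. It checks the Teleport IdP metadata before you trust it (that it really is identity provider metadata, that its SSO endpoints are HTTPS, and that a signing certificate is published, since without one Grafana cannot verify assertions), base64-encodes it on a single line, renders the `[auth.saml]` section shown above, and reads the value back out of the ini text to prove it survived intact. `SAMPLE_IDP_METADATA` and the certificate paths are constructed placeholders; substitute the metadata you downloaded from your own cluster.

```python
# Added example (not from the Teleport or Grafana documentation): sanity-check
# Teleport's IdP metadata before trusting it, base64-encode it on a single
# line, render the [auth.saml] section for grafana.ini, and confirm the value
# survives an ini round trip. SAMPLE_IDP_METADATA is constructed for
# illustration; the real file is the one you downloaded from your cluster.
import base64
import configparser
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample shaped like SAML 2.0 IdP metadata (hostnames and the
# certificate body are placeholders, not values from a real cluster).
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://teleport.example.com/saml-idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://teleport.example.com/saml-idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text):
    """Return the facts worth eyeballing before pasting metadata into Grafana:
    entityID, SSO endpoints and how many signing certificates are published.
    Raise ValueError if the document is not usable IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    sso = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)]
    if not sso or not all(u.startswith("https://") for u in sso):
        raise ValueError("every SingleSignOnService endpoint must be an https URL")
    certs = idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not certs:
        raise ValueError("no signing certificate: Grafana could not verify assertions")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": len(certs)}


def encode_idp_metadata(xml_text):
    """base64 the validated metadata as one line. An ini value cannot span
    lines, so wrapped output (GNU base64 without -w 0) would not work."""
    check_idp_metadata(xml_text)
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def render_auth_saml(idp_b64, key_path, cert_path):
    """Render the [auth.saml] section from the guide with our own values."""
    lines = [
        "[auth.saml]",
        "enabled = true",
        "auto_login = false",
        "allow_idp_initiated = true",
        'relay_state = ""',
        "private_key_path = '%s'" % key_path,
        "certificate_path = '%s'" % cert_path,
        "idp_metadata = '%s'" % idp_b64,
        "assertion_attribute_name = uid",
        "assertion_attribute_login = uid",
        "assertion_attribute_email = uid",
        "assertion_attribute_groups = eduPersonAffiliation",
    ]
    return "\n".join(lines) + "\n"


def idp_metadata_from_ini(ini_text):
    """Read idp_metadata back out of the [auth.saml] section and decode it,
    proving the value is intact (surrounding quotes stripped)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    value = cp["auth.saml"]["idp_metadata"].strip("'\"")
    return base64.b64decode(value).decode("utf-8")


if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_IDP_METADATA))
    section = render_auth_saml(encode_idp_metadata(SAMPLE_IDP_METADATA),
                               "/etc/grafana/certs/grafana-host-key.pem",
                               "/etc/grafana/certs/grafana-host.pem")
    print(section)
```

Compare the printed `entity_id` and `sso` endpoints against the Teleport Proxy address you expect before committing the section to `grafana.ini`; the check only proves the document is well-formed IdP metadata, not that it came from the cluster you meant.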
After restarting Grafana with the edited configuration, download its SAML metadata from the path `/saml/metadata` on your Grafana host. Create the file `grafana-sp.yaml` to define this service provider, using the downloaded metadata for the value of `entity_descriptor`:

```yaml
kind: saml_idp_service_provider
metadata:
  # The friendly name of the service provider. This is used to manage the
  # service provider as well as in identity provider initiated SSO.
  name: grafana
spec:
  # The entity_descriptor is the service provider XML.
  entity_descriptor: |
    <paste the downloaded Grafana metadata XML here, indented under the block scalar>
version: v1
```
Add the service provider definition to Teleport:

```
$ tctl create grafana-sp.yaml
```
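As an added example (not Teleport's or Grafana's own code), the block below checks the metadata Grafana served at `/saml/metadata` before it is registered, then renders `grafana-sp.yaml` with the XML indented correctly under `entity_descriptor`. The check matters because Teleport will post signed assertions carrying user identity and group membership to every AssertionConsumerService URL in this document, so an unexpected host or a plain-HTTP URL there means identities would be delivered somewhere you did not intend. `SAMPLE_SP_METADATA`, the host `grafana.example.com` and the resource name `grafana` are constructed placeholders.

```python
# Added example (not Teleport's or Grafana's own code): check the metadata
# Grafana served at /saml/metadata before registering it with Teleport, then
# render grafana-sp.yaml with the XML correctly indented as a YAML block
# scalar under entity_descriptor. SAMPLE_SP_METADATA is constructed for
# illustration; the real document is the one downloaded from your Grafana host.
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample shaped like the metadata a SAML service provider publishes.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://grafana.example.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://grafana.example.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text, expected_host):
    """Confirm the document is SP metadata whose AssertionConsumerService
    endpoints all point at the Grafana host you intend, over HTTPS. Teleport
    posts signed assertions (identity and groups) to these URLs, so a wrong
    host here means identities would be delivered elsewhere."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")
    acs = [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)]
    if not acs:
        raise ValueError("no AssertionConsumerService endpoint")
    for url in acs:
        parts = urlparse(url)
        if parts.scheme != "https" or parts.hostname != expected_host:
            raise ValueError("ACS %s is not an https URL on %s" % (url, expected_host))
    return {
        "entity_id": root.get("entityID"),
        "acs": acs,
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }


def render_service_provider(name, xml_text, expected_host):
    """Build the saml_idp_service_provider resource from the guide. The XML
    goes under 'entity_descriptor: |', indented four spaces so every line
    (including the <?xml ...?> declaration) stays inside the block scalar."""
    check_sp_metadata(xml_text, expected_host)
    body = "\n".join(("    " + line) if line.strip() else ""
                     for line in xml_text.rstrip("\n").splitlines())
    return (
        "kind: saml_idp_service_provider\n"
        "metadata:\n"
        "  # The friendly name of the service provider. This is used to manage the\n"
        "  # service provider as well as in identity provider initiated SSO.\n"
        "  name: %s\n"
        "spec:\n"
        "  # The entity_descriptor is the service provider XML.\n"
        "  entity_descriptor: |\n"
        "%s\n"
        "version: v1\n"
    ) % (name, body)


if __name__ == "__main__":
    # With real input, read the downloaded file instead of the constructed sample
    # and write the result to grafana-sp.yaml for `tctl create`.
    print(check_sp_metadata(SAMPLE_SP_METADATA, "grafana.example.com"))
    print(render_service_provider("grafana", SAMPLE_SP_METADATA, "grafana.example.com"))
```

If `wants_signed_assertions` comes back false, Grafana has not asked for signed assertions in its metadata; that is worth investigating on the Grafana side before the service provider goes live.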
The Grafana login screen now has a "Sign in with SAML" button, which will direct you to the Teleport login screen. Or, if you've set `auto_login = true`, you will be redirected automatically.