# Use Teleport's SAML Provider to authenticate with Grafana Grafana is an open source observability platform. Their enterprise version supports SAML authentication. This guide will help you configure Teleport as a SAML provider, and Grafana to accept the identities it provides. Note that Teleport can act as an identity provider to any SAML-compatible service, not just those running behind the Teleport App Service. ## How it works Grafana enables users to authenticate using SAML. You can export SAML IdP metadata from Teleport, then provide it to your Grafana configuration file in order to instruct Grafana to trust the Teleport IdP's certificate authority. Your Teleport cluster then uses a SAML IdP service provider resource to provide information about your Grafana deployment to the Teleport SAML IdP. ## Prerequisites - An instance of Grafana Enterprise, with edit access to `grafana.ini`. - A trusted certificate authority to create TLS certificates/keys for the SAML connection. * A running Teleport Enterprise cluster. If you want to get started with Teleport, [sign up](https://goteleport.com/signup) for a free trial or [set up a demo environment](https://goteleport.com/docs/ver/17.x/get-started/deploy-community.md). * The `tctl` and `tsh` clients. Installing `tctl` and `tsh` clients 1. Determine the version of your Teleport cluster. The `tctl` and `tsh` clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at `/v1/webapi/find` and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service: ``` $ TELEPORT_DOMAIN=teleport.example.com:443 $ TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')" ``` 2. Follow the instructions for your platform to install `tctl` and `tsh` clients: **Mac** Download the signed macOS .pkg installer for Teleport, which includes the `tctl` and `tsh` clients: ``` $ curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg ``` In Finder double-click the `pkg` file to begin installation. --- DANGER Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. --- **Windows - Powershell** ``` $ curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip Unzip the archive and move the `tctl` and `tsh` clients to your %PATH% NOTE: Do not place the `tctl` and `tsh` clients in the System32 directory, as this can cause issues when using WinSCP. Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\) instead. ``` **Linux** All of the Teleport binaries in Linux installations include the `tctl` and `tsh` clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our [installation page](https://goteleport.com/docs/ver/17.x/installation.md). ``` $ curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz $ tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz $ cd teleport $ sudo ./install Teleport binaries have been copied to /usr/local/bin ``` - To check that you can connect to your Teleport cluster, sign in with `tsh login`, then verify that you can run `tctl` commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and email\@example.com to your Teleport username: ``` $ tsh login --proxy=teleport.example.com --user=email@example.com $ tctl status Cluster teleport.example.com Version 17.7.20 CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678 ``` If you can connect to the cluster and run the `tctl status` command, you can use your current credentials to run subsequent `tctl` commands from your workstation. If you host your own Teleport cluster, you can also run `tctl` commands on the computer that hosts the Teleport Auth Service for full permissions. ## Step 1/3. Configure a Teleport role with access to SAML service provider objects First we need to ensure you are logged into Teleport as a user that has permissions to read and modify `saml_idp_service_provider` objects. The default `editor` role has access to this already, but in case you are using a more customized configuration, create a role called `sp-manager.yaml` with the following contents: ``` kind: role version: v7 metadata: name: sp-manager spec: allow: rules: - resources: [saml_idp_service_provider] verbs: [list, create, read, update, delete] ``` Create it with `tctl`: ``` $ tctl create sp-manager.yaml role 'saml-idp-service-provider-manager' has been created ``` --- TIP You can also create and edit roles using the Web UI. Go to **Access -> Roles** and click **Create New Role** or pick an existing role to edit. --- Assign the `saml_idp_service_provider` role to your Teleport user by running the appropriate commands for your authentication provider: **Local User** 1. Retrieve your local user's roles as a comma-separated list: ``` $ ROLES=$(tsh status -f json | jq -r '.active.roles | join(",")') ``` 2. Edit your local user to add the new role: ``` $ tctl users update $(tsh status -f json | jq -r '.active.username') \ --set-roles "${ROLES?},saml_idp_service_provider" ``` 3. Sign out of the Teleport cluster and sign in again to assume the new role. **GitHub** 1. Open your `github` authentication connector in a text editor: ``` $ tctl edit github/github ``` 2. Edit the `github` connector, adding `saml_idp_service_provider` to the `teams_to_roles` section. The team you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the team must include your user account and should be the smallest team possible within your organization. Here is an example: ``` teams_to_roles: - organization: octocats team: admins roles: - access + - saml_idp_service_provider ``` 3. Apply your changes by saving closing the file in your editor. 4. Sign out of the Teleport cluster and sign in again to assume the new role. **SAML** 1. Retrieve your `saml` configuration resource: ``` $ tctl get --with-secrets saml/mysaml > saml.yaml ``` Note that the `--with-secrets` flag adds the value of `spec.signing_key_pair.private_key` to the `saml.yaml` file. Because this key contains a sensitive value, you should remove the saml.yaml file immediately after updating the resource. 2. Edit `saml.yaml`, adding `saml_idp_service_provider` to the `attributes_to_roles` section. The attribute you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization. Here is an example: ``` attributes_to_roles: - name: "groups" value: "my-group" roles: - access + - saml_idp_service_provider ``` 3. Apply your changes: ``` $ tctl create -f saml.yaml ``` 4. Sign out of the Teleport cluster and sign in again to assume the new role. **OIDC** 1. Retrieve your `oidc` configuration resource: ``` $ tctl get oidc/myoidc --with-secrets > oidc.yaml ``` Note that the `--with-secrets` flag adds the value of `spec.signing_key_pair.private_key` to the `oidc.yaml` file. Because this key contains a sensitive value, you should remove the oidc.yaml file immediately after updating the resource. 2. Edit `oidc.yaml`, adding `saml_idp_service_provider` to the `claims_to_roles` section. The claim you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization. Here is an example: ``` claims_to_roles: - name: "groups" value: "my-group" roles: - access + - saml_idp_service_provider ``` 3. Apply your changes: ``` $ tctl create -f oidc.yaml ``` 4. Sign out of the Teleport cluster and sign in again to assume the new role. ## Step 2/3. Configure Grafana to recognize Teleport's identity provider The first step in configuring Grafana for SSO is retrieving Teleport's SAML identity provider metadata. You can obtain this metadata in XML format by navigating to `https:///enterprise/saml-idp/metadata`. Save it in an easy to remember file name like `teleport-metadata.xml`. Encode the metadata using `base64` to provide to the Grafana config: ``` $ cat teleport-metadata.xml | base64 ``` From the Grafana host, edit `grafana.ini` by adding a `[auth.saml]` section: ``` [auth.saml] enabled = true auto_login = false allow_idp_initiated = true relay_state = "" private_key_path = '/path/to/certs/grafana-host-key.pem' certificate_path = '/path/to/certs/grafana-host.pem' idp_metadata = 'PEVudGl0eURl.....' assertion_attribute_name = uid assertion_attribute_login = uid assertion_attribute_email = uid assertion_attribute_groups = eduPersonAffiliation ``` | Key | Value | | --------------------- | ------------------------------------------------------------------------------------- | | `enabled` | Set to `true` to enable SAML authentication. | | `auto_login` | When set to `true`, enables auto-login using SAML. | | `allow_idp_initiated` | Set to `true` to allow IdP-initiated login. | | `relay_state` | Relay state for IdP-initiated login. Must be set to `""` to work with Teleport's IdP. | | `private_key_path` | Path to the TLS key used to identify Grafana. | | `certificate_path` | Path to the TLS certificate used to identify Grafana. | | `idp_metadata` | The base64-encoded contents of the Teleport metadata XML file. | | `assertion_*` | Various Grafana user fields to be mapped to SAML assertions. | For more information on editing `grafana.ini` for SAML, you can review their [Configure SAML authentication in Grafana](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/saml/) page. ## Step 3/3. Add service provider metadata to Teleport After restarting Grafana with the edited configuration, download its SAML metadata from the path `/saml/metadata`. Create the file `grafana-sp.yaml` to define this service provider, using the downloaded metadata for the value of `entity_descriptor`: ``` kind: saml_idp_service_provider metadata: # The friendly name of the service provider. This is used to manage the # service provider as well as in identity provider initiated SSO. name: saml-grafana spec: # The entity_descriptor is the service provider XML. entity_descriptor: |