Use Teleport's SAML Provider to authenticate with Grafana
Grafana is an open source observability platform. Their enterprise version supports SAML authentication. This guide will help you configure Teleport as a SAML provider, and Grafana to accept the identities it provides.
Note that Teleport can act as an identity provider to any SAML-compatible service, not just those running behind the Teleport App Service.
Prerequisites
- An instance of Grafana Enterprise, with edit access to
grafana.ini
.- A trusted certificate authority to create TLS certificates/keys for the SAML connection.
-
A running Teleport cluster. If you want to get started with Teleport, sign up for a free trial.
-
The Enterprise
tctl
admin tool andtsh
client tool version >= 15.4.22, which you can download from your Teleport account workspace or the Teleport Installation Downloads page.
- To check that you can connect to your Teleport cluster, sign in with
tsh login
, then verify that you can runtctl
commands using your current credentials.tctl
is supported on macOS and Linux machines. For example:If you can connect to the cluster and run the$ tsh login --proxy=teleport.example.com [email protected]
$ tctl status
# Cluster teleport.example.com
# Version 15.4.22
# CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678tctl status
command, you can use your current credentials to run subsequenttctl
commands from your workstation. If you host your own Teleport cluster, you can also runtctl
commands on the computer that hosts the Teleport Auth Service for full permissions.
Step 1/3. Configure a Teleport role with access to SAML service provider objects
First we need to ensure you are logged into Teleport as a user that has permissions
to read and modify saml_idp_service_provider
objects. The default editor
role
has access to this already, but in case you are using a more customized configuration,
create a role called sp-manager.yaml
with the following contents:
kind: role
version: v7
metadata:
name: sp-manager
spec:
allow:
rules:
- resources: [saml_idp_service_provider]
verbs: [list, create, read, update, delete]
Create it with tctl
:
$ tctl create sp-manager.yaml
role 'saml-idp-service-provider-manager' has been created
Assign the saml_idp_service_provider
role to your Teleport user by running the appropriate
commands for your authentication provider:
- Local User
- GitHub
- SAML
- OIDC
-
Retrieve your local user's roles as a comma-separated list:
$ ROLES=$(tsh status -f json | jq -r '.active.roles | join(",")')
-
Edit your local user to add the new role:
$ tctl users update $(tsh status -f json | jq -r '.active.username') \
--set-roles "${ROLES?},saml_idp_service_provider" -
Sign out of the Teleport cluster and sign in again to assume the new role.
-
Retrieve your
github
authentication connector:$ tctl get github/github --with-secrets > github.yaml
Note that the
--with-secrets
flag adds the value ofspec.signing_key_pair.private_key
to thegithub.yaml
file. Because this key contains a sensitive value, you should remove the github.yaml file immediately after updating the resource. -
Edit
github.yaml
, addingsaml_idp_service_provider
to theteams_to_roles
section.The team you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the team must include your user account and should be the smallest team possible within your organization.
Here is an example:
teams_to_roles:
- organization: octocats
team: admins
roles:
- access
+ - saml_idp_service_provider -
Apply your changes:
$ tctl create -f github.yaml
-
Sign out of the Teleport cluster and sign in again to assume the new role.
-
Retrieve your
saml
configuration resource:$ tctl get --with-secrets saml/mysaml > saml.yaml
Note that the
--with-secrets
flag adds the value ofspec.signing_key_pair.private_key
to thesaml.yaml
file. Because this key contains a sensitive value, you should remove the saml.yaml file immediately after updating the resource. -
Edit
saml.yaml
, addingsaml_idp_service_provider
to theattributes_to_roles
section.The attribute you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization.
Here is an example:
attributes_to_roles:
- name: "groups"
value: "my-group"
roles:
- access
+ - saml_idp_service_provider -
Apply your changes:
$ tctl create -f saml.yaml
-
Sign out of the Teleport cluster and sign in again to assume the new role.
-
Retrieve your
oidc
configuration resource:$ tctl get oidc/myoidc --with-secrets > oidc.yaml
Note that the
--with-secrets
flag adds the value ofspec.signing_key_pair.private_key
to theoidc.yaml
file. Because this key contains a sensitive value, you should remove the oidc.yaml file immediately after updating the resource. -
Edit
oidc.yaml
, addingsaml_idp_service_provider
to theclaims_to_roles
section.The claim you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization.
Here is an example:
claims_to_roles:
- name: "groups"
value: "my-group"
roles:
- access
+ - saml_idp_service_provider -
Apply your changes:
$ tctl create -f oidc.yaml
-
Sign out of the Teleport cluster and sign in again to assume the new role.
Step 2/3. Configure Grafana to recognize Teleport's identity provider
The first step in configuring Grafana for SSO is retrieving Teleport's
SAML identity provider metadata. You can obtain this metadata in XML format by
navigating to https://<proxy-address>/enterprise/saml-idp/metadata
. Save
it in an easy to remember file name like teleport-metadata.xml
.
Encode the metadata using base64
to provide to the Grafana config:
$ cat teleport-metadata.xml | base64
From the Grafana host, edit grafana.ini
by adding a [auth.saml]
section:
[auth.saml]
enabled = true
auto_login = false
allow_idp_initiated = true
relay_state = ""
private_key_path = '/path/to/certs/grafana-host-key.pem'
certificate_path = '/path/to/certs/grafana-host.pem'
idp_metadata = 'PEVudGl0eURl.....'
assertion_attribute_name = uid
assertion_attribute_login = uid
assertion_attribute_email = uid
assertion_attribute_groups = eduPersonAffiliation
Key | Value |
---|---|
enabled | Set to true to enable SAML authentication. |
auto_login | When set to true , enables auto-login using SAML. |
allow_idp_initiated | Set to true to allow IdP-initiated login. |
relay_state | Relay state for IdP-initiated login. Must be set to "" to work with Teleport's IdP. |
private_key_path | Path to the TLS key used to identify Grafana. |
certificate_path | Path to the TLS certificate used to identify Grafana. |
idp_metadata | The base64-encoded contents of the Teleport metadata XML file. |
assertion_* | Various Grafana user fields to be mapped to SAML assertions. |
For more information on editing grafana.ini
for SAML, you can review their Configure
SAML authentication in Grafana
page.
Step 3/3. Add service provider metadata to Teleport
After restarting Grafana with the edited configuration, download its SAML metadata
from the path /saml/metadata
. Create the file grafana-sp.yaml
to define this
service provider, using the downloaded metadata for the value of entity_descriptor
:
kind: saml_idp_service_provider
metadata:
# The friendly name of the service provider. This is used to manage the
# service provider as well as in identity provider initiated SSO.
name: saml-grafana
spec:
# The entity_descriptor is the service provider XML.
entity_descriptor: |
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"...
version: v1
Add the service provider definition to Teleport:
$ tctl create grafana-sp.yaml
The Grafana login screen now has a "Sign in with SAML" button, which will direct
you to the Teleport login screen. Or, if you've set auto_login = true
, you will
be redirected automatically.