Use Teleport's SAML Provider to authenticate with Grafana

Grafana is an open source observability platform. Their enterprise version supports SAML authentication. This guide will help you configure Teleport as a SAML provider, and Grafana to accept the identities it provides.

Note that Teleport can act as an identity provider to any SAML-compatible service, not just those running behind the Teleport App Service.

Prerequisites

• An instance of Grafana Enterprise, with edit access to grafana.ini.
  • A trusted certificate authority to create TLS certificates/keys for the SAML connection.

• A running Teleport cluster. If you want to get started with Teleport, sign up for a free trial.

• The tctl admin tool and tsh client tool.

  Visit Installation for instructions on downloading tctl and tsh.

• To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. For example:

  $ tsh login --proxy=teleport.example.com [email protected]
  $ tctl status
  # Cluster  teleport.example.com
  # Version  17.0.0-dev
  # CA pin   sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
  If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

Step 1/3. Configure a Teleport role with access to SAML service provider objects

First we need to ensure you are logged into Teleport as a user that has permissions to read and modify saml_idp_service_provider objects. The default editor role has access to this already, but in case you are using a more customized configuration, create a role called sp-manager.yaml with the following contents:

kind: role
version: v7
metadata:
  name: sp-manager
spec:
  allow:
    rules:
    - resources: [saml_idp_service_provider]
      verbs: [list, create, read, update, delete]

Create it with tctl:

$ tctl create sp-manager.yaml
role 'saml-idp-service-provider-manager' has been created

Assign the saml_idp_service_provider role to your Teleport user by running the appropriate commands for your authentication provider:

Local User

1. Retrieve your local user's roles as a comma-separated list:

   $ ROLES=$(tsh status -f json | jq -r '.active.roles | join(",")')

2. Edit your local user to add the new role:

   $ tctl users update $(tsh status -f json | jq -r '.active.username') \
     --set-roles "${ROLES?},saml_idp_service_provider"

3. Sign out of the Teleport cluster and sign in again to assume the new role.

GitHub

1. Open your github authentication connector in a text editor:

   $ tctl edit github/github

2. Edit the github connector, adding saml_idp_service_provider to the teams_to_roles section.

   The team you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the team must include your user account and should be the smallest team possible within your organization.

   Here is an example:

     teams_to_roles:
       - organization: octocats
         team: admins
         roles:
           - access
   +       - saml_idp_service_provider

3. Apply your changes by saving closing the file in your editor.

4. Sign out of the Teleport cluster and sign in again to assume the new role.

SAML

1. Retrieve your saml configuration resource:

   $ tctl get --with-secrets saml/mysaml > saml.yaml

   Note that the --with-secrets flag adds the value of spec.signing_key_pair.private_key to the saml.yaml file. Because this key contains a sensitive value, you should remove the saml.yaml file immediately after updating the resource.

2. Edit saml.yaml, adding saml_idp_service_provider to the attributes_to_roles section.

   The attribute you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization.

   Here is an example:

     attributes_to_roles:
       - name: "groups"
         value: "my-group"
         roles:
           - access
   +       - saml_idp_service_provider

3. Apply your changes:

   $ tctl create -f saml.yaml

4. Sign out of the Teleport cluster and sign in again to assume the new role.

OIDC

1. Retrieve your oidc configuration resource:

   $ tctl get oidc/myoidc --with-secrets > oidc.yaml

   Note that the --with-secrets flag adds the value of spec.signing_key_pair.private_key to the oidc.yaml file. Because this key contains a sensitive value, you should remove the oidc.yaml file immediately after updating the resource.

2. Edit oidc.yaml, adding saml_idp_service_provider to the claims_to_roles section.

   The claim you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization.

   Here is an example:

     claims_to_roles:
       - name: "groups"
         value: "my-group"
         roles:
           - access
   +       - saml_idp_service_provider

3. Apply your changes:

   $ tctl create -f oidc.yaml

4. Sign out of the Teleport cluster and sign in again to assume the new role.

Step 2/3. Configure Grafana to recognize Teleport's identity provider

The first step in configuring Grafana for SSO is retrieving Teleport's SAML identity provider metadata. You can obtain this metadata in XML format by navigating to https://<proxy-address>/enterprise/saml-idp/metadata. Save it in an easy to remember file name like teleport-metadata.xml.

Encode the metadata using base64 to provide to the Grafana config:

$ cat teleport-metadata.xml | base64

From the Grafana host, edit grafana.ini by adding a [auth.saml] section:

[auth.saml]
enabled = true
auto_login = false
allow_idp_initiated = true
relay_state = ""
private_key_path = '/path/to/certs/grafana-host-key.pem'
certificate_path = '/path/to/certs/grafana-host.pem'
idp_metadata = 'PEVudGl0eURl.....'
assertion_attribute_name = uid
assertion_attribute_login = uid
assertion_attribute_email = uid
assertion_attribute_groups = eduPersonAffiliation

Key	Value
enabled	Set to true to enable SAML authentication.
auto_login	When set to true, enables auto-login using SAML.
allow_idp_initiated	Set to true to allow IdP-initiated login.
relay_state	Relay state for IdP-initiated login. Must be set to "" to work with Teleport's IdP.
private_key_path	Path to the TLS key used to identify Grafana.
certificate_path	Path to the TLS certificate used to identify Grafana.
idp_metadata	The base64-encoded contents of the Teleport metadata XML file.
assertion_*	Various Grafana user fields to be mapped to SAML assertions.

For more information on editing grafana.ini for SAML, you can review their Configure SAML authentication in Grafana page.

Step 3/3. Add service provider metadata to Teleport

After restarting Grafana with the edited configuration, download its SAML metadata from the path /saml/metadata. Create the file grafana-sp.yaml to define this service provider, using the downloaded metadata for the value of entity_descriptor:

kind: saml_idp_service_provider
metadata:
  # The friendly name of the service provider. This is used to manage the
  # service provider as well as in identity provider initiated SSO.
  name: saml-grafana
spec:
  # The entity_descriptor is the service provider XML.
  entity_descriptor: |
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"...
version: v1

Add the service provider definition to Teleport:

$ tctl create grafana-sp.yaml

The Grafana login screen now has a "Sign in with SAML" button, which will direct you to the Teleport login screen. Or, if you've set auto_login = true, you will be redirected automatically.