Use Teleport's SAML Provider to authenticate with Grafana

Report an issue with this page

Grafana is an open source observability platform. Their enterprise version supports SAML authentication. This guide will help you configure Teleport as a SAML provider, and Grafana to accept the identities it provides.

Note that Teleport can act as an identity provider to any SAML-compatible service, not just those running behind the Teleport App Service.

Prerequisites

• An instance of Grafana Enterprise, with edit access to grafana.ini.
  • A trusted certificate authority to create TLS certificates/keys for the SAML connection.

• A running Teleport Enterprise cluster version 17.5.2 or above. If you do not have one, read Get Started with Teleport.

• The tctl and tsh clients.

  Details

  Installing tctl and tsh clients

  Mac

  Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients:

  curl -O https://cdn.teleport.dev/teleport-17.5.2.pkg

  In Finder double-click the pkg file to begin installation.

  danger

  Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

  Windows - Powershell

  curl.exe -O https://cdn.teleport.dev/teleport-v17.5.2-windows-amd64-bin.zip
  Unzip the archive and move the `tctl` and `tsh` clients to your %PATH%
  NOTE: Do not place the `tctl` and `tsh` clients in the System32 directory, as this can cause issues when using WinSCP.
  Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\<username>) instead.

  Linux

  All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page.

  curl -O https://cdn.teleport.dev/teleport-v17.5.2-linux-amd64-bin.tar.gz
  tar -xzf teleport-v17.5.2-linux-amd64-bin.tar.gz
  cd teleport
  sudo ./install
  Teleport binaries have been copied to /usr/local/bin

  The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/ping and use a JSON query tool to obtain your cluster version:

  curl https://example.teleport.sh/v1/webapi/ping | jq -r '.server_version'
  17.5.2

• To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and email@example.com to your Teleport username:

  tsh login --proxy=teleport.example.com --user=email@example.com
  tctl status
  Cluster  teleport.example.com
  Version  17.5.2
  CA pin   sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678

  If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

Step 1/3. Configure a Teleport role with access to SAML service provider objects

First we need to ensure you are logged into Teleport as a user that has permissions to read and modify saml_idp_service_provider objects. The default editor role has access to this already, but in case you are using a more customized configuration, create a role called sp-manager.yaml with the following contents:

kind: role
version: v7
metadata:
  name: sp-manager
spec:
  allow:
    rules:
    - resources: [saml_idp_service_provider]
      verbs: [list, create, read, update, delete]

Create it with tctl:

tctl create sp-manager.yaml
role 'saml-idp-service-provider-manager' has been created

tip

You can also create and edit roles using the Web UI. Go to Access -> Roles and click Create New Role or pick an existing role to edit.

Assign the saml_idp_service_provider role to your Teleport user by running the appropriate commands for your authentication provider:

Local User

1. Retrieve your local user's roles as a comma-separated list:

   ROLES=$(tsh status -f json | jq -r '.active.roles | join(",")')

2. Edit your local user to add the new role:

   tctl users update $(tsh status -f json | jq -r '.active.username') \  --set-roles "${ROLES?},saml_idp_service_provider"

3. Sign out of the Teleport cluster and sign in again to assume the new role.

GitHub

1. Open your github authentication connector in a text editor:

   tctl edit github/github

2. Edit the github connector, adding saml_idp_service_provider to the teams_to_roles section.

   The team you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the team must include your user account and should be the smallest team possible within your organization.

   Here is an example:

     teams_to_roles:
       - organization: octocats
         team: admins
         roles:
           - access
   +       - saml_idp_service_provider
   

3. Apply your changes by saving closing the file in your editor.

4. Sign out of the Teleport cluster and sign in again to assume the new role.

SAML

1. Retrieve your saml configuration resource:

   tctl get --with-secrets saml/mysaml > saml.yaml

   Note that the --with-secrets flag adds the value of spec.signing_key_pair.private_key to the saml.yaml file. Because this key contains a sensitive value, you should remove the saml.yaml file immediately after updating the resource.

2. Edit saml.yaml, adding saml_idp_service_provider to the attributes_to_roles section.

   The attribute you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization.

   Here is an example:

     attributes_to_roles:
       - name: "groups"
         value: "my-group"
         roles:
           - access
   +       - saml_idp_service_provider
   

3. Apply your changes:

   tctl create -f saml.yaml

4. Sign out of the Teleport cluster and sign in again to assume the new role.

OIDC

1. Retrieve your oidc configuration resource:

   tctl get oidc/myoidc --with-secrets > oidc.yaml

   Note that the --with-secrets flag adds the value of spec.signing_key_pair.private_key to the oidc.yaml file. Because this key contains a sensitive value, you should remove the oidc.yaml file immediately after updating the resource.

2. Edit oidc.yaml, adding saml_idp_service_provider to the claims_to_roles section.

   The claim you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization.

   Here is an example:

     claims_to_roles:
       - name: "groups"
         value: "my-group"
         roles:
           - access
   +       - saml_idp_service_provider
   

3. Apply your changes:

   tctl create -f oidc.yaml

4. Sign out of the Teleport cluster and sign in again to assume the new role.

Step 2/3. Configure Grafana to recognize Teleport's identity provider

The first step in configuring Grafana for SSO is retrieving Teleport's SAML identity provider metadata. You can obtain this metadata in XML format by navigating to https://<proxy-address>/enterprise/saml-idp/metadata. Save it in an easy to remember file name like teleport-metadata.xml.

Encode the metadata using base64 to provide to the Grafana config:

cat teleport-metadata.xml | base64

From the Grafana host, edit grafana.ini by adding a [auth.saml] section:

[auth.saml]
enabled = true
auto_login = false
allow_idp_initiated = true
relay_state = ""
private_key_path = '/path/to/certs/grafana-host-key.pem'
certificate_path = '/path/to/certs/grafana-host.pem'
idp_metadata = 'PEVudGl0eURl.....'
assertion_attribute_name = uid
assertion_attribute_login = uid
assertion_attribute_email = uid
assertion_attribute_groups = eduPersonAffiliation

Key	Value
enabled	Set to true to enable SAML authentication.
auto_login	When set to true, enables auto-login using SAML.
allow_idp_initiated	Set to true to allow IdP-initiated login.
relay_state	Relay state for IdP-initiated login. Must be set to "" to work with Teleport's IdP.
private_key_path	Path to the TLS key used to identify Grafana.
certificate_path	Path to the TLS certificate used to identify Grafana.
idp_metadata	The base64-encoded contents of the Teleport metadata XML file.
assertion_*	Various Grafana user fields to be mapped to SAML assertions.

For more information on editing grafana.ini for SAML, you can review their Configure SAML authentication in Grafana page.

Step 3/3. Add service provider metadata to Teleport

After restarting Grafana with the edited configuration, download its SAML metadata from the path /saml/metadata. Create the file grafana-sp.yaml to define this service provider, using the downloaded metadata for the value of entity_descriptor:

kind: saml_idp_service_provider
metadata:
  # The friendly name of the service provider. This is used to manage the
  # service provider as well as in identity provider initiated SSO.
  name: saml-grafana
spec:
  # The entity_descriptor is the service provider XML.
  entity_descriptor: |
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"...
version: v1

Add the service provider definition to Teleport:

tctl create grafana-sp.yaml

The Grafana login screen now has a "Sign in with SAML" button, which will direct you to the Teleport login screen. Or, if you've set auto_login = true, you will be redirected automatically.