Skip to main content

Use Teleport's SAML Provider to authenticate with Grafana

Grafana is an open source observability platform. Their enterprise version supports SAML authentication. This guide will help you configure Teleport as a SAML provider, and Grafana to accept the identities it provides.

Note that Teleport can act as an identity provider to any SAML-compatible service, not just those running behind the Teleport App Service.

Prerequisites

  • An instance of Grafana Enterprise, with edit access to grafana.ini.
    • A trusted certificate authority to create TLS certificates/keys for the SAML connection.
  • A running Teleport Enterprise cluster. For details on how to set this up, see our Enterprise Getting Started guide.

  • The Enterprise tctl admin tool and tsh client tool version >= 14.3.33, which you can download by visiting your Teleport account.

    $ tctl version
    # Teleport Enterprise v14.3.33 go1.21

    $ tsh version
    # Teleport v14.3.33 go1.21
  • To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. tctl is supported on macOS and Linux machines. For example:
    $ tsh login --proxy=teleport.example.com --user=email@example.com
    $ tctl status
    # Cluster teleport.example.com
    # Version 14.3.33
    # CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
    If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

Step 1/3. Configure a Teleport role with access to SAML service provider objects

First we need to ensure you are logged into Teleport as a user that has permissions to read and modify saml_idp_service_provider objects. The default editor role has access to this already, but in case you are using a more customized configuration, create a role called sp-manager.yaml with the following contents:

kind: role
version: v7
metadata:
name: sp-manager
spec:
allow:
rules:
- resources: [saml_idp_service_provider]
verbs: [list, create, read, update, delete]

Create it with tctl:

$ tctl create sp-manager.yaml
role 'saml-idp-service-provider-manager' has been created

Assign the saml_idp_service_provider role to your Teleport user by running the appropriate commands for your authentication provider:

  1. Retrieve your local user's configuration resource:

    $ tctl get users/$(tsh status -f json | jq -r '.active.username') > out.yaml
  2. Edit out.yaml, adding saml_idp_service_provider to the list of existing roles:

      roles:
    - access
    - auditor
    - editor
    + - saml_idp_service_provider
  3. Apply your changes:

    $ tctl create -f out.yaml
  4. Sign out of the Teleport cluster and sign in again to assume the new role.

Step 2/3. Configure Grafana to recognize Teleport's identity provider

The first step in configuring Grafana for SSO is retrieving Teleport's SAML identity provider metadata. You can obtain this metadata in XML format by navigating to https://<proxy-address>/enterprise/saml-idp/metadata. Save it in an easy to remember file name like teleport-metadata.xml.

Encode the metadata using base64 to provide to the Grafana config:

$ cat teleport-metadata.xml | base64

From the Grafana host, edit grafana.ini by adding a [auth.saml] section:

[auth.saml]
enabled = true
auto_login = false
allow_idp_initiated = true
relay_state = ""
private_key_path = '/path/to/certs/grafana-host-key.pem'
certificate_path = '/path/to/certs/grafana-host.pem'
idp_metadata = 'PEVudGl0eURl.....'
assertion_attribute_name = uid
assertion_attribute_login = uid
assertion_attribute_email = uid
assertion_attribute_groups = eduPersonAffiliation
KeyValue
enabledSet to true to enable SAML authentication.
auto_loginWhen set to true, enables auto-login using SAML.
allow_idp_initiatedSet to true to allow IdP-initiated login.
relay_stateRelay state for IdP-initiated login. Must be set to "" to work with Teleport's IdP.
private_key_pathPath to the TLS key used to identify Grafana.
certificate_pathPath to the TLS certificate used to identify Grafana.
idp_metadataThe base64-encoded contents of the Teleport metadata XML file.
assertion_*Various Grafana user fields to be mapped to SAML assertions.

For more information on editing grafana.ini for SAML, you can review their Configure SAML authentication in Grafana page.

Step 3/3. Add service provider metadata to Teleport

After restarting Grafana with the edited configuration, download its SAML metadata from the path /saml/metadata. Create the file grafana-sp.yaml to define this service provider, using the downloaded metadata for the value of entity_descriptor:

kind: saml_idp_service_provider
metadata:
# The friendly name of the service provider. This is used to manage the
# service provider as well as in identity provider initiated SSO.
name: saml-grafana
spec:
# The entity_descriptor is the service provider XML.
entity_descriptor: |
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"...
version: v1

Add the service provider definition to Teleport:

$ tctl create grafana-sp.yaml

The Grafana login screen now has a "Sign in with SAML" button, which will direct you to the Teleport login screen. Or, if you've set auto_login = true, you will be redirected automatically.