Amazon Managed Grafana is getting popular since it is well integrated with lots of Amazon services. I am starting to see more people asking how to do the Okta integration with separate permissions per group. Let's go over the steps.
The setup below achieves the integration.
1. Create two Okta groups, grafana_admin and grafana_viewer, and assign users to them as required.
2. Create an App Integration and choose SAML 2.0.
3. Fill in the Application name and hit Next.
4. Configure SAML as follows:
   - Single Sign On URL: copy the Service provider reply URL (Assertion consumer service URL) from the workspace here. Example: https://g-xxx.grafana-workspace.us-east-1.amazonaws.com/saml/acs
5. Audience URI (SP Entity ID): copy the Service Provider (Entity ID) URL here. Example: https://g-xxx.grafana-workspace.us-east-1.amazonaws.com/saml/metadata
6. Select the option ‘Use this for Recipient URL and Destination URL’.
7. Keep the other settings at their defaults.
8. Set the ‘Attribute Statement’ as follows:
   - displayName: user.login (name format unspecified)
   - mail: user.email (name format unspecified)
9. Set the ‘Group Attribute Statement’ as follows:
   - Group: Matches regex: grafana*
10. Create.
11. Copy the ‘Idp Metadata URL’ from the ‘Sign On’ tab in Okta and configure SAML authentication [1] on Grafana so that:
    - Import Method -> URL: <enter the URL of the IdP metadata.>
    - Assertion Attribute Role: Role
    - Admin Role values: grafana_admin
    - Additional settings: keep the defaults; you can increase the login validity duration.
12. Submit the SAML configuration and try accessing Grafana using the Grafana Workspace URL shown in the AWS Console.
13. Test with users from the different groups to confirm the permissions are correct.
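To reason about step 13 offline, here is an added example (not from the original post, AWS or Okta) that parses a constructed, unsigned SAML assertion shaped the way the steps above configure it and reports which Grafana role its attribute values map to. The attribute name, admin role value and group regex come from the steps; the user values are made up.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Grafana-side settings from the walkthrough. The Okta attribute name must
# equal Grafana's "Assertion Attribute Role" or nobody is ever mapped to Admin.
ROLE_ATTRIBUTE = "Role"
ADMIN_ROLE_VALUES = {"grafana_admin"}
GROUP_FILTER = re.compile(r"grafana*")  # Okta group filter as written in the post

# Constructed, unsigned assertion fragment for a user in grafana_admin.
# Signature and audience checks are Grafana's job and are not modelled here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName">
      <saml:AttributeValue>alice.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>grafana_admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def attributes(assertion_xml):
    """Map attribute name -> list of values from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        result[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return result

def okta_filtered_groups(group_names):
    """Groups Okta would forward under 'Matches regex' (unanchored search assumed)."""
    return [g for g in group_names if GROUP_FILTER.search(g)]

def grafana_role(attrs):
    """Admin when the role attribute carries an admin value; everyone else is Viewer."""
    return "Admin" if ADMIN_ROLE_VALUES & set(attrs.get(ROLE_ATTRIBUTE, [])) else "Viewer"

def check_assertion(assertion_xml):
    """List the attributes Grafana expects but the assertion does not carry."""
    attrs = attributes(assertion_xml)
    return [f"missing attribute {n}" for n in ("displayName", "mail", ROLE_ATTRIBUTE) if n not in attrs]
```

Feed it a real assertion captured from your browser's SAML tracer to see whether the group value actually arrives under the attribute name Grafana is configured to read.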
That's it. I hope you succeed with this setup.