DevOps Engineer
Jatin is a DevOps Engineer with expertise and multiple certifications in Azure and AWS.
3
3This guide will walk you through setting up SAML authentication for your Amazon Grafana Workspace, allowing users to log in through AWS IAM Identity Center (formerly AWS SSO). This process enhances security and streamlines user management by centralizing access control.
Step 1: Get Your Grafana Service Provider Details
First, you'll need to retrieve some key details from your Grafana workspace to configure the application in the IAM Identity Center.
Navigate to your Amazon Grafana Workspace and click on the SAML configuration button.
a) Navigate to your Amazon Grafana Workspace and click on the SAML configuration button.
b) Copy the following three URLs and IDs. You'll need these in the next step:
- Service provider identifier (Entity ID)
- Service provider login URL
- Service provider reply URL (Assertion consumer service URL)
Step 2: Create a New Application in IAM Identity Center
Now, we'll create a new application in the IAM Identity Center that will represent your Grafana workspace.
- Open AWS IAM Identity Center in a new browser tab or window.
- Go to Application assignments -> Applications.
- Click the Add application button.
- Select the setup preference as I have an application I want to set up, and the application type as SAML 2.0. Click Next.
- Give your application a descriptive name (e.g., "Amazon Grafana Workspace") and an optional description.
- Find and copy the IAM Identity Center SAML metadata file URL.
Step 3: Configure Grafana with IAM Identity Center Metadata
Next, you'll use the metadata URL from IAM Identity Center to configure Grafana.
- Go back to your Amazon Grafana Workspace's SAML configuration page.
- In the "Step 2: Import the metadata" section, paste the IAM Identity Center SAML metadata file URL into the Metadata URL field.
Step 4: Map Grafana Details to the IAM Identity Center Application
Now, you'll need to go back to IAM Identity Center and map the Grafana service provider details you copied in Step 1.
Return to the IAM Identity Center application you created.
Paste the Grafana details into the following fields:
- Grafana's Service provider login URL -> IAM Identity Center's Application start URL
- Grafana's Service provider reply URL (Assertion consumer service URL) -> IAM Identity Center's Application ACS URL
- Grafana's Service provider identifier (Entity ID) -> IAM Identity Center's Application SAML audience
- Click the Submit button to save these settings.
Step 5: Configure Group-Based Access
To manage user roles, you'll create groups in IAM Identity Center and link them to Grafana roles.
- Create two new groups in IAM Identity Center, for example: Grafana-Admins and Grafana-Viewers.
- Go to the details page for the Grafana-Admins group and copy its Group ID.
- Go back to your Amazon Grafana SAML configuration page.
- In the Admin role values field, paste the Group ID of the Grafana-Admins group.
- Keep the other values as shown in the screenshot below and save the configuration.
Step 6: Assign Groups and Configure Attribute Mappings
The final step is to assign the newly created groups to the application and define the attribute mappings that will pass user and role information from IAM Identity Center to Grafana.
- In IAM Identity Center, go to Customer-managed applications and open the Grafana application you created.
Click on the Assign users and groups button and add the Grafana-Admins and Grafana-Viewers groups to the application.
- Click the Actions button in the top right corner and select Edit attribute mappings.
- Add the attribute mappings as shown in the provided example and save the changes.
- Now, the Amazon Grafana application should appear on your AWS access portal.
Users added to the Grafana-Admins group will be able to log in as administrators in Grafana. Similarly, users in the Grafana-Viewers group will have standard viewer access. You've successfully configured SAML authentication! 🎉
Check out our other guide: Signing into Amazon Managed Grafana with Google Workspace
